-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathregexes.txt
19 lines (19 loc) · 1.38 KB
/
regexes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Type,regex,string
0,^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$,Metasploit-style cmd with pipe (possible use of Meterpreter 'getsystem')
0,^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$,Metasploit-style %SYSTEMROOT% image path (possible use of Metasploit 'Native upload' exploit payload)
0,powershell.*FromBase64String.*IO.Compression.GzipStream,Metasploit-style base64 encoded/compressed PowerShell function (possible use of Metasploit PowerShell exploit payload)
0,DownloadString\(.http,Download via Net.WebClient DownloadString
0,mimikatz,Command referencing Mimikatz
0,Invoke-Mimikatz.ps,PowerSploit Invoke-Mimikatz.ps1
0,PowerSploit.*ps1,Use of PowerSploit
0,User-Agent,User-Agent set via command line
0,[a-zA-Z0-9/+=]{500},500+ consecutive Base64 characters
0,powershell.exe.*Hidden.*Enc,Base64 encoded and hidden PowerShell command
# Generic csc.exe alert, comment out if experiencing false positives
0,\\csc\.exe,Use of C Sharp compiler csc.exe
0,\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline,PSAttack-style command via csc.exe
# Generic cvtres.exe alert, comment out if experiencing false positives
0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters
1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters