
Summary
This detection rule identifies PowerShell activity that uses the `Invoke-NinjaCopy` function, which lets an attacker read files that the operating system keeps locked on a live host, such as `NTDS.dit` or the SAM and other sensitive registry hives. `Invoke-NinjaCopy` opens a read handle to the raw NTFS volume and parses the file system structures itself, so it bypasses the file-level access controls and file-open monitoring that would normally block or record access to those files. The rule inspects PowerShell script block logging events and matches script blocks that contain `Invoke-NinjaCopy` or the script's internal helper function names, such as `StealthReadFile` and `StealthOpenFile`; because script block logging records function definitions as the script is loaded, the helper names fire even when the entry point is renamed. The rule also includes guidance on investigating alerts, analyzing possible false positives, and remediation.
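The matching step described above, written out as an added Python example (this is not the rule's own query or any vendor's code): a case-insensitive keyword match over constructed PowerShell script block events. The `ScriptBlockEvent` type, its field names and the sample events are this example's assumptions, not a product schema or real log data; the indicator strings are the ones the summary names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator strings named in the rule summary: the exported function plus two of the
# internal NTFS-parsing helpers that the Invoke-NinjaCopy script defines. Loading the
# script logs the function definitions, so the helper names still fire when an
# attacker renames only the entry point.
NINJACOPY_INDICATORS = ("Invoke-NinjaCopy", "StealthReadFile", "StealthOpenFile")

# PowerShell identifiers are case-insensitive, so the match must be too.
_INDICATOR_RE = re.compile(
    "|".join(re.escape(s) for s in NINJACOPY_INDICATORS), re.IGNORECASE
)


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a PowerShell script block logging record
    (Microsoft-Windows-PowerShell/Operational, Event ID 4104). The field names are
    this example's own assumption, not any product's schema."""
    record_id: int
    user: str
    script_block_text: str


def match_ninjacopy(event: ScriptBlockEvent) -> list[str]:
    """Return the distinct indicators found in the script block, lower-cased and sorted.
    An empty list means the event does not match the rule."""
    hits = {m.group(0).lower() for m in _INDICATOR_RE.finditer(event.script_block_text)}
    return sorted(hits)


def detect(events: list[ScriptBlockEvent]) -> list[tuple[int, list[str]]]:
    """Run the rule over a batch of events; return (record_id, indicators) per alert."""
    alerts = []
    for event in events:
        hits = match_ninjacopy(event)
        if hits:
            alerts.append((event.record_id, hits))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 1. Operator invokes the tool against the AD database on a domain controller.
    ScriptBlockEvent(
        1, "CORP\\svc-backup",
        'Invoke-NinjaCopy -Path "C:\\Windows\\NTDS\\ntds.dit" -LocalDestination "C:\\Temp\\n.dit"',
    ),
    # 2. Only the script body is logged (entry point renamed); helper names still match.
    ScriptBlockEvent(
        2, "CORP\\svc-backup",
        "function StealthOpenFile { param($Path) ... }\nfunction StealthReadFile { param($Handle) ... }",
    ),
    # 3. Benign admin activity touching the same directory: no indicator present.
    ScriptBlockEvent(3, "CORP\\admin", "Get-ChildItem C:\\Windows\\NTDS | Measure-Object"),
    # 4. String-building evasion: the indicator never appears contiguously in the logged
    #    text, so a plain keyword rule misses it. This is the rule's known blind spot.
    ScriptBlockEvent(
        4, "CORP\\svc-backup",
        "$f = 'Invoke-Ninja' + 'Copy'; & $f -Path C:\\Windows\\NTDS\\ntds.dit",
    ),
]


if __name__ == "__main__":
    for record_id, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT record {record_id}: {', '.join(hits)}")
```

Running the file prints alerts for records 1 and 2 only. Record 4 is the caveat a practitioner should keep in mind: script block logging captures the block as written, not the value a string expression produces at run time, so a rule that matches fixed keywords can be sidestepped by building the name from fragments. Including the helper function names raises the cost of evasion, since the whole script body has to be obfuscated rather than one call, but this rule should be treated as one signal alongside process and file telemetry rather than a complete control.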
Categories
- Endpoint
- Windows
- Infrastructure
Data Sources
- Script
- Logon Session
- Windows Registry
ATT&CK Techniques
- T1003
- T1003.002
- T1003.003
- T1059
- T1059.001
- T1006
Created: 2023-01-23