
Summary
This detection rule captures PowerShell execution patterns used by adversaries attempting to discover sensitive files on Windows systems. It monitors PowerShell script block logging for commands frequently associated with file enumeration, namely 'ls', 'get-childitem' and its alias 'gci', which may indicate attempts to list files within directories. It additionally looks for recursive searches via the '-recurse' parameter and for sensitive file extensions such as '.pass', '.kdbx', and '.kdb'. Taken together, these indicators detect an adversary trying to uncover credentials or other sensitive data typically stored in these formats. Script block logging must be enabled for this rule to function, since it is what records the content of executed scripts for examination. Alerts generated by this rule should be investigated, particularly in environments where sensitive data is handled.
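The following is an added example, not the rule's own detection logic, that applies the three indicators described above to constructed script block log text (the ScriptBlockText field of PowerShell Event ID 4104). It assumes the indicators are combined with AND, which the summary implies but does not state explicitly.

```python
import re

# Constructed sample ScriptBlockText values for this example; not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Users -Recurse -Include *.kdbx",
    "gci C:\\ -Recurse -Filter *.pass -ErrorAction SilentlyContinue",
    "ls -Recurse | Where-Object { $_.Name -like '*.kdb' }",
    "Get-ChildItem C:\\Users\\alice\\Documents -Include *.kdbx",  # no -recurse
    "Get-Process | Where-Object { $_.CPU -gt 100 }",            # unrelated
    "Get-ChildItem -Recurse -Include *.docx",                   # benign extension
]

# Enumeration command as a standalone token (avoids matching e.g. "-ls" or "tools").
ENUM_COMMANDS = re.compile(r"(?<![\w-])(ls|get-childitem|gci)(?![\w-])", re.IGNORECASE)
# Recursive search parameter.
RECURSE_FLAG = re.compile(r"-recurse\b", re.IGNORECASE)
# Sensitive file extensions named in the rule summary.
SENSITIVE_EXT = re.compile(r"\.(pass|kdbx|kdb)\b", re.IGNORECASE)


def matches_rule(script_block: str) -> bool:
    """True when a script block contains an enumeration command, the -recurse
    parameter and a sensitive extension (assumed AND combination)."""
    return bool(
        ENUM_COMMANDS.search(script_block)
        and RECURSE_FLAG.search(script_block)
        and SENSITIVE_EXT.search(script_block)
    )


def triage(script_blocks):
    """Return the subset of script blocks that should raise an alert."""
    return [sb for sb in script_blocks if matches_rule(sb)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print("ALERT:", hit)
```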
Categories
- Endpoint
- Windows
Data Sources
- Script
- Process
Created: 2022-09-16