
List of commands and keywords in PowerShell and Command Prompt that should be looked at (and, obviously, tested first), etc.

First, enable PowerShell and script logging:

https://logrhythm.com/blog/powershell-command-line-logging/


%.invoke%

%add-exfiltration%

%add-persistence%

%add-scrnsavebackdoor%

%add-type%

%base32%

%base64%

%base64tostring%

%bypass%

%check-vm%

%copy-vss%

%create-multiplesessions%

%disable-windowsoptionalfeature%

%discover-psinterestingservices%

%discover-psmsexchangeservers%

%discover-psmssqlservers%

%dllinjection%

%do-exfiltration%

%download-execute-ps%

%downloadfile%

%downloadstring%

%enable-duplicatetoken%

%enable-psremoting%

%-enc%

%encodedcommand%

%enter-pssession%

%execute-command-mssql%

%execute-dnstxt-code%

%execute-ontime%

%expand-archive%

%find-avsignature%

%find-psserviceaccounts%

%get-applicationhost%

%get-clipboardcontents%

%get-gpppassword%

%get-information%

%get-kerberospolicy%

%get-keystrokes%

%get-lsasecret%

%get-module%

%get-passhashes%

%getprocaddress%

%get-procaddress%

%get-psadforestinfo%

%get-psadforestkrbtgtinfo%

%get-regalwaysinstallelevated%

%get-regautologon%

%get-serviceexeperms%

%get-serviceperms%

%get-serviceunquoted%

%get-timedscreenshot%

%get-unattendedinstallfiles%

%get-vaultcredential%

%get-webconfig%

%get-wmiobject%

%gupt-backdoor%

%http-backdoor%

%icm%

%iex%

%install-module%

%invoke-adsbackdoor%

%invoke-allchecks%

%invoke-bruteforce%

%invoke-callbackiex%

%invoke-command%

%invoke-cradlecrafter%

%invoke-createcertificate%

%invoke-credentialinjection%

%invoke-credentialsphish%

%invoke-decode%

%invoke-dllencode%

%invoke-encode%

%invoke-expression%

%invoke-filefinder%

%invoke-finddllhijack%

%invoke-findpathhijack%

%invoke-masscommand%

%invoke-massmimikatz%

%invoke-masssearch%

%invoke-masstemplate%

%invoke-masstokens%

%invoke-mimikatzwdigestdowngrade%

%invoke-module%

%invoke-networkrelay%

%invoke-ninjacopy%

%invoke-obfuscation%

%invoke-poshrathttp%

%invoke-poshrathttps%

%invoke-powershellicmp%

%invoke-powershelltcp%

%invoke-powershelludp%

%invoke-powershellwmi%

%invoke-psgcat%

%invoke-psgcatagent%

%invoke-psinject%

%invoke-rickascii%

%invoke-scriptanalyzer%

%invoke-servicecmd%

%invoke-servicedisable%

%invoke-serviceenable%

%invoke-servicestart%

%invoke-servicestop%

%invoke-serviceuseradd%

%invoke-sharefinder%

%invoke-shellcode%

%invoke--shellcode%

%invoke-shellcodemsil%

%invoke-tokenmanipulation%

%invoke-webrequest%

%invoke-wmimethod%

%invoke-wmiplant%

%mimikatz%

%net.webclient%

%new-elevatedpersistenceoption%

%new-object%

%-nop%

%out-chm%

%out-excel%

%out-hta%

%out-java%

%out-minidump%

%out-shortcut%

%out-word%

%payload%

%port-scan%

%powercat%

%powershellempire%

%powersploit%

%reflectivepeinjection%

%remove-eventlog%

%remove-persistence%

%remove-poshrat%

%remove-update%

%rename-item%

%restore-serviceexe%

%root%

%run-exeonremote%

%set-clipboard%

%set-content%

%set-executionpolicy%

%set-item%

%set-itemproperty%

%set-location%

%set-masterbootrecord%

%set-mppreference%

%set-service%

%set-timezone%

%stringtobase64%

%system.management%

%system.reflection%

%texttoexe%

%wmi%

%wmiclass%

%write-cmdservicebinary%

%write-eventlog%

%writeline%

%write-serviceexe%

%write-serviceexecmd%

%write-useraddmsi%

%write-useraddservicebinary%

%wsman%

%net group "domain controllers"%

.invoke

add-exfiltration

add-persistence

add-scrnsavebackdoor

add-type

base32

base64

base64tostring

bypass

certutil

check-vm

copy

copy-vss

create-multiplesessions

createobject

disable-windowsoptionalfeature

discover-psinterestingservices

discover-psmsexchangeservers

discover-psmssqlservers

dllinjection

dns_txt

dns_txt_pwnage

dnscmd

do-exfiltration

download_execute

download-execute-ps

downloadfile

downloadstring

enable-duplicatetoken

enable-psremoting

-enc

encodedcommand

enter-pssession

-ep

execute-command-mssql

execute-dnstxt-code

execute-ontime

expand-archive

find-avsignature

find-psserviceaccounts

get-accepteddomain

get-adgroupmember

get-adreplaccount

get-aduser

get-applicationhost

get-casmailbox

get-clipboardcontents

get-gpppassword

get-information

get-kerberospolicy

get-keystrokes

get-lsasecret

get-mailbox

get-managementroleassignment

get-module

get-organizationconfig

get-owavirtualdirectory

get-passhashes

getprocaddress

get-procaddress

get-process

get-psadforestinfo

get-psadforestkrbtgtinfo

get-regalwaysinstallelevated

get-regautologon

get-serviceexeperms

get-serviceperms

get-serviceunquoted

get-timedscreenshot

get-unattendedinstallfiles

get-vaultcredential

get-webconfig

get-webservicesvirtualdirectory

get-wmiobject

git

gupt-backdoor

http-backdoor

icm

iex

install-module

invoke-adsbackdoor

invoke-allchecks

invoke-bruteforce

invoke-callbackiex

invoke-command

invoke-cradlecrafter

invoke-createcertificate

invoke-credentialinjection

invoke-credentialsphish

invoke-decode

invoke-dllencode

invoke-encode

invoke-expression

invoke-filefinder

invoke-finddllhijack

invoke-findpathhijack

invoke-masscommand

invoke-massmimikatz

invoke-masssearch

invoke-masstemplate

invoke-masstokens

invoke-mimikatzwdigestdowngrade

invoke-module

invoke-networkrelay

invoke-ninjacopy

invoke-obfuscation

invoke-poshrathttp

invoke-poshrathttps

invoke-powershellicmp

invoke-powershelltcp

invoke-powershelludp

invoke-powershellwmi

invoke-psgcat

invoke-psgcatagent

invoke-psinject

invoke-rickascii

invoke-scriptanalyzer

invoke-servicecmd

invoke-servicedisable

invoke-serviceenable

invoke-servicestart

invoke-servicestop

invoke-serviceuseradd

invoke-sharefinder

invoke-shellcode

invoke--shellcode

invoke-shellcodemsil

invoke-tokenmanipulation

invoke-webrequest

invoke-wmimethod

invoke-wmiplant

ldifde

makecab

mimikatz

net

net group

net.webclient

netsh

new-elevatedpersistenceoption

new-mailboxexportrequest

new-object

nltest

-nop

ntdsutil

out-chm

out-excel

out-hta

out-java

out-minidump

out-shortcut

out-word

parse_keys

payload

port-scan

powercat

powershell

powershellempire

powersploit

rclone

reflectivepeinjection

remove-eventlog

remove-mailboxexportrequest

remove-persistence

remove-poshrat

remove-update

rename-item

req

restore-serviceexe

robocopy

root

run-exeonremote

set-casmailbox

set-clipboard

set-content

set-executionpolicy

set-item

set-itemproperty

set-location

set-masterbootrecord

set-mppreference

set-service

set-timezone

stringtobase64

system.management

system.reflection

systeminfo

tasklist

texttoexe

wevtutil

wmi

wmic

wmiclass

write-cmdservicebinary

write-eventlog

writeline

write-serviceexe

write-serviceexecmd

write-useraddmsi

write-useraddservicebinary

wsman

xcopy

Auditd settings: Red Hat 9.4 STIG

#/etc/audit/rules.d/audit.rules
#
# auditd rule set assembled from the RHEL 9 STIG (Vul IDs are noted inline
# where the author recorded them). augenrules compiles
# /etc/audit/rules.d/*.rules into /etc/audit/audit.rules, so keep edits in
# rules.d, load with `augenrules --load`, and verify the result with
# `auditctl -l`.
#
# NOTE(review): several rules appear twice under different keys (the execve
# uid!=euid / gid!=egid rules under setuid/setgid and again under execpriv,
# the /etc/sudoers watches under actions and again under identity, the
# /etc/issue, /etc/hosts and /etc/sysconfig/network watches under two keys,
# and the clock syscalls under time-change and audit_time_rules). The kernel
# treats a different key as a different rule, so they load, but every match
# then writes two records; consolidate if log volume matters.
#
# NOTE(review): the rule keyed audit_time_rule (singular) below looks like a
# typo of audit_time_rules. Once corrected it is byte-identical to the later
# rule, and auditctl refuses an identical duplicate ("Rule exists") -- drop
# one of the two rather than just fixing the spelling.

-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change

-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change

-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules

-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules

# key is "audit_time_rule" (singular) -- see review note in the header
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rule

-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules

-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules

-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules

-w /etc/localtime -p wa -k time-change

# Executions where the effective uid/gid differs from the real one and the
# effective id is root (setuid/setgid binaries). Repeated below under the
# execpriv key for V-258176.
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

# Hostname / network identity / banner changes.
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification

-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale

-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale

-w /etc/issue -p wa -k audit_rules_networkconfig_modification

-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

-w /etc/issue -p wa -k system-locale

-w /etc/issue.net -p wa -k system-locale

-w /etc/hosts -p wa -k system-locale

-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

-w /etc/hostname -p wa -k system-locale

-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

# SELinux policy changes (watched twice: dir rule and -w watch, same key).
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy

-w /etc/selinux/ -p wa -k MAC-policy

# Login session records.
-w /var/run/utmp -p wa -k session

-w /var/log/btmp -p wa -k session

-w /var/log/wtmp -p wa -k session

# Mounts by real (non-system, auid>=1000) users.
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export

# sudoers changes (repeated below under the identity key for V-258217/218).
-w /etc/sudoers -p wa -k actions

-w /etc/sudoers.d/ -p wa -k actions

# Kernel module load/unload, both by syscall and by tool path.
-a always,exit -F arch=b32 -S create_module -k module-change

-a always,exit -F arch=b64 -S create_module -k module-change

-a always,exit -F arch=b32 -S finit_module -k module-change

-a always,exit -F arch=b64 -S finit_module -k module-change

-w /etc/sysconfig/network -p wa -k system-locale

-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

-w /usr/sbin/insmod -p x -k modules

-w /usr/sbin/rmmod -p x -k modules

-w /usr/sbin/modprobe -p x -k modules

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

-a always,exit -F arch=b32 -S init_module -k module-change

-a always,exit -F arch=b64 -S init_module -k module-change

# Package and language-ecosystem installers (software supply chain visibility).
-a always,exit -F perm=x -F path=/usr/bin/dnf-3 -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/yum -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/pip -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/npm -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/cpan -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/gem -F key=software-installer

-a always,exit -F perm=x -F path=/usr/bin/luarocks -F key=software-installer

# --- STIG-numbered rules from here on ---

#Vul ID: V-258176

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv

-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv

#Vul ID: V-258177

-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

#Vul ID: V-258178

-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod

-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod

#Vul ID: V-258179

# xattr changes by real users (auid>=1000) and, separately, by root (auid=0).
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod

-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod

#Vul ID: V-258180

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount

#Vul ID: V-258181

# chacl is recorded under two keys (perm_mod and perm_chng); each run logs twice.
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod

-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng

#Vul ID: V-258182

-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod

#Vul ID: V-258183

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod

#Vul ID: V-258184

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258185

-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258186

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

#Vul ID: V-258187

-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete

-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete

#Vul ID: V-258188

# Failed file opens/truncates only (exit=-EPERM / -EACCES), so successful
# access is not logged here.
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access

-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access

-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access

-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access

#Vul ID: V-258189

-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng

-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng

#Vul ID: V-258190

-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng

-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng

#Vul ID: V-258191

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage

#Vul ID: V-258192

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

#Vul ID: V-258193

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab

#Vul ID: V-258194

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd

#Vul ID: V-258195

-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules

#Vul ID: V-258196

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

#Vul ID: V-258197

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check

#Vul ID: V-258198

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd

#Vul ID: V-258199

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258200

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258201

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh

#Vul ID: V-258202

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh

#Vul ID: V-258203

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change

#Vul ID: V-258204

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

#Vul ID: V-258205

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd

#Vul ID: V-258206

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258207

# NOTE(review): no rule follows V-258207 -- confirm against the STIG which
# command this entry is meant to cover and add its path rule, or drop the tag.

#Vul ID: V-258208

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update

#Vul ID: V-258209

-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod

#Vul ID: V-258210

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount

#Vul ID: V-258211

-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init

#Vul ID: V-258212

-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff

#Vul ID: V-258213

-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot

#Vul ID: V-258214

-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown

#Vul ID: V-258215

# umount is listed for b32 only; the same syscall is recorded under two keys.
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod

-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount

#Vul ID: V-258216

-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod

-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod

#Vul ID: V-258217

-w /etc/sudoers -p wa -k identity

#Vul ID: V-258218

-w /etc/sudoers.d/ -p wa -k identity

#Vul ID: V-258219

# Account database files.
-w /etc/group -p wa -k identity

#Vul ID: V-258220

-w /etc/gshadow -p wa -k identity

#Vul ID: V-258221

-w /etc/security/opasswd -p wa -k identity

#Vul ID: V-258222

-w /etc/passwd -p wa -k identity

#Vul ID: V-258223

-w /etc/shadow -p wa -k identity

#Vul ID: V-258224

# Login failure / last-login records.
-w /var/log/faillock -p wa -k logins

#Vul ID: V-258225

-w /var/log/lastlog -p wa -k logins

#Vul ID: V-258226

-w /var/log/tallylog -p wa -k logins

# NOTE(review): the control settings below are commented out, so none of them
# is applied as written. They are not ordinary rules: -e 2 locks the audit
# configuration until reboot and has to be the last line loaded, and -f 2
# makes the kernel panic (halt) when auditing fails. Enable them deliberately,
# and keep -e 2 in the last file augenrules merges.

#Vul ID: V-258228

#--loginuid-immutable

#Vul ID: V-258229

#-e 2

#--backlog_wait_time 60000

#Vul ID: V-258227

#-f 2
