PowerShell Invoke-NinjaCopy script
editPowerShell Invoke-NinjaCopy script
editDetects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
- PowerShell
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.category:process and powershell.file.script_block_text : ( "StealthReadFile" or "StealthReadFileAddr" or "StealthCloseFileDelegate" or "StealthOpenFile" or "StealthCloseFile" or "StealthReadFile" or "Invoke-NinjaCopy" ) and not user.id : "S-1-5-18"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
-
Sub-technique:
- Name: Security Account Manager
- ID: T1003.002
- Reference URL: https://attack.mitre.org/techniques/T1003/002/
-
Sub-technique:
- Name: NTDS
- ID: T1003.003
- Reference URL: https://attack.mitre.org/techniques/T1003/003/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/