From 02e68a3d2658d8807d1afdcfbe7aea02b8cc2ee5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 29 Nov 2022 23:24:49 +0100
Subject: [PATCH] feat: new powertool rule
---
 .../proc_creation_win_powertool_execution.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_powertool_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
new file mode 100644
index 000000000..89f26df5e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
@@ -0,0 +1,27 @@
+title: PowerTool Execution
+id: a34f79a3-8e5f-4cc3-b765-de00695452c2
+status: experimental
+description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+ - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
+ - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
+author: Nasreddine Bencherchali
+date: 2022/11/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
+ - OriginalFileName: 'PowerTool.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
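Review bot: The `falsepositives` entry `Unlikely` understates the benign case: the fourth reference is a Softpedia listing of PowerTool as an anti-rootkit removal utility, and the selection fires on every launch of the binary with no command-line constraint, so administrators or security staff using it for cleanup will trigger a `high` alert. Consider replacing the entry with `- Legitimate use by administrators or security staff to remove rootkits or unwanted drivers` so triage knows what to rule out. The detection is also worth documenting: the `Image|endswith` branch depends on the file name on disk, while the `OriginalFileName` branch depends on the PE version resource, so a one-sentence note in `description` explaining which branch covers which case would help analysts tune it. Whether `PowerTool64.exe` carries the same `OriginalFileName` of `PowerTool.exe` is not visible in this change; confirm against the 64-bit binary before treating that branch as covering both variants.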