From 045a9a5faa7c5de03327e255c3da96209aac5e06 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Apr 2024 16:37:15 +0200 Subject: [PATCH] Merge PR #4803 from @frack113 - Update regex based rules update: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Stdin - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Use Clip - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Remove unnecessary starting wildcard update: Invoke-Obfuscation CLIP+ Launcher - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR+ Launcher - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Stdin - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation Via Use Clip - Powershell - Remove unnecessary starting wildcard update: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Remove unnecessary starting wildcard update: Invoke-Obfuscation STDIN+ Launcher - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation VAR+ Launcher - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation Via Stdin - Update rule to use regex for better accuracy in CLI update: Invoke-Obfuscation Via Use Clip - Update rule to use regex for better accuracy in CLI --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...voke_obfuscation_var_services_security.yml | 2 +- ..._obfuscation_via_var_services_security.yml | 2 +- 
...stem_invoke_obfuscation_stdin_services.yml | 2 +- ...system_invoke_obfuscation_var_services.yml | 2 +- ..._invoke_obfuscation_via_stdin_services.yml | 2 +- ...em_invoke_obfuscation_via_var_services.yml | 2 +- .../posh_pm_invoke_obfuscation_clip.yml | 4 ++-- .../posh_pm_invoke_obfuscation_stdin.yml | 4 ++-- .../posh_pm_invoke_obfuscation_var.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_stdin.yml | 4 ++-- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_var.yml | 4 ++-- .../posh_ps_invoke_obfuscation_clip.yml | 4 ++-- .../posh_ps_invoke_obfuscation_stdin.yml | 4 ++-- .../posh_ps_invoke_obfuscation_var.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_stdin.yml | 4 ++-- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_var.yml | 4 ++-- ...ation_win_hktl_invoke_obfuscation_clip.yml | 2 +- ...tion_win_hktl_invoke_obfuscation_stdin.yml | 19 ++++--------------- ...eation_win_hktl_invoke_obfuscation_var.yml | 11 ++--------- ..._win_hktl_invoke_obfuscation_via_stdin.yml | 11 ++--------- ...n_hktl_invoke_obfuscation_via_use_clip.yml | 17 ++--------------- ...on_win_hktl_invoke_obfuscation_via_var.yml | 2 +- ..._powershell_cmdline_special_characters.yml | 10 +++++----- 25 files changed, 47 insertions(+), 85 deletions(-) diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml index 601cd0d93..98c8fd885 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml 
@@ -22,7 +22,7 @@ logsource: detection: selection: EventID: 4697 - # ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " ServiceFileName|contains|all: diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml index df5f64e2f..d9b7e0177 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml 
@@ -22,7 +22,7 @@ logsource: detection: selection: EventID: 4697 - # ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" ServiceFileName|contains|all: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml index a4a076d0a..cb8ed0b06 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml 
@@ -19,7 +19,7 @@ detection:
 selection_main:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
 # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
 # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
 ImagePath|contains|all:
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
index 4dae34d2c..9093a4cd7 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml
@@ -19,7 +19,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " ImagePath|contains|all: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml index 832ce8faf..ddefd3987 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml @@ -19,7 +19,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + # ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' ImagePath|contains|all: - 'set' - '&&' 
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml index 1dd732b0e..a40794827 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml @@ -19,7 +19,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - # ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" ImagePath|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 4d2beee03..35f24e169 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml 
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
+ Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 28f64a870..2c4daaf02 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
+ Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index 7cff26c79..b0959c6e6 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
+ Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 307a68942..53738e646 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2022/11/29
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
+ Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index c0e56b255..e78c5e3a7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/11/29
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index 9c54f66e3..b8c764d3a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -21,7 +21,7 @@ logsource:
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
 selection_4103:
- Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
+ Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
 condition: selection_4103
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b3d1e46ce..b948669e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
+ ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 004b6b437..7915effcc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/12/03
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
+ ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 4a65450e2..5a76116ce 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
+ ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 51b97ac65..3b39dfd48 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2022/11/29
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
+ ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index b9801bd8d..15d3e29c9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/11/29
+modified: 2024/04/15
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index e162cabef..0f357ea7c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2022/12/02
+modified: 2024/04/05
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
+ ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
 condition: selection_4104
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
index 549ee05c4..24f14b03c 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + # CommandLine|re: 'cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' # Example 1: Cmd /c" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\"{1}{2}{0}\"-f'pe','Ad',(\"{1}{0}\" -f'Ty','d-' ) ) -Assemb ( \"{5}{1}{3}{0}{2}{4}\" -f'ows','y','.F',(\"{0}{1}{2}\" -f'stem.W','i','nd'),( \"{0}{1}\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \"{1}{0}\" -f (\"{1}{0}\" -f'T','TTeX' ),'gE' ).\"invO`Ke\"( ) ) ^| ^&( \"{5}{1}{2}{4}{3}{0}\" -f 'n',( \"{1}{0}\"-f'KE-','o' ),(\"{2}{1}{0}\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\"{0}{1}\" -f( \"{1}{0}\"-f'e','SetT' ),'xt').\"InV`oKe\"( ' ')" # Example 2: CMD/c " ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\WiNDowS\SySteM32\cLip && powershElL -noPRO -sTa ^& (\"{2}{0}{1}\" -f 'dd',(\"{1}{0}\"-f 'ype','-T' ),'A' ) -AssemblyN (\"{0}{3}{2}{1}{4}\"-f'Pr','nCo',(\"{0}{1}\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \"{1}{0}\" -f(\"{0}{1}\" -f'tTe','xt' ),'ge' ).\"IN`Vo`Ke\"( ) ) ) ; [System.Windows.Clipboard]::( \"{2}{1}{0}\" -f't',( \"{0}{1}\" -f 'tT','ex' ),'Se' ).\"In`V`oKe\"( ' ' )" CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml index 80ec9d73a..1b8b10d88 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml 
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/17
+modified: 2024/04/15
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -16,22 +16,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_main:
- # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ selection:
 # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
 # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
- CommandLine|contains|all:
- - 'cmd'
- - 'powershell'
- CommandLine|contains:
- - '/c'
- - '/r'
- selection_other:
- - CommandLine|contains: 'noexit'
- - CommandLine|contains|all:
- - 'input'
- - '$'
- condition: all of selection_*
+ CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
index d5603d93e..ef47ac6d0 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/17
+modified: 2024/04/15
 tags:
 - attack.defense_evasion
 - attack.t1027
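Review bot: The `CommandLine|re` pattern added in the detection hunk is case-sensitive, so its literals `cmd`, `/c`, `/r` and `powershell` do not match the rule's own Example 1 and 2 on the preceding comment lines (`CmD.eXE /C`, `POwersHELl`), while the `contains` selection it replaces was case-insensitive under Sigma's default string matching. Unless the target backend compiles `re` with a case-insensitive flag, prefix the pattern the way the via_stdin and via_use_clip rules in this commit already do: `CommandLine|re: '(?i)cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'`. The var rule's hunk on the next line has the same gap (`cmd`, `/c` and `set` against examples showing `/C"SET` and `/C "seT`), and the posh_pm/posh_ps clip, stdin and var patterns whose leading `.*` this commit trims carry the same case-sensitive literals.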
@@ -17,16 +17,9 @@ logsource:
 product: windows
 detection:
 selection:
- # CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
 # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
 # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
- CommandLine|contains|all:
- - 'cmd'
- - '"set'
- - '-f'
- CommandLine|contains:
- - '/c'
- - '/r'
+ CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
index b28a3c35d..bf59737d8 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2022/11/16
+modified: 2024/04/15
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -17,14 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- # CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- CommandLine|contains|all:
- - 'set'
- - '&&'
- CommandLine|contains:
- - 'environment'
- - 'invoke'
- - 'input'
+ CommandLine|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
index 462132514..9fb519d45 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2022/11/16
+modified: 2024/04/15
 tags:
 - attack.defense_evasion
 - attack.t1027
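Review bot: The new `CommandLine|re` pattern keeps the brace in `\${?input` unescaped, whereas the PowerShell module and script variants of this rule in the same commit write it as `\$?\{?input` and `\$\{?input`; a `{` that does not open a valid quantifier is taken as a literal by some regex engines but rejected by others (Java's Pattern reports an illegal repetition), so the converted rule may fail to compile on some backends. Escape it to match the siblings: `CommandLine|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'`. The capturing group around `set` is not referenced anywhere and could be reduced to a plain `set` at the same time.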
@@ -17,22 +17,9 @@ logsource:
 product: windows
 detection:
 selection:
- # CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
 # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
 # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
- CommandLine|contains|all:
- - 'echo'
- - 'clip'
- - '&&'
- CommandLine|contains:
- - 'clipboard'
- - 'invoke'
- - 'i`'
- - 'n`'
- - 'v`'
- - 'o`'
- - 'k`'
- - 'e`'
+ CommandLine|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml index 27bf68125..d237f85aa 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - # CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 82422dacd..ca41366fd 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
@@ -6,7 +6,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
 date: 2020/10/15
-modified: 2023/04/06
+modified: 2024/04/15
 tags:
 - attack.execution
 - attack.defense_evasion
@@ -25,10 +25,10 @@ detection:
 - 'pwsh.dll'
 selection_re:
 # TODO: Optimize for PySIGMA
- - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
- - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
- - CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
- - CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ - CommandLine|re: '\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+'
+ - CommandLine|re: '\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{'
+ - CommandLine|re: '\^.*\^.*\^.*\^.*\^'
+ - CommandLine|re: '`.*`.*`.*`.*`'
 filter_optional_amazonSSM:
 ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
 filter_optional_defender_atp:
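Review bot: The four patterns rewritten under `selection_re` still spell the repeated fragment out by hand (`\+.*` fourteen times, `\{.*` ten times, `\^.*` and the backtick fragment five times each), which hides the threshold each one enforces and is easy to miscount on the next edit. A counted repetition expresses the same match explicitly, e.g. `- CommandLine|re: '(?:\+.*){13}\+'` for the first line, and likewise `(?:\{.*){9}\{`, `(?:\^.*){4}\^` and the backtick pattern with `{4}` followed by a final backtick; each is equivalent to the hunk's version (same minimum count of the character, in order). The `# TODO: Optimize for PySIGMA` comment above them is unchanged, so this is a readability point rather than a change in behavior.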