From 2db2ab30c4275ff6c63c121062c77023b6f775c6 Mon Sep 17 00:00:00 2001
From: "Nikita P. Nazarov"
Date: Thu, 8 Oct 2020 17:08:43 +0300
Subject: [PATCH 1/5] Detects Obfuscated Powershell via use Rundll32 in Scripts
---
 ...ll_invoke_obfuscation_via_use_rundll32.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..f3da4a1da
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references: https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ - ScriptBlockText|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ selection_3:
+ EventID: 4103
+ selection_4:
+ - Payload|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+falsepositives:
+ - Unknown
+level: high
From 3ba4eeac7bf683d4cb50057cbe0cb9069de87f18 Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:36:20 +0300
Subject: [PATCH 2/5] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
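Review bot: `date: 2019/10/08` in the new rule disagrees with the patch's own Date header (8 Oct 2020) by exactly one year, which looks like a typo; `date: 2020/10/08`. The description repeats the title rather than saying what is matched; suggest `description: Detects the rundll32 launcher pattern used by Invoke-Obfuscation in PowerShell script block (4104) and module (4103) logging`. The `references` scalar is reworked into a proper list by patches 2-4 of this series, so it is not re-raised here, and the regex quality points are raised on patch 5 where the pattern takes its final form.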
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index f3da4a1da..182bffe35 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: https://github.com/Neo23x0/sigma/issues/1009
+references: -https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From b4377ed632b93a42a5ce08d5027ed283f87d3316 Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:45:07 +0300
Subject: [PATCH 3/5] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index 182bffe35..8d2a2bc0d 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: -https://github.com/Neo23x0/sigma/issues/1009
+references: - https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From 80a3a6c0482a0ce6859f252965893ad3fb171f4e Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Thu, 8 Oct 2020 17:52:01 +0300
Subject: [PATCH 4/5] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index 8d2a2bc0d..af6f94dbe 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -4,7 +4,8 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-references: - https://github.com/Neo23x0/sigma/issues/1009
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
 tags:
 - attack.defense_evasion
 - attack.t1027
From 31095033ab7ceb0b45d417ddfc422524e8c2791e Mon Sep 17 00:00:00 2001
From: Nikita Nazarov <61659062+NikitaStormwind@users.noreply.github.com>
Date: Fri, 9 Oct 2020 16:25:59 +0300
Subject: [PATCH 5/5] Update powershell_invoke_obfuscation_via_use_rundll32.yml
---
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
index af6f94dbe..bce2ea533 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -18,11 +18,11 @@ detection:
 selection_1:
 EventID: 4104
 selection_2:
- - ScriptBlockText|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
 selection_3:
 EventID: 4103
 selection_4:
- - Payload|re: '(?i).*downloadstring&&.*rundll32.*powershell.*(value|invoke|comspec|iex).*"'
+ - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
 condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
 falsepositives:
 - Unknown
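Review bot: The new patterns in selection_2 and selection_4 keep a leading `.*` and a trailing `.*"`, so a match requires a literal double quote somewhere after the `(value|invoke|comspec|iex)` alternation, and the six chained `.*` segments can backtrack heavily on 4104 script blocks, which can be very large. Unless the closing quote is a deliberate part of the launcher signature, `- ScriptBlockText|re: '(?i)&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex)'` (and the same for `Payload|re`) covers the same content with less work; whether the Sigma `re` modifier is anchored is backend-dependent, so the leading `.*` buys nothing either way. The `&&` prefix is a cmd.exe operator, so the rule presumably expects the launcher command line to be echoed into the script block or module payload; a one-line comment above `selection_2` stating that expectation, or a concrete `falsepositives` entry in place of `Unknown`, would help the next maintainer tune it. The `detection:` mapping begins above this hunk (it is only visible as the hunk's header context).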