diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index 0a5dc88cb..cebabac1d 100644 --- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml @@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -13,11 +13,10 @@ tags: - attack.t1086 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo: '*' filter: ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index dc3a6cdd5..b7a636ef6 100644 --- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -11,18 +11,17 @@ references: - https://www.mdeditor.tw/pl/pgRt author: 'ok @securonix invrep_de, oscd.community' date: 2020/10/09 -modified: 2021/10/07 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: - '$DoIt' - 'harmj0y' 
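Review bot: With `EventID: 4103` removed, `selection` in the second hunk of powershell_alternate_powershell_hosts.yml reduces to `ContextInfo: '*'`, i.e. "the field exists", so scoping to module-logging events now rests entirely on the backend configuration mapping `category: ps_module` to that event; a deployment whose config lacks such a mapping would presumably evaluate only the `filter` against every event carrying a ContextInfo field. The `definition` field still describes only the audit-policy prerequisite, so the new dependency is undocumented in the rule itself. Consider stating it, e.g. `definition: 'PowerShell Module Logging must be enabled; the ps_module category must be mapped to event 4103 in the backend configuration'`. The same consideration applies to the other rules in this commit whose selections are left with field-content conditions only.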
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 46da86f66..a13453f9a 100644 --- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -6,7 +6,7 @@ related: status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -modified: 2020/11/28 +modified: 2021/10/16 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a @@ -16,11 +16,9 @@ tags: - attack.t1146 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_id: - EventID: 4103 selection_payload_1: Payload|contains: - 'del' @@ -33,7 +31,7 @@ detection: - 'Set-PSReadlineOption' - '–HistorySaveStyle' - 'SaveNothing' - condition: selection_id and ( selection_payload_1 or selection_payload_2 ) + condition: selection_payload_1 or selection_payload_2 falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index 5107fd704..6429b550c 100644 --- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml 
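Review bot: In the keyword list at the top of the third hunk of powershell_clear_powershell_history.yml, `'–HistorySaveStyle'` starts with an en dash (U+2013) rather than an ASCII hyphen, so a plain `-HistorySaveStyle` parameter never matches that entry; the neighbouring `'SaveNothing'` entry would still catch most uses, but the dashed keyword is effectively inert for ordinary input. If the Unicode-dash variant is intended, keep it and add the ASCII form alongside: `- '-HistorySaveStyle'`. The selection this list belongs to starts outside the hunk, and the rewritten `condition` in the same hunk is unaffected by this change.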
@@ -6,7 +6,7 @@ related: description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. status: experimental date: 2020/05/02 -modified: 2021/10/07 +modified: 2021/10/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -16,11 +16,10 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: 'Expand-Archive' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 832dab3d8..65e817515 100644 --- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -6,7 +6,7 @@ related: description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. status: experimental date: 2020/05/02 -modified: 2021/10/07 +modified: 2021/10/16 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -16,11 +16,10 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|contains: 'Get-Clipboard' condition: selection_4103 falsepositives: 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 98a298b6c..73f8b09f4 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index e00f05f98..6e6f969ba 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml @@ -7,7 +7,7 @@ description: "Detects all variations of obfuscated powershell IEX invocation cod status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2021/10/07 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1027 
@@ -16,11 +16,9 @@ tags: - attack.t1086 #an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_id: - EventID: 4103 selection_payload: - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' @@ -29,7 +27,7 @@ detection: - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' - condition: selection_id and selection_payload + condition: selection_payload falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index ff0cda53b..483b4c343 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index f85198ccd..91aec4b61 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml 
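Review bot: In the last pattern of the second hunk of powershell_invoke_obfuscation_obfuscated_iex.yml, `'\String\]\s*\$VerbosePreference'`, the leading `\S` is the non-whitespace character class rather than a literal S, so the pattern matches any non-space character followed by `tring]` instead of the presumably intended `[String]` cast; the other patterns in the list escape brackets as `\[`. Suggested: `- Payload|re: '\[String\]\s*\$VerbosePreference'`. The `selection_payload` list starts outside this hunk, and the new `condition: selection_payload` is not affected.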
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 1ba4b73ee..43ca7ebd5 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection_4103 falsepositives: 
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index ccbd2b9a9..bde556966 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index d5715369d..1bd27a934 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: 
@@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 3c823c366..ddfa4f24f 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -7,6 +7,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -16,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index 791c900bf..eb78f9ac3 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml 
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml index 3c12fe926..a30dd2ccc 100644 --- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml index 2b78501f6..ddd02c3dd 100644 
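Review bot: `definition: PowerShell Module Logging must be enabledd` in the second hunk of powershell_invoke_obfuscation_via_use_mhsta.yml has a doubled `d`; the same typo appears in powershell_invoke_obfuscation_via_var.yml, powershell_susp_athremotefxvgpudisablementcommand.yml and powershell_susp_zip_compress.yml in this commit, while every other rule here reads `enabled`. Since each of those hunks already rewrites the adjacent logsource lines, fix it in the same pass: `definition: PowerShell Module Logging must be enabled`.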
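Review bot: `date: 2019/10/08` in the first hunk of powershell_invoke_obfuscation_via_use_rundll32.yml is a year earlier than the 2020/10 dates carried by the sibling rules from the same author and the same sigma issue 1009 task set, so it looks like a year typo rather than a real creation date. The commit touches the neighbouring `modified` line but leaves this one as is; confirm with the author and, if so, correct it to `date: 2020/10/08` in the same change.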
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml @@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/07 +modified: 2021/10/16 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: @@ -17,11 +17,10 @@ tags: - attack.t1059.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r condition: selection_4103 falsepositives: diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml index 649381c9f..ef9261cae 100644 --- a/rules/windows/powershell/powershell_module/powershell_powercat.yml +++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml @@ -3,7 +3,7 @@ id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental author: frack113 date: 2021/07/21 -modified: 2021/09/07 +modified: 2021/10/16 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ @@ -14,11 +14,10 @@ tags: - attack.t1095 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo|contains: - 'powercat ' - 'powercat.ps1' diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml index 4bd6369c7..ba800a5b4 100644 
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml @@ -3,7 +3,7 @@ id: 96b9f619-aa91-478f-bacb-c3e50f8df575 description: Detects remote PowerShell sessions status: test date: 2019/08/10 -modified: 2021/09/21 +modified: 2021/10/16 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html @@ -16,11 +16,10 @@ tags: - attack.t1028 # an old one logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabled detection: selection: - EventID: 4103 ContextInfo|contains|all: - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml index c6571b75f..cd9751e11 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml @@ -3,7 +3,7 @@ id: 38a7625e-b2cb-485d-b83d-aff137d859f4 status: experimental author: frack113 date: 2021/07/13 -modified: 2021/09/07 +modified: 2021/10/16 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md 
@@ -13,11 +13,9 @@ tags: - attack.t1218 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: - selection_id: - EventID: 4103 selection_cmd: ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' selection_opt: @@ -26,7 +24,7 @@ detection: - '-ModulePath ' - '-ScriptBlock ' - '-RemoteFXvGPUDisablementFilePath' - condition: selection_id and selection_cmd and selection_opt + condition: selection_cmd and selection_opt fields: - ComputerName - User diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml index 6e9268e74..26b0c14a9 100644 --- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml @@ -6,7 +6,7 @@ related: status: experimental author: frack113 date: 2021/07/20 -modified: 2021/10/09 +modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md @@ -15,11 +15,10 @@ tags: - attack.t1074.001 logsource: product: windows - service: powershell + category: ps_module definition: PowerShell Module Logging must be enabledd detection: selection_4103: - EventID: 4103 ContextInfo|contains|all: - 'Compress-Archive ' - ' -Path '