From 0e4cd397efe2561e537fb2434532a3a4e4101f54 Mon Sep 17 00:00:00 2001 From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com> Date: Fri, 25 Oct 2019 00:14:21 +0700 Subject: [PATCH 1/6] Create new rules for T1502 --- .../powershell_susp_profile_create.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/powershell/powershell_susp_profile_create.yml diff --git a/rules/windows/powershell/powershell_susp_profile_create.yml b/rules/windows/powershell/powershell_susp_profile_create.yml new file mode 100644 index 000000000..0bf95f4f0 --- /dev/null +++ b/rules/windows/powershell/powershell_susp_profile_create.yml @@ -0,0 +1,24 @@ +title: Powershell profile modify +status: experimental +description: 'Detects a change in profile.ps1 of Powershell profile' +references: + - 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/' +tags: + - attack.persistence + - attack.privellege_escalation + - attack.t1502 +author: HieuTT35 +date: 2019/10/24 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 11 + TargetFilename|re: + - '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1' + - 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1' + condition: selection +falsepositives: + - unknown +level: high From 73b10807d81b14401e6cc3a77b185d796b2c28fa Mon Sep 17 00:00:00 2001 From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com> Date: Fri, 25 Oct 2019 00:14:39 +0700 Subject: [PATCH 2/6] Rename powershell_susp_profile_create.yml to powershell_suspicious_profile_create.yml --- ...rofile_create.yml => powershell_suspicious_profile_create.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{powershell_susp_profile_create.yml => powershell_suspicious_profile_create.yml} (100%) 
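Review bot: The per-user pattern `'.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1'` in the `TargetFilename|re` list does not describe where Windows PowerShell 5.1 actually keeps user profiles: Sysmon's TargetFilename normally carries the resolved path, which on a current Windows install is `C:\Users\<user>\Documents\WindowsPowerShell\profile.ps1` or `...\Microsoft.PowerShell_profile.ps1` (`My Documents` is the legacy junction name, and a bare `PowerShell` folder is what PowerShell Core uses). As written the first branch will rarely fire and the rule quietly depends on the `System32` branch alone. I would widen it to `'.*\\Documents\\(Windows)?PowerShell\\(Microsoft\.PowerShell(ISE)?_)?[Pp]rofile\.ps1'` and add a sentence to `description` listing the profile locations the rule is meant to cover, so the gap is visible to whoever tunes it later.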
diff --git a/rules/windows/powershell/powershell_susp_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml similarity index 100% rename from rules/windows/powershell/powershell_susp_profile_create.yml rename to rules/windows/powershell/powershell_suspicious_profile_create.yml From edb698c7f739cd71882c09c1e75e1e7e2d405da9 Mon Sep 17 00:00:00 2001 From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com> Date: Fri, 25 Oct 2019 00:28:11 +0700 Subject: [PATCH 3/6] Update powershell_suspicious_profile_create.yml --- .../windows/powershell/powershell_suspicious_profile_create.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml index 0bf95f4f0..2ea391081 100644 --- a/rules/windows/powershell/powershell_suspicious_profile_create.yml +++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml @@ -5,8 +5,6 @@ references: - 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/' tags: - attack.persistence - - attack.privellege_escalation - - attack.t1502 author: HieuTT35 date: 2019/10/24 logsource: From e86ab608f246ce5bf964ffd6f8fd11882eecc61f Mon Sep 17 00:00:00 2001 From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com> Date: Fri, 25 Oct 2019 10:53:21 +0700 Subject: [PATCH 4/6] Update powershell_suspicious_profile_create.yml --- .../powershell_suspicious_profile_create.yml | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml index 2ea391081..7b112b021 100644 --- a/rules/windows/powershell/powershell_suspicious_profile_create.yml +++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml 
@@ -1,22 +1,24 @@ -title: Powershell profile modify +title: 'Powershell profile modify' status: experimental description: 'Detects a change in profile.ps1 of Powershell profile' references: - 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/' -tags: - - attack.persistence author: HieuTT35 date: 2019/10/24 logsource: product: windows service: sysmon detection: - selection: - EventID: 11 - TargetFilename|re: - - '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1' - - 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1' - condition: selection + event: + EventID: 11 + target1: + TargetFilename|re: '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1' + target2: + TargetFilename|re: 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1' + condition: event and (target1 or target2) falsepositives: - - unknown + - 'System administrator create Powershell profile manually' level: high +tags: + - attack.persistence + - attack.privilege_escalation From 0c07c5ea1665142478a36d1a58e30d7386dc3b79 Mon Sep 17 00:00:00 2001 From: hieuttmmo <46371125+hieuttmmo@users.noreply.github.com> Date: Fri, 25 Oct 2019 11:00:05 +0700 Subject: [PATCH 5/6] convention --- .../powershell/powershell_suspicious_profile_create.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml index 7b112b021..5266c23e5 100644 --- a/rules/windows/powershell/powershell_suspicious_profile_create.yml +++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml 
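Review bot: The title `'Powershell profile modify'` and the description promise detection of changes to profile.ps1, but `EventID: 11` is Sysmon FileCreate, which per Sysmon's documentation is logged when a file is created or overwritten — appending to an existing profile (e.g. `Add-Content $PROFILE`) is not expected to produce it, so in-place modification of an already-present profile is a blind spot the metadata does not admit. I would reword the description to `Detects creation or overwrite of a PowerShell profile.ps1 file (Sysmon FileCreate); appends to an existing profile are not covered` so analysts know what this high-level alert actually means. Separately, `target2` only covers `C:\Windows\System32\WindowsPowerShell\v1.0\`; the 32-bit host's `$PSHOME` is `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\` and PowerShell Core's lives under `C:\Program Files\PowerShell\<version>\`, so the AllUsers branch deserves at least a matching `SysWOW64` pattern. The `condition: event and (target1 or target2)` logic itself is fine.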
@@ -1,8 +1,8 @@ -title: 'Powershell profile modify' +title: Powershell profile modify status: experimental -description: 'Detects a change in profile.ps1 of Powershell profile' +description: Detects a change in profile.ps1 of Powershell profile references: - - 'https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/' + - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ author: HieuTT35 date: 2019/10/24 logsource: @@ -17,7 +17,7 @@ detection: TargetFilename|re: 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1' condition: event and (target1 or target2) falsepositives: - - 'System administrator create Powershell profile manually' + - System administrator create Powershell profile manually level: high tags: - attack.persistence From f4928e95bc059fcefa2babf0da780d645fc6fbea Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 3 Apr 2020 09:36:17 +0200 Subject: [PATCH 6/6] Update powershell_suspicious_profile_create.yml --- .../powershell_suspicious_profile_create.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml index 5266c23e5..de6a3897b 100644 --- a/rules/windows/powershell/powershell_suspicious_profile_create.yml +++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml 
@@ -1,20 +1,26 @@ -title: Powershell profile modify +title: Powershell Profile.ps1 Modification +id: b5b78988-486d-4a80-b991-930eff3ff8bf status: experimental -description: Detects a change in profile.ps1 of Powershell profile +description: Detects a change in profile.ps1 of the Powershell profile references: - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ author: HieuTT35 date: 2019/10/24 +modified: 2020/04/03 logsource: product: windows service: sysmon detection: event: - EventID: 11 + EventID: 11 target1: - TargetFilename|re: '.*\\My Documents\\PowerShell\\(Microsoft\.)?.*(Profile|profile)\.ps1' + TargetFilename|contains|all: + - '\My Documents\PowerShell\' + - '\profile.ps1' target2: - TargetFilename|re: 'C\:\\Windows\\System32\\WindowsPowerShell\\v1\.0\\(Microsoft\.)?.*(Profile|profile)\.ps1' + TargetFilename|contains|all: + - 'C:\Windows\System32\WindowsPowerShell\v1.0\' + - '\profile.ps1' condition: event and (target1 or target2) falsepositives: - System administrator create Powershell profile manually
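Review bot: Replacing the regex with `TargetFilename|contains|all` and the literal `'\profile.ps1'` narrows the match in a way the commit does not mention: the old `(Microsoft\.)?.*(Profile|profile)\.ps1` also matched the host-specific profiles `Microsoft.PowerShell_profile.ps1` (what `$PROFILE` points to by default) and `Microsoft.PowerShellISE_profile.ps1`, and those contain `_profile.ps1`, not `\profile.ps1`, so they no longer fire in either `target1` or `target2`. Dropping the leading backslash — `- 'profile.ps1'` in both lists — restores that coverage under Sigma's case-insensitive string matching, at the cost of also matching any other file whose name ends that way under those two directories, which seems acceptable for a `high` rule scoped to specific paths. The `tags` block that follows this hunk still carries no `attack.t…` technique tag after `attack.t1502` was dropped earlier in the series; the PowerShell Profile technique was, as far as I recall, `attack.t1504` in the ATT&CK version current at the time — worth verifying against the version the repo tracks and adding so the rule maps correctly.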