Merge pull request #2851 from SigmaHQ/rule-devel

PowerShell IEX rules
Florian Roth
2022-03-24 19:16:22 +01:00
committed by GitHub
3 changed files with 42 additions and 2 deletions
@@ -6,7 +6,7 @@ author: Mike Wade
references:
- https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
date: 2020/09/16
modified: 2021/11/27
modified: 2022/03/24
logsource:
category: dns
detection:
@@ -17,7 +17,6 @@ detection:
- 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
- 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- ''
condition: selection
falsepositives:
- Analyst testing
@@ -21,6 +21,8 @@ detection:
- 'I`EX'
- 'IE`X'
- 'I`E`X'
- ' | IEX'
- '|IEX '
- 'Invoke-Execution'
- ';iex $'
condition: selection and execution
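Review bot: The added `- 'Invoke-Execution'` item looks like a slip for the cmdlet that the IEX alias resolves to, Invoke-Expression (the reference on the new rule in this same commit points at the invoke-expression documentation); as written it only matches a command line containing that literal token, which no standard cmdlet name produces, so the line adds nothing unless the misspelled form is deliberately targeted. Consider `- 'Invoke-Expression'` instead, or keep both variants with a comment stating why the misspelling is wanted. The `selection` list and the `execution` selection named in the condition both begin outside the hunk, so I cannot see whether the correct spelling is already covered elsewhere in the rule.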
@@ -0,0 +1,39 @@
title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: experimental
description: Detects suspicious ways to run Invoke-Execution using IEX acronym
author: Florian Roth
date: 2022/03/24
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
logsource:
product: windows
category: process_creation
detection:
selection_combined_1:
Image|endswith: '\powershell.exe'
CommandLine|contains:
-' | iex;'
-' | iex '
-' | iex}'
-' | IEX;'
-' | IEX ;'
-' | IEX -Error'
-' | IEX (new'
-' | IEX (New'
-');IEX '
selection_combined_2:
CommandLine|contains:
- '::FromBase64String'
- '.GetString([System.Convert]::'
selection_standalone:
CommandLine|contains:
-')|iex;$'
-')|IEX;$'
-');iex($'
-');iex $'
-' | IEX | '
condition: all of selection_combined* or selection_standalone
falsepositives:
- Legitimate scripts that use IEX
level: high
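Review bot: The items under `CommandLine|contains` in `selection_combined_1` and `selection_standalone` are written as `-' | iex;'` with no space after the dash; if that is how the file reads and not a rendering artifact, YAML does not treat `-'` as a sequence indicator, each block collapses into a single folded plain scalar, and the `contains` test would look for that whole joined string and never fire. Each item should read `- ' | iex;'` with a space, as the `selection_combined_2` list already does. The `description:` line says "Invoke-Execution" while the referenced page and the IEX alias point to Invoke-Expression; `description: Detects suspicious ways to run Invoke-Expression using the IEX alias` would agree with the reference. A `tags:` stanza is also absent, which Sigma rules commonly carry for ATT&CK mapping—worth adding if the project's rule checks expect one.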