From c33119563729eca8a2517d92aa7922ad2cd59cd9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Mar 2022 15:17:29 +0100
Subject: [PATCH 1/5] fix: empty query in rule > bug
---
 rules/network/net_wannacry_killswitch_domain.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/network/net_wannacry_killswitch_domain.yml b/rules/network/net_wannacry_killswitch_domain.yml
index 52eb64c33..9ca3530c5 100644
--- a/rules/network/net_wannacry_killswitch_domain.yml
+++ b/rules/network/net_wannacry_killswitch_domain.yml
@@ -6,7 +6,7 @@ author: Mike Wade
 references:
 - https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html
 date: 2020/09/16
-modified: 2021/11/27
+modified: 2022/03/24
 logsource:
 category: dns
 detection:
@@ -17,7 +17,6 @@ detection:
 - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
 - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
 - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
- - ''
 condition: selection
 falsepositives:
 - Analyst testing
From a06b599bec8b5ea301b7933c2663ddc35ebb4746 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Mar 2022 16:31:50 +0100
Subject: [PATCH 2/5] rule: IEX patterns
---
 ...ation_win_susp_powershell_iex_patterns.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
new file mode 100644
index 000000000..eccc4bbde
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -0,0 +1,35 @@
+title: Suspicious PowerShell IEX Execution Patterns
+id: 09576804-7a05-458e-a817-eb718ca91f54
+status: experimental
+description: Detects suspicious ways to run Invoke-Execution using IEX acronym
+author: Florian Roth
+date: 2022/03/24
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_combined:
+ Image|endwith: '\powershell.exe'
+ CommandLine|contains:
+ -' | iex;'
+ -' | iex '
+ -' | iex}'
+ -' | IEX;'
+ -' | IEX ;'
+ -' | IEX -Error'
+ -' | IEX (new'
+ -' | IEX (New'
+ -');IEX '
+ selection_standalone:
+ CommandLine|contains:
+ -')|iex;$'
+ -')|IEX;$'
+ -');iex($'
+ -');iex $'
+ -' | IEX | '
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate scripts that use IEX
+level: high
From f1b91ba8ac4171fd7ece5d18d6faebb2786a3369 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Mar 2022 16:44:35 +0100
Subject: [PATCH 3/5] refactor: more powershell loader rules
---
 .../proc_creation_win_susp_powershell_download_iex.yml | 2 ++
 .../proc_creation_win_susp_powershell_iex_patterns.yml | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
index 0c9779e7f..bcce4ec7f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
@@ -21,6 +21,8 @@ detection:
 - 'I`EX'
 - 'IE`X'
 - 'I`E`X'
+ - ' | IEX'
+ - '|IEX '
 - 'Invoke-Execution'
 - ';iex $'
 condition: selection and execution
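Review bot: The items under both `CommandLine|contains` lists are written as `-' | iex;'`, with no space between the dash and the opening quote, so YAML does not read them as sequence entries; unless the rendering dropped that space, each selection ends up holding one folded scalar and the rule can never match. Every item should read `- ' | iex;'` (dash, space, quoted value), the form the `references` and `falsepositives` entries in the same file already use. The description also names a cmdlet that does not exist: IEX is the alias of Invoke-Expression, which is what the linked reference documents, so `description: Detects suspicious ways to run Invoke-Expression via its IEX alias` would be accurate. The `Image|endwith` modifier in this hunk is corrected by later patches in the series.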
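Review bot: The context entry `- 'Invoke-Execution'` directly below the two added lines is not a PowerShell cmdlet name, so that value can never match the command it is meant to cover; the cmdlet behind IEX is Invoke-Expression, and the one-line fix is `- 'Invoke-Expression'`. This is not changed by the commit but sits in the same list the commit extends, so it is worth fixing in the same pass. The list these items belong to begins above the hunk, so I cannot see whether an `Invoke-Expression` entry already exists higher up.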
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index eccc4bbde..2f6206177 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -10,7 +10,7 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection_combined:
+ selection_combined_1:
 Image|endwith: '\powershell.exe'
 CommandLine|contains:
 -' | iex;'
@@ -22,6 +22,10 @@ detection:
 -' | IEX (new'
 -' | IEX (New'
 -');IEX '
+ selection_combined_2:
+ CommandLine|contains:
+ - '::FromBase64String'
+ - '.GetString([System.Convert]::'
 selection_standalone:
 CommandLine|contains:
 -')|iex;$'
@@ -29,7 +33,7 @@ detection:
 -');iex($'
 -');iex $'
 -' | IEX | '
- condition: 1 of selection*
+ condition: all of selection_combined* or selection_standalone
 falsepositives:
 - Legitimate scripts that use IEX
 level: high
From 69702238724f0b6a26a15dacd91b34adc0efe589 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 24 Mar 2022 19:05:04 +0100
Subject: [PATCH 4/5] fix: bug in modifier
---
 .../proc_creation_win_susp_powershell_iex_patterns.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index 2f6206177..f2169567e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -11,7 +11,7 @@ logsource:
 category: process_creation
 detection:
 selection_combined_1:
- Image|endwith: '\powershell.exe'
+ Image|endwiths: '\powershell.exe'
 CommandLine|contains:
 -' | iex;'
 -' | iex '
From 507551c63111cb4072e1ce3acdf64673bc7d2286 Mon Sep 17 00:00:00 2001
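Review bot: The new condition `all of selection_combined* or selection_standalone` makes the combined branch fire only when a pipe-to-IEX pattern co-occurs with a `FromBase64String`/`GetString([System.Convert]::` decode, which is a much narrower rule than the `1 of selection*` it replaces, but the rule's `description` (above this hunk) still says only that it detects IEX execution patterns, so a reader cannot tell that Base64 decoding is now required for that branch. Suggest stating it, e.g. `description: Detects Invoke-Expression (IEX) invoked via a pipe together with Base64 decoding of the payload, or standalone IEX call patterns`. The new `selection_combined_2` items are correctly written as `- '...'`, unlike the `-'...'` items in `selection_combined_1` and `selection_standalone` visible as context here, which YAML will not read as list entries unless the rendering dropped a space; it would be worth normalising them in the same commit.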
From: Florian Roth
Date: Thu, 24 Mar 2022 19:08:53 +0100
Subject: [PATCH 5/5] fix: typo in modifier
---
 .../proc_creation_win_susp_powershell_iex_patterns.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
index f2169567e..47fce53b0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
@@ -11,7 +11,7 @@ logsource:
 category: process_creation
 detection:
 selection_combined_1:
- Image|endwiths: '\powershell.exe'
+ Image|endswith: '\powershell.exe'
 CommandLine|contains:
 -' | iex;'
 -' | iex '