Merge PR #4519 from @fukusuket - Update PowerShell Classic Rule To Use Data Field

update: Suspicious XOR Encoded PowerShell Command Line - PowerShell update: Uncommon PowerShell Hosts update: Delete Volume Shadow Copies Via WMI With PowerShell update: PowerShell Downgrade Attack - PowerShell update: PowerShell Called from an Executable Version Mismatch update: Netcat The Powershell Version update: Remote PowerShell Session (PS Classic) update: Renamed Powershell Under Powershell Channel update: Suspicious PowerShell Download update: Use Get-NetTCPConnection update: Zip A Folder With PowerShell For Staging In Temp - PowerShell update: Tamper Windows Defender - PSClassic update: Suspicious Non PowerShell WSMAN COM Provider update: Suspicious XOR Encoded PowerShell Command Line - PowerShell --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 19:43:58 +09:00
parent 3f8eb891e8
commit 587da70c94
14 changed files with 90 additions and 89 deletions
@@ -4,27 +4,27 @@ related:
    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
      type: similar
 status: test
-description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
 references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
 date: 2022/12/10
-modified: 2022/12/19
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains|all:
+        Data|contains|all:
            - 'powershell'
            - 'nslookup'
-        HostApplication|contains:
-            - '-q=txt'
-            - '-querytype=txt'
+            - '[1]'
+        Data|contains:
+            - '-q=txt http'
+            - '-querytype=txt http'
    condition: selection
 falsepositives:
    - Unknown
@@ -1,4 +1,4 @@
-title: Alternate PowerShell Hosts
+title: Uncommon PowerShell Hosts
 id: d7326048-328b-4d5e-98af-86e84b17c765
 related:
    - id: 64e8e417-c19a-475a-8d19-98ea705394cc
@@ -9,24 +9,28 @@ references:
    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2023/04/12
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains: '*'
-    filter:
-        # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs
-        - HostApplication|startswith:
-              - 'powershell'
-              - 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
-        - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
-    condition: selection and not filter
+        Data|contains: 'HostApplication='
+    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_optional_citrix:
+        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1*'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
@@ -7,25 +7,22 @@ references:
    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
 author: frack113
 date: 2021/06/03
-modified: 2021/10/16
+modified: 2023/10/27
 tags:
    - attack.impact
    - attack.t1490
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains|all:
+        Data|contains|all:
            - 'Get-WmiObject'
-            - ' Win32_Shadowcopy'
-        HostApplication|contains:
+            - 'Win32_Shadowcopy'
+        Data|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
    condition: selection
-fields:
-    - HostApplication
 falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
 level: high
@@ -6,7 +6,7 @@ references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -14,13 +14,12 @@ tags:
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        EngineVersion|startswith: '2.'
-    filter:
-        HostVersion|startswith: '2.'
-    condition: selection and not filter
+        Data|contains: 'EngineVersion=2.'
+    filter_main:
+        Data|contains: 'HostVersion=2.'
+    condition: selection and not filter_main
 falsepositives:
    - Unknown
 level: medium
@@ -6,7 +6,7 @@ references:
    - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
    - attack.defense_evasion
    - attack.execution
@@ -14,15 +14,15 @@ tags:
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
-    selection1:
-        EngineVersion|startswith:
-            - '2.'
-            - '4.'
-            - '5.'
-        HostVersion|startswith: '3.'
-    condition: selection1
+    selection_engine:
+        Data|contains:
+            - 'EngineVersion=2.'
+            - 'EngineVersion=4.'
+            - 'EngineVersion=5.'
+    selection_host:
+        Data|contains: 'HostVersion=3.'
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -11,17 +11,16 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 author: frack113
 date: 2021/07/21
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
    - attack.command_and_control
    - attack.t1095
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains:
+        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
@@ -9,7 +9,7 @@ references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/10
-modified: 2022/06/20
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
@@ -18,11 +18,11 @@ tags:
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostName: 'ServerRemoteHost'
-        HostApplication|contains: 'wsmprovhost.exe'
+        Data|contains|all:
+            - 'HostName=ServerRemoteHost'
+            - 'wsmprovhost.exe'
    condition: selection
 falsepositives:
    - Legitimate use remote PowerShell sessions
@@ -6,22 +6,26 @@ references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020/06/29
-modified: 2021/10/16
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostName: ConsoleHost
-    filter:
-        HostApplication|startswith:
-            - powershell.exe
-            - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
-    condition: selection and not filter
+        Data|contains: 'HostName=ConsoleHost'
+    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: low
@@ -9,19 +9,18 @@ references:
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
 date: 2017/03/05
-modified: 2022/11/09
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection_webclient:
-        HostApplication|contains: 'Net.WebClient'
+        Data|contains: 'Net.WebClient'
    selection_download:
-        HostApplication|contains:
+        Data|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
@@ -6,17 +6,16 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
 date: 2021/12/10
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
    - attack.discovery
    - attack.t1049
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains: Get-NetTCPConnection
+        Data|contains: 'Get-NetTCPConnection'
    condition: selection
 falsepositives:
    - Unknown
@@ -9,18 +9,17 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
    - attack.collection
    - attack.t1074.001
 logsource:
    product: windows
    service: powershell-classic
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostApplication|contains|all:
-            - 'Compress-Archive '
+        Data|contains|all:
+            - 'Compress-Archive'
            - ' -Path '
            - ' -DestinationPath '
            - '$env:TEMP\'
@@ -1,7 +1,7 @@
 title: Tamper Windows Defender - PSClassic
 id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 related:
-    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
      type: similar
 status: experimental
 description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
@@ -9,19 +9,18 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/06/07
-modified: 2023/07/13
+modified: 2023/10/27
 tags:
    - attack.defense_evasion
    - attack.t1562.001
 logsource:
    product: windows
    category: ps_classic_provider_start
-    definition: fields have to be extracted from the event
 detection:
-    selection_options_disabling_preference:
-        HostApplication|contains: 'Set-MpPreference'
-    selection_options_disabling_function:
-        HostApplication|contains:
+    selection_set_mppreference:
+        Data|contains: 'Set-MpPreference'
+    selection_options_bool_allow:
+        Data|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
@@ -60,10 +59,8 @@ detection:
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
-    selection_other_default_actions_allow:
-        HostApplication|contains: 'Set-MpPreference'
-    selection_other_default_actions_func:
-        HostApplication|contains:
+    selection_options_actions_func:
+        Data|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
@@ -72,7 +69,7 @@ detection:
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
-    condition: all of selection_options_disabling_* or 1 of selection_other_*
+    condition: selection_set_mppreference and 1 of selection_options_*
 falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
 level: high
@@ -8,7 +8,7 @@ references:
    - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/06/24
-modified: 2022/10/09
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
@@ -17,13 +17,18 @@ tags:
 logsource:
    product: windows
    service: powershell-classic
-    definition: fields have to be extract from event
 detection:
    selection:
-        ProviderName: WSMan
-    filter:
-        HostApplication|contains: powershell
-    condition: selection and not filter
+        Data|contains: 'ProviderName=WSMan'
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: medium
@@ -6,22 +6,21 @@ references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/06/29
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
    - attack.execution
    - attack.t1059.001
 logsource:
    product: windows
    category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
    selection:
-        HostName: 'ConsoleHost'
+        Data|contains: 'HostName=ConsoleHost'
    filter:
-        HostApplication|contains:
+        Data|contains:
            - 'bxor'
-            - 'join'
            - 'char'
+            - 'join'
    condition: selection and filter
 falsepositives:
    - Unknown