From 587da70c9449b5901e862ec4e21acfaba574da7b Mon Sep 17 00:00:00 2001 From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Sat, 28 Oct 2023 19:43:58 +0900 Subject: [PATCH] Merge PR #4519 from @fukusuket - Update PowerShell Classic Rule To Use `Data` Field update: Suspicious XOR Encoded PowerShell Command Line - PowerShell update: Uncommon PowerShell Hosts update: Delete Volume Shadow Copies Via WMI With PowerShell update: PowerShell Downgrade Attack - PowerShell update: PowerShell Called from an Executable Version Mismatch update: Netcat The Powershell Version update: Remote PowerShell Session (PS Classic) update: Renamed Powershell Under Powershell Channel update: Suspicious PowerShell Download update: Use Get-NetTCPConnection update: Zip A Folder With PowerShell For Staging In Temp - PowerShell update: Tamper Windows Defender - PSClassic update: Suspicious Non PowerShell WSMAN COM Provider update: Suspicious XOR Encoded PowerShell Command Line - PowerShell --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...osh_pc_abuse_nslookup_with_dns_records.yml | 14 +++++----- .../posh_pc_alternate_powershell_hosts.yml | 26 +++++++++++-------- .../posh_pc_delete_volume_shadow_copies.yml | 11 +++----- .../posh_pc_downgrade_attack.yml | 11 ++++---- .../posh_pc_exe_calling_ps.yml | 18 ++++++------- .../powershell_classic/posh_pc_powercat.yml | 5 ++-- .../posh_pc_remote_powershell_session.yml | 8 +++--- .../posh_pc_renamed_powershell.yml | 20 ++++++++------ .../posh_pc_susp_download.yml | 7 +++-- .../posh_pc_susp_get_nettcpconnection.yml | 5 ++-- .../posh_pc_susp_zip_compress.yml | 7 +++-- ...posh_pc_tamper_windows_defender_set_mp.yml | 21 +++++++-------- ...sh_pc_wsman_com_provider_no_powershell.yml | 17 +++++++----- .../posh_pc_xor_commandline.yml | 9 +++---- 14 files changed, 90 insertions(+), 89 deletions(-) 
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
index 34b8b6f74..d9eca12c8 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
@@ -4,27 +4,27 @@ related:
     - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
       type: similar
 status: test
-description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
 references:
     - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
 date: 2022/12/10
-modified: 2022/12/19
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains|all:
+        Data|contains|all:
             - 'powershell'
             - 'nslookup'
-        HostApplication|contains:
-            - '-q=txt'
-            - '-querytype=txt'
+            - '[1]'
+        Data|contains:
+            - '-q=txt http'
+            - '-querytype=txt http'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 165ae4fb7..ee81642b4 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -1,4 +1,4 @@
-title: Alternate PowerShell Hosts
+title: Uncommon PowerShell Hosts
 id: d7326048-328b-4d5e-98af-86e84b17c765
 related:
     - id: 64e8e417-c19a-475a-8d19-98ea705394cc
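Review bot: The `'[1]'` token added to the `Data|contains|all` list and the literal ` http` appended to the `-q=txt` / `-querytype=txt` values are not explained anywhere in the rule, and both narrow the match to one specific cradle shape, so a reader cannot tell whether the narrowing is intended. Presumably `'[1]'` is meant to cover the array indexing (`[1]` or `[-1]`) used to pick the record out of the nslookup output and ` http` the URL-style name from the referenced tweet, but that is inferred, not stated. A comment above the list such as `# Note: '[1]' covers the array index used to select the TXT record from the nslookup output; the ' http' suffix pins the cradle shape from the reference` would make the intent reviewable. Note also that with the `Data` field all three tokens match anywhere in the event text rather than only within the HostApplication value, as the removed `HostApplication|contains|all` did.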
@@ -9,24 +9,28 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2023/04/12
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains: '*'
-    filter:
-        # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs
-        - HostApplication|startswith:
-              - 'powershell'
-              - 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
-        - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
-    condition: selection and not filter
+        Data|contains: 'HostApplication='
+    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    filter_optional_citrix:
+        Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1*'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Programs using PowerShell directly without invocation of a dedicated interpreter
     - MSP Detection Searcher
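Review bot: The new `filter_main_ps` values are substring matches against the entire `Data` text, so the exclusion applies wherever `HostApplication=powershell` occurs in the event, whereas the removed `HostApplication|startswith` was anchored to that one field; the rule should record this as a known limitation next to the localisation note, e.g. `# Note: the filter is a substring match on the whole Data field and is not anchored to the HostApplication line`. The same filter block is duplicated verbatim in posh_pc_renamed_powershell.yml and posh_pc_wsman_com_provider_no_powershell.yml in this commit, so the note applies there too. Two smaller points in this hunk: the trailing `*` in `'Citrix\ConfigSync\ConfigSync.ps1*'` is redundant under `contains` (and is a wildcard, not a literal, in Sigma), and the comment has a typo, `ammount` should read `amount`.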
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index f21afa52c..44b3956c8 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -7,25 +7,22 @@ references:
     - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
 author: frack113
 date: 2021/06/03
-modified: 2021/10/16
+modified: 2023/10/27
 tags:
     - attack.impact
     - attack.t1490
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains|all:
+        Data|contains|all:
             - 'Get-WmiObject'
-            - ' Win32_Shadowcopy'
-        HostApplication|contains:
+            - 'Win32_Shadowcopy'
+        Data|contains:
             - 'Delete()'
             - 'Remove-WmiObject'
     condition: selection
-fields:
-    - HostApplication
 falsepositives:
     - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
 level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 650cfa829..64c6ba919 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -6,7 +6,7 @@ references:
     - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
     - attack.defense_evasion
     - attack.execution
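Review bot: The rewritten `selection` still requires the literal `Get-WmiObject`, so the built-in `gwmi` alias and the CIM equivalents (`Get-CimInstance` / `Remove-CimInstance`) acting on the same `Win32_Shadowcopy` class are not covered; the old rule had the same gap, but since the block is being restructured anyway this is the moment to close it. Because the cmdlet name sits inside a `contains|all` list, adding alternatives means splitting the cmdlet, class and delete-verb terms into separate selections combined with `all of selection_*`, as sketched below. Whether `Get-CimInstance` should be included is a tuning decision for the maintainers; it is suggested here, not verified against the referenced article.
```yaml
    selection_cmdlet:
        Data|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
    selection_class:
        Data|contains: 'Win32_Shadowcopy'
    selection_delete:
        Data|contains:
            - 'Delete()'
            - 'Remove-WmiObject'
            - 'Remove-CimInstance'
    condition: all of selection_*
```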
@@ -14,13 +14,12 @@ tags:
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        EngineVersion|startswith: '2.'
-    filter:
-        HostVersion|startswith: '2.'
-    condition: selection and not filter
+        Data|contains: 'EngineVersion=2.'
+    filter_main:
+        Data|contains: 'HostVersion=2.'
+    condition: selection and not filter_main
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index 65ff383ae..33e8e6c72 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -6,7 +6,7 @@ references:
     - https://adsecurity.org/?p=2921
 author: Sean Metcalf (source), Florian Roth (Nextron Systems)
 date: 2017/03/05
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
     - attack.defense_evasion
     - attack.execution
@@ -14,15 +14,15 @@ tags:
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
-    selection1:
-        EngineVersion|startswith:
-            - '2.'
-            - '4.'
-            - '5.'
-        HostVersion|startswith: '3.'
-    condition: selection1
+    selection_engine:
+        Data|contains:
+            - 'EngineVersion=2.'
+            - 'EngineVersion=4.'
+            - 'EngineVersion=5.'
+    selection_host:
+        Data|contains: 'HostVersion=3.'
+    condition: all of selection_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index 59e533a8b..77bb134ef 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -11,17 +11,16 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 author: frack113
 date: 2021/07/21
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
     - attack.command_and_control
     - attack.t1095
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains:
+        Data|contains:
             - 'powercat '
             - 'powercat.ps1'
     condition: selection
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index e59918691..a5abc8b2a 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -9,7 +9,7 @@ references:
     - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/10
-modified: 2022/06/20
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -18,11 +18,11 @@ tags:
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostName: 'ServerRemoteHost'
-        HostApplication|contains: 'wsmprovhost.exe'
+        Data|contains|all:
+            - 'HostName=ServerRemoteHost'
+            - 'wsmprovhost.exe'
     condition: selection
 falsepositives:
     - Legitimate use remote PowerShell sessions
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 2a6adeb25..b60b0031e 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -6,22 +6,26 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
 date: 2020/06/29
-modified: 2021/10/16
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostName: ConsoleHost
-    filter:
-        HostApplication|startswith:
-            - powershell.exe
-            - C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
-    condition: selection and not filter
+        Data|contains: 'HostName=ConsoleHost'
+    # Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: low
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index 037a4671e..fbda1dbb9 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -9,19 +9,18 @@ references:
     - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
 author: Florian Roth (Nextron Systems)
 date: 2017/03/05
-modified: 2022/11/09
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection_webclient:
-        HostApplication|contains: 'Net.WebClient'
+        Data|contains: 'Net.WebClient'
     selection_download:
-        HostApplication|contains:
+        Data|contains:
             - '.DownloadFile('
             - '.DownloadString('
     condition: all of selection_*
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 84c79ea4c..8b92aee51 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -6,17 +6,16 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
 date: 2021/12/10
-modified: 2022/12/25
+modified: 2023/10/27
 tags:
     - attack.discovery
     - attack.t1049
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains: Get-NetTCPConnection
+        Data|contains: 'Get-NetTCPConnection'
     condition: selection
 falsepositives:
     - Unknown
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index 394ae9e8a..c7eb42a25 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -9,18 +9,17 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
     - attack.collection
     - attack.t1074.001
 logsource:
     product: windows
     service: powershell-classic
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostApplication|contains|all:
-            - 'Compress-Archive '
+        Data|contains|all:
+            - 'Compress-Archive'
             - ' -Path '
             - ' -DestinationPath '
             - '$env:TEMP\'
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
index 6cd5cf46b..d5b162909 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
@@ -1,7 +1,7 @@
 title: Tamper Windows Defender - PSClassic
 id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 related:
-    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
       type: similar
 status: experimental
 description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
@@ -9,19 +9,18 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/06/07
-modified: 2023/07/13
+modified: 2023/10/27
 tags:
     - attack.defense_evasion
     - attack.t1562.001
 logsource:
     product: windows
     category: ps_classic_provider_start
-    definition: fields have to be extracted from the event
 detection:
-    selection_options_disabling_preference:
-        HostApplication|contains: 'Set-MpPreference'
-    selection_options_disabling_function:
-        HostApplication|contains:
+    selection_set_mppreference:
+        Data|contains: 'Set-MpPreference'
+    selection_options_bool_allow:
+        Data|contains:
             - '-dbaf $true'
             - '-dbaf 1'
             - '-dbm $true'
@@ -60,10 +59,8 @@ detection:
             - '-dsnf 1'
             - '-dss $true'
             - '-dss 1'
-    selection_other_default_actions_allow:
-        HostApplication|contains: 'Set-MpPreference'
-    selection_other_default_actions_func:
-        HostApplication|contains:
+    selection_options_actions_func:
+        Data|contains:
             - 'HighThreatDefaultAction Allow'
             - 'htdefac Allow'
             - 'LowThreatDefaultAction Allow'
@@ -72,7 +69,7 @@ detection:
             - 'mtdefac Allow'
             - 'SevereThreatDefaultAction Allow'
             - 'stdefac Allow'
-    condition: all of selection_options_disabling_* or 1 of selection_other_*
+    condition: selection_set_mppreference and 1 of selection_options_*
 falsepositives:
     - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
 level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
index bf8df3753..46601476b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml
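Review bot: The rewritten condition in the last hunk changes what fires, not only which field is read: the removed `1 of selection_other_*` branch was satisfied by `selection_other_default_actions_allow` alone, i.e. by `Set-MpPreference` with no option at all, so the new `selection_set_mppreference and 1 of selection_options_*` is a deliberate tightening that drops those alerts, and neither the rule nor the commit message records it. A one-line comment above the condition, e.g. `# Note: requires Set-MpPreference together with at least one disabling or allow option; an unqualified Set-MpPreference call no longer matches`, plus a mention in the PR description would preserve that history. The `detection` block these three hunks belong to continues outside the shown lines (the option lists between them are not in the diff).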
@@ -8,7 +8,7 @@ references:
     - https://github.com/bohops/WSMan-WinRM
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/06/24
-modified: 2022/10/09
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -17,13 +17,18 @@ tags:
 logsource:
     product: windows
     service: powershell-classic
-    definition: fields have to be extract from event
 detection:
     selection:
-        ProviderName: WSMan
-    filter:
-        HostApplication|contains: powershell
-    condition: selection and not filter
+        Data|contains: 'ProviderName=WSMan'
+    filter_main_ps:
+        Data|contains:
+            - 'HostApplication=powershell'
+            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
+            # In some cases powershell was invoked with inverted slashes
+            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
+            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index 4dc083c26..5049ca669 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -6,22 +6,21 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/06/29
-modified: 2022/12/02
+modified: 2023/10/27
 tags:
     - attack.execution
     - attack.t1059.001
 logsource:
     product: windows
     category: ps_classic_start
-    definition: fields have to be extract from event
 detection:
     selection:
-        HostName: 'ConsoleHost'
+        Data|contains: 'HostName=ConsoleHost'
     filter:
-        HostApplication|contains:
+        Data|contains:
             - 'bxor'
-            - 'join'
             - 'char'
+            - 'join'
     condition: selection and filter
 falsepositives:
     - Unknown
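Review bot: `filter` is kept as the name of a selection that the condition uses positively (`condition: selection and filter`), which reads as an exclusion now that the sibling rules in this commit use `filter_main_*` for exclusions and `selection_*` for inclusions. Renaming it to `selection_xor` and writing `condition: all of selection_*` would bring the rule in line with posh_pc_susp_download.yml and posh_pc_exe_calling_ps.yml from the same change set without altering what it matches. Reordering `'join'` after `'char'` is purely cosmetic.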