From 5c68c42058b88bb830af394a4c2bd2ff99aa28b8 Mon Sep 17 00:00:00 2001 
From: frack113
Date: Sat, 9 Oct 2021 10:30:36 +0200
Subject: [PATCH] order powershell_script
---
 .../powershell_module/powershell_invoke_obfuscation_var.yml | 1 +
 .../powershell_module/powershell_susp_zip_compress.yml | 2 +-
 .../{ => powershell_script}/powershell_adrecon_execution.yml | 0
 .../{ => powershell_script}/powershell_automated_collection.yml | 0
 .../powershell_cl_invocation_lolscript.yml | 0
 .../powershell_cl_invocation_lolscript_count.yml | 0
 .../powershell_cl_mutexverifiers_lolscript.yml | 0
 .../powershell_cl_mutexverifiers_lolscript_count.yml | 0
 .../{ => powershell_script}/powershell_create_local_user.yml | 0
 .../{ => powershell_script}/powershell_data_compressed.yml | 0
 .../{ => powershell_script}/powershell_detect_vm_env.yml | 0
 .../{ => powershell_script}/powershell_dnscat_execution.yml | 0
 .../{ => powershell_script}/powershell_icmp_exfiltration.yml | 0
 .../{ => powershell_script}/powershell_invoke_nightmare.yml | 0
 .../{ => powershell_script}/powershell_keylogging.yml | 0
 .../powershell_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_malicious_keywords.yml | 0
 .../powershell_memorydump_getstoragediagnosticinfo.yml | 0
 .../powershell_nishang_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_ntfs_ads_access.yml | 0
 .../powershell_powerview_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_prompt_credentials.yml | 0
 .../powershell/{ => powershell_script}/powershell_psattack.yml | 0
 .../{ => powershell_script}/powershell_shellcode_b64.yml | 0
 .../powershell_shellintel_malicious_commandlets.yml | 0
 .../powershell_store_file_in_alternate_data_stream.yml | 0
 .../powershell_suspicious_export_pfxcertificate.yml | 0
 .../powershell_suspicious_getprocess_lsass.yml | 0
 .../{ => powershell_script}/powershell_suspicious_keywords.yml | 0
 .../powershell_suspicious_mail_acces.yml | 0
 .../powershell_suspicious_mounted_share_deletion.yml | 0
 .../{ => powershell_script}/powershell_suspicious_recon.yml | 0
 .../powershell_suspicious_win32_pnpentity.yml | 0
 .../powershell/{ => powershell_script}/powershell_timestomp.yml | 0
 .../{ => powershell_script}/powershell_trigger_profiles.yml | 0
 .../{ => powershell_script}/powershell_web_request.yml | 0
 .../{ => powershell_script}/powershell_winlogon_helper_dll.yml | 0
 .../{ => powershell_script}/powershell_wmi_persistence.yml | 0
 .../powershell/{ => powershell_script}/powershell_wmimplant.yml | 0
 39 files changed, 2 insertions(+), 1 deletion(-)
 rename rules/windows/powershell/{ => powershell_script}/powershell_adrecon_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_automated_collection.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_create_local_user.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_data_compressed.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_detect_vm_env.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_dnscat_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_icmp_exfiltration.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_invoke_nightmare.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_keylogging.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_malicious_keywords.yml (100%)
 rename rules/windows/powershell/{
=> powershell_script}/powershell_memorydump_getstoragediagnosticinfo.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_nishang_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_ntfs_ads_access.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_powerview_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_prompt_credentials.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_psattack.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellcode_b64.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellintel_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_store_file_in_alternate_data_stream.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_export_pfxcertificate.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_getprocess_lsass.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_keywords.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mail_acces.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mounted_share_deletion.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_recon.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_win32_pnpentity.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_timestomp.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_trigger_profiles.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_web_request.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_winlogon_helper_dll.yml (100%)
 rename
rules/windows/powershell/{ => powershell_script}/powershell_wmi_persistence.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_wmimplant.yml (100%)
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index 6f187cfbd..e47caf118 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -18,6 +18,7 @@ logsource:
 product: windows
 service: powershell
 definition: Module Logging must be enable
+detection:
 selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index ab97eb0d9..267532036 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -2,7 +2,7 @@ title: Zip A Folder With PowerShell For Staging In Temp
 id: daf7eb81-35fd-410d-9d7a-657837e602bb
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- related: derived
+ type: derived
 status: experimental
 author: frack113
 date: 2021/07/20
diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_adrecon_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
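Review bot: The regex on the `Payload|re:` line that the new `detection:` key now encloses is case-sensitive — `cmd`, `/c`, `/r`, `set` and `-f` match only in lower case — while cmd.exe and PowerShell accept any casing, so a launcher that merely varies case (e.g. `CMD /C "SET ...`) slips past the rule, and Sigma's `re` modifier does not add case-insensitivity by itself. Prefix the pattern with an inline flag, `Payload|re: '(?i).*cmd.{0,5}(?:\/c|\/r)...'`, or confirm that every target backend compiles `re` patterns case-insensitively before relying on it. The leading `.*` is redundant for an unanchored search and can be dropped to reduce backtracking on long module-logging payloads. The `condition` that should reference `selection_4103`, and the rest of the detection section, lie outside the hunk, so whether the newly scoped selection is actually used could not be checked here.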
diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_automated_collection.yml
rename to rules/windows/powershell/powershell_script/powershell_automated_collection.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
similarity index 100%
rename from rules/windows/powershell/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/powershell_create_local_user.yml
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/powershell_data_compressed.yml
diff --git a/rules/windows/powershell/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_dnscat_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_icmp_exfiltration.yml
rename to rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
similarity index 100%
rename from rules/windows/powershell/powershell_invoke_nightmare.yml
rename to rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
similarity index 100%
rename from rules/windows/powershell/powershell_keylogging.yml
rename to rules/windows/powershell/powershell_script/powershell_keylogging.yml
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
similarity index 100%
rename from rules/windows/powershell/powershell_ntfs_ads_access.yml
rename to rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
similarity index 100%
rename from rules/windows/powershell/powershell_prompt_credentials.yml
rename to rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml
similarity index 100%
rename from rules/windows/powershell/powershell_psattack.yml
rename to rules/windows/powershell/powershell_script/powershell_psattack.yml
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellcode_b64.yml
rename to rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
rename to rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/powershell_timestomp.yml
diff --git a/rules/windows/powershell/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
diff --git a/rules/windows/powershell/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml
similarity index 100%
rename from rules/windows/powershell/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/powershell_web_request.yml
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/powershell_wmimplant.yml