order powershell_script

2021-10-09 10:30:36 +02:00
parent 77749510b7
commit 5c68c42058
39 changed files with 2 additions and 1 deletions
@@ -0,0 +1,27 @@
+title: PowerShell ADRecon Execution
+id: bf72941a-cba0-41ea-b18c-9aca3925690d
+status: experimental
+description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 
+references:
+    - https://github.com/sense-of-security/ADRecon
+    - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1059.001
+author: Bhabesh Raj
+date: 2021/07/16
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - 'Function Get-ADRExcelComOb'
+            - 'ADRecon-Report.xlsx' #Default
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,38 @@
+title: Automated Collection Command PowerShell
+id: c1dda054-d638-4c16-afc8-53e007f3fbc5
+status: experimental
+author: frack113
+date: 2021/07/28
+description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+tags:
+    - attack.collection
+    - attack.t1119
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection_eventid:
+        EventID: 4104
+    selection_ext:
+        ScriptBlockText|contains:
+            - '.doc'
+            - '.docx'
+            - '.xls'
+            - '.xlsx'
+            - '.ppt'
+            - '.pptx'
+            - '.rtf'
+            - '.pdf'
+            - '.txt'
+    selection_cmd:
+        ScriptBlockText|contains|all:
+            - 'Get-ChildItem'
+            - ' -Recurse '
+            - ' -Include '
+    condition: all of them
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,27 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,29 @@
+title: Execution via CL_Invocation.ps1 (2 Lines)
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+      # PS > SyncInvoke c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,27 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,29 @@
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+      # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: PowerShell Create Local User
+id: 243de76f-4725-4f2e-8225-a8a69b15ad61
+status: experimental
+description: Detects creation of a local user via PowerShell
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+    - attack.persistence
+    - attack.t1136.001
+    - attack.t1136  # an old one    
+author: '@ROxPinTeddy'
+date: 2020/04/11
+modified: 2021/08/04
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: 'New-LocalUser'
+    condition: selection
+falsepositives:
+    - Legitimate user creation
+level: medium
@@ -0,0 +1,28 @@
+title: Data Compressed - PowerShell
+id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2021/07/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+            - '-Recurse'
+            - '|'
+            - 'Compress-Archive'
+    condition: selection
+falsepositives:
+    - Highly likely if archive operations are done via PowerShell.
+level: low
+tags:
+    - attack.exfiltration
+    - attack.t1560
+    - attack.t1002  # an old one
@@ -0,0 +1,29 @@
+title: Powershell Detect Virtualization Environment
+id: d93129cd-1ee0-479f-bc03-ca6f129882e3
+status: experimental
+author: frack113
+date: 2021/08/03
+description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
+    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
+tags:
+    - attack.defense_evasion
+    - attack.t1497.001
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection_id:
+        EventID: 4104
+    selection_action:
+        ScriptBlockText|contains: Get-WmiObject
+    selection_module:
+        ScriptBlockText|contains: 
+            - MSAcpi_ThermalZoneTemperature
+            - Win32_ComputerSystem
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,25 @@
+title: Dnscat Execution
+id: a6d67db4-6220-436d-8afc-f3842fe05d43
+description: Dnscat exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+modified: 2020/08/24
+tags:
+    - attack.exfiltration
+    - attack.t1048
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: "Start-Dnscat2"
+    condition: selection
+falsepositives:
+    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
+level: critical
@@ -0,0 +1,26 @@
+title: PowerShell ICMP Exfiltration
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+status: experimental
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+author: 'Bartlomiej Czyz @bczyz1, oscd.community'
+date: 2020/10/10
+tags:
+    - attack.exfiltration
+    - attack.t1048.003
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'New-Object'
+          - 'System.Net.NetworkInformation.Ping'
+          - '.Send('
+    condition: selection
+falsepositives:
+    - Legitimate usage of System.Net.NetworkInformation.Ping class
+level: medium
@@ -0,0 +1,23 @@
+title: PrintNightmare Powershell Exploitation
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+status: test
+description: Detects Commandlet name for PrintNightmare exploitation.
+date: 2021/08/09
+modified: 2021/08/31
+references:
+    - https://github.com/calebstewart/CVE-2021-1675
+author: Max Altgelt, Tobias Michalski
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+  selection:
+      EventID: 4104
+      ScriptBlockText|contains: Invoke-Nightmare
+  condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.privilege_escalation
@@ -0,0 +1,29 @@
+title: Powershell Keylogging
+id: 34f90d3c-c297-49e9-b26d-911b05a4866c
+status: experimental
+author: frack113
+date: 2021/07/30
+description: Adversaries may log user keystrokes to intercept credentials as the user types them.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
+tags:
+    - attack.collection
+    - attack.t1056.001
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection_id:
+        EventID: 4104
+    selection_basic:
+        ScriptBlockText|contains: 'Get-Keystrokes'    
+    selection_high: # want to run in background and keyboard
+        ScriptBlockText|contains|all:
+            - 'Get-ProcAddress user32.dll GetAsyncKeyState'
+            - 'Get-ProcAddress user32.dll GetForegroundWindow'
+    condition: selection_id and (selection_basic or selection_high)
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,122 @@
+title: Malicious PowerShell Commandlets
+id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+status: experimental
+description: Detects Commandlet names from well-known PowerShell exploitation frameworks
+references:
+    - https://adsecurity.org/?p=2921
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
+date: 2017/03/05
+modified: 2021/08/21
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+    select_Malicious:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - "Invoke-DllInjection"
+            - "Invoke-Shellcode"
+            - "Invoke-WmiCommand"
+            - "Get-GPPPassword"
+            - "Get-Keystrokes"
+            - "Get-TimedScreenshot"
+            - "Get-VaultCredential"
+            - "Invoke-CredentialInjection"
+            - "Invoke-Mimikatz"
+            - "Invoke-NinjaCopy"
+            - "Invoke-TokenManipulation"
+            - "Out-Minidump"
+            - "VolumeShadowCopyTools"
+            - "Invoke-ReflectivePEInjection"
+            - "Invoke-UserHunter"
+            - "Find-GPOLocation"
+            - "Invoke-ACLScanner"
+            - "Invoke-DowngradeAccount"
+            - "Get-ServiceUnquoted"
+            - "Get-ServiceFilePermission"
+            - "Get-ServicePermission"
+            - "Invoke-ServiceAbuse"
+            - "Install-ServiceBinary"
+            - "Get-RegAutoLogon"
+            - "Get-VulnAutoRun"
+            - "Get-VulnSchTask"
+            - "Get-UnattendedInstallFile"
+            - "Get-ApplicationHost"
+            - "Get-RegAlwaysInstallElevated"
+            - "Get-Unconstrained"
+            - "Add-RegBackdoor"
+            - "Add-ScrnSaveBackdoor"
+            - "Gupt-Backdoor"
+            - "Invoke-ADSBackdoor"
+            - "Enabled-DuplicateToken"
+            - "Invoke-PsUaCme"
+            - "Remove-Update"
+            - "Check-VM"
+            - "Get-LSASecret"
+            - "Get-PassHashes"
+            - "Show-TargetScreen"
+            - "Port-Scan"
+            - "Invoke-PoshRatHttp"
+            - "Invoke-PowerShellTCP"
+            - "Invoke-PowerShellWMI"
+            - "Add-Exfiltration"
+            - "Add-Persistence"
+            - "Do-Exfiltration"
+            - "Start-CaptureServer"
+            - "Get-ChromeDump"
+            - "Get-ClipboardContents"
+            - "Get-FoxDump"
+            - "Get-IndexedItem"
+            - "Get-Screenshot"
+            - "Invoke-Inveigh"
+            - "Invoke-NetRipper"
+            - "Invoke-EgressCheck"
+            - "Invoke-PostExfil"
+            - "Invoke-PSInject"
+            - "Invoke-RunAs"
+            - "MailRaider"
+            - "New-HoneyHash"
+            - "Set-MacAttribute"
+            - "Invoke-DCSync"
+            - "Invoke-PowerDump"
+            - "Exploit-Jboss"
+            - "Invoke-ThunderStruck"
+            - "Invoke-VoiceTroll"
+            - "Set-Wallpaper"
+            - "Invoke-InveighRelay"
+            - "Invoke-PsExec"
+            - "Invoke-SSHCommand"
+            - "Get-SecurityPackages"
+            - "Install-SSP"
+            - "Invoke-BackdoorLNK"
+            - "PowerBreach"
+            - "Get-SiteListPassword"
+            - "Get-System"
+            - "Invoke-BypassUAC"
+            - "Invoke-Tater"
+            - "Invoke-WScriptBypassUAC"
+            - "PowerUp"
+            - "PowerView"
+            - "Get-RickAstley"
+            - "Find-Fruit"
+            - "HTTP-Login"
+            - "Find-TrustedDocuments"
+            - "Invoke-Paranoia"
+            - "Invoke-WinEnum"
+            - "Invoke-ARPScan"
+            - "Invoke-PortScan"
+            - "Invoke-ReverseDNSLookup"
+            - "Invoke-SMBScanner"
+            - "Invoke-Mimikittenz"
+            - "Invoke-AllChecks"
+    false_positives:
+        ScriptBlockText|contains: Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+    condition: select_Malicious and not false_positives
+falsepositives:
+    - Penetration testing
+level: high
@@ -0,0 +1,45 @@
+title: Malicious PowerShell Keywords
+id: f62176f3-8128-4faa-bf6c-83261322e5eb
+status: experimental
+description: Detects keywords from well-known PowerShell exploitation frameworks
+references:
+    - https://adsecurity.org/?p=2921
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+modified: 2021/08/21
+logsource:
+    product: windows
+    service: powershell
+    definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+    Malicious:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - "AdjustTokenPrivileges"
+            - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+            - "Microsoft.Win32.UnsafeNativeMethods"
+            - "ReadProcessMemory.Invoke"
+            - "SE_PRIVILEGE_ENABLED"
+            - "LSA_UNICODE_STRING"
+            - "MiniDumpWriteDump"
+            - "PAGE_EXECUTE_READ"
+            - "SECURITY_DELEGATION"
+            - "TOKEN_ADJUST_PRIVILEGES"
+            - "TOKEN_ALL_ACCESS"
+            - "TOKEN_ASSIGN_PRIMARY"
+            - "TOKEN_DUPLICATE"
+            - "TOKEN_ELEVATION"
+            - "TOKEN_IMPERSONATE"
+            - "TOKEN_INFORMATION_CLASS"
+            - "TOKEN_PRIVILEGES"
+            - "TOKEN_QUERY"
+            - "Metasploit"
+            - "Mimikatz"
+    condition: Malicious
+falsepositives:
+    - Penetration tests
+level: high
@@ -0,0 +1,24 @@
+title: Live Memory Dump Using Powershell
+id: cd185561-4760-45d6-a63e-a51325112cae
+status: experimental
+description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
+date: 2021/09/21
+references:
+    - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
+tags:
+    - attack.t1003
+author: Max Altgelt
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    dump:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+            - 'Get-StorageDiagnosticInfo'
+            - '-IncludeLiveDump'
+    condition: dump
+falsepositives:
+    - Diagnostics
+level: high
@@ -0,0 +1,96 @@
+title: Malicious Nishang PowerShell Commandlets
+id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
+status: experimental
+description: Detects Commandlet names and arguments from the Nishang exploitation framework
+date: 2019/05/16
+modified: 2021/08/21
+references:
+    - https://github.com/samratashok/nishang
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+author: Alec Costello
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    Nishang:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - Add-ConstrainedDelegationBackdoor
+            - Set-DCShadowPermissions
+            - DNS_TXT_Pwnage
+            - Execute-OnTime
+            - HTTP-Backdoor
+            - Set-RemotePSRemoting
+            - Set-RemoteWMI
+            - Invoke-AmsiBypass
+            - Out-CHM
+            - Out-HTA
+            - Out-SCF
+            - Out-SCT
+            - Out-Shortcut
+            - Out-WebQuery
+            - Out-Word
+            - Enable-Duplication
+            - Remove-Update
+            - Download-Execute-PS
+            - Download_Execute
+            - Execute-Command-MSSQL
+            - Execute-DNSTXT-Code
+            - Out-RundllCommand
+            - Copy-VSS
+            - FireBuster
+            - FireListener
+            - Get-Information
+            - Get-PassHints
+            - Get-WLAN-Keys
+            - Get-Web-Credentials
+            - Invoke-CredentialsPhish
+            - Invoke-MimikatzWDigestDowngrade
+            - Invoke-SSIDExfil
+            - Invoke-SessionGopher
+            - Keylogger
+            - Invoke-Interceptor
+            - Create-MultipleSessions
+            - Invoke-NetworkRelay
+            - Run-EXEonRemote
+            - Invoke-Prasadhak
+            - Invoke-BruteForce
+            - Password-List
+            - Invoke-JSRatRegsvr
+            - Invoke-JSRatRundll
+            - Invoke-PoshRatHttps
+            - Invoke-PowerShellIcmp
+            - Invoke-PowerShellUdp
+            - Invoke-PSGcat
+            - Invoke-PsGcatAgent
+            - Remove-PoshRat
+            - Add-Persistance
+            - ExetoText
+            - Invoke-Decode
+            - Invoke-Encode
+            - Parse_Keys
+            - Remove-Persistence
+            - StringtoBase64
+            - TexttoExe
+            - Powerpreter
+            - Nishang
+            - DataToEncode
+            - LoggedKeys
+            - OUT-DNSTXT
+            # - Jitter  # Prone to FPs
+            - ExfilOption
+            - DumpCerts
+            - DumpCreds
+            - Shellcode32
+            - Shellcode64
+            - NotAllNameSpaces
+            - exfill
+            - FakeDC
+    condition: Nishang
+falsepositives:
+    - Penetration testing
+level: high
@@ -0,0 +1,35 @@
+title: NTFS Alternate Data Stream
+id: 8c521530-5169-495d-a199-0a3a881ad24e
+status: experimental
+description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
+references:
+    - http://www.powertheshell.com/ntfsstreams/
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+    - attack.t1096  # an old one
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+author: Sami Ruohonen
+date: 2018/07/24
+modified: 2021/08/21
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    event:
+        EventID: 4104
+    content:
+        ScriptBlockText|contains:
+            - "set-content"
+            - "add-content"
+    stream:
+        ScriptBlockText|contains:
+            - "-stream"
+    condition: all of them
+falsepositives:
+    - unknown
+level: high
@@ -0,0 +1,149 @@
+title: Malicious PowerView PowerShell Commandlets
+id: dcd74b95-3f36-4ed9-9598-0490951643aa
+status: experimental
+description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
+date: 2021/05/18
+modified: 2021/08/21
+references:
+    - https://powersploit.readthedocs.io/en/stable/Recon/README
+    - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
+    - https://thedfirreport.com/2020/10/08/ryuks-return
+    - https://adsecurity.org/?p=2277
+tags:
+    - attack.execution
+    - attack.t1059.001
+author: Bhabesh Raj
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+  selection:
+      EventID: 4104
+      ScriptBlockText|contains:
+        - Export-PowerViewCSV
+        - Get-IPAddress
+        - Resolve-IPAddress
+        - Convert-NameToSid
+        - ConvertTo-SID
+        - Convert-ADName
+        - ConvertFrom-UACValue
+        - Add-RemoteConnection
+        - Remove-RemoteConnection
+        - Invoke-UserImpersonation
+        - Invoke-RevertToSelf
+        - Request-SPNTicket
+        - Get-DomainSPNTicket
+        - Invoke-Kerberoast
+        - Get-PathAcl
+        - Get-DNSZone
+        - Get-DomainDNSZone
+        - Get-DNSRecord
+        - Get-DomainDNSRecord
+        - Get-NetDomain
+        - Get-Domain
+        - Get-NetDomainController
+        - Get-DomainController
+        - Get-NetForest
+        - Get-Forest
+        - Get-NetForestDomain
+        - Get-ForestDomain
+        - Get-NetForestCatalog
+        - Get-ForestGlobalCatalog
+        - Find-DomainObjectPropertyOutlier
+        - Get-NetUser
+        - Get-DomainUser
+        - New-DomainUser
+        - Set-DomainUserPassword
+        - Get-UserEvent
+        - Get-DomainUserEvent
+        - Get-NetComputer
+        - Get-DomainComputer
+        - Get-ADObject
+        - Get-DomainObject
+        - Set-ADObject
+        - Set-DomainObject
+        - Get-ObjectAcl
+        - Get-DomainObjectAcl
+        - Add-ObjectAcl
+        - Add-DomainObjectAcl
+        - Invoke-ACLScanner
+        - Find-InterestingDomainAcl
+        - Get-NetOU
+        - Get-DomainOU
+        - Get-NetSite
+        - Get-DomainSite
+        - Get-NetSubnet
+        - Get-DomainSubnet
+        - Get-DomainSID
+        - Get-NetGroup
+        - Get-DomainGroup
+        - New-DomainGroup
+        - Find-ManagedSecurityGroups
+        - Get-DomainManagedSecurityGroup
+        - Get-NetGroupMember
+        - Get-DomainGroupMember
+        - Add-DomainGroupMember
+        - Get-NetFileServer
+        - Get-DomainFileServer
+        - Get-DFSshare
+        - Get-DomainDFSShare
+        - Get-NetGPO
+        - Get-DomainGPO
+        - Get-NetGPOGroup
+        - Get-DomainGPOLocalGroup
+        - Find-GPOLocation
+        - Get-DomainGPOUserLocalGroupMapping
+        - Find-GPOComputerAdmin
+        - Get-DomainGPOComputerLocalGroupMapping
+        - Get-DomainPolicy
+        - Get-NetLocalGroup
+        - Get-NetLocalGroupMember
+        - Get-NetShare
+        - Get-NetLoggedon
+        - Get-NetSession
+        - Get-LoggedOnLocal
+        - Get-RegLoggedOn
+        - Get-NetRDPSession
+        - Invoke-CheckLocalAdminAccess
+        - Test-AdminAccess
+        - Get-SiteName
+        - Get-NetComputerSiteName
+        - Get-Proxy
+        - Get-WMIRegProxy
+        - Get-LastLoggedOn
+        - Get-WMIRegLastLoggedOn
+        - Get-CachedRDPConnection
+        - Get-WMIRegCachedRDPConnection
+        - Get-RegistryMountedDrive
+        - Get-WMIRegMountedDrive
+        - Get-NetProcess
+        - Get-WMIProcess
+        - Find-InterestingFile
+        - Invoke-UserHunter
+        - Find-DomainUserLocation
+        - Invoke-ProcessHunter
+        - Find-DomainProcess
+        - Invoke-EventHunter
+        - Find-DomainUserEvent
+        - Invoke-ShareFinder
+        - Find-DomainShare
+        - Invoke-FileFinder
+        - Find-InterestingDomainShareFile
+        - Find-LocalAdminAccess
+        - Invoke-EnumerateLocalAdmin
+        - Find-DomainLocalGroupMember
+        - Get-NetDomainTrust
+        - Get-DomainTrust
+        - Get-NetForestTrust
+        - Get-ForestTrust
+        - Find-ForeignUser
+        - Get-DomainForeignUser
+        - Find-ForeignGroup
+        - Get-DomainForeignGroupMember
+        - Invoke-MapDomainTrust
+        - Get-DomainTrustMapping
+  condition: selection
+falsepositives:
+    - Should not be any as administrators do not use this tool
+level: high
@@ -0,0 +1,27 @@
+title: PowerShell Credential Prompt
+id: ca8b77a9-d499-4095-b793-5d5f330d450e
+status: experimental
+description: Detects PowerShell calling a credential prompt
+references:
+    - https://twitter.com/JohnLaTwC/status/850381440629981184
+    - https://t.co/ezOTGy1a1G
+tags:
+    - attack.credential_access
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  # an old one
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+modified: 2021/08/04
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: 'PromptForCredential'
+    condition: selection
+falsepositives: 
+    - Unknown
+level: high
@@ -0,0 +1,25 @@
+title: PowerShell PSAttack
+id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
+status: experimental
+description: Detects the use of PSAttack PowerShell hack tool
+references:
+    - https://adsecurity.org/?p=2921
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+modified: 2021/08/21
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: 'PS ATTACK!!!'
+    condition: selection
+falsepositives:
+    - Pentesters
+level: high
@@ -0,0 +1,32 @@
+title: PowerShell ShellCode
+id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
+status: experimental
+description: Detects Base64 encoded Shellcode
+references:
+    - https://twitter.com/cyb3rops/status/1063072865992523776
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+modified: 2020/12/01
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: 'AAAAYInlM'
+    selection2:
+        ScriptBlockText|contains:
+            - 'OiCAAAAYInlM'
+            - 'OiJAAAAYInlM'
+    condition: selection and selection2
+falsepositives:
+    - Unknown
+level: critical
@@ -0,0 +1,28 @@
+title: Malicious ShellIntel PowerShell Commandlets
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+status: experimental
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+date: 2021/08/09
+modified: 2021/08/21
+references:
+    - https://github.com/Shellntel/scripts/
+tags:
+    - attack.execution
+    - attack.t1059.001
+author: Max Altgelt, Tobias Michalski
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+  selection:
+      EventID: 4104
+      ScriptBlockText|contains:
+        - Invoke-SMBAutoBrute
+        - Invoke-GPOLinks
+        - Out-Minidump
+        - Invoke-Potato
+  condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: Powershell Store File In Alternate Data Stream
+id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
+status: experimental
+author: frack113
+date: 2021/09/02
+description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+tags:
+    - attack.defense_evasion
+    - attack.t1564.004
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection_id:
+        EventID: 4104
+    selection_compspec:
+        ScriptBlockText|contains|all: 
+            - 'Start-Process'
+            - '-FilePath "$env:comspec" '
+            - '-ArgumentList '
+            - '>'
+    condition: selection_id and selection_compspec
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,25 @@
+title: Suspicious Export-PfxCertificate
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+status: experimental
+description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines
+references:
+    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+    - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+tags:
+    - attack.credential_access
+    - attack.t1552.004
+author: Florian Roth
+date: 2021/04/23
+modified: 2021/08/04
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+    PfxCertificate:
+        EventID: 4104
+        ScriptBlockText|contains: "Export-PfxCertificate"
+    condition: PfxCertificate
+falsepositives:
+    - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
@@ -0,0 +1,24 @@
+title: PowerShell Get-Process LSASS in ScriptBlock
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+status: experimental
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+references:
+    - https://twitter.com/PythonResponder/status/1385064506049630211
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+author: Florian Roth
+date: 2021/04/23
+modified: 2021/08/04
+logsource:
+    product: windows
+    service: powershell
+    definition: Script Block Logging must be enable
+detection:
+    select_LSASS:
+        EventID: 4104
+        ScriptBlockText|contains: 'Get-Process lsass'
+    condition: select_LSASS
+falsepositives:
+    - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
@@ -0,0 +1,39 @@
+title: Suspicious PowerShell Keywords
+id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
+status: experimental
+description: Detects keywords that could indicate the use of some PowerShell exploitation framework
+date: 2019/02/11
+modified: 2021/08/30
+author: Florian Roth, Perez Diego (@darkquassar)
+references:
+    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
+    - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
+    - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled for 4104
+detection:
+    framework:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - "System.Reflection.Assembly.Load($"
+            - "[System.Reflection.Assembly]::Load($"
+            - "[Reflection.Assembly]::Load($"
+            - "System.Reflection.AssemblyName"
+            - "Reflection.Emit.AssemblyBuilderAccess"
+            - "Runtime.InteropServices.DllImportAttribute"
+            - "SuspendThread"
+            - "rundll32"
+            # - "FromBase64"
+            - "Invoke-WMIMethod"
+            - "http://127.0.0.1"
+    condition: framework
+falsepositives:
+    - Penetration tests
+level: high
@@ -0,0 +1,27 @@
+title: Powershell Local Email Collection
+id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
+status: experimental
+author: frack113
+date: 2021/07/21
+description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
+tags:
+    - attack.collection
+    - attack.t1114.001
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - 'Get-Inbox.ps1'
+            - 'Microsoft.Office.Interop.Outlook'
+            - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
+            - '-comobject outlook.application'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,25 @@
+title: PowerShell Deleted Mounted Share
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+    - attack.defense_evasion
+    - attack.t1070.005
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'Remove-SmbShare'
+          - 'Remove-FileShare'
+    condition: selection
+falsepositives:
+    - Administrators or Power users may remove their shares via cmd line
+level: medium
@@ -0,0 +1,29 @@
+title: Recon Information for Export with PowerShell
+id: a9723fcc-881c-424c-8709-fd61442ab3c3
+status: experimental
+author: frack113
+date: 2021/07/30
+description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+tags:
+    - attack.collection
+    - attack.t1119
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection_eventid:
+        EventID: 4104
+    selection_action:
+        ScriptBlockText|contains:
+            - 'Get-Service '
+            - 'Get-ChildItem '
+            - 'Get-Process '
+    selection_redirect:
+        ScriptBlockText|contains: '> $env:TEMP\'
+    condition: all of them 
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,23 @@
+title: Powershell Suspicious Win32_PnPEntity  
+id: b26647de-4feb-4283-af6b-6117661283c5
+status: experimental
+author: frack113
+date: 2021/08/23
+description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
+tags:
+    - attack.discovery
+    - attack.t1120
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: Win32_PnPEntity
+    condition: selection
+falsepositives:
+    - admin script
+level: low
@@ -0,0 +1,31 @@
+title: Powershell Timestomp
+id: c6438007-e081-42ce-9483-b067fbef33c3
+status: experimental
+author: frack113
+date: 2021/08/03
+description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+    - https://www.offensive-security.com/metasploit-unleashed/timestomp/
+tags:
+    - attack.defense_evasion
+    - attack.t1070.006
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection_id:
+        EventID: 4104
+    selection_ioc:
+        ScriptBlockText|contains: 
+            - '.CreationTime ='
+            - '.LastWriteTime ='
+            - '.LastAccessTime ='
+            - '[IO.File]::SetCreationTime'
+            - '[IO.File]::SetLastAccessTime'
+            - '[IO.File]::SetLastWriteTime'
+    condition: selection_id and selection_ioc
+falsepositives:
+    - legitime admin script
+level: medium
@@ -0,0 +1,29 @@
+title: Powershell Trigger Profiles by Add_Content
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+status: experimental
+author: frack113
+date: 2021/08/18
+description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
+tags:
+    - attack.privilege_escalation
+    - attack.t1546.013
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+            - 'Add-Content'
+            - '$profile'
+            - '-Value' 
+        ScriptBlockText|contains: 
+            - 'Start-Process'
+            - '""'  #cleanup action
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,35 @@
+title: Windows PowerShell Web Request
+id: 1139d2e2-84b1-4226-b445-354492eba8ba
+related:
+    - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
+      type: derived
+status: experimental
+description: Detects the use of various web request methods (including aliases) via Windows PowerShell command
+references:
+    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
+    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
+author: James Pemberton / @4A616D6573
+date: 2019/10/24
+modified: 2021/09/21
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains:
+            - 'Invoke-WebRequest'
+            - 'iwr '
+            - 'wget '
+            - 'curl '
+            - 'Net.WebClient'
+            - 'Start-BitsTransfer'
+    condition: selection
+falsepositives:
+    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
+level: medium
@@ -0,0 +1,29 @@
+title: Winlogon Helper DLL
+id: 851c506b-6b7c-4ce2-8802-c703009d03c0
+status: experimental
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2020/12/01
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
+logsource:
+    product: windows
+    service: powershell
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains: 'CurrentVersion\Winlogon'
+    selection2:
+        ScriptBlockText|contains:
+            - 'Set-ItemProperty'
+            - 'New-Item'
+    condition: selection and selection2
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.persistence
+    - attack.t1547.004
+    - attack.t1004  # an old one
@@ -0,0 +1,34 @@
+title: Powershell WMI Persistence
+id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
+status: experimental
+author: frack113
+date: 2021/08/19
+description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
+    - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
+tags:
+    - attack.privilege_escalation
+    - attack.t1546.003
+logsource:
+    product: windows
+    service: powershell
+    definition: EnableScriptBlockLogging must be set to enable
+detection:
+    selection_id:
+        EventID: 4104
+    selection_ioc:
+        - ScriptBlockText|contains|all: 
+            - 'New-CimInstance '
+            - '-Namespace root/subscription '
+            - '-ClassName __EventFilter '
+            - '-Property ' #is a variable name 
+        - ScriptBlockText|contains|all:
+            - 'New-CimInstance '
+            - '-Namespace root/subscription '
+            - '-ClassName CommandLineEventConsumer '
+            - '-Property ' #is a variable name 
+    condition: all of them
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,47 @@
+title: WMImplant Hack Tool
+id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
+status: experimental
+description: Detects parameters used by WMImplant
+references:
+  - https://github.com/FortyNorthSecurity/WMImplant
+tags:
+  - attack.execution
+  - attack.t1047
+  - attack.t1059.001
+  - attack.t1086  #an old one
+author: NVISO
+date: 2020/03/26
+modified: 2021/08/30
+logsource:
+  product: windows
+  service: powershell
+  definition: Script block logging must be enabled
+detection:
+  selection:
+    EventID: 4104
+    ScriptBlockText|contains:
+      - "WMImplant"
+      - " change_user "
+      - " gen_cli "
+      - " command_exec "
+      - " disable_wdigest "
+      - " disable_winrm "
+      - " enable_wdigest "
+      - " enable_winrm "
+      - " registry_mod "
+      - " remote_posh "
+      - " sched_job "
+      - " service_mod "
+      - " process_kill "
+      # - " process_start "
+      - " active_users "
+      - " basic_info "
+      # - " drive_list "
+      # - " installed_programs "
+      - " power_off "
+      - " vacant_system "
+      - " logon_events "
+  condition: selection
+falsepositives:
+  - Administrative scripts that use the same keywords.
+level: high