feat: updates and enhancements

rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml

@@ -1,12 +1,15 @@
-title: Accessing WinAPI in PowerShell
+title: Potential WinAPI Calls Via PowerShell Scripts
 id: 03d83090-8cba-44a0-b02f-0b756a050306
+related:
+    - id: 03d83090-8cba-44a0-b02f-0b756a050306
+      type: similar
 status: experimental
-description: Detecting use WinAPI Functions in PowerShell
+description: Detects use of WinAPI Functions in PowerShell scripts
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Nikita Nazarov, oscd.community, Tim Shelton
 date: 2020/10/06
-modified: 2022/09/29
+modified: 2023/01/09
 tags:
     - attack.execution
     - attack.t1059.001
@@ -18,56 +21,57 @@ logsource:
 detection:
     selection:
         ScriptBlockText|contains:
-            - 'WaitForSingleObject'
-            - 'QueueUserApc'
-            - 'RtlCreateUserThread'
-            - 'OpenProcess'
-            - 'VirtualAlloc'
-            - 'VirtualFree'
-            - 'WriteProcessMemory'
-            - 'CreateUserThread'
+            - 'AddSecurityPackage'
+            - 'AdjustTokenPrivileges'
+            - 'Advapi32'
             - 'CloseHandle'
-            - 'GetDelegateForFunctionPointer'
+            - 'CreateProcessWithToken'
+            - 'CreateRemoteThread'
             - 'CreateThread'
-            - 'memcpy'
-            - 'LoadLibrary'
+            - 'CreateUserThread'
+            - 'DangerousGetHandle'
+            - 'DuplicateTokenEx'
+            - 'EnumerateSecurityPackages'
+            #- 'FreeHGlobal'
+            - 'FreeLibrary'
+            - 'GetDelegateForFunctionPointer'
+            - 'GetLogonSessionData'
             - 'GetModuleHandle'
             - 'GetProcAddress'
-            - 'VirtualProtect'
-            - 'FreeLibrary'
-            - 'ReadProcessMemory'
-            - 'CreateRemoteThread'
-            - 'AdjustTokenPrivileges'
-            # - 'WriteByte'  # FP with .NET System.IO.FileStream
-            - 'WriteInt32'
-            - 'OpenThreadToken'
-            # - 'PtrToString'
-            # - 'FreeHGlobal'
-            - 'ZeroFreeGlobalAllocUnicode'
-            - 'OpenProcessToken'
-            - 'GetTokenInformation'
-            - 'SetThreadToken'
-            - 'ImpersonateLoggedOnUser'
-            - 'RevertToSelf'
-            - 'GetLogonSessionData'
-            - 'CreateProcessWithToken'
-            - 'DuplicateTokenEx'
-            - 'OpenWindowStation'
-            - 'OpenDesktop'
-            - 'MiniDumpWriteDump'
-            - 'AddSecurityPackage'
-            - 'EnumerateSecurityPackages'
             - 'GetProcessHandle'
-            - 'DangerousGetHandle'
+            - 'GetTokenInformation'
+            - 'ImpersonateLoggedOnUser'
             - 'kernel32'
-            - 'Advapi32'
+            - 'LoadLibrary'
+            - 'memcpy'
+            - 'MiniDumpWriteDump'
             - 'msvcrt'
             - 'ntdll'
-            # - 'user32'  # FP with chocolatey
+            - 'OpenDesktop'
+            - 'OpenProcess'
+            - 'OpenProcessToken'
+            - 'OpenThreadToken'
+            - 'OpenWindowStation'
+            #- 'PtrToString'
+            - 'QueueUserApc'
+            - 'ReadProcessMemory'
+            - 'RevertToSelf'
+            - 'RtlCreateUserThread'
             - 'secur32'
-    falsepositive1:
+            - 'SetThreadToken'
+            #- 'user32' # FP with chocolatey
+            - 'VirtualAlloc'
+            - 'VirtualFree'
+            - 'VirtualProtect'
+            - 'WaitForSingleObject'
+            #- 'WriteByte' # FP with .NET System.IO.FileStream
+            - 'WriteInt32'
+            - 'WriteProcessMemory'
+            - 'ZeroFreeGlobalAllocUnicode'
+    filter_amazon:
         ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # aws scripts leverage CreateFile and CloseHandle may filter out these 2 items
-    condition: selection and not 1 of falsepositive*
+        ScriptBlockText|contains: 'function Import-SerialPortUtil '
+    condition: selection and not 1 of filter_*
 falsepositives:
     - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
 level: high

rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml

@@ -22,6 +22,7 @@ references:
     - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
     - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
     - https://github.com/HarmJ0y/DAMP
+    - https://github.com/samratashok/nishang
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
 modified: 2023/01/05
@@ -118,7 +119,7 @@ detection:
             - 'Invoke-Farmer'
             - 'Invoke-Get-RBCD-Threaded'
             - 'Invoke-Gopher'
-            - 'Invoke-Grouper' # cover Invoke-GrouperX
+            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
             - 'Invoke-HandleKatz'
             - 'Invoke-Internalmonologue'
             - 'Invoke-Inveigh'
@@ -139,7 +140,7 @@ detection:
             - 'Invoke-P0wnedshell'
             - 'Invoke-Paranoia'
             - 'Invoke-PortScan'
-            - 'Invoke-PoshRatHttp'
+            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
             - 'Invoke-PostExfil'
             - 'Invoke-PowerDump'
             - 'Invoke-PowerShellTCP'
@@ -171,7 +172,7 @@ detection:
             - 'Invoke-SharpGPO-RemoteAccessPolicies'
             - 'Invoke-SharpHandler'
             - 'Invoke-SharpHide'
-            - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
+            - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
             - 'Invoke-SharpImpersonation'
             - 'Invoke-SharpImpersonationNoSpace'
             - 'Invoke-SharpKatz'

rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/samratashok/nishang
 author: Alec Costello
 date: 2019/05/16
-modified: 2023/01/02
+modified: 2023/01/09
 tags:
     - attack.execution
     - attack.t1059.001
@@ -18,15 +18,21 @@ detection:
     selection:
         ScriptBlockText|contains:
             - 'Add-ConstrainedDelegationBackdoor'
-            - 'Add-Persistence'
+            #- 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+            #- 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+            #- 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'Copy-VSS'
             - 'Create-MultipleSessions'
             - 'DataToEncode'
             - 'DNS_TXT_Pwnage'
+            - 'Do-Exfiltration-Dns'
             - 'Download_Execute'
             - 'Download-Execute-PS'
+            - 'DownloadAndExtractFromRemoteRegistry'
             - 'DumpCerts'
             - 'DumpCreds'
+            - 'DumpHashes'
+            - 'Enable-DuplicateToken'
             - 'Enable-Duplication'
             - 'Execute-Command-MSSQL'
             - 'Execute-DNSTXT-Code'
@@ -38,10 +44,14 @@ detection:
             - 'FireBuster'
             - 'FireListener'
             - 'Get-Information'
+            #- 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'Get-PassHints'
             - 'Get-Web-Credentials'
+            - 'Get-WebCredentials'
             - 'Get-WLAN-Keys'
+            #- 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'HTTP-Backdoor'
+            #- 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'Invoke-AmsiBypass'
             - 'Invoke-BruteForce'
             - 'Invoke-CredentialsPhish'
@@ -52,19 +62,21 @@ detection:
             - 'Invoke-JSRatRundll'
             - 'Invoke-MimikatzWDigestDowngrade'
             - 'Invoke-NetworkRelay'
-            - 'Invoke-PoshRatHttps'
+            #- 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+            #- 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'Invoke-PowerShellIcmp'
             - 'Invoke-PowerShellUdp'
             - 'Invoke-Prasadhak'
             - 'Invoke-PSGcat'
             - 'Invoke-PsGcatAgent'
+            #- 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
             - 'Invoke-SessionGopher'
             - 'Invoke-SSIDExfil'
             #- Jitter  # Prone to FPs
-            - 'Keylogger'
+            #- 'Keylogger' # Too generic to be linked to Nishang
             - 'LoggedKeys'
             - 'Nishang'
-            - 'NotAllNameSpaces'
+            - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
             - 'Out-CHM'
             - 'OUT-DNSTXT'
             - 'Out-HTA'

rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml

@@ -0,0 +1,32 @@
+title: Potential PowerShell Obfuscation Using Character Join
+id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
+related:
+    - id: 96cd126d-f970-49c4-848a-da3a09f55c55
+      type: derived
+status: experimental
+description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
+references:
+    - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/09
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1027
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection:
+        # Example:
+        #   Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
+        #   Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
+        ScriptBlockText|contains|all:
+            - '-Alias' # For both "New-Alias" and "Set-Alias"
+            - ' -Value (-join('
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml

@@ -1,5 +1,8 @@
 title: Potential PowerShell Obfuscation Using Alias Cmdlets
 id: 96cd126d-f970-49c4-848a-da3a09f55c55
+related:
+    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
+      type: derived
 status: experimental
 description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
 references:
@@ -10,7 +13,7 @@ tags:
     - attack.defense_evasion
     - attack.execution
     - attack.t1027
-    - attack.t1059.001 
+    - attack.t1059.001
 logsource:
     product: windows
     category: ps_script