From 8a6f66b1207ecbedb2cefa01efb44a56ec3d1913 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 27 Dec 2022 15:17:45 +0100
Subject: [PATCH] Rules for Issue 575 (#3820)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../posh_ps_dotnet_assembly_from_file.yml | 19 ++++++++++
 .../posh_ps_download_com_cradles.yml | 35 +++++++++++++++++++
 .../posh_ps_web_request_cmd_and_cmdlets.yml | 5 ++-
 ...c_creation_win_ps_download_com_cradles.yml | 34 ++++++++++++++++++
 .../proc_creation_win_ps_exec_data_file.yml | 29 +++++++++++++++
 ...eation_win_web_request_cmd_and_cmdlets.yml | 5 ++-
 6 files changed, 125 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
new file mode 100644
index 000000000..c19f028db
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml
@@ -0,0 +1,19 @@
+title: Potential In-Memory Execution Using Reflection.Assembly
+id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
+status: experimental
+description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
+author: frack113
+date: 2022/12/25
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script Block Logging must be enable
+detection:
+ selection:
+ ScriptBlockText|contains: '[Reflection.Assembly]::load'
+ condition: selection
+falsepositives:
+ - Legitimate use of the library
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
new file mode 100644
index 000000000..71738e1b2
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml
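Review bot: `ScriptBlockText|contains: '[Reflection.Assembly]::load'` in `selection` never matches the fully qualified spelling `[System.Reflection.Assembly]::Load(...)`, which loaders use at least as often as the short form, because the leading `[` pins the type name to start right after the bracket. Dropping the bracket, `ScriptBlockText|contains: 'Reflection.Assembly]::Load'`, covers both spellings (Sigma `contains` is case-insensitive in the standard backends) and still catches `LoadFile`, `LoadFrom` and `LoadWithPartialName` exactly as the current pattern does. Since `LoadFile`/`LoadFrom` take a path on disk, only the byte-array `Load` overload is truly the "In-Memory" case named in the title; either narrow the pattern or soften the description to "loads assemblies, including from memory". The rule also carries no `tags:` block, unlike the two web-request rules touched in this commit; reflective code loading (`attack.defense_evasion` / `attack.t1620`) is the expected mapping.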
@@ -0,0 +1,35 @@
+title: Potential COM Objects Download Cradles Usage - PS Script
+id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
+related:
+ - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
+ type: similar
+status: experimental
+description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+references:
+ - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
+author: frack113
+date: 2022/12/25
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script Block Logging must be enable
+detection:
+ selection_1:
+ ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
+ selection_2:
+ ScriptBlockText|contains:
+ - '0002DF01-0000-0000-C000-000000000046'
+ - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
+ - 'F5078F35-C551-11D3-89B9-0000F81FE221'
+ - '88d96a0a-f192-11d4-a65f-0040963251e5'
+ - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
+ - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
+ - '88d96a0b-f192-11d4-a65f-0040963251e5'
+ - '2087c2f4-2cef-4953-a8ab-66779b670495'
+ - '000209FF-0000-0000-C000-000000000046'
+ - '00024500-0000-0000-C000-000000000046'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the library
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
index 3cc9aeece..695c9fff0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml
@@ -10,7 +10,7 @@ references:
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2022/11/21
+modified: 2022/12/27
 tags:
 - attack.execution
 - attack.t1059.001
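Review bot: `selection_1` requires the literal `[Type]::GetTypeFromCLSID(`, so the equally valid `[System.Type]::GetTypeFromCLSID(` never matches even when one of the listed CLSIDs is present in the same script block. `ScriptBlockText|contains: 'Type]::GetTypeFromCLSID('` covers both spellings without widening the rule otherwise. The CLSID list in `selection_2` is a good signal but is opaque as written; a comment per entry naming the COM server it resolves to (for example `# InternetExplorer.Application` beside `0002DF01-0000-0000-C000-000000000046`) would let a maintainer prune or extend the list without re-deriving every GUID from the registry. Instantiation by ProgID (`New-Object -ComObject ...`) is a separate, more common path that this rule deliberately does not cover; saying so in `description` would stop readers assuming it does.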
@@ -27,6 +27,9 @@ detection:
 - 'curl '
 - 'Net.WebClient'
 - 'Start-BitsTransfer'
+ - '[System.Net.WebRequest]::create'
+ - 'Invoke-RestMethod'
+ - 'WinHttp.WinHttpRequest'
 filter:
 Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
 condition: selection and not filter
diff --git a/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml b/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml
new file mode 100644
index 000000000..0943424f9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml
@@ -0,0 +1,34 @@
+title: Potential COM Objects Download Cradles Usage - Process Creation
+id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
+related:
+ - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
+ type: similar
+status: experimental
+description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+references:
+ - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
+author: frack113
+date: 2022/12/25
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_1:
+ CommandLine|contains: '[Type]::GetTypeFromCLSID('
+ selection_2:
+ CommandLine|contains:
+ - '0002DF01-0000-0000-C000-000000000046'
+ - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
+ - 'F5078F35-C551-11D3-89B9-0000F81FE221'
+ - '88d96a0a-f192-11d4-a65f-0040963251e5'
+ - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
+ - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
+ - '88d96a0b-f192-11d4-a65f-0040963251e5'
+ - '2087c2f4-2cef-4953-a8ab-66779b670495'
+ - '000209FF-0000-0000-C000-000000000046'
+ - '00024500-0000-0000-C000-000000000046'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the library
+level: medium
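Review bot: The new entry `'[System.Net.WebRequest]::create'` only matches the fully qualified type; PowerShell resolves the `System.` prefix implicitly, so `[Net.WebRequest]::Create(...)` — the spelling most cradles actually use — slips past it. Changing the entry to `'Net.WebRequest]::Create'` matches both forms, and it mirrors how the existing `Net.WebClient` entry two lines above is already written. `Invoke-RestMethod` has the built-in alias `irm`; if the part of the list above this hunk carries `iwr ` for Invoke-WebRequest, `'irm '` belongs beside it for the same reason. The `selection` list and the `filter` block both start outside this hunk.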
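Review bot: `CommandLine|contains: '[Type]::GetTypeFromCLSID('` in `selection_1` has the same gap as its script-block twin: `[System.Type]::GetTypeFromCLSID(` is never matched, and `'Type]::GetTypeFromCLSID('` would cover both. On `process_creation` this rule only ever sees the plain command line, so an `-EncodedCommand` launch — the usual delivery for a cradle of this length — exposes neither the method name nor a CLSID, and nothing in the rule says that the ps_script rule `3c7d1587-3b13-439f-9941-7d14313dbdfe` is the one expected to fire then. A sentence to that effect in `description` would set expectations correctly for anyone triaging a gap. Neither of the two new COM-cradle rules carries a `tags:` block; at minimum `attack.execution` and `attack.t1059.001` apply, matching the two web-request rules in this commit.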
diff --git a/rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml b/rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml
new file mode 100644
index 000000000..5efafcdfc
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml
@@ -0,0 +1,29 @@
+title: Powershell Inline Execution From A File
+id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
+status: experimental
+description: Detects inline execution of PowerShell code from a file
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
+author: frack113
+date: 2022/12/25
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_exec:
+ CommandLine|contains:
+ - 'iex '
+ - 'Invoke-Expression '
+ - 'Invoke-Command '
+ - 'icm '
+ selection_read:
+ CommandLine|contains:
+ - 'cat '
+ - 'get-content '
+ - 'type '
+ selection_raw:
+ CommandLine|contains: ' -raw'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
index 070a94b3e..6383b6e39 100644
--- a/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
@@ -12,7 +12,7 @@ references:
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2022/11/21
+modified: 2022/12/27
 tags:
 - attack.execution
 - attack.t1059.001
@@ -28,6 +28,9 @@ detection:
 - 'curl '
 - 'Net.WebClient'
 - 'Start-BitsTransfer'
+ - '[System.Net.WebRequest]::create'
+ - 'Invoke-RestMethod'
+ - 'WinHttp.WinHttpRequest'
 condition: selection
 falsepositives:
 - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
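Review bot: `selection_read` lists `cat `, `get-content ` and `type ` but not `gc `, the third built-in alias of Get-Content, so `iex (gc .\payload.txt -raw)` — the shortest form of exactly the pattern this rule targets — does not match; add `- 'gc '` to the list. Making ` -raw` mandatory in `selection_raw` puts `iex (cat file)` without `-Raw` (which often still works for the attacker) out of scope; that is a defensible trade against the noise that bare `type ` and `cat ` would produce on ordinary cmd.exe command lines, but it should be recorded in `description` so the next maintainer does not widen the rule blindly. `falsepositives: - Unknown` can at least name the obvious benign case, an administrator reading a script into a string and evaluating it interactively. The rule also has no `tags:`; `attack.execution` / `attack.t1059.001` match the other rules in this commit.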
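Review bot: Nothing links this list to its script-block twin, which received the same three entries in this same commit, so the two will drift the next time one of them is edited; a `related:` entry of `type: similar` pointing at the ps_script rule's id, as the two COM-cradle rules in this commit already do, would make the dependency visible. The first new entry, `'[System.Net.WebRequest]::create'`, does not match the namespace-shortened `[Net.WebRequest]::Create(...)` form that PowerShell accepts; `'Net.WebRequest]::Create'` covers both. `WinHttp.WinHttpRequest` normally appears on a command line as `WinHttp.WinHttpRequest.5.1`, which `contains` still matches, so that entry is fine as written. The `selection` list starts above this hunk.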