Rules for Issue 575 (#3820)

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>

rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml

@@ -0,0 +1,19 @@
+title: Potential In-Memory Execution Using Reflection.Assembly
+id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
+status: experimental
+description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
+author: frack113
+date: 2022/12/25
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enable
+detection:
+    selection:
+        ScriptBlockText|contains: '[Reflection.Assembly]::load'
+    condition: selection
+falsepositives:
+    - Legitimate use of the library
+level: medium

rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml

@@ -0,0 +1,35 @@
+title: Potential COM Objects Download Cradles Usage - PS Script
+id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
+related:
+    - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
+      type: similar
+status: experimental
+description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
+references:
+    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
+    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
+author: frack113
+date: 2022/12/25
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enable
+detection:
+    selection_1:
+        ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
+    selection_2:
+        ScriptBlockText|contains: 
+            - '0002DF01-0000-0000-C000-000000000046'
+            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
+            - 'F5078F35-C551-11D3-89B9-0000F81FE221'
+            - '88d96a0a-f192-11d4-a65f-0040963251e5'
+            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
+            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
+            - '88d96a0b-f192-11d4-a65f-0040963251e5'
+            - '2087c2f4-2cef-4953-a8ab-66779b670495'
+            - '000209FF-0000-0000-C000-000000000046'
+            - '00024500-0000-0000-C000-000000000046'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of the library
+level: medium

rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml

@@ -10,7 +10,7 @@ references:
     - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2022/11/21
+modified: 2022/12/27
 tags:
     - attack.execution
     - attack.t1059.001
@@ -27,6 +27,9 @@ detection:
             - 'curl '
             - 'Net.WebClient'
             - 'Start-BitsTransfer'
+            - '[System.Net.WebRequest]::create'
+            - 'Invoke-RestMethod'
+            - 'WinHttp.WinHttpRequest'
     filter:
         Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
     condition: selection and not filter