From 75f4f439daba43d2e97a380e89441932228f1445 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 13:32:22 -0400
Subject: [PATCH 1/4] Create sysmon_powershell_startup_shortcuts
---
 .../sysmon_powershell_startup_shortcuts | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 rules/windows/file_event/sysmon_powershell_startup_shortcuts
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts
new file mode 100644
index 000000000..2f0b954bf
--- /dev/null
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts
@@ -0,0 +1,33 @@
+title: PowerShell writing startup shortcuts
+id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
+description: Attempts to detect PowerShell writing startup shortcuts.
+status: experimental
+references:
+ - https://redcanary.com/blog/intelligence-insights-october-2021/
+ # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+ # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+ # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
+notes:
+ - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step.
+ https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+
+ - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\.
+ https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml
+tags:
+ - attack.registry_run_keys_/_startup_folder
+ - attack.t1547.001
+date: 2021/10/24
+author: Christopher Peacock (@securepeacock), SCYTHE
+level: high
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ TargetFilename|contains: '\start menu\programs\startup\'
+ TargetFilename|endswith: '.lnk'
+ condition: selection
+falsepositives:
+ - Unknown
+ - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
From 03301a065204f29f81b69f1c576d750475aaabfb Mon Sep 17 00:00:00 2001
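Review bot: The selection keys on `Image|endswith: '\powershell.exe'` alone, so the same `.lnk` write performed by PowerShell Core is not covered; the usual Sigma form is a list, `Image|endswith:` followed by `- '\powershell.exe'` and `- '\pwsh.exe'`. The first tag, `attack.registry_run_keys_/_startup_folder`, is the sub-technique name rather than a tactic in the `attack.<tactic>` form, and `attack.persistence` is the tactic for T1547.001; the repository's tag validation is likely to reject the current value, which the patch 4 hunk still carries unchanged. `falsepositives` lists `Unknown` next to a concrete entry, and that entry has typos (`recomended`, `anomolies`, `inidicative`) worth fixing since the text is shown to analysts.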
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 13:56:01 -0400
Subject: [PATCH 2/4] Rename sysmon_powershell_startup_shortcuts to sysmon_powershell_startup_shortcuts.yml
---
 ..._startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/file_event/{sysmon_powershell_startup_shortcuts => sysmon_powershell_startup_shortcuts.yml} (100%)
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
similarity index 100%
rename from rules/windows/file_event/sysmon_powershell_startup_shortcuts
rename to rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
From 265faf6337dbcd8ce7ffc10131c6d3d784fa8c1f Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 14:15:04 -0400
Subject: [PATCH 3/4] Update sysmon_powershell_startup_shortcuts.yml
---
 .../file_event/sysmon_powershell_startup_shortcuts.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
index 2f0b954bf..70c82df34 100644
--- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -1,4 +1,4 @@
-title: PowerShell writing startup shortcuts
+title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
 description: Attempts to detect PowerShell writing startup shortcuts.
 status: experimental
@@ -17,7 +17,7 @@ tags:
 - attack.registry_run_keys_/_startup_folder
 - attack.t1547.001
 date: 2021/10/24
-author: Christopher Peacock (@securepeacock), SCYTHE
+author: Christopher Peacock '@securepeacock', SCYTHE
 level: high
 logsource:
 product: windows
From 8b45c6687c1aeaad234b82dd7f4df9fb88037aee Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Sun, 24 Oct 2021 16:07:40 -0400
Subject: [PATCH 4/4] Update sysmon_powershell_startup_shortcuts.yml
---
 .../sysmon_powershell_startup_shortcuts.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
index 70c82df34..a7ed3cfae 100644
--- a/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/sysmon_powershell_startup_shortcuts.yml
@@ -1,18 +1,10 @@
 title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-description: Attempts to detect PowerShell writing startup shortcuts.
+description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 status: experimental
 references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
- # We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
- # Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
- # In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
-notes:
- - Atomic Test is avaiable. Copy and Paste the command into an elevated PowerShell to generate logs, then run the cleanup step.
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
-
- - Current SIGMA rule "Startup folder File Write" does not cover this activity, as it looks in the \ProgramData\ file path and not \AppData\.
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml
+ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 tags:
 - attack.registry_run_keys_/_startup_folder
 - attack.t1547.001
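Review bot: The new `description` pastes a three-sentence quotation onto one line, which makes the field read as sourcing rather than the short statement of what the rule detects that Sigma descriptions usually are; the quoted passage already lives at the Red Canary link in `references`, so a one-line description plus that reference carries the same information. Dropping the `notes` block also drops the stated reason for a separate rule, namely that the existing `sysmon_startup_folder_file_write.yml` only looks under `\ProgramData\`, and the link to that rule goes with it. Keeping it as `- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_startup_folder_file_write.yml` under `references`, or as a clause in `description`, preserves that context for the next maintainer.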