Merge branch 'master' into rule-devel

This commit is contained in:
Florian Roth
2023-01-09 09:56:21 +01:00
committed by GitHub
300 changed files with 1505 additions and 527 deletions
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains: '*'
@@ -21,7 +21,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_1a_payload:
Payload|contains:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|contains: 'Expand-Archive'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
Payload|contains|all:
@@ -7,18 +7,18 @@ references:
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/06/20
modified: 2023/01/04
tags:
- attack.collection
- attack.t1115
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
selection:
Payload|contains: 'Get-Clipboard'
condition: selection_4103
condition: selection
falsepositives:
- Unknown
level: medium
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_payload:
- Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"'
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
@@ -9,7 +9,7 @@ references:
- https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2022/11/29
modified: 2023/01/04
tags:
- attack.defense_evasion
- attack.t1027
@@ -18,9 +18,9 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabledd
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
selection:
Payload|contains|all:
- 'set'
- '&&'
@@ -28,7 +28,7 @@ detection:
- 'vbscript:createobject'
- '.run'
- '(window.close)'
condition: selection_4103
condition: selection
falsepositives:
- Unknown
level: high
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
test_2:
- Payload|contains: get-ADPrincipalGroupMembership
@@ -7,14 +7,14 @@ references:
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021/07/13
modified: 2022/12/02
modified: 2023/01/04
tags:
- attack.defense_evasion
- attack.t1218
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabledd
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_cmd:
ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
@@ -24,12 +24,7 @@ detection:
- '-ModulePath '
- '-ScriptBlock '
- '-RemoteFXvGPUDisablementFilePath'
condition: selection_cmd and selection_opt
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
condition: all of selection_*
falsepositives:
- Unknown
level: medium
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains: 'Get-NetTCPConnection'
@@ -3,28 +3,32 @@ id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
- id: ed965133-513f-41d9-a441-e38076a0798f
type: similar
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
date: 2017/03/12
modified: 2022/12/02
modified: 2023/01/03
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_encoded:
ContextInfo|contains:
- ' -enc '
- ' -EncodedCommand '
- ' -ec '
selection_hidden:
ContextInfo|contains:
- ' -w hidden '
- ' -window hidden '
- ' -windowstyle hidden '
- ' -w 1 '
selection_noninteractive:
ContextInfo|contains:
- ' -noni '
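Review bot: The `selection_encoded` list (` -enc `, ` -EncodedCommand `, ` -ec `) covers three spellings of the switch, but powershell.exe, as far as I recall, accepts any unambiguous prefix of a parameter name, so ` -e `, ` -en `, ` -enco ` and ` -encodedc ` slip past it; the same applies to `selection_hidden`, which lists ` -w ` and ` -windowstyle ` but not ` -wi `, ` -win ` or ` -windows `. Consider adding the shorter prefixes, at least `- ' -e '` and `- ' -en '`, with a comment above the list such as `# powershell.exe accepts any unambiguous parameter prefix; list the short forms too` so the next maintainer does not trim them as redundant. Every entry is also anchored on a trailing space, so a switch that ends the Host Application string would be missed; whether that occurs depends on how ContextInfo is rendered, which is not visible here. The rule's `condition` lies outside this hunk, so I could not check how the new `selection_hidden` block is combined with the others.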
@@ -3,18 +3,22 @@ id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/12/02
modified: 2023/01/05
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_convert_b64:
ContextInfo|contains|all:
@@ -64,7 +68,7 @@ detection:
ContextInfo|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection* and not 1 of filter*
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
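Review bot: The exclusion ending with `'Write-ChocolateyWarning'` is a plain substring match on `ContextInfo`, a field the attacker fully controls, and the new condition `1 of selection_* and not 1 of filter_*` lets any single filter suppress the whole rule, so appending `# Write-ChocolateyWarning` (or the Chocolatey `DownloadString` URL fragment) to a malicious command line turns the alert off. Filters on attacker-controlled text should be as narrow as possible: anchor on the complete legitimate installer invocation rather than a bare cmdlet name, or drop the cmdlet-name entry and record the residual noise under `falsepositives` instead. At minimum add a comment on the filter, e.g. `# NOTE: substring filter on attacker-controlled text; keep as narrow as possible`. The filter's selection name is outside this hunk, so I am inferring from the condition that this block is one of the `filter_*` selections.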
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
test_3:
- Payload|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains: 'Reset-ComputerMachinePassword'
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
- Payload|contains: get-smbshare
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection_4103:
ContextInfo|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
definition: 'Requirements: PowerShell Module Logging must be enabled'
detection:
selection:
ContextInfo|contains: 'SyncAppvPublishingServer.exe'
@@ -20,7 +20,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -0,0 +1,27 @@
title: Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging
id: fa2559c8-1197-471d-9cdd-05a0273d4522
related:
- id: 92a974db-ab84-457f-9ec0-55db83d7a825
type: similar
status: experimental
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali
date: 2023/01/04
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: powershell
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockLogging|contains:
- "if(0){{{0}}}' -f $(0 -as [char]) +"
- "#<NULL>"
condition: selection
falsepositives:
- Unknown
level: medium
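Review bot: The selection keys on `ScriptBlockLogging|contains:`, but no such field exists in the 4104 script block event; every other ps_script rule in this diff matches on `ScriptBlockText`, so as written this rule cannot fire. Change the key to `ScriptBlockText|contains:`. The logsource also uses `service: powershell` where the sibling script-block rules use `category: ps_script`; if that is deliberate, add a short comment saying why, otherwise align it with `category: ps_script` so the same field mapping applies. The `"if(0){{{0}}}' -f $(0 -as [char]) +"` literal with its unbalanced quote appears to be copied verbatim from the referenced write-up; a one-line comment noting that would save the next reviewer from "fixing" it.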
@@ -20,6 +20,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
#4194304 DONT_REQ_PREAUTH
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ext:
ScriptBlockText|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: '.CopyFromScreen'
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1a:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_copy:
ScriptBlockText|contains|all:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'New-LocalUser'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.DirectoryServices.AccountManagement
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Start-Dnscat2'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_kiddie:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Enable-PSRemoting '
@@ -19,7 +19,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: #Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ date: 2022/12/23
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_import:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
- ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_iex:
- ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_basic:
ScriptBlockText|contains: 'Get-Keystrokes'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -21,9 +21,10 @@ references:
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/02
modified: 2023/01/05
tags:
- attack.execution
- attack.discovery
@@ -38,15 +39,18 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Do-Exfiltration'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
@@ -64,6 +68,12 @@ detection:
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
@@ -211,6 +221,7 @@ detection:
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
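Review bot: `New-InMemoryModule`, added at the end of the list, is the PSReflect helper that, as far as I know, is copied into a large number of scripts beyond PowerSploit, including legitimate administrative and monitoring scripts that need P/Invoke, so it is likely to raise this rule's false-positive rate more than the other new entries (`Get-RemoteBootKey`, `Get-RemoteLSAKey`, `Get-RemoteLocalAccountHash`, …), which are specific to the DAMP reference added at the top. Consider moving it to a lower-level companion rule, or at least documenting the exposure, e.g. `- Legitimate scripts embedding the PSReflect library (New-InMemoryModule)` under `falsepositives`. The rule's `falsepositives` and `level` fields are outside these hunks, so I cannot tell whether this is already covered.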
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_path:
ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PromptForCredential'
