Merge branch 'master' into rule-devel

Florian Roth
2023-01-09 09:56:21 +01:00
committed by GitHub
300 changed files with 1505 additions and 527 deletions
@@ -20,7 +20,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -0,0 +1,27 @@
title: Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging
id: fa2559c8-1197-471d-9cdd-05a0273d4522
related:
- id: 92a974db-ab84-457f-9ec0-55db83d7a825
type: similar
status: experimental
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali
date: 2023/01/04
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: windows
service: powershell
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockLogging|contains:
- "if(0){{{0}}}' -f $(0 -as [char]) +"
- "#<NULL>"
condition: selection
falsepositives:
- Unknown
level: medium
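Review bot: The selection key `ScriptBlockLogging|contains:` names a field that no other rule in this commit matches on; every sibling script-block rule on this page selects `ScriptBlockText` (e.g. the `ScriptBlockText|contains|all:` selections above), which is the field carrying the script content in script block events, so as written this rule would most likely never fire. Change the key to `ScriptBlockText|contains:`. The logsource also pairs `service: powershell` with no event selector while the sibling rules use `category: ps_script`; if the intent is the same 4104 script-block source, `category: ps_script` keeps it consistent with the rest of the set, but that may be deliberate — confirm against the repository's logsource conventions.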
@@ -20,6 +20,7 @@ tags:
logsource:
product: windows
service: powershell
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
#4194304 DONT_REQ_PREAUTH
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ext:
ScriptBlockText|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: '.CopyFromScreen'
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1a:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains: Clear-History
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_copy:
ScriptBlockText|contains|all:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'New-LocalUser'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.DirectoryServices.AccountManagement
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Start-Dnscat2'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_kiddie:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Enable-PSRemoting '
@@ -19,7 +19,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: #Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ date: 2022/12/23
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -11,7 +11,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_import:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
- ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_iex:
- ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_basic:
ScriptBlockText|contains: 'Get-Keystrokes'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -21,9 +21,10 @@ references:
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/02
modified: 2023/01/05
tags:
- attack.execution
- attack.discovery
@@ -38,15 +39,18 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Do-Exfiltration'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
@@ -64,6 +68,12 @@ detection:
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
@@ -211,6 +221,7 @@ detection:
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
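Review bot: Some of the cmdlet names added to the `ScriptBlockText|contains:` list in this file look generic enough to match benign scripts under a plain substring match: `New-InMemoryModule` appears to be the PSReflect helper that is embedded in many third-party PowerShell modules, not only offensive ones, and `Check-VM` is a short token. If they are kept, consider recording the expected benign sources in the rule's `falsepositives` section (outside these hunks) or moving the most generic entries into a separate selection with a lower level. Which list entries are new cannot be read with certainty from this page since the +/- markers are lost; the hunk counts indicate three additions in the second hunk, six in the third and one in the fourth. The definition rewording and the added DAMP reference look fine.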
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_path:
ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
@@ -18,7 +18,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PromptForCredential'
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PSAsyncShell'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PS ATTACK!!!'
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_1:
ScriptBlockText|contains|all:
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage'
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
@@ -15,7 +15,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
cmdlet:
ScriptBlockText|contains: 'Set-ExecutionPolicy'
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'AAAAYInlM'
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_compspec:
ScriptBlockText|contains|all:
@@ -0,0 +1,33 @@
title: Potential Persistence Via Security Descriptors - ScriptBlock
id: 2f77047c-e6e9-4c11-b088-a3de399524cd
status: experimental
description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
references:
- https://github.com/HarmJ0y/DAMP
author: Nasreddine Bencherchali
date: 2023/01/05
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'win32_Trustee'
- 'win32_Ace'
- '.AccessMask'
- '.AceType'
- '.SetSecurityDescriptor'
ScriptBlockText|contains:
- '\Lsa\JD'
- '\Lsa\Skew1'
- '\Lsa\Data'
- '\Lsa\GBG'
condition: selection
falsepositives:
- Unknown
level: high
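Review bot: The title suffix `- ScriptBlock` differs from the `- ScriptBlockLogging` suffix used by the other rule added in this commit (Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging); pick one naming for rules on this logsource, e.g. `title: Potential Persistence Via Security Descriptors - ScriptBlockLogging`. The detection logic itself reads as intended: both keys under `selection` are combined with AND, so a script must contain all five descriptor-manipulation tokens and at least one of the `\Lsa\` subkeys, and the backslash values are correctly single-quoted so no escape processing applies.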
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
test_2:
ScriptBlockText|contains: get-ADPrincipalGroupMembership
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
webclient:
ScriptBlockText|contains: 'System.Net.WebClient'
@@ -17,7 +17,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_start:
ScriptBlockText|contains: Start-Process
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Export-PfxCertificate'
@@ -16,7 +16,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-GPO
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: Get-Process
@@ -13,7 +13,7 @@ tags:
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
