security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Redcannary Windows Rules

Browse Source
This commit is contained in:
frack113
2022-01-19 20:40:43 +01:00
parent 0ebf540deb
commit caa4c7f977
2 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+28
View File
@@ -0,0 +1,28 @@
title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: experimental
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
author: frack113
date: 2022/01/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
logsource:
product: windows
category: ps_script
detection:
selection:
ScriptBlockText|contains|all:
- New-Object
- '-ComObject'
- MsXml2.ServerXmlHttp
condition: selection
falsepositives:
- legitimate administrative script
level: medium
tags:
- attack.execution
- attack.t1059.001
rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+30
View File
@@ -0,0 +1,30 @@
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: experimental
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
author: frack113
date: 2022/01/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
logsource:
product: windows
category: ps_script
detection:
selection_xml:
ScriptBlockText|contains|all:
- New-Object
- System.Xml.XmlDocument
- .Load
selection_exec:
- IEX
- Invoke-Expression
condition: all of selection_*
falsepositives:
- legitimate administrative script
level: medium
tags:
- attack.execution
- attack.t1059.001