feat: new rules & updates (#4328)

Nasreddine Bencherchali
2023-07-13 10:01:05 +02:00
committed by GitHub
parent 3d2b11ac5f
commit ccec820a01
42 changed files with 869 additions and 314 deletions
@@ -9,7 +9,7 @@ references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Tim Shelton
date: 2020/10/06
modified: 2023/01/09
modified: 2023/06/20
tags:
- attack.execution
- attack.t1059.001
@@ -23,7 +23,7 @@ detection:
ScriptBlockText|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
#- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreateRemoteThread'
@@ -68,10 +68,13 @@ detection:
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_amazon:
filter_optional_amazon:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # aws scripts leverage CreateFile and CloseHandle may filter out these 2 items
ScriptBlockText|contains: 'function Import-SerialPortUtil '
condition: selection and not 1 of filter_*
ScriptBlockText|contains:
- 'function Import-SerialPortUtil '
- 'CloseHandle'
- 'DllImport("KernelBase.dll"'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
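Review bot: The inline comment on the `ScriptBlockText|startswith` line of `filter_optional_amazon` is now stale: it still refers to "these 2 items" (CreateFile and CloseHandle), but the rewritten filter lists three strings, CreateFile is not among them, and `DllImport("KernelBase.dll"` is new. Because this filter is the only thing exempting those API names from a high-level rule, the comment should state what it actually exempts, e.g. `# AWS-provided scripts (Import-SerialPortUtil) legitimately use CloseHandle and P/Invoke into KernelBase.dll`. It is also worth saying explicitly that `startswith` and `contains` inside one Sigma map are AND-ed, so the exemption applies only to scripts carrying the Amazon copyright header; the `filter_optional_` prefix marks the filter as tunable, and a reader deciding whether to keep it needs that anchor spelled out. The `#- 'Advapi32'` entry commented out in the earlier hunk of this file carries no reason either; either remove the line or note why it was disabled, e.g. `#- 'Advapi32' # disabled: <reason>`.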
@@ -6,7 +6,7 @@ references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017/03/05
modified: 2022/12/25
modified: 2023/06/20
tags:
- attack.execution
- attack.t1059.001
@@ -19,12 +19,14 @@ detection:
ScriptBlockText|contains:
- 'AdjustTokenPrivileges'
- 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
#- 'LSA_UNICODE_STRING'
- 'Metasploit'
- 'Microsoft.Win32.UnsafeNativeMethods'
- 'ReadProcessMemory.Invoke'
- 'SE_PRIVILEGE_ENABLED'
- 'LSA_UNICODE_STRING'
- 'Mimikatz'
- 'MiniDumpWriteDump'
- 'PAGE_EXECUTE_READ'
- 'ReadProcessMemory.Invoke'
- 'SE_PRIVILEGE_ENABLED'
- 'SECURITY_DELEGATION'
- 'TOKEN_ADJUST_PRIVILEGES'
- 'TOKEN_ALL_ACCESS'
@@ -35,9 +37,7 @@ detection:
- 'TOKEN_INFORMATION_CLASS'
- 'TOKEN_PRIVILEGES'
- 'TOKEN_QUERY'
- 'Metasploit'
- 'Mimikatz'
condition: selection
falsepositives:
- Unknown
level: high
- Depending on the scripts, this rule might require some initial tunning to fit the environment
level: medium
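Review bot: The added falsepositives entry has a typo, `tunning` should be `tuning`: `- Depending on the scripts, this rule might require some initial tuning to fit the environment`. In the earlier hunk of this file `#- 'LSA_UNICODE_STRING'` appears to be commented out rather than removed and has no explanation; a keyword left commented in a selection is easily re-enabled by accident or puzzled over later, so either drop the line or record the reason inline, e.g. `#- 'LSA_UNICODE_STRING' # disabled: <reason>`. Since the level is lowered from high to medium in the same commit, a one-line comment next to `level: medium` pointing at the new falsepositives entry would make the downgrade self-explanatory.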
@@ -9,9 +9,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/16
modified: 2023/06/05
modified: 2023/06/21
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -22,46 +22,59 @@ logsource:
detection:
selection_options_disabling_preference:
ScriptBlockText|contains: 'Set-MpPreference'
selection_options_disabling_value:
ScriptBlockText|contains:
- ' 1 '
- '$true'
selection_options_disabling_function:
ScriptBlockText|contains:
- 'dbaf'
- 'dbm'
- 'dips'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableRealtimeMonitoring'
- 'DisableRemovableDriveScanning'
- 'DisableScanningMappedNetworkDrivesForFullScan'
- 'DisableScanningNetworkFiles'
- 'DisableScriptScanning'
- 'drdsc'
- 'drtm'
- 'dscrptsc'
- 'dsmndf'
- 'dsnf'
- 'dss'
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_other_default_actions_allow:
ScriptBlockText|contains|all:
- 'Set-MpPreference'
- 'Allow'
ScriptBlockText|contains: 'Set-MpPreference'
selection_other_default_actions_func:
ScriptBlockText|contains:
- 'LowThreatDefaultAction'
- 'ModerateThreatDefaultAction'
- 'HighThreatDefaultAction'
selection_other_use_of_alias:
ScriptBlockText|contains:
- 'ltdefac '
- 'mtdefac '
- 'htdefac '
- 'stdefac '
condition: all of selection_options_disabling_* or 1 of selection_other_*
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
- Legitimate PowerShell scripts
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
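Review bot: Replacing `selection_options_disabling_value` (`' 1 '` / `'$true'`) with the hard-coded `'-<param> $true'` / `'-<param> 1'` strings narrows coverage to one exact spelling: the old `all of selection_options_disabling_*` still matched the colon form PowerShell accepts for every parameter (`Set-MpPreference -DisableRealtimeMonitoring:$true` contains `$true`), whereas none of the new strings match it, and extra whitespace between parameter and value likewise falls outside `contains`. If the narrowing is deliberate to reduce false positives, record that trade-off in a comment above `selection_options_disabling_function`; otherwise add the colon-separated variant for each entry so the regression is closed, as sketched below. The `selection_other_default_actions_func` rewrite (`'HighThreatDefaultAction Allow'` etc.) depends on the same single-space adjacency, so the same decision applies there.
```yaml
    selection_options_disabling_function:
        ScriptBlockText|contains:
            # Both the space- and the colon-separated parameter forms are valid PowerShell
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbaf:$true'
            # … same three variants for each remaining parameter and alias; list otherwise unchanged …
```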