From 79b3c384ef9d48a16b8b524dbcbbdd60a942d0a4 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 6 Jan 2023 14:04:35 +0000
Subject: [PATCH 1/3] FP: import and use of Get-MpComputerStatus and use of aliases not being monitored
---
 .../posh_ps_tamper_defender.yml | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index 6cdeaa8a2..dd1ac2068 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -9,9 +9,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
-author: frack113, elhoim
+author: frack113, elhoim, Tim Shelton (fps, alias support)
 date: 2022/01/16
-modified: 2022/08/05
+modified: 2023/01/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -52,7 +52,22 @@ detection:
 - LowThreatDefaultAction
 - ModerateThreatDefaultAction
 - HighThreatDefaultAction
- condition: all of selection_options_disabling* or selection_default_actions_allow
+ selection_use_of_alias:
+ ScriptBlockText|contains:
+ - ltdefac
+ - mtdefac
+ - htdefac
+ - stdefac
+ filter_alias:
+ # powershell use of Get-MpComputerStatus loads ps1 for management
+ # Host Application = C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -command Get-MpComputerStatus Engine Version = 5.1.17763.3770 Runspace ID = 86662fa7-ad6f-4ead-93a2-267be387d004 Pipeline ID = 6 Command Name = Remove-Variable Command Type = Cmdlet Script Name = Command Path = Sequence Number = 1825 User = HUNT\hawkscan Connected User = Shell ID = Microsoft.PowerShell | Payload=CommandInvocation(Remove-Variable): "Remove-Variable" ParameterBinding(Remove-Variable): name="Scope"; value="local" ParameterBinding(Remove-Variable): name="Confirm"; value="False" ParameterBinding(Remove-Variable): name="Name"; value="PreviousErrCount"
+ ScriptBlockText|contains|all:
+ - "Alias('ltdefac')"
+ - "Alias('mtdefac')"
+ - "Alias('htdefac')"
+ - "Alias('stdefac')"
+
+ condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias and not 1 of filter*
 falsepositives:
 - Legitimate PowerShell scripts
 level: high
From 88308b713c65055f1961de244b077be0ced6bfcc Mon Sep 17 00:00:00 2001
From: "redsand (Tim Shelton)"
Date: Thu, 12 Jan 2023 10:14:14 -0600
Subject: [PATCH 2/3] Update rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
whatever you guys want, im good with. i like @neo23x0 suggestion
Co-authored-by: Florian Roth
---
 .../posh_ps_tamper_defender.yml | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index dd1ac2068..42a46ca0d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -54,18 +54,10 @@ detection:
 - HighThreatDefaultAction
 selection_use_of_alias:
 ScriptBlockText|contains:
- - ltdefac
- - mtdefac
- - htdefac
- - stdefac
- filter_alias:
- # powershell use of Get-MpComputerStatus loads ps1 for management
- # Host Application = C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -command Get-MpComputerStatus Engine Version = 5.1.17763.3770 Runspace ID = 86662fa7-ad6f-4ead-93a2-267be387d004 Pipeline ID = 6 Command Name = Remove-Variable Command Type = Cmdlet Script Name = Command Path = Sequence Number = 1825 User = HUNT\hawkscan Connected User = Shell ID = Microsoft.PowerShell | Payload=CommandInvocation(Remove-Variable): "Remove-Variable" ParameterBinding(Remove-Variable): name="Scope"; value="local" ParameterBinding(Remove-Variable): name="Confirm"; value="False" ParameterBinding(Remove-Variable): name="Name"; value="PreviousErrCount"
- ScriptBlockText|contains|all:
- - "Alias('ltdefac')"
- - "Alias('mtdefac')"
- - "Alias('htdefac')"
- - "Alias('stdefac')"
+ - 'ltdefac '
+ - 'mtdefac '
+ - 'htdefac '
+ - 'stdefac '
 
 condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias and not 1 of filter*
 falsepositives:
From 09b3e43afc96001e736004abacbc0333b00d1b74 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 12 Jan 2023 16:21:58 +0000
Subject: [PATCH 3/3] Removing filter specification in condition
---
 .../powershell/powershell_script/posh_ps_tamper_defender.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index 42a46ca0d..b1d7d2321 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
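Review bot: The trailing space inside each of the four new values `'ltdefac '` through `'stdefac '` is the only thing that now keeps the Defender module script loaded by `Get-MpComputerStatus` (where the names appear as `Alias('ltdefac')`) out of the match, yet nothing in the rule records that, so the next editor who tidies the quotes will re-introduce the false positive this PR set out to remove. A comment above the list such as `# trailing space is deliberate: keeps the Alias('ltdefac') declarations in the Defender module script from matching` would preserve the intent. The values also only cover the space-separated parameter form; PowerShell's `-ltdefac:Allow` style would not be seen by this selection, which I can only judge from the values shown here. It is also worth confirming against the targeted backends that a trailing space in a `contains` value survives untouched, since any whitespace trimming would silently drop the exclusion.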
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -58,8 +58,7 @@ detection:
 - 'mtdefac '
 - 'htdefac '
 - 'stdefac '
-
- condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias and not 1 of filter*
+ condition: all of selection_options_disabling* or selection_default_actions_allow or selection_use_of_alias
 falsepositives:
 - Legitimate PowerShell scripts
 level: high