Merge branch 'master' of https://github.com/Gude5/sigma

rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml

@@ -0,0 +1,26 @@
+title: Powershell Add Name Resolution Policy Table Rule
+id: 4368354e-1797-463c-bc39-a309effbe8d7
+status: experimental
+description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
+references:
+    - https://twitter.com/NathanMcNulty/status/1569497348841287681
+    - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+author: Borna Talebi
+date: 2021/09/14
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Add-DnsClientNrptRule'
+            - '-Namesp'
+            - '-NameSe'
+    condition: selection
+tags:
+    - attack.impact
+    - attack.t1565
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml

@@ -0,0 +1,36 @@
+title: Disable-WindowsOptionalFeature Command PowerShell
+id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
+status: experimental
+author: frack113
+date: 2022/09/10
+description: |
+  Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
+    - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all:
+            - 'Disable-WindowsOptionalFeature'
+            - '-Online'
+            - '-FeatureName'
+    selection_feature:
+        # Add any important windows features
+        ScriptBlockText|contains:
+            - 'Windows-Defender-Gui'
+            - 'Windows-Defender-Features'
+            - 'Windows-Defender'
+            - 'Windows-Defender-ApplicationGuard'
+            #- 'Containers-DisposableClientVM' # Windows Sandbox
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml

@@ -0,0 +1,33 @@
+title: Enable-WindowsOptionalFeature Command PowerShell
+id: 55c925c1-7195-426b-a136-a9396800e29b
+status: experimental
+author: frack113
+date: 2022/09/10
+description: |
+  Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+  Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+references:
+    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_cmd:
+        ScriptBlockText|contains|all:
+            - 'Enable-WindowsOptionalFeature'
+            - '-Online'
+            - '-FeatureName'
+    selection_feature:
+        # Add any unsecure windows features
+        ScriptBlockText|contains:
+            - 'TelnetServer'
+            - 'Internet-Explorer-Optional-amd64'
+            - 'TFTP'
+            - 'SMB1Protocol'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml

@@ -18,131 +18,131 @@ logsource:
     category: ps_script
     definition: Script Block Logging must be enabled
 detection:
-  selection:
-      ScriptBlockText|contains:
-        - Export-PowerViewCSV
-        - Get-IPAddress
-        - Resolve-IPAddress
-        - Convert-NameToSid
-        - ConvertTo-SID
-        - Convert-ADName
-        - ConvertFrom-UACValue
-        - Add-RemoteConnection
-        - Remove-RemoteConnection
-        - Invoke-UserImpersonation
-        - Invoke-RevertToSelf
-        - Request-SPNTicket
-        - Get-DomainSPNTicket
-        - Invoke-Kerberoast
-        - Get-PathAcl
-        - Get-DNSZone
-        - Get-DomainDNSZone
-        - Get-DNSRecord
-        - Get-DomainDNSRecord
-        - Get-NetDomain
-        - Get-Domain
-        - Get-NetDomainController
-        - Get-DomainController
-        - Get-NetForest
-        - Get-Forest
-        - Get-NetForestDomain
-        - Get-ForestDomain
-        - Get-NetForestCatalog
-        - Get-ForestGlobalCatalog
-        - Find-DomainObjectPropertyOutlier
-        - Get-NetUser
-        - Get-DomainUser
-        - New-DomainUser
-        - Set-DomainUserPassword
-        - Get-UserEvent
-        - Get-DomainUserEvent
-        - Get-NetComputer
-        - Get-DomainComputer
-        - Get-ADObject
-        - Get-DomainObject
-        - Set-ADObject
-        - Set-DomainObject
-        - Get-ObjectAcl
-        - Get-DomainObjectAcl
-        - Add-ObjectAcl
-        - Add-DomainObjectAcl
-        - Invoke-ACLScanner
-        - Find-InterestingDomainAcl
-        - Get-NetOU
-        - Get-DomainOU
-        - Get-NetSite
-        - Get-DomainSite
-        - Get-NetSubnet
-        - Get-DomainSubnet
-        - Get-DomainSID
-        - Get-NetGroup
-        - Get-DomainGroup
-        - New-DomainGroup
-        - Find-ManagedSecurityGroups
-        - Get-DomainManagedSecurityGroup
-        - Get-NetGroupMember
-        - Get-DomainGroupMember
-        - Add-DomainGroupMember
-        - Get-NetFileServer
-        - Get-DomainFileServer
-        - Get-DFSshare
-        - Get-DomainDFSShare
-        - Get-NetGPO
-        - Get-DomainGPO
-        - Get-NetGPOGroup
-        - Get-DomainGPOLocalGroup
-        - Find-GPOLocation
-        - Get-DomainGPOUserLocalGroupMapping
-        - Find-GPOComputerAdmin
-        - Get-DomainGPOComputerLocalGroupMapping
-        - Get-DomainPolicy
-        - Get-NetLocalGroup
-        - Get-NetLocalGroupMember
-        - Get-NetShare
-        - Get-NetLoggedon
-        - Get-NetSession
-        - Get-LoggedOnLocal
-        - Get-RegLoggedOn
-        - Get-NetRDPSession
-        - Invoke-CheckLocalAdminAccess
-        - Test-AdminAccess
-        - Get-SiteName
-        - Get-NetComputerSiteName
-        - Get-Proxy
-        - Get-WMIRegProxy
-        - Get-LastLoggedOn
-        - Get-WMIRegLastLoggedOn
-        - Get-CachedRDPConnection
-        - Get-WMIRegCachedRDPConnection
-        - Get-RegistryMountedDrive
-        - Get-WMIRegMountedDrive
-        - Get-NetProcess
-        - Get-WMIProcess
-        - Find-InterestingFile
-        - Invoke-UserHunter
-        - Find-DomainUserLocation
-        - Invoke-ProcessHunter
-        - Find-DomainProcess
-        - Invoke-EventHunter
-        - Find-DomainUserEvent
-        - Invoke-ShareFinder
-        - Find-DomainShare
-        - Invoke-FileFinder
-        - Find-InterestingDomainShareFile
-        - Find-LocalAdminAccess
-        - Invoke-EnumerateLocalAdmin
-        - Find-DomainLocalGroupMember
-        - Get-NetDomainTrust
-        - Get-DomainTrust
-        - Get-NetForestTrust
-        - Get-ForestTrust
-        - Find-ForeignUser
-        - Get-DomainForeignUser
-        - Find-ForeignGroup
-        - Get-DomainForeignGroupMember
-        - Invoke-MapDomainTrust
-        - Get-DomainTrustMapping
-  condition: selection
+    selection:
+        ScriptBlockText|contains:
+            - Export-PowerViewCSV
+            - Get-IPAddress
+            - Resolve-IPAddress
+            - Convert-NameToSid
+            - ConvertTo-SID
+            - Convert-ADName
+            - ConvertFrom-UACValue
+            - Add-RemoteConnection
+            - Remove-RemoteConnection
+            - Invoke-UserImpersonation
+            - Invoke-RevertToSelf
+            - Request-SPNTicket
+            - Get-DomainSPNTicket
+            - Invoke-Kerberoast
+            - Get-PathAcl
+            - Get-DNSZone
+            - Get-DomainDNSZone
+            - Get-DNSRecord
+            - Get-DomainDNSRecord
+            - Get-NetDomain
+            - Get-Domain
+            - Get-NetDomainController
+            - Get-DomainController
+            - Get-NetForest
+            - Get-Forest
+            - Get-NetForestDomain
+            - Get-ForestDomain
+            - Get-NetForestCatalog
+            - Get-ForestGlobalCatalog
+            - Find-DomainObjectPropertyOutlier
+            - Get-NetUser
+            - Get-DomainUser
+            - New-DomainUser
+            - Set-DomainUserPassword
+            - Get-UserEvent
+            - Get-DomainUserEvent
+            - Get-NetComputer
+            - Get-DomainComputer
+            - Get-ADObject
+            - Get-DomainObject
+            - Set-ADObject
+            - Set-DomainObject
+            - Get-ObjectAcl
+            - Get-DomainObjectAcl
+            - Add-ObjectAcl
+            - Add-DomainObjectAcl
+            - Invoke-ACLScanner
+            - Find-InterestingDomainAcl
+            - Get-NetOU
+            - Get-DomainOU
+            - Get-NetSite
+            - Get-DomainSite
+            - Get-NetSubnet
+            - Get-DomainSubnet
+            - Get-DomainSID
+            - Get-NetGroup
+            - Get-DomainGroup
+            - New-DomainGroup
+            - Find-ManagedSecurityGroups
+            - Get-DomainManagedSecurityGroup
+            - Get-NetGroupMember
+            - Get-DomainGroupMember
+            - Add-DomainGroupMember
+            - Get-NetFileServer
+            - Get-DomainFileServer
+            - Get-DFSshare
+            - Get-DomainDFSShare
+            - Get-NetGPO
+            - Get-DomainGPO
+            - Get-NetGPOGroup
+            - Get-DomainGPOLocalGroup
+            - Find-GPOLocation
+            - Get-DomainGPOUserLocalGroupMapping
+            - Find-GPOComputerAdmin
+            - Get-DomainGPOComputerLocalGroupMapping
+            - Get-DomainPolicy
+            - Get-NetLocalGroup
+            - Get-NetLocalGroupMember
+            - Get-NetShare
+            - Get-NetLoggedon
+            - Get-NetSession
+            - Get-LoggedOnLocal
+            - Get-RegLoggedOn
+            - Get-NetRDPSession
+            - Invoke-CheckLocalAdminAccess
+            - Test-AdminAccess
+            - Get-SiteName
+            - Get-NetComputerSiteName
+            - Get-Proxy
+            - Get-WMIRegProxy
+            - Get-LastLoggedOn
+            - Get-WMIRegLastLoggedOn
+            - Get-CachedRDPConnection
+            - Get-WMIRegCachedRDPConnection
+            - Get-RegistryMountedDrive
+            - Get-WMIRegMountedDrive
+            - Get-NetProcess
+            - Get-WMIProcess
+            - Find-InterestingFile
+            - Invoke-UserHunter
+            - Find-DomainUserLocation
+            - Invoke-ProcessHunter
+            - Find-DomainProcess
+            - Invoke-EventHunter
+            - Find-DomainUserEvent
+            - Invoke-ShareFinder
+            - Find-DomainShare
+            - Invoke-FileFinder
+            - Find-InterestingDomainShareFile
+            - Find-LocalAdminAccess
+            - Invoke-EnumerateLocalAdmin
+            - Find-DomainLocalGroupMember
+            - Get-NetDomainTrust
+            - Get-DomainTrust
+            - Get-NetForestTrust
+            - Get-ForestTrust
+            - Find-ForeignUser
+            - Get-DomainForeignUser
+            - Find-ForeignGroup
+            - Get-DomainForeignGroupMember
+            - Invoke-MapDomainTrust
+            - Get-DomainTrustMapping
+    condition: selection
 falsepositives:
     - Should not be any as administrators do not use this tool
 level: high

rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml

@@ -9,15 +9,17 @@ references:
     - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
     - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
-date: 2022/01/07
+date: 2022/09/26
 logsource:
     product: windows
     category: ps_script
     definition: Script block logging must be enabled
 detection:
-    selection_cmdlet:
-        ScriptBlockText|contains: Send-MailMessage
-    condition: selection_cmdlet
+    selection:
+        ScriptBlockText|contains: 'Send-MailMessage'
+    filter:
+        ScriptBlockText|contains: 'CmdletsToExport'
+    condition: selection and not filter
 falsepositives:
     - Legitimate script
 level: medium

rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml

@@ -0,0 +1,35 @@
+title: Powershell Sensitive File Discovery
+id: 7d416556-6502-45b2-9bad-9d2f05f38997
+related:
+    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+      type: derived
+description: Detect adversaries enumerate sensitive files
+references:
+    - https://twitter.com/malmoeb/status/1570814999370801158
+status: experimental
+author: frack113
+date: 2022/09/16
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection_action:
+        ScriptBlockText|contains:
+            - ls
+            - get-childitem
+            - gci
+    selection_recurse:
+        ScriptBlockText|contains: '-recurse'
+    selection_file:
+        ScriptBlockText|contains:
+            - '.pass'
+            - '.kdbx'
+            - '.kdb'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1083

rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml

@@ -0,0 +1,31 @@
+title: Suspicious Eventlog Clear
+id: 0f017df3-8f5a-414f-ad6b-24aff1128278
+related:
+    - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
+      type: derived
+description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs
+references:
+    - https://twitter.com/oroneequalsone/status/1568432028361830402
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
+    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/12
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'Clear-EventLog '
+            - 'Remove-EventLog '
+            - 'Limit-EventLog '
+            - 'Clear-WinEvent '
+    condition: selection
+falsepositives:
+    - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1070.001

rules/windows/powershell/powershell_script/posh_ps_web_request.yml

@@ -10,7 +10,7 @@ references:
     - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2021/10/16
+modified: 2022/09/26
 tags:
     - attack.execution
     - attack.t1059.001
@@ -27,7 +27,9 @@ detection:
             - 'curl '
             - 'Net.WebClient'
             - 'Start-BitsTransfer'
-    condition: selection
+    filter:
+        Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+    condition: selection and not filter
 falsepositives:
     - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
 level: medium