From 6aad923023651383521f931d03bff28bea089d0f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Jun 2022 15:54:40 +0100
Subject: [PATCH 1/3] Fix typo and Update Rule

- Fixed typo in PowerShell definition to "enabled"
- Removed leading space from "/af" flag in "msdt" rule as it can be used without leading space.
---
 .../powershell_script/posh_ps_directorysearcher.yml | 4 ++--
 .../powershell/powershell_script/posh_ps_invoke_nightmare.yml | 2 +-
 .../powershell_script/posh_ps_malicious_commandlets.yml | 2 +-
 .../posh_ps_powerview_malicious_commandlets.yml | 2 +-
 .../posh_ps_shellintel_malicious_commandlets.yml | 2 +-
 .../powershell_script/posh_ps_susp_export_pfxcertificate.yml | 2 +-
 .../powershell_script/posh_ps_susp_getprocess_lsass.yml | 2 +-
 .../powershell_script/posh_ps_susp_zip_compress.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_msdt.yml | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
index f66d4b425..2be2fdf41 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
@@ -9,10 +9,10 @@ author: frack113
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
- ScriptBlockText|contains|all: 
+ ScriptBlockText|contains|all:
 - 'New-Object '
 - 'System.DirectoryServices.DirectorySearcher'
 - '.PropertiesToLoad.Add'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
index 4b0d42d1c..133b02854 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
@@ -10,7 +10,7 @@ author: Max Altgelt, Tobias Michalski
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
 ScriptBlockText|contains: Invoke-Nightmare
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index c554e37bd..ed50e7d63 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -11,7 +11,7 @@ modified: 2022/05/26
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 select_Malicious:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index d72b29a3f..332337938 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -16,7 +16,7 @@ author: Bhabesh Raj
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 3dd0824c5..06c0c193e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -13,7 +13,7 @@ author: Max Altgelt, Tobias Michalski
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index 8030c50e0..d4b0c05ba 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -14,7 +14,7 @@ modified: 2021/08/04
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 PfxCertificate:
 ScriptBlockText|contains: 'Export-PfxCertificate'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 2af43b594..2df04d1f1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -13,7 +13,7 @@ modified: 2021/10/16
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 select_LSASS:
 ScriptBlockText|contains: 'Get-Process lsass'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 8053fe55e..fd0683f26 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enable
+ definition: Script Block Logging must be enabled
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index b646078d9..9d705ac0e 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -19,7 +19,7 @@ detection:
 selection_specific_cmd:
 CommandLine|contains:
 - 'IT_BrowseForFile='
- - ' /af ' # For answer files
+ - '/af ' # For answer files
 condition: all of selection_specific_*
 falsepositives:
 - Unknown

From 7c9210a1191eb329f41b9c601382c03eb3229724 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Jun 2022 15:55:12 +0100
Subject: [PATCH 2/3] Update proc_creation_win_msdt.yml

---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 9d705ac0e..4b9006469 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -8,7 +8,7 @@ references:
 - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
 - https://twitter.com/_JohnHammond/status/1531672601067675648
 date: 2022/05/29
-modified: 2022/05/31
+modified: 2022/06/01
 logsource:
 category: process_creation
 product: windows
From 30225cab11f1802a401dda3d2cfda9530c70877c Mon Sep 17 00:00:00 2001
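Review bot: The new value `'/af '` still carries a trailing space, so the `contains` match in `selection_specific_cmd` only fires when `/af` is followed by a space and misses a command line where the flag is the last token; the commit message says the flag "can be used without leading space", but the same reasoning applies to what follows it. Since `condition: all of selection_specific_*` already requires the other `selection_specific_*` selections (defined outside this hunk) to match, dropping the trailing space, `- '/af' # For answer files`, would be a small widening with the false-positive exposure bounded by those sibling selections; worth confirming against the msdt.exe invocations the rule is meant to cover before changing it. The enclosing `detection:` mapping starts before this hunk.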
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 1 Jun 2022 16:00:43 +0100
Subject: [PATCH 3/3] Update proc_creation_win_msdt.yml

- Add MITRE tag
---
 rules/windows/process_creation/proc_creation_win_msdt.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/windows/process_creation/proc_creation_win_msdt.yml b/rules/windows/process_creation/proc_creation_win_msdt.yml
index 4b9006469..766f65762 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt.yml
@@ -24,3 +24,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1202
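Review bot: The new `tags:` block is appended after `level: high` at the end of the file, whereas the other rules touched in this series (see the `@@ -13,7 +13,7 @@ tags:` hunk header for posh_ps_susp_zip_compress.yml) keep `tags` in the metadata section before `logsource`; placing it there keeps the key order consistent across the repository, which matters for diffability and for any tooling that linted on conventional ordering. YAML mappings are unordered, so the rule parses the same either way and this is a style point only. The `modified:` date was already bumped to 2022/06/01 in the previous patch of the series, so no further date change is needed here.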