From 788ebbafdcffbcd938bc9e0b03c582fd56edf767 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:20:29 +0200 Subject: [PATCH 01/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 .../win_invoke_obfuscation_clip+_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
index a52ce3881..b33bf0cb8 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
+modified: 2020/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From f0d1c9aa7dd89cad114c83a89cbb2c85e0db9939 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:26:08 +0200 Subject: [PATCH 02/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ...win_invoke_obfuscation_stdin+_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
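Review bot: The `modified` stamp added in the first hunk reads `+modified: 2020/05/27`, which predates the rule's own `date: 2020/10/13` and disagrees with the commit date and with every other patch in this series, which write `2021/05/27`. This looks like a typo rather than intent, and a sigma rule whose last-modified date is earlier than its creation date will confuse anyone auditing rule history. Change the line to `modified: 2021/05/27`.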
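Review bot: The `driver_load` document in the second hunk now gets `selection_eventid` with `EventID: 6`, but the global `selection` it is ANDed with matches on `ImagePath`, and as far as I recall Sysmon event 6 (driver loaded) exposes the path as `ImageLoaded`, so that document can only fire if the backend's field mapping renames it; the same caveat applies to the Security 4697 document, where the path field is `ServiceFileName`. Unless such a mapping exists for these logsources, the rule silently covers only the System 7045 path while its metadata suggests three sources. Either confirm the mapping or add a comment above the `driver_load` document such as `# NOTE: the global selection keys on ImagePath; confirm the field mapping for this logsource before relying on it`. The equivalent hunks in patches 02 through 10 carry the same change.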
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
index b11a25f94..3e8313bf7 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From 417da3ac9581289203f779f243c14ebcd44c8c9b Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:28:06 +0200 Subject: [PATCH 03/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 .../win_invoke_obfuscation_var+_services.yml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
index 0e1bca20f..d598d7f7e 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
 logsource:
- product: windows
- service: security
+ product: windows
+ service: security
 detection:
- selection:
- EventID: 4697
+ selection_eventid:
+ EventID: 4697
From ce53a5a67bf73b9819272fabb2a2adc098e3f4d1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:30:00 +0200 Subject: [PATCH 04/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ...voke_obfuscation_via_compress_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
index 17f200b4a..9664661b0 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@@ -18,22 +19,25 @@ level: medium
 detection:
 selection:
 - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From 8d8df10687061948027eac7b41459de78abebaae Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:31:57 +0200 Subject: [PATCH 05/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ...invoke_obfuscation_via_rundll_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
index 4ec340f8d..fcf7920ee 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -18,22 +19,25 @@ level: medium
 detection:
 selection:
 - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From cbce61bc8cb428a8dd3593576aee2a5e8ad8cda6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:34:46 +0200 Subject: [PATCH 06/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ..._invoke_obfuscation_via_stdin_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
index 0484fbf5a..df37801a0 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From a878f3b0a5d415d72ba532eb081b4eb8755c749a Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:36:47 +0200 Subject: [PATCH 07/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ...voke_obfuscation_via_use_clip_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
index 565d62e2c..2bb42aec1 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From e4c32c353a97a66eddbacdc7c60fe036de8c0984 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:39:16 +0200 Subject: [PATCH 08/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ...oke_obfuscation_via_use_mshta_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
index 59ad9fee2..9ba4f8960 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From 30cc64a34944f09b2a0c2343ee84fdb52cfa7a22 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:41:19 +0200 Subject: [PATCH 09/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ..._obfuscation_via_use_rundll32_services.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
index 2dcde1d54..84bf36fd0 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -5,6 +5,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
+modified: 2021/05/27
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
@@ -18,22 +19,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
From 2a687009916966ac16cfc9ec7a1a5087610ed254 Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 27 May 2021 09:43:08 +0200 Subject: [PATCH 10/10] use same trick as Invoke-Obfuscation Obfuscated IEX Invocation
---
 ..._invoke_obfuscation_via_var++_services.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
index 42ea9004f..aaa51e80b 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -18,22 +18,25 @@ level: high
 detection:
 selection:
 - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- condition: selection
+ condition: selection and selection_eventid
 ---
 logsource:
 product: windows
 service: system
 detection:
- selection:
+ selection_eventid:
 EventID: 7045
 ---
 logsource:
 product: windows
 category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
 ---
- logsource:
- product: windows
- service: security
- detection:
- selection:
- EventID: 4697
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
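Review bot: Patch 10/10 (win_invoke_obfuscation_via_var++_services.yml) changes the detection logic in the same way as the nine patches before it but, unlike them, does not bump the rule's `modified` field; the diffstat shows 11 insertions against the others' 12, and the single `@@ -18,22 +18,25 @@` hunk confirms no metadata hunk. Consumers that track rule freshness by `modified` would miss that this rule's condition semantics changed. Add `modified: 2021/05/27` after the rule's `date:` line, which sits above this hunk and outside it.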