From aafab2e936a55d4bf12a1fbe65892695d0a8ea08 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:53:18 +0100
Subject: [PATCH] fix: bound keywords to field in multiple PS rules
Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
---
 .../powershell_malicious_commandlets.yml | 189 +++++++++---------
 .../powershell_malicious_keywords.yml | 41 ++--
 .../powershell_suspicious_download.yml | 5 +-
 ...ershell_suspicious_invocation_specific.yml | 13 +-
 4 files changed, 126 insertions(+), 122 deletions(-)
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index fcc15429f..c01420607 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -14,100 +14,101 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - Invoke-DllInjection
- - Invoke-Shellcode
- - Invoke-WmiCommand
- - Get-GPPPassword
- - Get-Keystrokes
- - Get-TimedScreenshot
- - Get-VaultCredential
- - Invoke-CredentialInjection
- - Invoke-Mimikatz
- - Invoke-NinjaCopy
- - Invoke-TokenManipulation
- - Out-Minidump
- - VolumeShadowCopyTools
- - Invoke-ReflectivePEInjection
- - Invoke-UserHunter
- - Find-GPOLocation
- - Invoke-ACLScanner
- - Invoke-DowngradeAccount
- - Get-ServiceUnquoted
- - Get-ServiceFilePermission
- - Get-ServicePermission
- - Invoke-ServiceAbuse
- - Install-ServiceBinary
- - Get-RegAutoLogon
- - Get-VulnAutoRun
- - Get-VulnSchTask
- - Get-UnattendedInstallFile
- - Get-ApplicationHost
- - Get-RegAlwaysInstallElevated
- - Get-Unconstrained
- - Add-RegBackdoor
- - Add-ScrnSaveBackdoor
- - Gupt-Backdoor
- - Invoke-ADSBackdoor
- - Enabled-DuplicateToken
- - Invoke-PsUaCme
- - Remove-Update
- - Check-VM
- - Get-LSASecret
- - Get-PassHashes
- - Show-TargetScreen
- - Port-Scan
- - Invoke-PoshRatHttp
- - Invoke-PowerShellTCP
- - Invoke-PowerShellWMI
- - Add-Exfiltration
- - Add-Persistence
- - Do-Exfiltration
- - Start-CaptureServer
- - Get-ChromeDump
- - Get-ClipboardContents
- - Get-FoxDump
- - Get-IndexedItem
- - Get-Screenshot
- - Invoke-Inveigh
- - Invoke-NetRipper
- - Invoke-EgressCheck
- - Invoke-PostExfil
- - Invoke-PSInject
- - Invoke-RunAs
- - MailRaider
- - New-HoneyHash
- - Set-MacAttribute
- - Invoke-DCSync
- - Invoke-PowerDump
- - Exploit-Jboss
- - Invoke-ThunderStruck
- - Invoke-VoiceTroll
- - Set-Wallpaper
- - Invoke-InveighRelay
- - Invoke-PsExec
- - Invoke-SSHCommand
- - Get-SecurityPackages
- - Install-SSP
- - Invoke-BackdoorLNK
- - PowerBreach
- - Get-SiteListPassword
- - Get-System
- - Invoke-BypassUAC
- - Invoke-Tater
- - Invoke-WScriptBypassUAC
- - PowerUp
- - PowerView
- - Get-RickAstley
- - Find-Fruit
- - HTTP-Login
- - Find-TrustedDocuments
- - Invoke-Paranoia
- - Invoke-WinEnum
- - Invoke-ARPScan
- - Invoke-PortScan
- - Invoke-ReverseDNSLookup
- - Invoke-SMBScanner
- - Invoke-Mimikittenz
+ Message:
+ - "*Invoke-DllInjection*"
+ - "*Invoke-Shellcode*"
+ - "*Invoke-WmiCommand*"
+ - "*Get-GPPPassword*"
+ - "*Get-Keystrokes*"
+ - "*Get-TimedScreenshot*"
+ - "*Get-VaultCredential*"
+ - "*Invoke-CredentialInjection*"
+ - "*Invoke-Mimikatz*"
+ - "*Invoke-NinjaCopy*"
+ - "*Invoke-TokenManipulation*"
+ - "*Out-Minidump*"
+ - "*VolumeShadowCopyTools*"
+ - "*Invoke-ReflectivePEInjection*"
+ - "*Invoke-UserHunter*"
+ - "*Find-GPOLocation*"
+ - "*Invoke-ACLScanner*"
+ - "*Invoke-DowngradeAccount*"
+ - "*Get-ServiceUnquoted*"
+ - "*Get-ServiceFilePermission*"
+ - "*Get-ServicePermission*"
+ - "*Invoke-ServiceAbuse*"
+ - "*Install-ServiceBinary*"
+ - "*Get-RegAutoLogon*"
+ - "*Get-VulnAutoRun*"
+ - "*Get-VulnSchTask*"
+ - "*Get-UnattendedInstallFile*"
+ - "*Get-ApplicationHost*"
+ - "*Get-RegAlwaysInstallElevated*"
+ - "*Get-Unconstrained*"
+ - "*Add-RegBackdoor*"
+ - "*Add-ScrnSaveBackdoor*"
+ - "*Gupt-Backdoor*"
+ - "*Invoke-ADSBackdoor*"
+ - "*Enabled-DuplicateToken*"
+ - "*Invoke-PsUaCme*"
+ - "*Remove-Update*"
+ - "*Check-VM*"
+ - "*Get-LSASecret*"
+ - "*Get-PassHashes*"
+ - "*Show-TargetScreen*"
+ - "*Port-Scan*"
+ - "*Invoke-PoshRatHttp*"
+ - "*Invoke-PowerShellTCP*"
+ - "*Invoke-PowerShellWMI*"
+ - "*Add-Exfiltration*"
+ - "*Add-Persistence*"
+ - "*Do-Exfiltration*"
+ - "*Start-CaptureServer*"
+ - "*Get-ChromeDump*"
+ - "*Get-ClipboardContents*"
+ - "*Get-FoxDump*"
+ - "*Get-IndexedItem*"
+ - "*Get-Screenshot*"
+ - "*Invoke-Inveigh*"
+ - "*Invoke-NetRipper*"
+ - "*Invoke-EgressCheck*"
+ - "*Invoke-PostExfil*"
+ - "*Invoke-PSInject*"
+ - "*Invoke-RunAs*"
+ - "*MailRaider*"
+ - "*New-HoneyHash*"
+ - "*Set-MacAttribute*"
+ - "*Invoke-DCSync*"
+ - "*Invoke-PowerDump*"
+ - "*Exploit-Jboss*"
+ - "*Invoke-ThunderStruck*"
+ - "*Invoke-VoiceTroll*"
+ - "*Set-Wallpaper*"
+ - "*Invoke-InveighRelay*"
+ - "*Invoke-PsExec*"
+ - "*Invoke-SSHCommand*"
+ - "*Get-SecurityPackages*"
+ - "*Install-SSP*"
+ - "*Invoke-BackdoorLNK*"
+ - "*PowerBreach*"
+ - "*Get-SiteListPassword*"
+ - "*Get-System*"
+ - "*Invoke-BypassUAC*"
+ - "*Invoke-Tater*"
+ - "*Invoke-WScriptBypassUAC*"
+ - "*PowerUp*"
+ - "*PowerView*"
+ - "*Get-RickAstley*"
+ - "*Find-Fruit*"
+ - "*HTTP-Login*"
+ - "*Find-TrustedDocuments*"
+ - "*Invoke-Paranoia*"
+ - "*Invoke-WinEnum*"
+ - "*Invoke-ARPScan*"
+ - "*Invoke-PortScan*"
+ - "*Invoke-ReverseDNSLookup*"
+ - "*Invoke-SMBScanner*"
+ - "*Invoke-Mimikittenz*"
 false_positives:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index d2ec581e6..d553efe23 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -14,26 +14,27 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - AdjustTokenPrivileges
- - IMAGE_NT_OPTIONAL_HDR64_MAGIC
- - Microsoft.Win32.UnsafeNativeMethods
- - ReadProcessMemory.Invoke
- - SE_PRIVILEGE_ENABLED
- - LSA_UNICODE_STRING
- - MiniDumpWriteDump
- - PAGE_EXECUTE_READ
- - SECURITY_DELEGATION
- - TOKEN_ADJUST_PRIVILEGES
- - TOKEN_ALL_ACCESS
- - TOKEN_ASSIGN_PRIMARY
- - TOKEN_DUPLICATE
- - TOKEN_ELEVATION
- - TOKEN_IMPERSONATE
- - TOKEN_INFORMATION_CLASS
- - TOKEN_PRIVILEGES
- - TOKEN_QUERY
- - Metasploit
- - Mimikatz
+ Message:
+ - "*AdjustTokenPrivileges*"
+ - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
+ - "*Microsoft.Win32.UnsafeNativeMethods*"
+ - "*ReadProcessMemory.Invoke*"
+ - "*SE_PRIVILEGE_ENABLED*"
+ - "*LSA_UNICODE_STRING*"
+ - "*MiniDumpWriteDump*"
+ - "*PAGE_EXECUTE_READ*"
+ - "*SECURITY_DELEGATION*"
+ - "*TOKEN_ADJUST_PRIVILEGES*"
+ - "*TOKEN_ALL_ACCESS*"
+ - "*TOKEN_ASSIGN_PRIMARY*"
+ - "*TOKEN_DUPLICATE*"
+ - "*TOKEN_ELEVATION*"
+ - "*TOKEN_IMPERSONATE*"
+ - "*TOKEN_INFORMATION_CLASS*"
+ - "*TOKEN_PRIVILEGES*"
+ - "*TOKEN_QUERY*"
+ - "*Metasploit*"
+ - "*Mimikatz*"
 condition: keywords
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index ad8ff90b6..a56980438 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -10,8 +10,9 @@ logsource:
 service: powershell
 detection:
 keywords:
- - 'System.Net.WebClient).DownloadString('
- - 'system.net.webclient).downloadfile('
+ Message:
+ - '*System.Net.WebClient).DownloadString(*'
+ - '*system.net.webclient).downloadfile(*'
 condition: keywords
 falsepositives:
 - PowerShell scripts that download content from the Internet
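Review bot: Binding the list to `Message` assumes the field mapping for `service: powershell` exposes the logged script text under that name, and nothing in the rule records that assumption; the hunk's own `definition` context line recommends Script Block Logging (event 4104), where as far as I recall the script content sits in a dedicated ScriptBlockText field of the event XML, so whether `Message` covers it depends on the log pipeline and sigma config — verify against the backend in use. Unlike the previous unbound keyword search, a missing or differently named field makes this rule silently match nothing rather than degrade. A one-line comment above `Message:`, e.g. `# relies on the backend mapping for service: powershell (4103 Payload / 4104 ScriptBlockText); unbound keywords were searched event-wide`, would make the dependency visible to whoever maintains the config.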
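Review bot: Both new patterns require the `System.` namespace prefix (`*System.Net.WebClient).DownloadString(*`), so the very common short form `(New-Object Net.WebClient).DownloadString(` does not match, while the invocation_specific rule touched by this same commit matches `Net.WebClient).Download` without the prefix — the two rules now disagree on the same cradle. Since the leading `*` already absorbs any prefix, dropping `System.` is strictly broader and still matches the fully qualified form: `- '*Net.WebClient).DownloadString(*'` and `- '*Net.WebClient).DownloadFile(*'`. Sigma string matching is case-insensitive by default, so the all-lowercase second entry gains nothing over consistent casing and only reads as if case mattered.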
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 84ddfe55c..5e7aae6c3 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -10,12 +10,13 @@ logsource:
 service: powershell
 detection:
 keywords:
- - ' -nop -w hidden -c * [Convert]::FromBase64String'
- - ' -w hidden -noni -nop -c "iex(New-Object'
- - ' -w hidden -ep bypass -Enc'
- - 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- - 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- - 'iex(New-Object Net.WebClient).Download'
+ Message:
+ - '* -nop -w hidden -c * [Convert]::FromBase64String*'
+ - '* -w hidden -noni -nop -c "iex(New-Object*'
+ - '* -w hidden -ep bypass -Enc*'
+ - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
+ - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
+ - '*iex(New-Object Net.WebClient).Download*'
 condition: keywords
 falsepositives:
 - Penetration tests
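Review bot: The patterns in this rule have to stay single-quoted, which the hunk does, but the two commandlet/keyword rules in this same commit switched to double quotes, so a later quoting harmonisation across the folder would break `'*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'`: in double-quoted YAML `\r` becomes a carriage return and `\s`, `\m`, `\w` and `\c` are invalid escape sequences that fail to parse. A comment above `Message:` such as `# keep single quotes: the backslashes in the registry path must stay literal` guards against that. The leading space inside `'* -w hidden -ep bypass -Enc*'` and its siblings is load-bearing (it anchors on a separate `-w` argument) and is easy to lose in a whitespace-normalising editor, so the same comment could mention it.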