diff --git a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml
index 4599517b9..7c600eb97 100644
--- a/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detecting use WinAPI Functions in PowerShell
 author: Nikita Nazarov, oscd.community
 date: 2020/10/06
-modified: 2021/08/04
+modified: 2021/10/16
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 tags:
@@ -13,11 +13,10 @@ tags:
 - attack.t1106
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains:
 - 'WaitForSingleObject'
 - 'QueueUserApc'
diff --git a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
index af2ba36ae..799b4e99c 100644
--- a/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
@@ -11,13 +11,13 @@ tags:
 - attack.t1059.001
 author: Bhabesh Raj
 date: 2021/07/16
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains:
 - 'Function Get-ADRExcelComOb'
 - 'ADRecon-Report.xlsx' #Default
diff --git a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
index d19a88eac..a56e163cb 100644
--- a/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
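Review bot: Dropping `EventID: 4104` from the selection moves the event-id constraint out of the rule and into whatever logsource mapping the consuming backend has for `category: ps_script`; the hunk cannot show that mapping, and a config without it would presumably turn this into a bare `ScriptBlockText` match over every PowerShell event, which is a wider net than before. The shared `definition:` line is the natural place to record that dependency, e.g. `definition: Script block logging must be enabled; EventID 4104 is supplied by the ps_script logsource mapping`. The same consideration applies to every `service: powershell` → `category: ps_script` hunk in this commit, so it only needs settling once.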
+++ b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
@@ -3,6 +3,7 @@ id: c1dda054-d638-4c16-afc8-53e007f3fbc5
 status: experimental
 author: frack113
 date: 2021/07/28
+modified: 2021/10/16
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
@@ -11,11 +12,9 @@ tags:
 - attack.t1119
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
- selection_eventid:
- EventID: 4104
 selection_ext:
 ScriptBlockText|contains:
 - '.doc'
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
index 054cd341e..24dd5f709 100644
--- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
@@ -4,7 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
-modified: 2021/05/21
+modified: 2021/10/16
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
 - https://twitter.com/bohops/status/948061991012327424
@@ -13,11 +13,10 @@ tags:
 - attack.t1216
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'CL_Invocation.ps1'
 - 'SyncInvoke'
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
index 7bce506c2..4a05379f0 100644
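Review bot: The powershell_automated_collection.yml hunk deletes the whole `selection_eventid` selection, but the rule's `condition:` line lies outside the hunk, so the diff does not show whether a `selection_eventid and …` reference was removed with it; if the condition still names it, the rule no longer compiles. The same shape recurs in powershell_detect_vm_env.yml (`selection_id`) and powershell_ntfs_ads_access.yml (`event`), whose conditions are also beyond their hunks, whereas powershell_keylogging.yml and powershell_store_file_in_alternate_data_stream.yml show the matching `condition:` rewrite in-hunk, which is the shape I would expect for all three. The `detection:` block continues past the end of this hunk.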
--- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
@@ -4,7 +4,7 @@ description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
-modified: 2021/05/21
+modified: 2021/10/16
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
 - https://twitter.com/bohops/status/948061991012327424
@@ -13,11 +13,10 @@ tags:
 - attack.t1216
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains:
 - 'CL_Invocation.ps1'
 - 'SyncInvoke'
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
index 3430cdd73..8c8880442 100644
--- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
@@ -4,7 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
-modified: 2021/05/21
+modified: 2021/10/16
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
 - https://twitter.com/pabraeken/status/995111125447577600
@@ -13,11 +13,10 @@ tags:
 - attack.t1216
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'CL_Mutexverifiers.ps1'
 - 'runAfterCancelProcess'
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
index ac2c9ed9a..e449b6f6d 100644
--- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
@@ -4,7 +4,7 @@ description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps
 status: experimental
 author: oscd.community, Natalia Shornikova
 date: 2020/10/14
-modified: 2021/05/21
+modified: 2021/10/16
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
 - https://twitter.com/pabraeken/status/995111125447577600
@@ -13,11 +13,10 @@ tags:
 - attack.t1216
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains:
 - 'CL_Mutexverifiers.ps1'
 - 'runAfterCancelProcess'
diff --git a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
index 29961866c..a5b0d2a85 100644
--- a/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
@@ -13,14 +13,13 @@ tags:
 - attack.t1136 # an old one
 author: '@ROxPinTeddy'
 date: 2020/04/11
-modified: 2021/08/04
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains: 'New-LocalUser'
 condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
index 72ba0304a..c556a6603 100644
--- a/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
@@ -4,16 +4,15 @@ status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
-modified: 2021/07/06
+modified: 2021/10/16
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains|all:
 - '-Recurse'
 - '|'
diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
index 250b71feb..42e307279 100644
--- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
@@ -3,6 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 status: experimental
 author: frack113
 date: 2021/08/03
+modified: 2021/10/16
 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
@@ -12,11 +13,9 @@ tags:
 - attack.t1497.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: EnableScriptBlockLogging must be set to enable
 detection:
- selection_id:
- EventID: 4104
 selection_action:
 ScriptBlockText|contains: Get-WmiObject
 selection_module:
diff --git a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
index bfe388a4c..69132d3f9 100644
--- a/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
@@ -4,7 +4,7 @@ description: Dnscat exfiltration tool execution
 status: experimental
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
-modified: 2020/08/24
+modified: 2021/10/16
 tags:
 - attack.exfiltration
 - attack.t1048
@@ -13,11 +13,10 @@ tags:
 - attack.t1086 # an old one
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains: "Start-Dnscat2"
 condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
index a9d9036af..b64792133 100644
--- a/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
@@ -6,16 +6,16 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
 author: 'Bartlomiej Czyz @bczyz1, oscd.community'
 date: 2020/10/10
+modified: 2021/10/16
 tags:
 - attack.exfiltration
 - attack.t1048.003
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'New-Object'
 - 'System.Net.NetworkInformation.Ping'
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
index 553f535eb..5ad5d0275 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
@@ -3,17 +3,16 @@ id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
 status: test
 description: Detects Commandlet name for PrintNightmare exploitation.
 date: 2021/08/09
-modified: 2021/08/31
+modified: 2021/10/16
 references:
 - https://github.com/calebstewart/CVE-2021-1675
 author: Max Altgelt, Tobias Michalski
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script Block Logging must be enable
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains: Invoke-Nightmare
 condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
index 3d0f3df1c..b4aa1b056 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
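Review bot: In the powershell_invoke_nightmare.yml hunk the logsource block being rewritten keeps `definition: Script Block Logging must be enable`, which reads as a typo beside the `Script block logging must be enabled` wording the other rules in this commit use; since the neighbouring `service:`/`category:` lines are already being touched, it is the right moment to align it to `definition: Script block logging must be enabled`. The same wording appears in the logsource hunks of powershell_malicious_commandlets.yml, powershell_powerview_malicious_commandlets.yml and powershell_shellintel_malicious_commandlets.yml. This is a wording point only; no detection logic is affected.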
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
index 687ea8027..370d23f63 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: "Detects all variations of obfuscated powershell IEX invocation cod
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
-modified: 2021/10/07
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -13,12 +13,10 @@ tags:
 - attack.t1086 #an old one
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
- selection_1:
- EventID: 4104
- selection_2:
+ selection_iex:
 - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
 - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
 - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@@ -26,7 +24,7 @@ detection:
 - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
 - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
 - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
- condition: selection_1 and selection_2
+ condition: selection_iex
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
index 2cb8ef018..334e424a2 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
index c0460b5fc..ae25eadb5 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
index 3151cae7c..3a4a52312 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
index b17ab8904..e4d2ad84b 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
index c2b5f1276..73cfb7ba5 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
index 9205a2544..d2898f76c 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
index d64558785..87a4ae6dc 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
index 516fc3fc8..b910c0837 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
index cec226f8a..b81f4aa08 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/10/07
+modified: 2021/10/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -14,11 +14,10 @@ tags:
 - attack.t1059.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- EventID: 4104
 ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
 condition: selection_4104
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
index 822745614..6e2b8b568 100644
--- a/rules/windows/powershell/powershell_script/powershell_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
@@ -3,6 +3,7 @@ id: 34f90d3c-c297-49e9-b26d-911b05a4866c
 status: experimental
 author: frack113
 date: 2021/07/30
+modified: 2021/10/16
 description: Adversaries may log user keystrokes to intercept credentials as the user types them.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
@@ -12,18 +13,16 @@ tags:
 - attack.t1056.001
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: EnableScriptBlockLogging must be set to enable
 detection:
- selection_id:
- EventID: 4104
 selection_basic:
 ScriptBlockText|contains: 'Get-Keystrokes'
 selection_high: # want to run in background and keyboard
 ScriptBlockText|contains|all:
 - 'Get-ProcAddress user32.dll GetAsyncKeyState'
 - 'Get-ProcAddress user32.dll GetForegroundWindow'
- condition: selection_id and (selection_basic or selection_high)
+ condition: selection_basic or selection_high
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 34c4ccb08..8b414ae90 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -10,14 +10,13 @@ tags:
 - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
-modified: 2021/08/21
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script Block Logging must be enable
 detection:
 select_Malicious:
- EventID: 4104
 ScriptBlockText|contains:
 - "Invoke-DllInjection"
 - "Invoke-Shellcode"
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
index 071f37257..c8c392434 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
@@ -10,14 +10,13 @@ tags:
 - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
-modified: 2021/08/21
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 Malicious:
- EventID: 4104
 ScriptBlockText|contains:
 - "AdjustTokenPrivileges"
 - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
diff --git a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
index 79ef1050f..f4ec3937c 100644
--- a/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
@@ -3,6 +3,7 @@ id: cd185561-4760-45d6-a63e-a51325112cae
 status: experimental
 description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
 date: 2021/09/21
+modified: 2021/10/16
 references:
 - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
 tags:
@@ -10,11 +11,10 @@ tags:
 author: Max Altgelt
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 dump:
- EventID: 4104
 ScriptBlockText|contains|all:
 - 'Get-StorageDiagnosticInfo'
 - '-IncludeLiveDump'
diff --git a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
index 90b3e7a76..91dda5050 100644
--- a/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
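Review bot: In the powershell_malicious_keywords.yml hunk the `definition:` still phrases script block logging as a recommendation (`'It is recommended to use the new "Script Block Logging" of PowerShell v5 …'`), but once `category: ps_script` replaces the explicit `EventID: 4104` selector the rule only has meaning when that logging is on, so the line now understates a hard requirement. Suggest `definition: Script block logging must be enabled`, matching the sibling rules in this commit, and moving the adsecurity URL into `references:` if it is worth keeping. The `Malicious:` selection and the rule's condition continue past the end of the hunk.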
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 date: 2019/05/16
-modified: 2021/08/21
+modified: 2021/10/16
 references:
 - https://github.com/samratashok/nishang
 tags:
@@ -13,11 +13,10 @@ tags:
 author: Alec Costello
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 Nishang:
- EventID: 4104
 ScriptBlockText|contains:
 - Add-ConstrainedDelegationBackdoor
 - Set-DCShadowPermissions
diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
index 1c6f30184..f298d3d4d 100644
--- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
@@ -14,14 +14,12 @@ tags:
 - attack.t1086 # an old one
 author: Sami Ruohonen
 date: 2018/07/24
-modified: 2021/08/21
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
- event:
- EventID: 4104
 content:
 ScriptBlockText|contains:
 - "set-content"
diff --git a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
index 1b2b74546..d72b29a3f 100644
--- a/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
@@ -3,7 +3,7 @@ id: dcd74b95-3f36-4ed9-9598-0490951643aa
 status: experimental
 description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
 date: 2021/05/18
-modified: 2021/08/21
+modified: 2021/10/16
 references:
 - https://powersploit.readthedocs.io/en/stable/Recon/README
 - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
@@ -15,11 +15,10 @@ tags:
 author: Bhabesh Raj
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script Block Logging must be enable
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains:
 - Export-PowerViewCSV
 - Get-IPAddress
diff --git a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
index b3d5e7133..a795e8d11 100644
--- a/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
@@ -12,14 +12,13 @@ tags:
 - attack.t1086 # an old one
 author: John Lambert (idea), Florian Roth (rule)
 date: 2017/04/09
-modified: 2021/08/04
+modified: 2021/10/16
 logsource:
 product: windows
- service: powershell
+ category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection:
- EventID: 4104
 ScriptBlockText|contains: 'PromptForCredential'
 condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml
index 8e178cb4e..121446277 100644
--- a/rules/windows/powershell/powershell_script/powershell_psattack.yml
+++ b/rules/windows/powershell/powershell_script/powershell_psattack.yml
@@ -10,14 +10,13 @@ tags:
     - attack.t1086 #an old one
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
-modified: 2021/08/21
+modified: 2021/10/16
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains: 'PS ATTACK!!!'
     condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
index 45ea29091..9cad56ae0 100644
--- a/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
@@ -13,14 +13,13 @@ tags:
     - attack.t1086 #an old one
 author: David Ledbetter (shellcode), Florian Roth (rule)
 date: 2018/11/17
-modified: 2020/12/01
+modified: 2021/10/16
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains: 'AAAAYInlM'
     selection2:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
index 62dfb25f8..3dd0824c5 100644
--- a/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
@@ -3,7 +3,7 @@ id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
 status: experimental
 description: Detects Commandlet names from ShellIntel exploitation scripts.
 date: 2021/08/09
-modified: 2021/08/21
+modified: 2021/10/16
 references:
     - https://github.com/Shellntel/scripts/
 tags:
@@ -12,11 +12,10 @@ tags:
 author: Max Altgelt, Tobias Michalski
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script Block Logging must be enable
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains:
             - Invoke-SMBAutoBrute
             - Invoke-GPOLinks
diff --git a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
index 070ace3c9..c299fe7e3 100644
--- a/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
@@ -3,6 +3,7 @@ id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
 status: experimental
 author: frack113
 date: 2021/09/02
+modified: 2021/10/16
 description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
@@ -11,18 +12,16 @@ tags:
     - attack.t1564.004
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: EnableScriptBlockLogging must be set to enable
 detection:
-    selection_id:
-        EventID: 4104
     selection_compspec:
         ScriptBlockText|contains|all:
             - 'Start-Process'
             - '-FilePath "$env:comspec" '
             - '-ArgumentList '
             - '>'
-    condition: selection_id and selection_compspec
+    condition: selection_compspec
 falsepositives:
     - Unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
index 1073d0a11..8053fe55e 100644
--- a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
@@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/10/09
+modified: 2021/10/16
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -12,11 +12,10 @@ tags:
     - attack.t1074.001
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script Block Logging must be enable
 detection:
     selection_4104:
-        EventID: 4104
         ScriptBlockText|contains|all:
             - 'Compress-Archive '
             - ' -Path '
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
index b39cf109e..0f99583dc 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
@@ -13,11 +13,10 @@ date: 2021/04/23
 modified: 2021/08/04
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script Block Logging must be enable
 detection:
     PfxCertificate:
-        EventID: 4104
         ScriptBlockText|contains: "Export-PfxCertificate"
     condition: PfxCertificate
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
index eccd3337d..2af43b594 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
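Review bot: In the susp_zip_compress hunk the selection is still named `selection_4104` although the only thing that made the name accurate, `-        EventID: 4104`, is what this commit removes; the name now suggests an event-id filter that is not in the rule. A neutral name such as `    selection:` reads correctly after the change, with the matching `condition` line (outside the hunk) renamed in the same commit.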
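Review bot: The export_pfxcertificate hunk changes the logsource and detection but leaves `modified: 2021/08/04` as an unchanged context line, while every other rule in this commit bumps the field to `2021/10/16`. For consistency with the rest of the page it should carry `-modified: 2021/08/04` / `+modified: 2021/10/16` as well.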
@@ -9,14 +9,13 @@ tags:
     - attack.t1003.001
 author: Florian Roth
 date: 2021/04/23
-modified: 2021/08/04
+modified: 2021/10/16
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script Block Logging must be enable
 detection:
     select_LSASS:
-        EventID: 4104
         ScriptBlockText|contains: 'Get-Process lsass'
     condition: select_LSASS
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
index 17910236d..a37fa3fee 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
@@ -3,7 +3,7 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
 status: experimental
 description: Detects keywords that could indicate the use of some PowerShell exploitation framework
 date: 2019/02/11
-modified: 2021/08/30
+modified: 2021/10/16
 author: Florian Roth, Perez Diego (@darkquassar)
 references:
     - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
@@ -16,11 +16,10 @@ tags:
     - attack.t1086 #an old one
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled for 4104
 detection:
     framework:
-        EventID: 4104
         ScriptBlockText|contains:
             - "System.Reflection.Assembly.Load($"
             - "[System.Reflection.Assembly]::Load($"
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
index 18b6b4600..b89413bba 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
@@ -3,6 +3,7 @@ id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
 status: experimental
 author: frack113
 date: 2021/07/21
+modified: 2021/10/16
 description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
@@ -11,11 +12,10 @@ tags:
     - attack.t1114.001
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains:
             - 'Get-Inbox.ps1'
             - 'Microsoft.Office.Interop.Outlook'
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
index 941ef606c..968a3d47f 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
@@ -6,16 +6,16 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020/10/08
+modified: 2021/10/16
 tags:
     - attack.defense_evasion
     - attack.t1070.005
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains:
             - 'Remove-SmbShare'
             - 'Remove-FileShare'
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
index a46b1d1b6..d7468b444 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
@@ -3,6 +3,7 @@ id: a9723fcc-881c-424c-8709-fd61442ab3c3
 status: experimental
 author: frack113
 date: 2021/07/30
+modified: 2021/10/16
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
@@ -11,11 +12,9 @@ tags:
     - attack.t1119
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
-    selection_eventid:
-        EventID: 4104
     selection_action:
         ScriptBlockText|contains:
             - 'Get-Service '
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
index 3cf7777d5..55ce58dd8 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
@@ -3,6 +3,7 @@ id: b26647de-4feb-4283-af6b-6117661283c5
 status: experimental
 author: frack113
 date: 2021/08/23
+modified: 2021/10/16
 description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
@@ -11,11 +12,10 @@ tags:
     - attack.t1120
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains: Win32_PnPEntity
     condition: selection
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
index 5c53560cd..b87e3354a 100644
--- a/rules/windows/powershell/powershell_script/powershell_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
@@ -3,6 +3,7 @@ id: c6438007-e081-42ce-9483-b067fbef33c3
 status: experimental
 author: frack113
 date: 2021/08/03
+modified: 2021/10/16
 description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
@@ -12,11 +13,9 @@ tags:
     - attack.t1070.006
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: EnableScriptBlockLogging must be set to enable
 detection:
-    selection_id:
-        EventID: 4104
     selection_ioc:
         ScriptBlockText|contains:
             - '.CreationTime ='
@@ -25,7 +24,7 @@ detection:
             - '[IO.File]::SetCreationTime'
             - '[IO.File]::SetLastAccessTime'
             - '[IO.File]::SetLastWriteTime'
-    condition: selection_id and selection_ioc
+    condition: selection_ioc
 falsepositives:
     - legitime admin script
 level: medium
diff --git a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
index 58321ba2f..99083248d 100644
--- a/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
+++ b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
@@ -3,6 +3,7 @@ id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
 status: experimental
 author: frack113
 date: 2021/08/18
+modified: 2021/10/16
 description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
@@ -11,11 +12,10 @@ tags:
     - attack.t1546.013
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: EnableScriptBlockLogging must be set to enable
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains|all:
             - 'Add-Content'
             - '$profile'
diff --git a/rules/windows/powershell/powershell_script/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml
index fb66db239..2a6ff8e32 100644
--- a/rules/windows/powershell/powershell_script/powershell_web_request.yml
+++ b/rules/windows/powershell/powershell_script/powershell_web_request.yml
@@ -10,18 +10,17 @@ references:
     - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
 author: James Pemberton / @4A616D6573
 date: 2019/10/24
-modified: 2021/09/21
+modified: 2021/10/16
 tags:
     - attack.execution
     - attack.t1059.001
     - attack.t1086 #an old one
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: 'Script block logging must be enabled'
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains:
             - 'Invoke-WebRequest'
             - 'iwr '
diff --git a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
index eb7f1ed0c..db4941656 100644
--- a/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml
@@ -4,6 +4,7 @@ description: Detects when a user disables the Windows Firewall via a Profile to
 status: experimental
 author: Austin Songer @austinsonger
 date: 2021/10/12
+modified: 2021/10/16
 references:
     - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
     - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
@@ -11,10 +12,9 @@ references:
     - http://woshub.com/manage-windows-firewall-powershell/
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains|all:
             - Set-NetFirewallProfile
             - -Profile
diff --git a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
index d15724be1..9054932c4 100644
--- a/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
@@ -4,16 +4,15 @@ status: experimental
 description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
-modified: 2020/12/01
+modified: 2021/10/16
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains: 'CurrentVersion\Winlogon'
     selection2:
         ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
index 03fa7e18b..65677d9dc 100644
--- a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
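Review bot: The windows_firewall_profile_disabled hunk is the only logsource block on this page without a `definition:` line; every sibling rule records that script block logging must be enabled, and now that `-        EventID: 4104` is gone nothing in this rule tells an operator which audit setting it depends on. I would add `+    definition: Script block logging must be enabled` directly under `+    category: ps_script`, matching the wording used by the other rules in the commit.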
+++ b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
@@ -3,6 +3,7 @@ id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
 status: experimental
 author: frack113
 date: 2021/08/19
+modified: 2021/10/16
 description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
@@ -12,11 +13,9 @@ tags:
     - attack.t1546.003
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: EnableScriptBlockLogging must be set to enable
 detection:
-    selection_id:
-        EventID: 4104
     selection_ioc:
         - ScriptBlockText|contains|all:
             - 'New-CimInstance '
@@ -28,7 +27,7 @@ detection:
             - '-Namespace root/subscription '
             - '-ClassName CommandLineEventConsumer '
             - '-Property ' #is a variable name
-    condition: selection_id and selection_ioc
+    condition: selection_ioc
 falsepositives:
     - Unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
index 9ed475bd9..cc59e9346 100644
--- a/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
@@ -11,14 +11,13 @@ tags:
     - attack.t1086 #an old one
 author: NVISO
 date: 2020/03/26
-modified: 2021/08/30
+modified: 2021/10/16
 logsource:
     product: windows
-    service: powershell
+    category: ps_script
     definition: Script block logging must be enabled
 detection:
     selection:
-        EventID: 4104
         ScriptBlockText|contains:
             - "WMImplant"
             - " change_user "