diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
similarity index 94%
rename from rules/windows/powershell/powershell_alternate_powershell_hosts.yml
rename to rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
index d3ce9723e..fb409b13b 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: ModuleLogging must be enable
+ definition: Module Logging must be enable
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
similarity index 73%
rename from rules/windows/powershell/powershell_bad_opsec_artifacts.yml
rename to rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
index 64bc41c2b..dcb92bd05 100644
--- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -1,5 +1,8 @@
 title: Bad Opsec Powershell Code Artifacts
-id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
+related:
+ - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+ type: derived
 description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
 status: experimental
 references:
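Review bot: The new `definition` text `Module Logging must be enable` is ungrammatical and is applied inconsistently across the split: this hunk and the bad-opsec, clear-history, decompress, get-clipboard and most Invoke-Obfuscation rules get `enable`, while the mshta, VAR++ and zip-compress rules get `enabled`. Since `definition` is the one place an analyst reads what the rule needs before it can fire, pick one wording for the whole directory, e.g. `definition: Module Logging must be enabled`. The same line appears in every `logsource:` hunk of this diff, so a single find-and-replace before merging covers them all.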
@@ -8,7 +11,7 @@ references:
 - https://www.mdeditor.tw/pl/pgRt
 author: 'ok @securonix invrep_de, oscd.community'
 date: 2020/10/09
-modified: 2020/10/09
+modified: 2021/10/07
 tags:
 - attack.execution
 - attack.t1059.001
@@ -16,17 +19,8 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
+ definition: Module Logging must be enable
 detection:
- selection_4104:
- EventID: 4104
- ScriptBlockText|contains:
- - '$DoIt'
- - 'harmj0y'
- - 'mattifestation'
- - '_RastaMouse'
- - 'tifkin_'
- - '0xdeadbeef'
 selection_4103:
 EventID: 4103
 Payload|contains:
@@ -36,7 +30,7 @@ detection:
 - '_RastaMouse'
 - 'tifkin_'
 - '0xdeadbeef'
- condition: selection_4104 or selection_4103
+ condition: selection_4103
 falsepositives:
 - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
 level: critical
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
similarity index 58%
rename from rules/windows/powershell/powershell_clear_powershell_history.yml
rename to rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
index 430e93052..fb57e9607 100644
--- a/rules/windows/powershell/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -1,5 +1,8 @@
 title: Clear PowerShell History
-id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+id: f99276ad-d122-4989-a09a-d00904a5f9d2
+related:
+ - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+ type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
 date: 2019/10/25
@@ -14,22 +17,8 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- selection_2:
- ScriptBlockText|contains:
- - 'del'
- - 'Remove-Item'
- - 'rm'
- ScriptBlockText|contains|all:
- - '(Get-PSReadlineOption).HistorySavePath'
- selection_3:
- ScriptBlockText|contains|all:
- - 'Set-PSReadlineOption'
- - '–HistorySaveStyle'
- - 'SaveNothing'
 selection_4:
 EventID: 4103
 selection_5:
@@ -44,8 +33,7 @@ detection:
 - 'Set-PSReadlineOption'
 - '–HistorySaveStyle'
 - 'SaveNothing'
- condition: selection_1 and ( selection_2 or selection_3 ) or
- selection_4 and ( selection_5 or selection_6 )
+ condition: selection_4 and ( selection_5 or selection_6 )
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
similarity index 70%
rename from rules/windows/powershell/powershell_decompress_commands.yml
rename to rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
index 19028f6a8..e30c7fe3f 100644
--- a/rules/windows/powershell/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -1,8 +1,12 @@
 title: PowerShell Decompress Commands
-id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
+related:
+ - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+ type: derived
 description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.defense_evasion
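Review bot: The retained `selection_6` value `'–HistorySaveStyle'` (context line in the `@@ -44,8 +33,7 @@` hunk of the clear-history rule) appears to start with an en dash rather than an ASCII hyphen, so a `contains|all` match on it would only fire if the logged 4103 payload carried the same non-ASCII character; a parameter typed at a PowerShell prompt is written with `-`. If that is not deliberate, the value should be `- '-HistorySaveStyle'`. The commit keeps this selection as the only remaining path for the `Set-PSReadlineOption` variant, so a silent non-match here loses that coverage entirely; the start of `selection_6` is outside the hunk, so check the rest of the list too.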
@@ -13,15 +17,12 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection1:
- EventID: 4104
- ScriptBlockText|contains: 'Expand-Archive'
 selection2:
 EventID: 4103
 Payload|contains: 'Expand-Archive'
- condition: selection1 or selection2
+ condition: selection2
 falsepositives:
 - unknown
 level: informational
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
similarity index 70%
rename from rules/windows/powershell/powershell_get_clipboard.yml
rename to rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
index 542c432c5..2902ece65 100644
--- a/rules/windows/powershell/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -1,8 +1,12 @@
 title: PowerShell Get Clipboard
-id: 5486f63a-aa4c-488d-9a61-c9192853099f
+id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+related:
+ - id: 5486f63a-aa4c-488d-9a61-c9192853099f
+ type: derived
 description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.collection
@@ -13,15 +17,12 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection1:
- EventID: 4104
- ScriptBlockText|contains: 'Get-Clipboard'
 selection2:
 EventID: 4103
 Payload|contains: 'Get-Clipboard'
- condition: selection1 or selection2
+ condition: selection2
 falsepositives:
 - unknown
 level: medium
\ No newline at end of file
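Review bot: Both the decompress and get-clipboard rules still end without a trailing newline (`\ No newline at end of file` after `level: informational` and `level: medium`), as do the CLIP+, STDIN+, VAR+ and COMPRESS rules further down. Since every one of these files is being rewritten and renamed here anyway, terminating the last line would make yamllint's `new-line-at-end-of-file` check pass and keep future diffs from touching the `level:` line spuriously. This is a style point only; the rule logic in the hunk is consistent with the module-logging-only split.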
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
similarity index 62%
rename from rules/windows/powershell/powershell_invoke_obfuscation_clip.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index 45c57fa3b..a203d470d 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation CLIP+ Launcher
-id: 73e67340-0d25-11eb-adc1-0242ac120002
+id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
+related :
+ - id: 73e67340-0d25-11eb-adc1-0242ac120002
+ type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
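Review bot: The added key in the CLIP+ rule is written `related :` with a space before the colon, unlike `related:` in every other file of this diff. YAML parsers trim the trailing space of a plain-scalar key so most loaders will still read it as `related`, but yamllint's `colons` rule rejects it and some strict schema checks may not normalise it. Change the added line to `+related:` to match the sibling rules.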
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
similarity index 59%
rename from rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index 94164d372..2dcd9ad2c 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -1,10 +1,13 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation
-id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+id: 2f211361-7dce-442d-b78a-c04039677378
+related:
+ - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+ type: derived
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
-modified: 2020/08/24
+modified: 2021/10/07
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -14,18 +17,8 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- selection_2:
- - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
- - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
- - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
 selection_3:
 EventID: 4103
 selection_4:
@@ -36,7 +29,7 @@ detection:
 - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
 - Payload|re: '\$VerbosePreference\.ToString\('
 - Payload|re: '\String\]\s*\$VerbosePreference'
- condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
+ condition: selection_3 and selection_4
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
similarity index 63%
rename from rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
index a8b5d3432..d531c87e4 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -1,5 +1,8 @@
 title: Invoke-Obfuscation STDIN+ Launcher
-id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
+related:
+ - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+ type: derived
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@@ -14,15 +17,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
similarity index 61%
rename from rules/windows/powershell/powershell_invoke_obfuscation_var.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index f84762624..6f187cfbd 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -1,5 +1,8 @@
 title: Invoke-Obfuscation VAR+ Launcher
-id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
+related:
+ - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+ type: derived
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
@@ -14,15 +17,11 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103
-detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
- selection_2:
+ definition: Module Logging must be enable
+ selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
similarity index 61%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
index 165d13d29..e4f1400ce 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
-id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
+related:
+ - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+ type: derived
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
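Review bot: The VAR+ hunk (`@@ -14,15 +17,11 @@`) deletes the top-level `detection:` line (`-detection:`) together with the 4104 selection and does not add it back; the old/new line counts of 15 and 11 confirm the new file has no `detection` key. The added `+  selection_4103:` and `+  condition: selection_4103` therefore sit at the same indentation as `definition:` and become children of `logsource:`, so the rule will fail schema validation or, at best, compile with no detection at all. The fix is to keep the key between the two added lines: `+  definition: Module Logging must be enabled`, ` detection:`, `+  selection_4103:`. Every other rule in this diff keeps ` detection:` as a context line, which is the pattern this one should follow.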
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - unknown
 level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
similarity index 64%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
index e47cf4f44..823699781 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
-id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+id: a23791fe-8846-485a-b16b-ca691e1b03d4
+related:
+ - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+ type: derived
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
similarity index 64%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index 330912c96..15c1e5cda 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -1,5 +1,8 @@
 title: Invoke-Obfuscation Via Stdin
-id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
+related:
+ - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+ type: derived
 description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@@ -14,15 +17,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
similarity index 64%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
index 30749fc4e..482721a0f 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -1,5 +1,8 @@
 title: Invoke-Obfuscation Via Use Clip
-id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
+related:
+ - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+ type: derived
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
@@ -14,15 +17,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
similarity index 63%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
index ceaab3492..ab47039d3 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation Via Use MSHTA
-id: e55a5195-4724-480e-a77e-3ebe64bd3759
+id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
+related:
+ - id: e55a5195-4724-480e-a77e-3ebe64bd3759
+ type: derived
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enabled
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
similarity index 63%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
index 445355bc7..deee26edc 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation Via Use Rundll32
-id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+related:
+ - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+ type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009
 tags:
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
similarity index 62%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
index 60a0fe2bb..06d3381a5 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -1,10 +1,13 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: e54f5149-6ba3-49cf-b153-070d24679126
+id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
+related:
+ - id: e54f5149-6ba3-49cf-b153-070d24679126
+ type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/07/15
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -15,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enabled
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- condition: selection_1 or selection_2
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powercat.yml
rename to rules/windows/powershell/powershell_module/powershell_powercat.yml
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
similarity index 90%
rename from rules/windows/powershell/powershell_remote_powershell_session.yml
rename to rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
index 146af6e53..c77953871 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable and fields have to be extract from event
+ definition: Module Logging must be enable
 detection:
 selection:
 EventID: 4103
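Review bot: The remote-session hunk (`@@ -17,7 +17,7 @@`) shortens the `definition` to `Module Logging must be enable` and thereby drops the only hint that fields have to be extracted from the event; the selection body that uses those fields lies outside the hunk, so I cannot confirm it still depends on them, but nothing in this commit changes it. If the selection still matches on values parsed out of the 4103 message rather than native event fields, that prerequisite belongs in `definition`, which is what an analyst reads when the rule does not fire, e.g. `definition: Module Logging must be enabled and fields have to be extracted from the event`. Trimming it only for uniformity with the other files trades away useful deployment guidance.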
diff --git a/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
similarity index 63%
rename from rules/windows/powershell/powershell_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index 98f882e49..ab97eb0d9 100644
--- a/rules/windows/powershell/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -1,9 +1,12 @@
 title: Zip A Folder With PowerShell For Staging In Temp
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+related:
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ related: derived
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/09/30
+modified: 2021/10/09
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -13,7 +16,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
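Review bot: The `related` entry added to the zip-compress rule uses the wrong key for the relation kind: `+    related: derived` where every other file in this diff writes `+    type: derived`. A `related` list item carries `id` and `type`, so a schema check will either reject the unknown `related` key or silently ignore it and leave the link to `b7a3c9a3-09ea-4934-8864-6a32cacd98d9` without a relation type. Change the added line to `+    type: derived`. The `modified: 2021/10/09` date also differs from the `2021/10/07` used by the sibling rules, which looks like a separate edit pass rather than a problem, but is worth confirming.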
@@ -22,14 +25,7 @@ detection:
 - ' -Path '
 - ' -DestinationPath '
 - '$env:TEMP\'
- selection_4104:
- EventID: 4104
- ScriptBlockText|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
- condition: selection_4103 or selection_4104
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: medium