diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
index 6ba0e08f4..c71bb902e 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation CLIP+ Launcher
+id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
-modified: 2021/08/14
+modified: 2021/09/16
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
- condition: selection and selection_eventid
----
-id: f7385ee2-0e0c-11eb-adc1-0242ac120002
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 4edf51e1-cb83-4e1a-bc39-800e396068e3
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
index 077f3e5cb..4a0dbf7ec 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
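Review bot: The ImagePath regex added in the second hunk carries no `(?i)` flag, while the COMPRESS, RUNDLL and Via-* rules in this same commit all start theirs with `(?i)`; on a backend whose regex match is case-sensitive, a 7045 service command line spelled `Cmd /c ... Clip` slips past the lowercase literals `cmd` and `clip`. If case-insensitivity is intended, as the siblings suggest, prefix the pattern: `ImagePath|re: '(?i).*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'`. The new file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file check will flag; the same applies to every file in this commit.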
+++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml
@@ -1,16 +1,19 @@
-action: global
 title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
+modified: 2021/09/16
 tags:
 - attack.defense_evasion
 - attack.t1027
-falsepositives:
- - Unknown
-level: high
+logsource:
+ product: windows
+ service: system
 detection:
+ selection:
+ EventID: 7045
 selection_1:
 - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
 - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
@@ -20,27 +23,6 @@ detection:
 - ImagePath|re: '\$VerbosePreference\.ToString\('
 - ImagePath|re: '\String\]\s*\$VerbosePreference'
 condition: selection and selection_1
----
-id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
-logsource:
- product: windows
- service: system
-detection:
- selection:
- EventID: 7045
----
-id: e75c48bd-3434-4d61-94b7-ddfaa2c08487
-logsource:
- product: windows
- category: driver_load
-detection:
- selection:
- EventID: 6
----
-id: fd0f5778-d3cb-4c9a-9695-66759d04702a
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID: 4697
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
index 0bebb79dc..1df942347 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml
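Review bot: The context line `- ImagePath|re: '\String\]\s*\$VerbosePreference'` kept on the new side of the second hunk looks like a broken pattern that this commit carries forward: `\S` is the non-whitespace character class, so the regex matches any non-space character followed by `tring]` rather than the `[String]` cast I would expect from the referenced Out-ObfuscatedStringCommand block; the likely intent is `- ImagePath|re: '\[String\]\s*\$VerbosePreference'`. None of the selection_1 patterns carry `(?i)` either, so `$pshome` or `$shellid` spellings in a 7045 ImagePath are missed on a case-sensitive backend. The selection_1 list continues between the two hunks, outside this view, so its remaining entries could not be checked.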
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation STDIN+ Launcher
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/08/09
+modified: 2021/09/17
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
- condition: selection and selection_eventid
----
-id: 72862bf2-0eb1-11eb-adc1-0242ac120002
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
index 939ff7258..c94706f07 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
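Review bot: The regex added in the second hunk matches the literal lowercase `powershell` with no `(?i)` flag, unlike the `(?i)`-prefixed patterns of the Via-* rules in this commit, so a service ImagePath of the form `cmd /c ... PowerShell -NoExit ...` is not matched when the backend's regex is case-sensitive; consider `ImagePath|re: '(?i).*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'`. The `noexit` alternative is also far weaker than the `$input` one, so it is worth stating in `falsepositives` that any `cmd /c ... powershell ... -noexit ... "` service command line will raise this high-level alert.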
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2021/08/09
+modified: 2021/09/17
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -12,31 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
- condition: all of them
----
-id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc
-logsource:
- product: windows
- category: process_creation
----
-id: dcf2db1f-f091-425b-a821-c05875b8925a
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
index 1b1b490fa..04f8fbb61 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
@@ -1,5 +1,5 @@
-action: global
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
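Review bot: `condition: all of them` in the VAR+ hunk differs from every sibling rule in this commit, which spell out `condition: selection and selection_eventid`; `all of them` also silently binds any selection added to the rule later, so the explicit form is safer to maintain: `condition: selection and selection_eventid`. As with the CLIP+ and STDIN+ rules, the pattern has no `(?i)` while its literals `cmd` and `set` are lowercase, so mixed-case service command lines are missed on a case-sensitive backend; the `(?:\s|)` fragment is also just `\s?`.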
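Review bot: The COMPRESS rule's first hunk is the only one in this commit that does not bump `modified:` — every other file changes it alongside the new `id:`, while this hunk touches only `-action: global` and `+id: 175997c5-...`. If the rule has a `modified` field below line 5 (not visible here) it should be set to the same date as the sibling rules; if it has none, adding one next to the new `id` keeps the metadata uniform across the set.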
@@ -15,31 +15,12 @@ tags:
 falsepositives:
 - unknown
 level: medium
-detection:
- selection:
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- condition: selection and selection_eventid
----
-id: 175997c5-803c-4b08-8bb0-70b099f47595
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: c70731dd-0097-40ff-b112-f7032f29c16c
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_eventid
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
index 11317dda4..2855fa003 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
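Review bot: After this hunk the COMPRESS rule ends on `condition: selection and selection_eventid` with no trailing newline while `falsepositives:` and `level:` stay above `logsource:`, so its key order differs from the other ten rules in the commit, which all close with `falsepositives:` then `level:`; moving those two keys to the end and terminating the file with a newline would make the set uniform. The kept `- unknown` is also spelled lowercase where every sibling uses `Unknown`. Since the regex fires on any `New-Object ... DeflateStream|StreamReader ... Encoding]::ASCII ... ReadToEnd` service command line, listing benign users of that idiom under `falsepositives` once they are observed would be more useful than the placeholder.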
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: medium
-detection:
- selection:
- ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
- condition: selection and selection_eventid
----
-id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
index 4cc9ee799..f6a21dffb 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Stdin
+id: 487c7524-f892-4054-b263-8a0ace63fc25
 description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
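Review bot: `(?:\s+)?` in the RUNDLL LAUNCHER regex is `\s*` written the long way, and the pattern overlaps the Via Use Rundll32 rule later in this commit, whose `.*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*` prefix matches the same service command line but is rated `high` while this rule stays at `level: medium`; a single 7045 event will therefore raise two alerts of different severity. Either align the two levels or state in `description` which rule is authoritative, and simplify the pattern to `ImagePath|re: '(?i).*rundll32(?:\.exe)?\s*shell32\.dll.*shellexec_rundll.*powershell.*\"'`.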
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
- condition: selection and selection_eventid
----
-id: 487c7524-f892-4054-b263-8a0ace63fc25
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 82b66143-53ee-4369-ab02-de2c70cd6352
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
index 45b5d47b1..a569fc7ae 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
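Review bot: The capturing groups `(set)` and `(environment|invoke|\${?input)` in the Via Stdin regex serve no purpose under a Sigma `|re` modifier and only add backtracking on every 7045 event; non-capturing `(?:...)` groups express the same match. Note also that `\${?input` has no closing `}?`, whereas the STDIN+ Launcher rule in this commit uses `\$\{?input\}?`, and both rules target the same launcher on the same log source, so one service installation will double-alert; a line in `description` or `falsepositives` noting the overlap, or consolidating the two patterns, would help analysts.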
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
- condition: selection and selection_eventid
----
-id: 63e3365d-4824-42d8-8b82-e56810fefa0c
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
index decfefb65..71b54142a 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use MSHTA
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
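Review bot: In the Via Use Clip regex the leading `.*?` and trailing `.*` add nothing to an unanchored search, the `(Clipboard|...)` alternation should be a non-capturing group, and the bare `clip` token has no boundary, so it also matches inside `clipboard` or any path containing that substring; pinning it the way the CLIP+ Launcher rule in this commit does, `clip(?:\.exe)?.{0,4}&&`, keeps the match on the `| clip &&` pipe. That CLIP+ rule and this one both fire on the same 7045 ImagePath, which deserves a note in `description` or `falsepositives` so analysts expect the pair.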
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- condition: selection and selection_eventid
----
-id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: a4e82ad2-7430-4ee8-b858-6ad6099773fa
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
index a095343e2..75b42d484 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
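Review bot: Every parenthesised token in the MSHTA regex — `(set)`, `(&&)`, `(mshta)`, `(vbscript:createobject)`, `(\.run)` — is a capturing group around a plain literal, which buys nothing under a Sigma `|re` modifier and adds backtracking on each 7045 event; the pattern reads the same without them: `ImagePath|re: '(?i).*set.*&&.*mshta.*vbscript:createobject.*\.run.*\(window\.close\).*"'`. If the groups were meant to tolerate the launcher's token casing or spacing, `(?i)` already covers case and the `.*` between tokens covers spacing.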
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- condition: selection and selection_eventid
----
-id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 4e1518d9-2136-4015-ab49-c31d7c8588e1
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
index af6859b6a..7d8bc8d12 100644
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -1,10 +1,10 @@
-action: global
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/08/09
+modified: 2021/09/18
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
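Review bot: `level: high` for this Via Use Rundll32 rule sits next to `level: medium` on the RUNDLL LAUNCHER rule earlier in the same commit, yet both match a 7045 ImagePath containing `rundll32 ... shell32.dll ... shellexec_rundll`, this one merely requiring one of `value|invoke|comspec|iex` afterwards instead of `powershell`; the same service install thus yields two alerts of different severity. Pick one level for the pair, or fold the two patterns into a single rule, and make the alternation non-capturing: `(?:value|invoke|comspec|iex)`.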
@@ -12,34 +12,15 @@ tags:
 - attack.t1027
 - attack.execution
 - attack.t1059.001
-falsepositives:
- - Unknown
-level: high
-detection:
- selection:
- ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- condition: selection and selection_eventid
----
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
 logsource:
 product: windows
 service: system
 detection:
 selection_eventid:
 EventID: 7045
----
-id: 7b9a650e-6788-4fdf-888d-ec7c0a62810d
-logsource:
- product: windows
- category: driver_load
-detection:
- selection_eventid:
- EventID: 6
----
-id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
-logsource:
- product: windows
- service: security
-detection:
- selection_eventid:
- EventID: 4697
+ selection:
+ ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection and selection_eventid
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
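Review bot: The trailing `# FPs with |\/r` comment on the regex line records a known coverage gap as a note-to-self rather than as rule metadata: the pattern accepts only `cmd ... /c`, whereas the CLIP+, STDIN+ and VAR+ rules in this commit accept `(?:\/c|\/r)`, so if the VAR++ launcher can be emitted with `cmd /r` it is deliberately missed here. Put that where analysts will read it, e.g. `description: Detects Obfuscated Powershell via VAR++ LAUNCHER (cmd /c form only; the /r variant is excluded because it produced false positives)`, and add the benign `/r` hits that motivated the exclusion to `falsepositives` instead of leaving `Unknown`.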