Max Altgelt
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
57 lines
1.4 KiB
YAML
57 lines
1.4 KiB
YAML
title: Suspicious PowerShell Invocations - Specific
|
|
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
|
status: experimental
|
|
description: Detects suspicious PowerShell invocation command parameters
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 #an old one
|
|
author: Florian Roth (rule), Jonhnathan Ribeiro
|
|
date: 2017/03/05
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
detection:
|
|
convert_b64:
|
|
- '-nop'
|
|
- ' -w '
|
|
- 'hidden'
|
|
- ' -c '
|
|
- '[Convert]::FromBase64String'
|
|
iex_selection:
|
|
- ' -w '
|
|
- 'hidden'
|
|
- '-noni'
|
|
- '-nop'
|
|
- ' -c '
|
|
- 'iex'
|
|
- 'New-Object'
|
|
enc_selection:
|
|
- ' -w '
|
|
- 'hidden'
|
|
- '-ep'
|
|
- 'bypass'
|
|
- '-Enc'
|
|
reg_selection:
|
|
- 'powershell'
|
|
- 'reg'
|
|
- 'add'
|
|
- 'HKCU\software\microsoft\windows\currentversion\run'
|
|
webclient_selection:
|
|
- 'bypass'
|
|
- '-noprofile'
|
|
- '-windowstyle'
|
|
- 'hidden'
|
|
- 'new-object'
|
|
- 'system.net.webclient'
|
|
- '.download'
|
|
iex_webclient:
|
|
- 'iex'
|
|
- 'New-Object'
|
|
- 'Net.WebClient'
|
|
- '.Download'
|
|
condition: all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient
|
|
falsepositives:
|
|
- Penetration tests
|
|
level: high
|