security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fb167c5698ff01a30d2ada8eaa53c4e2dee2e54a
blue-team-tools/rules/windows/process_creation/win_powershell_cmdline_special_characters.yml
T
Tim Shelton 905d6bf8fd Adding fp filter for ssm-document-worker
2021-12-06 22:02:54 +00:00

42 lines
2.0 KiB
YAML
Raw Blame History

title: Suspicious PowerShell Command Line
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
status: test
description: Detects the PowerShell command lines with special characters
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
date: 2020/10/15
modified: 2021/12/06
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
selection2:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
selection3:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*{.*{.*{.*{.*{.*'
selection4:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
selection5:
Image|endswith: '\powershell.exe'
CommandLine|re: '.*`.*`.*`.*`.*`.*'
filter:
ParentImage:
- C:\Program Files\Amazon\SSM\ssm-document-worker.exe
condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter
falsepositives:
- Unlikely
- Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result)
level: high
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
Reference in New Issue View Git Blame Copy Permalink