rta/powershell_args.py

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.

# Name: Powershell with Suspicious Arguments
# RTA: powershell_args.py
# ATT&CK: T1140
# Description: Calls PowerShell with suspicious command line arguments.

import base64
import os

from . import common
from . import RtaMetadata


metadata = RtaMetadata(
    uuid="5efc844c-0c11-4f84-a904-ada611315298",
    platforms=["windows"],
    endpoint=[],
    siem=[],
    techniques=[]
)


def encode(command):
    return base64.b64encode(command.encode("utf-16le"))


@common.requires_os(metadata.platforms)
def main():
    common.log("PowerShell Suspicious Commands")
    temp_script = os.path.abspath("tmp.ps1")

    # Create an empty script
    with open(temp_script, "w") as f:
        f.write("whoami.exe\nexit\n")

    powershell_commands = [
        ["powershell.exe", "-ExecutionPol", "Bypass", temp_script],
        ["powershell.exe", "iex", "Get-Process"],
        ["powershell.exe", "-ec", encode("Get-Process" + " " * 1000)],
    ]

    for command in powershell_commands:
        common.execute(command)

    common.remove_file(temp_script)


if __name__ == "__main__":
    exit(main())
Populate RTA directory. 2020-06-29 23:07:16 -06:00			`# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`# or more contributor license agreements. Licensed under the Elastic License`
			`# 2.0; you may not use this file except in compliance with the Elastic License`
			`# 2.0.`
Populate RTA directory. 2020-06-29 23:07:16 -06:00
			`# Name: Powershell with Suspicious Arguments`
			`# RTA: powershell_args.py`
			`# ATT&CK: T1140`
			`# Description: Calls PowerShell with suspicious command line arguments.`

			`import base64`
			`import os`

			`from . import common`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`from . import RtaMetadata`


[RTA] Adds RTAs to Windows Rules - 2 (#2628 ) 2023-03-24 10:13:12 -03:00			`metadata = RtaMetadata(`
			`uuid="5efc844c-0c11-4f84-a904-ada611315298",`
			`platforms=["windows"],`
			`endpoint=[],`
			`siem=[],`
			`techniques=[]`
			`)`
Populate RTA directory. 2020-06-29 23:07:16 -06:00

			`def encode(command):`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`return base64.b64encode(command.encode("utf-16le"))`
Populate RTA directory. 2020-06-29 23:07:16 -06:00

Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`@common.requires_os(metadata.platforms)`
Populate RTA directory. 2020-06-29 23:07:16 -06:00			`def main():`
			`common.log("PowerShell Suspicious Commands")`
			`temp_script = os.path.abspath("tmp.ps1")`

			`# Create an empty script`
			`with open(temp_script, "w") as f:`
			`f.write("whoami.exe\nexit\n")`

			`powershell_commands = [`
Release ER Production RTAs to DR (#2270 ) 2022-09-08 12:50:39 -04:00			`["powershell.exe", "-ExecutionPol", "Bypass", temp_script],`
			`["powershell.exe", "iex", "Get-Process"],`
			`["powershell.exe", "-ec", encode("Get-Process" + " " * 1000)],`
Populate RTA directory. 2020-06-29 23:07:16 -06:00			`]`

			`for command in powershell_commands:`
			`common.execute(command)`

			`common.remove_file(temp_script)`


			`if __name__ == "__main__":`
			`exit(main())`