[New Rules] AMSI Bypass (#2473)

* Create defense_evasion_amsi_bypass_powershell.toml

* Create defense_evasion_amsi_bypass_dllhijack.toml

* Update defense_evasion_amsi_bypass_dllhijack.toml
Samirbous
2023-01-26 06:03:53 +00:00
committed by GitHub
parent 1c6e5a3448
commit 2372602c4e
2 changed files with 145 additions and 0 deletions
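--- /dev/null
+++ b/defense_evasion_amsi_bypass_dllhijack.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/01/17"
+integration = ["windows", "endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/17"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an
+attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Antimalware Scan Interface DLL"
+references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
+risk_score = 73
+rule_id = "fa488440-04cc-41d7-9279-539387bf2a17"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where event.action != "deletion" and file.path != null and
+file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll")
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = "DLL Search Order Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"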
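Review bot: The `not file.path :` exclusion in the query covers only the two live copies of amsi.dll, but Windows servicing also writes amsi.dll into the component store under `?:\\Windows\\WinSxS\\*\\amsi.dll` when a cumulative update is installed, so this rule is likely to fire fleet-wide on patch days rather than only on a planted DLL. Widening the exclusion to `not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\Windows\\WinSxS\\*\\amsi.dll")` removes the bulk of that noise; if the endpoint data carries `process.executable`, an additional exclusion for the Windows servicing processes would be worth testing before shipping at severity high. The rule also has no `note` investigation guide: a short one telling the analyst to check the writing process, the file's code signature and whether a process later loaded the DLL from that path would make triage of a true hit much faster. The file name is inferred from the commit message, as the rendered page dropped the file header.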
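--- /dev/null
+++ b/defense_evasion_amsi_bypass_powershell.toml
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/01/17"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/17"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses.
+An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Antimalware Scan Interface Bypass via PowerShell"
+references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
+risk_score = 73
+rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.category :"process" and
+(
+powershell.file.script_block_text :
+(System.Management.Automation.AmsiUtils or
+amsiInitFailed or
+Invoke-AmsiBypass or
+Bypass.AMSI or
+amsi.dll or
+AntimalwareProvider or
+amsiSession or
+amsiContext or
+System.Management.Automation.ScriptBlock or
+AmsiInitialize or
+unloadobfuscated or
+unloadsilent or
+AmsiX64 or
+AmsiX32 or
+FindAmsiFun) or
+powershell.file.script_block_text : ("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
+powershell.file.script_block_text : ("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
+)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"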
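Review bot: The first `powershell.file.script_block_text :` group mixes identifiers that only appear in AMSI-patching code with tokens that legitimate modules and security tooling emit routinely — `System.Management.Automation.ScriptBlock`, `amsi.dll` and `AmsiInitialize` in particular — so at risk_score 73 and severity high the rule will need an exclusion set for known-benign script paths or service accounts before it is usable for alerting rather than hunting; the generic terms could also be moved into a separate lower-severity rule. Quoting is inconsistent within the query: the first group uses bare terms such as `Invoke-AmsiBypass` and `Bypass.AMSI` while the two later groups quote theirs, and quoting every term as a string makes the intended matching explicit and avoids surprises from KQL's unquoted-term parsing of punctuation. As with the sibling rule in this commit, there is no `note` investigation guide; a short one directing the analyst to retrieve the full script block text and the invoking user and parent process would help confirm or dismiss a hit. The file name is inferred from the commit message, as the rendered page dropped the file header.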