[New Rule] Potential PowerShell HackTool Script by Author (#2472)

* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit f85d7482fd)

rules/windows/execution_posh_hacktool_authors.toml

@@ -0,0 +1,96 @@
+[metadata]
+creation_date = "2024/05/08"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2024/05/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box
+offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common
+author handles found in popular PowerShell scripts used for red team exercises.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.powershell*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential PowerShell HackTool Script by Author"
+setup = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+references = [
+    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
+]
+risk_score = 73
+rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+host.os.type:windows and event.category:process and
+  powershell.file.script_block_text : (
+      "mattifestation" or "JosephBialek" or
+      "harmj0y" or "ukstufus" or
+      "SecureThisShit" or "Matthew Graeber" or
+      "secabstraction" or "mgeeky" or
+      "oddvarmoe" or "am0nsec" or
+      "obscuresec" or "sixdub" or
+      "darkoperator" or "funoverip" or
+      "rvrsh3ll" or "kevin_robertson" or
+      "dafthack" or "r4wd3r" or
+      "danielhbohannon" or "OneLogicalMyth" or
+      "cobbr_io" or "xorrior" or
+      "PetrMedonos" or "citronneur" or
+      "eladshamir" or "RastaMouse" or
+      "enigma0x3" or "FuzzySec" or
+      "424f424f" or "jaredhaight" or
+      "fullmetalcache" or "Hubbl3" or
+      "curi0usJack" or "Cx01N" or
+      "itm4n" or "nurfed1" or
+      "cfalta" or "Scott Sutherland" or
+      "_nullbind" or "_tmenochet" or
+      "Boe Prox" or "jaredcatkinson" or
+      "ChrisTruncer" or "monoxgas" or
+      "TheRealWover" or "splinter_code"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+