From 2e270cf78cb6555b57a977c8f8c2e51163f462dc Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 9 May 2024 13:00:41 -0300 Subject: [PATCH] [New Rule] Potential PowerShell HackTool Script by Author (#2472) * [New Rule] Potential PowerShell HackTool Script by Author * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit f85d7482fd6bd5599233358ccdc72e61b837c21f) --- .../execution_posh_hacktool_authors.toml | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 rules/windows/execution_posh_hacktool_authors.toml diff --git a/rules/windows/execution_posh_hacktool_authors.toml b/rules/windows/execution_posh_hacktool_authors.toml new file mode 100644 index 000000000..dc920086f --- /dev/null +++ b/rules/windows/execution_posh_hacktool_authors.toml @@ -0,0 +1,96 @@ +[metadata] +creation_date = "2024/05/08" +integration = ["windows"] +maturity = "production" +updated_date = "2024/05/08" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" + +[rule] +author = ["Elastic"] +description = """ +Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box +offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common +author handles found in popular PowerShell scripts used for red team exercises. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.powershell*"] +language = "kuery" +license = "Elastic License v2" +name = "Potential PowerShell HackTool Script by Author" +setup = """## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", +] +risk_score = 73 +rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0" +severity = "high" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +host.os.type:windows and event.category:process and + powershell.file.script_block_text : ( + "mattifestation" or "JosephBialek" or + "harmj0y" or "ukstufus" or + "SecureThisShit" or "Matthew Graeber" or + "secabstraction" or "mgeeky" or + "oddvarmoe" or "am0nsec" or + "obscuresec" or "sixdub" or + "darkoperator" or "funoverip" or + "rvrsh3ll" or "kevin_robertson" or + "dafthack" or "r4wd3r" or + "danielhbohannon" or "OneLogicalMyth" or + "cobbr_io" or "xorrior" or + "PetrMedonos" or "citronneur" or + "eladshamir" or "RastaMouse" or + "enigma0x3" or "FuzzySec" or + "424f424f" or "jaredhaight" or + "fullmetalcache" or "Hubbl3" or + "curi0usJack" or "Cx01N" or + "itm4n" or "nurfed1" or + "cfalta" or "Scott Sutherland" or + "_nullbind" or "_tmenochet" or + "Boe Prox" or "jaredcatkinson" or + "ChrisTruncer" or "monoxgas" or + "TheRealWover" or "splinter_code" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +