From 3f3328a630cc96b252fea94775cbc53a5bc308be Mon Sep 17 00:00:00 2001
From: Jonhnathan <jonhnathancesar@gmail.com>
Date: Wed, 17 Nov 2021 19:36:40 -0300
Subject: [PATCH] [New Rule] PowerShell Keylogging Script (#1561)

* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 4b6794df32eeddfa1b8d21fd1a5a9a9360daa4ac)
---
 rules/windows/collection_posh_keylogger.toml | 73 ++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 rules/windows/collection_posh_keylogger.toml

diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
new file mode 100644
index 000000000..2f306f5f5
--- /dev/null
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -0,0 +1,73 @@
+[metadata]
+creation_date = "2021/10/15"
+maturity = "production"
+updated_date = "2021/10/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts.
+Attackers use this technique to capture user input, looking for credentials and/or other valuable data.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Keylogging Script"
+references = [
+    "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1",
+    "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1",
+]
+risk_score = 73
+rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and 
+  ( 
+   powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or Get-Keystrokes) or 
+   powershell.file.script_block_text : ((SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or WM_KEYBOARD_LL))
+   )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1056.001"
+    name = "Keylogging"
+    reference = "https://attack.mitre.org/techniques/T1056/001/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1059.001"
+    name = "PowerShell"
+    reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+