From 49854aaae2942ae2accb503e034183dd3fb3d6b5 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 20 Jan 2022 08:56:53 -0300 Subject: [PATCH] [Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610) * Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script * Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule * Add Investigation Guide and Config to "PowerShell MiniDump Script" rule * Add logging policy reference * Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities" * Add Related Rules GUIDs * Add Investigation Guide/config for "Potential Process Injection via PowerShell" * Adjust Response and remediation * Add Investigation Guide/config for "PowerShell Keylogging Script" * bump updated_date * Apply suggestions from Samir Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Apply suggestions * Revise line from investigation guides Co-authored-by: Justin Ibarra Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- .../collection_posh_audio_capture.toml | 50 ++++++++++++++++- rules/windows/collection_posh_keylogger.toml | 49 ++++++++++++++++- .../credential_access_posh_minidump.toml | 53 +++++++++++++++++- ...efense_evasion_posh_process_injection.toml | 52 +++++++++++++++++- ...scovery_posh_suspicious_api_functions.toml | 50 ++++++++++++++++- .../execution_posh_portable_executable.toml | 54 ++++++++++++++++++- 6 files changed, 301 insertions(+), 7 deletions(-) diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index c6c4e2891..2209bbb9e 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2021/11/17" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
@@ -13,6 +13,54 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Suspicious Script with Audio Capture Capabilities" +note = """## Triage and analysis. + +### Investigating PowerShell Suspicious Script with Audio Capture Capabilities + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +Attackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the +computer. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree) +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"] risk_score = 47 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 2f306f5f5..e73e32559 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/10/15" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
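Review bot: The `## Config` text doubles a word and mislabels the setting, and the same lines recur in the keylogger, minidump, process injection, discovery and portable executable hunks: `Steps to implement the logging policy with with Advanced Audit Configuration:` should read `Steps to implement the logging policy with Group Policy:`, since the path that follows (`Computer Configuration > Administrative Templates > Windows PowerShell`) is an Administrative Template setting rather than part of Advanced Audit Policy Configuration. The heading `## Triage and analysis.` also carries a stray trailing period in every one of the six notes. This file's `references` line stays unchanged while the minidump, discovery and portable executable hunks add the atc-data logging-policy URL named in the commit message; adding the same URL here, and in the keylogger and process injection files, would keep the six rules consistent.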
@@ -14,6 +14,53 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Keylogging Script" +note = """## Triage and analysis. + +### Investigating PowerShell Keylogging Script + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +Attackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other +valuable information as Credit Card data and confidential conversations. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree) +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1", 
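Review bot: The `### Response and Remediation` bullet is generic, and for a keylogging detection it leaves out the step the guide exists to prompt: credentials typed on the host while the script ran should be treated as exposed. Suggest adding `- If keylogging is confirmed, reset the passwords of users who logged on to the host during the affected window and review their accounts for unauthorized activity.` Two wording fixes in the description: `valuable information as Credit Card data` reads better as `valuable information such as credit card data`, and `Investigate script execution chain (parent process tree)` lacks the trailing period the surrounding bullets have.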
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 98dbdae3e..b589e2b92 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/05" maturity = "production" -updated_date = "2021/11/17" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
@@ -15,9 +15,58 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell MiniDump Script" +note = """## Triage and analysis. + +### Investigating PowerShell MiniDump Script + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +Process Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged +information stored in the process memory. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree) +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = [ "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", - "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1" + "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ] risk_score = 73 rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77" diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 5da9035a6..7ad1f4905 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/14" maturity = "production" -updated_date = "2021/11/17" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
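Review bot: The `### Response and Remediation` section does not say what a confirmed LSASS dump implies, although the description itself states the capability is used `to extract credentials from LSASS`: every account that had a logon session on the host should be considered compromised. Suggest adding `- If a memory dump of LSASS is confirmed, treat all credentials cached on the host as compromised, reset them, and check for reuse of those accounts on other systems.` The bullet `Investigate script execution chain (parent process tree)` also lacks the trailing period used by the other bullets.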
@@ -15,6 +15,56 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Potential Process Injection via PowerShell" +note = """## Triage and analysis. + +### Investigating Potential Process Injection via PowerShell + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, +like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. + +Red Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject +payloads directly into the memory, without touching the disk. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree) +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 52e8e87e2..d896a875b 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/13" maturity = "production" -updated_date = "2021/11/17" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
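Review bot: The registry alternative, `reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" ...`, writes under the Policies hive, which Group Policy manages; on a domain-joined host a GPO that defines this setting will presumably overwrite the manual value at the next policy refresh, so the note should say the registry route is for standalone hosts or testing. Suggest a line after the second code fence: `Note: on domain-joined hosts this value is managed by Group Policy and may be reverted at the next policy refresh; prefer the Group Policy path above.` The same fence appears in the other five notes. The investigation steps also never mention the injected-into process; `- Identify the target process of the injection and inspect it for unexpected network connections, child processes, or loaded modules.` would give the analyst a concrete next step.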
@@ -16,8 +16,56 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Suspicious Discovery Related Windows API Functions" +note = """## Triage and analysis. + +### Investigating PowerShell Suspicious Discovery Related Windows API Functions + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +Attackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries +like PSReflect or Get-ProcAddress Cmdlet. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = [ "https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" ] risk_score = 47 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e" diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 165bb6e9a..616118ecf 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/11/17" +updated_date = "2021/11/30" [rule] author = ["Elastic"] 
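Review bot: The `## Config` section states the Script Block Logging policy must be enabled but says nothing about shipping the resulting events, and the rule's `index` pattern (`winlogbeat-*`, `logs-windows.*`) means nothing fires unless the agent also collects the PowerShell log; the query itself is outside the hunk, so I am inferring it matches script block events. A sentence such as `The Microsoft-Windows-PowerShell/Operational event log must also be collected by Winlogbeat or the Elastic Agent Windows integration for this rule to see script block events.` would close that gap, and it applies to the other five notes as well.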
@@ -15,6 +15,58 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Suspicious Portable Executable Encoded in Powershell Script" +note = """## Triage and analysis. + +### Investigating Suspicious Portable Executable Encoded in Powershell Script + +PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. + +Attackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing +AntiVirus software. These executables are generally base64 encoded. + +#### Possible investigation steps: + +- Examine script content that triggered the detection. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious powershell host process instance. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. + +### False Positive Analysis + +- Verify whether the script content is malicious/harmful. + +### Related Rules + +- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and Remediation + +- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further +post-compromise behavior. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" +references = [ + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" +] risk_score = 47 rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a" severity = "medium"
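Review bot: The investigation steps are the generic four shared by the other notes, yet the description says the detected executables `are generally base64 encoded`, which points to a concrete analyst step the guide omits: recover the embedded binary and identify it. Suggest adding `- Decode the embedded executable, compute its hash, and check it against threat intelligence or detonate it in a sandbox.` The new `references` array, introduced for the first time in this file, holds only the logging-policy document; a reference describing the technique itself would be more useful to an analyst, though I cannot name one from the hunk.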