diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml new file mode 100644 index 000000000..544f288c4 --- /dev/null +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2021/11/22" +maturity = "production" +updated_date = "2021/11/24" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal +the actions undertaken during an intrusion. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Clearing Windows Console History" +references = [ + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", +] +risk_score = 47 +rule_id = "b5877334-677f-4fb9-86d5-a9721274223b" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.action == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + (process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1070" +name = "Indicator Removal on Host" +reference = "https://attack.mitre.org/techniques/T1070/" + + [[rule.threat.technique.subtechnique]] + id = "T1070.003" + name = "Clear Command History" + reference = "https://attack.mitre.org/techniques/T1070/003/" + +[rule.threat.tactic] +id = "TA0005" +reference = "https://attack.mitre.org/tactics/TA0005/" +name = "Defense Evasion"