security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New] Suspicious PowerShell Execution via Windows Scripts (#4060)

Browse Source 
* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Samirbous
2024-09-15 19:51:21 +01:00
committed by GitHub
parent b6162abefa
commit 56fc2beb46
2 changed files with 227 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_script_via_html_app.toml
+104
View File
@@ -0,0 +1,104 @@
[metadata]
creation_date = "2020/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2024/09/09"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
binaries.
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Script Execution via Microsoft HTML Application"
risk_score = 73
rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : ("rundll32.exe", "mshta.exe") and
(
(process.command_line :
(
"*script*eval(*",
"*script*GetObject*",
"*.regread(*",
"*WScript.Shell*",
"*.run(*",
"*).Exec()*",
"*mshta*http*",
"*mshtml*RunHTMLApplication*",
"*mshtml*,#135*",
"*StrReverse*",
"*.RegWrite*",
/* Issue #379 */
"*window.close(*",
"* Chr(*"
)
and not process.parent.executable :
("?:\\Program Files (x86)\\Citrix\\System32\\wfshell.exe",
"?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE",
"?:\\Program Files\\Quokka.Works GTInstaller\\GTInstaller.exe")
) or
(process.name : "mshta.exe" and
not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or
/* Execution of HTA file downloaded from the internet */
(process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or
/* Execution of HTA file from archive */
(process.name : "mshta.exe" and
process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
rules/windows/execution_powershell_susp_args_via_winscript.toml
+123
View File
@@ -0,0 +1,123 @@
[metadata]
creation_date = "2024/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
updated_date = "2024/09/09"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).
"""
from = "now-9m"
index = [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PowerShell Execution via Windows Scripts"
risk_score = 73
rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.action == "start" and
process.name : ("powershell.exe", "pwsh.exe") and
process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
(
process.args_count == 1 or
process.command_line :
("*^*^*^*^*^*^*^*^*^*",
"*''*''*''*",
"*`*`*`*`*",
"*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
"*+*+*+*+*+*",
"*$*$*$*$*",
"*[char[]](*)*-join",
"*Base64String*",
"*[*Convert]*",
"*.Text.Encoding*",
"*.Compression.*",
"*.replace(*",
"*MemoryStream*",
"*WriteAllBytes*",
"* -en* *",
"* -ec *",
"* -e *",
"* -ep *",
"* /e *",
"* /en* *",
"* /ec *",
"* /ep *",
"*WebClient*",
"*DownloadFile*",
"*DownloadString*",
"*BitsTransfer*",
"*Invoke-Exp*",
"*invoke-web*",
"*iex*",
"*iwr*",
"*Reflection.Assembly*",
"*Assembly.GetType*",
"*.Sockets.*",
"*Add-MpPreference*ExclusionPath*",
"*raw.githubusercontent*")
) and
/* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */
not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and
/* third party installation related FPs */
not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
not process.args : "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
not (process.parent.name : "wscript.exe" and
?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"