From 56fc2beb467a73f8d653b1ad54f8bf80b75cd538 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Sun, 15 Sep 2024 19:51:21 +0100
Subject: [PATCH] [New] Suspicious PowerShell Execution via Windows Scripts (#4060)
* [New] Suspicious PowerShell Execution via Windows Scripts
this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 .../defense_evasion_script_via_html_app.toml | 104 +++++++++++++++
 ...on_powershell_susp_args_via_winscript.toml | 123 ++++++++++++++++++
 2 files changed, 227 insertions(+)
 create mode 100644 rules/windows/defense_evasion_script_via_html_app.toml
 create mode 100644 rules/windows/execution_powershell_susp_args_via_winscript.toml
diff --git a/rules/windows/defense_evasion_script_via_html_app.toml b/rules/windows/defense_evasion_script_via_html_app.toml
new file mode 100644
index 000000000..7236f2134
--- /dev/null
+++ b/rules/windows/defense_evasion_script_via_html_app.toml
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2020/09/09"
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+updated_date = "2024/09/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
+Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
+binaries.
+"""
+from = "now-9m"
+index = [
+ "winlogbeat-*",
+ "logs-windows.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Script Execution via Microsoft HTML Application"
+risk_score = 73
+rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: System",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("rundll32.exe", "mshta.exe") and
+ (
+ (process.command_line :
+ (
+ "*script*eval(*",
+ "*script*GetObject*",
+ "*.regread(*",
+ "*WScript.Shell*",
+ "*.run(*",
+ "*).Exec()*",
+ "*mshta*http*",
+ "*mshtml*RunHTMLApplication*",
+ "*mshtml*,#135*",
+ "*StrReverse*",
+ "*.RegWrite*",
+ /* Issue #379 */
+ "*window.close(*",
+ "* Chr(*"
+ )
+ and not process.parent.executable :
+ ("?:\\Program Files (x86)\\Citrix\\System32\\wfshell.exe",
+ "?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE",
+ "?:\\Program Files\\Quokka.Works GTInstaller\\GTInstaller.exe")
+ ) or
+
+ (process.name : "mshta.exe" and
+ not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or
+
+ /* Execution of HTA file downloaded from the internet */
+ (process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or
+
+ /* Execution of HTA file from archive */
+ (process.name : "mshta.exe" and
+ process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1218.005"
+name = "Mshta"
+reference = "https://attack.mitre.org/techniques/T1218/005/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.011"
+name = "Rundll32"
+reference = "https://attack.mitre.org/techniques/T1218/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/execution_powershell_susp_args_via_winscript.toml b/rules/windows/execution_powershell_susp_args_via_winscript.toml
new file mode 100644
index 000000000..5a8c4f4e0
--- /dev/null
+++ b/rules/windows/execution_powershell_susp_args_via_winscript.toml
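Review bot: The two rules in this PR disagree on the process-start predicate: this query filters on `event.type == "start"`, while the companion rule in `execution_powershell_susp_args_via_winscript.toml` uses `event.action == "start"` over the same `index` list and the same four integrations. Unless every listed source (Windows Security, Sysmon, SentinelOne, M365 Defender) is known to populate both fields identically for process creation, one of the two rules will silently miss events from some of them; worth confirming against the integrations' ECS mappings and aligning both queries on a single field. The second branch (`process.args_count >=2` with no `.hta`/`.htm`/`-Embedding` in the command line) has no parent-executable exclusions at all, so it is likely to be the noisiest path — a `note` field with triage guidance (expected parents, how to review the launched file's origin) would help whoever tunes it.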
@@ -0,0 +1,123 @@
+[metadata]
+creation_date = "2024/09/09"
+integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+updated_date = "2024/09/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).
+"""
+from = "now-9m"
+index = [
+ "winlogbeat-*",
+ "logs-windows.*",
+ "logs-system.security*",
+ "logs-windows.sysmon_operational-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-m365_defender.event-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious PowerShell Execution via Windows Scripts"
+risk_score = 73
+rule_id = "2d62889e-e758-4c5e-b57e-c735914ee32a"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: System",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.action == "start" and
+ process.name : ("powershell.exe", "pwsh.exe") and
+ process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
+ (
+ process.args_count == 1 or
+ process.command_line :
+ ("*^*^*^*^*^*^*^*^*^*",
+ "*''*''*''*",
+ "*`*`*`*`*",
+ "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
+ "*+*+*+*+*+*",
+ "*$*$*$*$*",
+ "*[char[]](*)*-join",
+ "*Base64String*",
+ "*[*Convert]*",
+ "*.Text.Encoding*",
+ "*.Compression.*",
+ "*.replace(*",
+ "*MemoryStream*",
+ "*WriteAllBytes*",
+ "* -en* *",
+ "* -ec *",
+ "* -e *",
+ "* -ep *",
+ "* /e *",
+ "* /en* *",
+ "* /ec *",
+ "* /ep *",
+ "*WebClient*",
+ "*DownloadFile*",
+ "*DownloadString*",
+ "*BitsTransfer*",
+ "*Invoke-Exp*",
+ "*invoke-web*",
+ "*iex*",
+ "*iwr*",
+ "*Reflection.Assembly*",
+ "*Assembly.GetType*",
+ "*.Sockets.*",
+ "*Add-MpPreference*ExclusionPath*",
+ "*raw.githubusercontent*")
+ ) and
+
+ /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */
+ not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
+ process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and
+
+ /* third party installation related FPs */
+ not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
+ not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
+ not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
+ not process.args : "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
+ not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
+ not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
+ not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
+ not (process.parent.name : "wscript.exe" and
+ ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+