diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml new file mode 100644 index 000000000..d5bc89f07 --- /dev/null +++ b/rules/windows/execution_posh_psreflect.toml @@ -0,0 +1,118 @@ +[metadata] +creation_date = "2021/10/15" +maturity = "production" +updated_date = "2021/10/15" + +[rule] +author = ["Elastic"] +description = """ +Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables +PowerShell to access win32 API functions. +""" +false_positives = ["Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"] +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "PowerShell PSReflect Script" +note = """## Triage and analysis +### Investigating PowerShell PSReflect Script + +PowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks. + +PSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to +create enums and structs easily—all without touching the disk. + +Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and +malware tooling for its capabilities. + +Detecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through +PowerShell, enabling the defender to discover tools being dropped in the environment. + +#### Possible investigation steps: +- Check for additional PowerShell logs that indicate that the script/command was run. +- Gather the script content that may be split into multiple script blocks, and identify its capabilities. +- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Look for additional alerts involving the host and the user. + +### False Positive Analysis +- Verify whether the script content is malicious/harmful. + +### Related Rules +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + +### Response and Remediation +- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +post-compromise behavior. + +## Config +The 'PowerShell Script Block Logging' logging policy is required be configured (Enable). + +Steps to implement the logging policy with with Advanced Audit Configuration: +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` +Steps to implement the logging policy via registry: +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" +references = [ + "https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", + "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md" +] +risk_score = 47 +rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and + powershell.file.script_block_text:( + New-InMemoryModule or + Add-Win32Type or + psenum or + DefineDynamicAssembly or + DefineDynamicModule or + Reflection.TypeAttributes or + Reflection.Emit.OpCodes or + Reflection.Emit.CustomAttributeBuilder or + Runtime.InteropServices.DllImportAttribute + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +id = "T1059" + + [[rule.threat.technique.subtechnique]] + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + id = "T1059.001" + +[[rule.threat.technique]] +name = "Native API" +reference = "https://attack.mitre.org/techniques/T1106/" +id = "T1106" + +[rule.threat.tactic] +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +id = "TA0002" +