security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] PowerShell Share Enumeration Script (#2243)

Browse Source 
* [New Rule] PowerShell Share Enumeration Script

* Move the rule to the correct folder

* Update discovery_posh_invoke_sharefinder.toml

* Update discovery_posh_invoke_sharefinder.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2022-09-19 11:38:23 -07:00
committed by GitHub
parent d52c0d2257
commit a955e34b43
1 changed files with 102 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/discovery_posh_invoke_sharefinder.toml
+102
View File
@@ -0,0 +1,102 @@
[metadata]
creation_date = "2022/08/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
description = """
Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share
enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for
critical information for encryption and/or exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Share Enumeration Script"
note = """## Setup
The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
references = [
"https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
]
risk_score = 47
rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and
powershell.file.script_block_text:(
"Invoke-ShareFinder" or
"Invoke-ShareFinderThreaded" or
(
"shi1_netname" and
"shi1_remark"
) or
(
"NetShareEnum" and
"NetApiBufferFree"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1135"
name = "Network Share Discovery"
reference = "https://attack.mitre.org/techniques/T1135/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
id = "T1059"
[[rule.threat.technique.subtechnique]]
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
id = "T1059.001"
[[rule.threat.technique]]
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"
id = "T1106"
[rule.threat.tactic]
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
id = "TA0002"