security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] PowerShell Script with Windows Defender Tampering Capabilities (#4075)

Browse Source 
* [New Rule] PowerShell Script with Windows Defender Tampering Capabilities

* .
This commit is contained in:
Jonhnathan
2024-09-13 11:51:19 -03:00
committed by GitHub
parent eda179bbe1
commit c3160b9279
1 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/defense_evasion_posh_defender_tampering.toml
+97
View File
@@ -0,0 +1,97 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2024/09/11"
[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Windows Defender Tampering Capabilities"
risk_score = 21
rule_id = "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category: "process" and host.os.type:windows and
(
powershell.file.script_block_text: "Set-MpPreference" and
powershell.file.script_block_text: (
DisableArchiveScanning or DisableBehaviorMonitoring or
DisableIntrusionPreventionSystem or DisableIOAVProtection or
DisableRemovableDriveScanning or DisableBlockAtFirstSeen or
DisableScanningMappedNetworkDrivesForFullScan or
DisableScanningNetworkFiles or DisableScriptScanning or
DisableRealtimeMonitoring or LowThreatDefaultAction or
ModerateThreatDefaultAction or HighThreatDefaultAction
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"