From cd3cef5996e1b1522013dcda35f121f811d10f64 Mon Sep 17 00:00:00 2001 
From: Austin Songer Date: Tue, 26 Oct 2021 10:16:31 -0500 Subject: [PATCH] [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) * Update collection_email_powershell_exchange_mailbox.toml * Update command_and_control_remote_file_copy_powershell.toml * Update defense_evasion_disabling_windows_defender_powershell.toml * Update execution_scheduled_task_powershell_source.toml * Update execution_via_compiled_html_file.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update persistence_powershell_exch_mailbox_activesync_add_device.toml * Update persistence_webshell_detection.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_suspicious_zoom_child_process.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update persistence_local_scheduled_task_scripting.toml * Update persistence_local_scheduled_task_creation.toml * Update persistence_system_shells_via_services.toml * Update collection_email_powershell_exchange_mailbox.toml * Update command_and_control_remote_file_copy_powershell.toml * Update defense_evasion_clearing_windows_event_logs.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update defense_evasion_disabling_windows_defender_powershell.toml * Update defense_evasion_execution_msbuild_started_by_script.toml * Update defense_evasion_suspicious_zoom_child_process.toml * Update execution_scheduled_task_powershell_source.toml * Update execution_via_compiled_html_file.toml * Update impact_volume_shadow_copy_deletion_via_powershell.toml * Update initial_access_suspicious_ms_exchange_worker_child_process.toml * Update persistence_local_scheduled_task_creation.toml * Update persistence_local_scheduled_task_scripting.toml * Update persistence_powershell_exch_mailbox_activesync_add_device.toml * Update 
persistence_system_shells_via_services.toml * Update persistence_webshell_detection.toml * Update rules/windows/persistence_local_scheduled_task_creation.toml Co-authored-by: Justin Ibarra * Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml Co-authored-by: Justin Ibarra * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra Co-authored-by: Justin Ibarra Co-authored-by: Jonhnathan (cherry picked from commit ef7548f04c4341e0d1a172810330d59453f46a21)
---
 .../collection_email_powershell_exchange_mailbox.toml | 4 ++--
 .../command_and_control_remote_file_copy_powershell.toml | 4 ++--
 .../defense_evasion_clearing_windows_event_logs.toml | 4 ++--
 .../defense_evasion_defender_exclusion_via_powershell.toml | 4 ++--
 ...fense_evasion_disabling_windows_defender_powershell.toml | 4 ++--
 ...defense_evasion_execution_msbuild_started_by_script.toml | 4 ++--
 .../defense_evasion_suspicious_zoom_child_process.toml | 4 ++--
 .../windows/execution_scheduled_task_powershell_source.toml | 6 +++---
 rules/windows/execution_via_compiled_html_file.toml | 4 ++--
 .../impact_volume_shadow_copy_deletion_via_powershell.toml | 4 ++--
 ..._access_suspicious_ms_exchange_worker_child_process.toml | 6 +++---
 .../windows/persistence_local_scheduled_task_creation.toml | 6 +++---
 .../windows/persistence_local_scheduled_task_scripting.toml | 4 ++--
 ...tence_powershell_exch_mailbox_activesync_add_device.toml | 4 ++--
 rules/windows/persistence_system_shells_via_services.toml | 4 ++--
 rules/windows/persistence_webshell_detection.toml | 4 ++--
 16 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 831ef17a6..eee6f233b 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name: ("powershell.exe", "pwsh.exe") and process.args : "New-MailboxExportRequest*"
+ process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "New-MailboxExportRequest*"
 '''
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index e358dd279..fea7a401c 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
- [network where process.name : "powershell.exe" and network.protocol == "dns" and
+ [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
 not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and not user.domain : "NT AUTHORITY"]
 [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index ac205758a..feaced051 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
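Review bot: The added `process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe")` clause is this rule's only check on the host binary, so a renamed copy of any of the three interpreters running the same cmdlet is not matched, whereas the two Defender rules in this same commit pair the name check with `process.pe.original_file_name`. Pairing the two here the same way, `(process.name: (...) or process.pe.original_file_name : (...))`, would make the rule set consistent and close that gap. The same name-only shape is in the process-event hunks of defense_evasion_clearing_windows_event_logs.toml, defense_evasion_suspicious_zoom_child_process.toml, execution_via_compiled_html_file.toml, impact_volume_shadow_copy_deletion_via_powershell.toml, persistence_powershell_exch_mailbox_activesync_add_device.toml, persistence_system_shells_via_services.toml and persistence_webshell_detection.toml.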
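Review bot: The `[file where process.name : "powershell.exe" ...]` event that follows the added line still names only powershell.exe, and because the sequence is joined `by host.id, process.entity_id` both events must come from the same process, so a DNS event now matched for pwsh.exe or powershell_ise.exe can never be completed by the file event; the widening is ineffective for the two new names. Change that context line to `[file where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and`. The second event's remaining conditions lie past the end of the hunk.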
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ query = '''
 process where event.type in ("process_started", "start") and (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and process.args : ("/e:false", "cl", "clear-log") or
- process.name : "powershell.exe" and process.args : "Clear-EventLog"
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Clear-EventLog"
 '''
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 44906e115..75509d400 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2021/09/09"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
- (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name : ("powershell.exe", "pwsh.exe")) and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
 process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 8ee7bf2cb..e11a5ad4a 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
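Review bot: Switching the fallback clause to `process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` makes it case-sensitive, because EQL `in` compares exactly while the `:` operator on the removed line does not; the line this commit removes in defense_evasion_disabling_windows_defender_powershell.toml compared the same field against `"PowerShell.EXE"`, which shows the stored value is mixed-case and will not equal the lowercase literal. The fallback therefore stops firing for a renamed powershell.exe unless an ingest pipeline lowercases the field, which nothing here indicates, and in initial_access_suspicious_ms_exchange_worker_child_process.toml the cmd.exe entry is affected the same way since its OriginalFilename is also mixed-case. Keep the operator that the persistence_local_scheduled_task_creation.toml hunk in this same commit still uses: `process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`. The identical change is in defense_evasion_disabling_windows_defender_powershell.toml and initial_access_suspicious_ms_exchange_worker_child_process.toml.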
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/07/07"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
- (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+ (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
 process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
 '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index ab188c4ae..b9c6f60d8 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe") and
- process.parent.name : ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe")
+ process.parent.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe", "mshta.exe")
 '''
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index ffc34d1e1..b015af49f 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started", "info") and
- process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
+ process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")
 '''
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 50d43bece..71bc29fc9 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -26,8 +26,8 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan = 5s
- [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe")]
- [network where process.name : ("powershell.exe", "pwsh.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
+ [library where dll.name : "taskschd.dll" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")]
+ [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")]
 '''
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index d8979ea94..109e73d81 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and process.parent.name : "hh.exe" and
- process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe")
+ process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe")
 '''
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 0c0467aea..57bcfe182 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/01"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -28,7 +28,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name : ("powershell.exe", "pwsh.exe") and
+ process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
 process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and process.args : ("*Win32_ShadowCopy*") and process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*")
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 85ee28601..bba6c3e6a 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/08"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -29,8 +29,8 @@ type = "eql"
 query = '''
 process where event.type == "start" and process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
- (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") or
- process.pe.original_file_name : ("cmd.exe", "powershell.exe", "pwsh.exe"))
+ (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
+ process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
 '''
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index a326f2dac..a2d232ba6 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/15"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -23,9 +23,9 @@ query = '''
 sequence with maxspan=1m [process where event.type != "end" and ((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
- "powershell.exe", "pwsh.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
+ "powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
 process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
- "powershell.exe", "pwsh.exe", "WmiPrvSe.exe", "wsmprovhost.exe",
+ "powershell.exe", "pwsh.dll", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe",
 "winrshost.exe")) or process.code_signature.trusted == false)] by process.entity_id [process where event.type == "start" and
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index b16dcbf2e..4f2851651 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan = 30s
- [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe")]
+ [library where dll.name : "taskschd.dll" and process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")]
 [registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions"]
 '''
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index c3bcfb462..11d8a4c48 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.name: ("powershell.exe", "pwsh.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
+ process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
 '''
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index b58745144..f306794a4 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
- process.name : ("cmd.exe", "powershell.exe") and
+ process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and
 /* Third party FP's */ not process.args : "NVDisplay.ContainerLocalSystem"
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index c2eb1dff0..4898c1863 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/08/24"
 maturity = "production"
-updated_date = "2021/08/24"
+updated_date = "2021/10/17"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
- process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe")
+ process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe")
 '''