security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] PowerShell Reflection Assembly Load (#1559)

Browse Source 
* Create defense_evasion_posh_assembly_load.toml

* Update defense_evasion_posh_assembly_load.toml

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Change event.code to event.category

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2021-12-08 17:59:17 -03:00
committed by GitHub
parent ee548328d5
commit d4e06beee6
1 changed files with 77 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/defense_evasion_posh_assembly_load.toml
+77
View File
@@ -0,0 +1,77 @@
[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/10/15"
[rule]
author = ["Elastic"]
description = """
This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use
this method to load executables and DLLs without writing to the disk, bypassing security solutions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious .NET Reflection via PowerShell"
references = [
"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load",
]
risk_score = 73
rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and
powershell.file.script_block_text : (
"[System.Reflection.Assembly]::Load" or
"[Reflection.Assembly]::Load"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.001"
name = "Dynamic-link Library Injection"
reference = "https://attack.mitre.org/techniques/T1055/001/"
[[rule.threat.technique.subtechnique]]
id = "T1055.002"
name = "Portable Executable Injection"
reference = "https://attack.mitre.org/techniques/T1055/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"