From d4e06beee609c9895ad81cbffa034db9be6fd5e7 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 8 Dec 2021 17:59:17 -0300 Subject: [PATCH] [New Rule] PowerShell Reflection Assembly Load (#1559) * Create defense_evasion_posh_assembly_load.toml * Update defense_evasion_posh_assembly_load.toml * Update rules/windows/defense_evasion_posh_assembly_load.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Change event.code to event.category * Update rules/windows/defense_evasion_posh_assembly_load.toml Co-authored-by: Justin Ibarra Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra --- .../defense_evasion_posh_assembly_load.toml | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 rules/windows/defense_evasion_posh_assembly_load.toml diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml new file mode 100644 index 000000000..79b61eb00 --- /dev/null +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -0,0 +1,77 @@ +[metadata] +creation_date = "2021/10/15" +maturity = "production" +updated_date = "2021/10/15" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use +this method to load executables and DLLs without writing to the disk, bypassing security solutions. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "Suspicious .NET Reflection via PowerShell" +references = [ + "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load", +] +risk_score = 73 +rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and + powershell.file.script_block_text : ( + "[System.Reflection.Assembly]::Load" or + "[Reflection.Assembly]::Load" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1055" +name = "Process Injection" +reference = "https://attack.mitre.org/techniques/T1055/" + + [[rule.threat.technique.subtechnique]] + id = "T1055.001" + name = "Dynamic-link Library Injection" + reference = "https://attack.mitre.org/techniques/T1055/001/" + + [[rule.threat.technique.subtechnique]] + id = "T1055.002" + name = "Portable Executable Injection" + reference = "https://attack.mitre.org/techniques/T1055/002/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + id = "T1059.001" + name = "PowerShell" + reference = "https://attack.mitre.org/techniques/T1059/001/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +