[New Rules] PowerShell Suspicious Payload Encoded and Compressed (#1580)

* Create defense_evasion_posh_compressed.toml

* Update defense_evasion_posh_compressed.toml

* Add GzipStream, cover common variations without using wildcard

* Update defense_evasion_posh_compressed.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan
2021-12-14 19:25:11 -03:00
committed by GitHub
parent 9cc342dab7
commit f2a28e49fb
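--- a/defense_evasion_posh_compressed.toml
+++ b/defense_evasion_posh_compressed.toml
@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2021/10/19"
+maturity = "production"
+updated_date = "2021/10/19"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools
+heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.
+"""
+false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding"]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Suspicious Payload Encoded and Compressed"
+risk_score = 47
+rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.category:process and
+powershell.file.script_block_text : (
+(System.IO.Compression.DeflateStream or System.IO.Compression.GzipStream or IO.Compression.DeflateStream or IO.Compression.GzipStream) and
+FromBase64String
+)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+reference = "https://attack.mitre.org/techniques/T1059/"
+name = "Command and Scripting Interpreter"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+name = "PowerShell"
+[rule.threat.tactic]
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+name = "Execution"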
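Review bot: The `query` clause on `powershell.file.script_block_text` spells the .NET type `GzipStream`, while the real class name is `GZipStream`; whether that matters depends on the field mapping — on an analyzed text field the dotted names become lowercased tokens and the match is case-insensitive, but if the field were a keyword the `GzipStream` spelling would miss real scripts, so the mapping should be confirmed and recorded in a comment above `query`, e.g. `# script_block_text is analyzed text: dotted .NET names are single lowercased tokens, so the four variants below are needed and matching is case-insensitive`. Because the rule keys on script block text, it only fires on hosts where PowerShell Script Block Logging is enabled; a `note` field with a short setup section saying so would help deployers understand why the rule is silent elsewhere. Two wording fixes in the strings: `description` reads better as `which malware and security tools heavily use to deobfuscate payloads`, and `false_positives` should be `Legitimate PowerShell scripts which make use of compression and encoding`.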