From fc30b5881fc0122ccab9cf888ee6b932cf03dd29 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Tue, 24 Jan 2023 07:58:48 -0300 Subject: [PATCH] [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465) * [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities * Bump sev * Update rules/windows/collection_posh_clipboard_capture.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- .../collection_posh_clipboard_capture.toml | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 rules/windows/collection_posh_clipboard_capture.toml diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml new file mode 100644 index 000000000..c4c1023e0 --- /dev/null +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -0,0 +1,75 @@ +[metadata] +creation_date = "2023/01/12" +integration = ["windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/01/12" + +[rule] +author = ["Elastic"] +description = """ +Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive +information like credentials, messages, etc. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "PowerShell Suspicious Script with Clipboard Retrieval Capabilities" +references = [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", + "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1", +] +risk_score = 47 +rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and + (powershell.file.script_block_text : ( + "Windows.Clipboard" or + "Windows.Forms.Clipboard" or + "Windows.Forms.TextBox" + ) and + powershell.file.script_block_text : ( + "]::GetText" or + ".Paste()" + )) or powershell.file.script_block_text : "Get-Clipboard" + and not user.id : "S-1-5-18" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1115" +name = "Clipboard Data" +reference = "https://attack.mitre.org/techniques/T1115/" + + +[rule.threat.tactic] +id = "TA0009" +name = "Collection" +reference = "https://attack.mitre.org/tactics/TA0009/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +