[Rule Tuning] PowerShell Rule Tunings (#2907)

* [Rule Tuning] PowerShell Rule Tunings

* bump
This commit is contained in:
Jonhnathan
2023-07-14 15:41:36 -03:00
committed by GitHub
parent 9f29129585
commit fca8bcc071
12 changed files with 67 additions and 28 deletions
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -68,7 +68,10 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:windows and powershell.file.script_block_text : "New-MailboxExportRequest"
event.category:process and host.os.type:windows and
powershell.file.script_block_text : "New-MailboxExportRequest" and
not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and
file.name:(*.psd1 or *.psm1))
'''
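Review bot: The new `not (file.path : (...) and file.name:(*.psd1 or *.psm1))` clause leans on KQL binding `and` tighter than `or`, so the path group reads as `(*Microsoft* and *Exchange* and *RemotePowerShell*) or (*AppData* and *Local*)`; the second branch allow-lists any `.psd1`/`.psm1` module under a user-profile `AppData\Local` tree, a user-writable location, which is far broader than the Exchange remote-PowerShell module the first branch is clearly aimed at. If the Exchange module is the only noise source, drop the `*AppData* and *Local*` branch; otherwise make the grouping explicit, `not (file.path : ((*Microsoft* and *Exchange* and *RemotePowerShell*) or (*AppData* and *Local*)) and file.name : (*.psd1 or *.psm1))`, and record in the rule's `note` field why a profile-local module path is trusted. The rest of the `[rule]` table is outside the hunk.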
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -83,7 +83,11 @@ query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA)
) and not user.id : "S-1-5-18"
)
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
and not user.id : "S-1-5-18"
'''
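Review bot: The added `not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")` clause allow-lists on three literal tokens in the script content alone, so any script block carrying those strings is suppressed regardless of where it was loaded from or who ran it; that is weaker than an exclusion anchored to `file.path`/`file.name` or `user.id` of the tool it is meant to permit. Consider pairing it with a file-based constraint such as `and file.name : "<known-script-name>"` (name to be confirmed against the observed events) and stating in the rule's `note` field which product's script this is, which the commit does not say. The identical clause is added in the sections ending at lines 70, 88, 104, 120, 146, 267 and 283, and the same remark applies there. The query's opening is outside this hunk.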
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -95,7 +95,15 @@ event.category:process and host.os.type:windows and
"]::GetText" or
".Paste()"
)) or powershell.file.script_block_text : "Get-Clipboard"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
and not user.id : "S-1-5-18"
and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
and not (
file.path : *WindowsPowerShell*Modules*.ps1 and
file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1")
)
'''
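Review bot: Because KQL binds `and` tighter than `or`, the exclusions added after `or powershell.file.script_block_text : "Get-Clipboard"` — the two `*WindowsPowerShell*Modules*` path clauses and the `Convert-ExcelRangeToImage.ps1`/`Read-Clipboard.ps1` carve-out — attach only to the `Get-Clipboard` branch, just as the context line `and not user.id : "S-1-5-18"` already did; the `]::GetText`/`.Paste()` branch closed by `))` is not covered by them. If they are meant to apply to the whole rule, wrap both positive branches before the `and not` chain, e.g. `(( ... "]::GetText" or ".Paste()" )) or powershell.file.script_block_text : "Get-Clipboard")`. Separately, `*WindowsPowerShell*Modules*` matches the per-user `Documents\WindowsPowerShell\Modules` directory as well as the machine-wide one, so anchoring the pattern to the intended root would keep the allow-list to admin-controlled paths. The query's opening is outside the hunk.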
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -93,6 +93,9 @@ event.category:process and host.os.type:windows and
(GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL")
)
) and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -39,6 +39,9 @@ event.category:process and host.os.type:windows and
"Invoke-NinjaCopy"
)
and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -85,6 +85,9 @@ event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
KerberosRequestorSecurityToken
) and not user.id : "S-1-5-18"
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/28"
updated_date = "2023/07/05"
[transform]
[[transform.osquery]]
@@ -113,8 +113,7 @@ event.category:"process" and host.os.type:windows and
"amsi.dll" or
AntimalwareProvider or
amsiSession or
amsiContext or
"System.Management.Automation.ScriptBlock" or
amsiContext or
AmsiInitialize or
unloadobfuscated or
unloadsilent or
@@ -124,6 +123,9 @@ event.category:"process" and host.os.type:windows and
powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or
powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(")
)
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
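Review bot: In the first hunk one of the three lines between `amsiSession or` and `AmsiInitialize or` changes — the counts (8 old, 7 new) say two lines went and one came — and because the rendering drops the +/- markers it is not possible to tell whether `"System.Management.Automation.ScriptBlock" or` was added to the indicator list or removed from it (with a duplicated `amsiContext or` collapsed either way). Either direction is a coverage change for this rule, and neither the commit message nor the rule text records the reason; a sentence in the rule's `note` field or the PR description naming the false-positive source (or the new indicator's origin) would make the tuning reviewable. The `script_block_text` list starts before the hunk.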
@@ -2,7 +2,7 @@
creation_date = "2021/10/15"
integration = ["windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -133,7 +133,16 @@ event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"[System.Reflection.Assembly]::Load" or
"[Reflection.Assembly]::Load"
) and not user.id : "S-1-5-18"
) and not
powershell.file.script_block_text : (
("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and
"HelpDisplayStrings"
) and not
(powershell.file.script_block_text :
("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and
not file.name : "PathFunctions.ps1"
)
and not user.id : "S-1-5-18"
'''
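Review bot: The new `not (powershell.file.script_block_text : ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and not file.name : "PathFunctions.ps1")` clause looks inverted: it suppresses script blocks containing those names whenever the file is *not* `PathFunctions.ps1` — including script blocks that have no `file.name` at all, since the inner `not` is then true — while `PathFunctions.ps1` itself keeps alerting. If the intent is to allow-list that helper, the inner `not` should go: `not (powershell.file.script_block_text : ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and file.name : "PathFunctions.ps1")`; if the inversion is deliberate, the reason belongs in the rule's `note` field. The `HelpDisplayStrings` exclusion above it is content-only and has the same weakness noted for the `sentinelbreakpoints` clauses elsewhere in this commit. The query's opening is outside the hunk.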
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[transform]
[[transform.osquery]]
@@ -141,6 +141,7 @@ event.category:process and host.os.type:windows and
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
and not user.id : "S-1-5-18"
'''
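Review bot: The added blanket `and not user.id : "S-1-5-18"` makes the S-1-5-18 half of the existing `(user.id:("S-1-5-18" or "S-1-5-19") and file.directory: "...Downloads")` exclusion just above it dead code, so that directory-scoped clause now only matters for S-1-5-19. Either simplify it to `(user.id:"S-1-5-19" and file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")`, or, if the unconditional SYSTEM exclusion is a stop-gap for a noise source, say so in the rule's `note` field, since every SYSTEM-context script block is now out of scope for this rule. The same widening appears in the next section (ending at line 202), where the path-scoped clause is replaced outright. The query and its opening are outside the hunk.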
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -109,9 +109,8 @@ event.category:process and host.os.type:windows and
LsaEnumerateTrustedDomains or
NetScheduleJobEnum or
NetUserModalsGet
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection")
)
and not user.id : ("S-1-5-18" or "S-1-5-19")
'''
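Review bot: The directory-scoped exclusion for the Defender ATP `DataCollection` path is replaced by an unconditional `and not user.id : ("S-1-5-18" or "S-1-5-19")`, which suppresses every script block run as SYSTEM or LOCAL SERVICE that hits the `LsaEnumerateTrustedDomains`/`NetScheduleJobEnum`/`NetUserModalsGet` list, not only the Defender collection scripts; scheduled tasks and services are exactly the contexts that run under those SIDs, so this is a broad coverage trade that the commit message does not justify. If the Defender scripts were the only noise source, keeping the `file.directory` constraint (or adding a second path-scoped clause for the other noisy location) is the narrower fix; otherwise record the rationale in the rule's `note` field. The indicator list starts before the hunk.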
@@ -2,7 +2,7 @@
creation_date = "2023/01/17"
integration = ["windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -53,8 +53,7 @@ event.category:process and host.os.type:windows and
"Add-RemoteConnection" or "Add-ServiceDacl" or
"Add-Win32Type" or "Convert-ADName" or
"Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or
"ConvertFrom-SID" or "ConvertFrom-UACValue" or
"ConvertTo-SID" or "Copy-ArrayOfMemAddresses" or
"ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or
"Create-NamedPipe" or "Create-ProcessWithToken" or
"Create-RemoteThread" or "Create-SuspendedWinLogon" or
"Create-WinLogonProcess" or "Emit-CallThreadStub" or
@@ -70,7 +69,7 @@ event.category:process and host.os.type:windows and
"Find-ProcessDLLHijack" or "Find-RDPClientConnection" or
"Get-AllAttributesForClass" or "Get-CachedGPPPassword" or
"Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
"Get-DelegateType" or "Get-DomainController" or
"Get-DelegateType" or
"Get-DomainDFSShare" or "Get-DomainDFSShareV1" or
"Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or
"Get-DomainDNSZone" or "Get-DomainFileServer" or
@@ -94,7 +93,7 @@ event.category:process and host.os.type:windows and
"Get-GPPInnerFields" or "Get-GPPPassword" or
"Get-GptTmpl" or "Get-GroupsXML" or
"Get-HttpStatus" or "Get-ImageNtHeaders" or
"Get-IniContent" or "Get-Keystrokes" or
"Get-Keystrokes" or
"Get-MemoryProcAddress" or "Get-MicrophoneAudio" or
"Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or
"Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
@@ -105,9 +104,8 @@ event.category:process and host.os.type:windows and
"Get-NetShare" or "Get-PEArchitecture" or
"Get-PEBasicInfo" or "Get-PEDetailedInfo" or
"Get-PathAcl" or "Get-PrimaryToken" or
"Get-PrincipalContext" or "Get-ProcAddress" or
"Get-ProcessTokenGroup" or "Get-ProcessTokenPrivilege" or
"Get-ProcessTokenType" or "Get-Property" or
"Get-ProcAddress" or "Get-ProcessTokenGroup" or
"Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or
"Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or
"Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or
"Get-Screenshot" or "Get-ServiceDetail" or
@@ -140,7 +138,7 @@ event.category:process and host.os.type:windows and
"Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or
"New-ADObjectAccessControlEntry" or "New-DomainGroup" or
"New-DomainUser" or "New-DynamicParameter" or
"New-InMemoryModule" or "New-ScriptBlockCallback" or
"New-InMemoryModule" or
"New-ThreadedFunction" or "New-VolumeShadowCopy" or
"Out-CompressedDll" or "Out-EncodedCommand" or
"Out-EncryptedScript" or "Out-Minidump" or
@@ -163,6 +161,9 @@ event.category:process and host.os.type:windows and
"Get-AVProcesses" or "Get-AVInfo" or
"Get-RecycleBin"
)
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''
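Review bot: Several function names appear to be dropped from the PowerSploit indicator list — reading the paired old/new lines, `ConvertFrom-SID`, `ConvertTo-SID`, `Get-DomainController`, `Get-IniContent`, `Get-PrincipalContext`, `Get-Property` and `New-ScriptBlockCallback` are present on the old side only — presumably because they collide with names used by legitimate modules, but nothing in the commit says so. Each dropped name is a detection-coverage change, so list them with the reason in the PR description or the rule's `note` field rather than leaving the rationale implicit. The last hunk adds the same content-only `sentinelbreakpoints` exclusion remarked on for the section ending at line 48. The indicator list begins before the first hunk.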
@@ -4,7 +4,7 @@ integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/05"
[rule]
author = ["Elastic"]
@@ -76,6 +76,9 @@ event.category:process and host.os.type:windows and
) and not
(user.id:("S-1-5-18" or "S-1-5-19") and
file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
and not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
'''