security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cd4fe07c2cd10385343f37e40cef3a30d2f42894
sigma-rules/rules/windows/execution_posh_hacktool_authors.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

101 lines
2.9 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2024/05/08"
integration = ["windows"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box
offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common
author handles found in popular PowerShell scripts used for red team exercises.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell HackTool Script by Author"
references = [
"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
]
risk_score = 73
rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:windows and event.category:process and
powershell.file.script_block_text : (
"mattifestation" or "JosephBialek" or
"harmj0y" or "ukstufus" or
"SecureThisShit" or "Matthew Graeber" or
"secabstraction" or "mgeeky" or
"oddvarmoe" or "am0nsec" or
"obscuresec" or "sixdub" or
"darkoperator" or "funoverip" or
"rvrsh3ll" or "kevin_robertson" or
"dafthack" or "r4wd3r" or
"danielhbohannon" or "OneLogicalMyth" or
"cobbr_io" or "xorrior" or
"PetrMedonos" or "citronneur" or
"eladshamir" or "RastaMouse" or
"enigma0x3" or "FuzzySec" or
"424f424f" or "jaredhaight" or
"fullmetalcache" or "Hubbl3" or
"curi0usJack" or "Cx01N" or
"itm4n" or "nurfed1" or
"cfalta" or "Scott Sutherland" or
"_nullbind" or "_tmenochet" or
"Boe Prox" or "jaredcatkinson" or
"ChrisTruncer" or "monoxgas" or
"TheRealWover" or "splinter_code"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink