security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2c860693c8d59d04e7bbfcda546347187c5a357
sigma-rules/rules/windows/execution_suspicious_powershell_imgload.toml
T
Brent Murphy ffe8e5bfc5 [Rule Tuning] Update file.name to dll.name for Library events (#893) 
* [Rule Tuning] Update file.name to dll.name for Library events

* replace == with :

* updated_date

* removed spacing inconsistencies

* jibs likes spaces

* NOT again jibs
2021-02-03 11:09:29 -05:00

94 lines
2.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2020/01/28"
[rule]
author = ["Elastic"]
description = """
Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality
with powershell.exe, some attackers do this to operate more stealthily.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License"
name = "Suspicious PowerShell Engine ImageLoad"
risk_score = 47
rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
library where dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and
/* add false positives relevant to your environment here */
not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe", "C:\\Program Files*\\*.exe") and
not process.name :
(
"Altaro.SubAgent.exe",
"AppV_Manage.exe",
"azureadconnect.exe",
"CcmExec.exe",
"configsyncrun.exe",
"choco.exe",
"ctxappvservice.exe",
"DVLS.Console.exe",
"edgetransport.exe",
"exsetup.exe",
"forefrontactivedirectoryconnector.exe",
"InstallUtil.exe",
"JenkinsOnDesktop.exe",
"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
"mmc.exe",
"mscorsvw.exe",
"msexchangedelivery.exe",
"msexchangefrontendtransport.exe",
"msexchangehmworker.exe",
"msexchangesubmission.exe",
"msiexec.exe",
"MsiExec.exe",
"noderunner.exe",
"NServiceBus.Host.exe",
"NServiceBus.Host32.exe",
"NServiceBus.Hosting.Azure.HostProcess.exe",
"OuiGui.WPF.exe",
"powershell.exe",
"powershell_ise.exe",
"pwsh.exe",
"SCCMCliCtrWPF.exe",
"ScriptEditor.exe",
"ScriptRunner.exe",
"sdiagnhost.exe",
"servermanager.exe",
"setup100.exe",
"ServiceHub.VSDetouredHost.exe",
"SPCAF.Client.exe",
"SPCAF.SettingsEditor.exe",
"SQLPS.exe",
"telemetryservice.exe",
"UMWorkerProcess.exe",
"w3wp.exe",
"wsmprovhost.exe"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink