security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fd678dc5cb3891c482de52e5a7a307bcb9eff426
sigma-rules/rules/windows/execution_posh_portable_executable.toml
T
Jonhnathan 49854aaae2 [Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610) 
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script

* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule

* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule

* Add logging policy reference

* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"

* Add Related Rules GUIDs

* Add Investigation Guide/config for "Potential Process Injection via PowerShell"

* Adjust Response and remediation

* Add Investigation Guide/config for "PowerShell Keylogging Script"

* bump updated_date

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions

* Revise line from investigation guides

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-01-20 08:56:53 -03:00

103 lines
3.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/10/15"
maturity = "production"
updated_date = "2021/11/30"
[rule]
author = ["Elastic"]
description = """
Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.
Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to
disk.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Portable Executable Encoded in Powershell Script"
note = """## Triage and analysis.
### Investigating Suspicious Portable Executable Encoded in Powershell Script
PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks.
Attackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing
AntiVirus software. These executables are generally base64 encoded.
#### Possible investigation steps:
- Examine script content that triggered the detection.
- Investigate script execution chain (parent process tree).
- Inspect any file or network events from the suspicious powershell host process instance.
- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours.
### False Positive Analysis
- Verify whether the script content is malicious/harmful.
### Related Rules
- PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad
- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a
- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe
### Response and Remediation
- Immediate response should be taken to validate, investigate, and potentially contain the activity to prevent further
post-compromise behavior.
## Config
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
references = [
"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"
]
risk_score = 47
rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and
powershell.file.script_block_text : (
TVqQAAMAAAAEAAAA
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink