Rule update (#224)

This commit is contained in:
Yamato Security
2021-11-23 15:04:03 +09:00
committed by GitHub
parent 034f9c0957
commit 015899bc51
2224 changed files with 2916 additions and 47186 deletions

@@ -0,0 +1,72 @@
title: Accessing WinAPI in PowerShell
author: Nikita Nazarov, oscd.community
date: 2020/10/06
description: Detecting use WinAPI Functions in PowerShell
detection:
SELECTION_1:
ScriptBlockText:
- '*WaitForSingleObject*'
- '*QueueUserApc*'
- '*RtlCreateUserThread*'
- '*OpenProcess*'
- '*VirtualAlloc*'
- '*VirtualFree*'
- '*WriteProcessMemory*'
- '*CreateUserThread*'
- '*CloseHandle*'
- '*GetDelegateForFunctionPointer*'
- '*CreateThread*'
- '*memcpy*'
- '*LoadLibrary*'
- '*GetModuleHandle*'
- '*GetProcAddress*'
- '*VirtualProtect*'
- '*FreeLibrary*'
- '*ReadProcessMemory*'
- '*CreateRemoteThread*'
- '*AdjustTokenPrivileges*'
- '*WriteByte*'
- '*WriteInt32*'
- '*OpenThreadToken*'
- '*PtrToString*'
- '*FreeHGlobal*'
- '*ZeroFreeGlobalAllocUnicode*'
- '*OpenProcessToken*'
- '*GetTokenInformation*'
- '*SetThreadToken*'
- '*ImpersonateLoggedOnUser*'
- '*RevertToSelf*'
- '*GetLogonSessionData*'
- '*CreateProcessWithToken*'
- '*DuplicateTokenEx*'
- '*OpenWindowStation*'
- '*OpenDesktop*'
- '*MiniDumpWriteDump*'
- '*AddSecurityPackage*'
- '*EnumerateSecurityPackages*'
- '*GetProcessHandle*'
- '*DangerousGetHandle*'
- '*kernel32*'
- '*Advapi32*'
- '*msvcrt*'
- '*ntdll*'
- '*user32*'
- '*secur32*'
condition: SELECTION_1
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
id: 03d83090-8cba-44a0-b02f-0b756a050306
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
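Review bot: the bare library-name patterns at the end of SELECTION_1 (`'*kernel32*'`, `'*Advapi32*'`, `'*msvcrt*'`, `'*ntdll*'`, `'*user32*'`, `'*secur32*'`) together with `'*CloseHandle*'`, `'*memcpy*'` and `'*LoadLibrary*'` match any script that declares P/Invoke signatures, which is routine in administrative modules, so `level: high` is optimistic and `falsepositives` should list more than the Carbon module. The description also needs a grammar fix: `Detecting use WinAPI Functions in PowerShell` should read `Detects use of WinAPI functions in PowerShell`.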

@@ -0,0 +1,29 @@
title: PowerShell ADRecon Execution
author: Bhabesh Raj
date: 2021/07/16
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
reported to be actively used by FIN7
detection:
SELECTION_1:
ScriptBlockText:
- '*Function Get-ADRExcelComOb*'
- '*ADRecon-Report.xlsx*'
condition: SELECTION_1
falsepositives:
- Unknown
id: bf72941a-cba0-41ea-b18c-9aca3925690d
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/sense-of-security/ADRecon
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1059.001

@@ -0,0 +1,40 @@
title: Automated Collection Command PowerShell
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
ScriptBlockText:
- '*.doc*'
- '*.docx*'
- '*.xls*'
- '*.xlsx*'
- '*.ppt*'
- '*.pptx*'
- '*.rtf*'
- '*.pdf*'
- '*.txt*'
SELECTION_2:
ScriptBlockText: '*Get-ChildItem*'
SELECTION_3:
ScriptBlockText: '* -Recurse *'
SELECTION_4:
ScriptBlockText: '* -Include *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
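Review bot: in SELECTION_1 the entries `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` already match `.docx`, `.xlsx` and `.pptx`, so those three lines are redundant. The space-bounded `'* -Recurse *'` and `'* -Include *'` in SELECTION_3 and SELECTION_4 miss the case where the switch is the last token of a line, since no trailing space follows it; `'*-Recurse*'` and `'*-Include*'` (or a regex with `\b`) would cover it.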

@@ -0,0 +1,31 @@
title: AzureHound PowerShell Commands
author: Austin Songer (@austinsonger)
date: 2021/10/23
description:
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-AzureHound*'
condition: SELECTION_1
falsepositives:
- Penetration testing
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
references:
- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
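Review bot: `description:` is empty and the rule lacks the `modified:` field the other rules in this commit carry; `definition: Script Block Logging must be enable` should read `must be enabled`. Based on the two references, something like `description: Detects execution of the AzureHound collector (Invoke-AzureHound) used to gather Azure AD data for BloodHound` would do.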

@@ -0,0 +1,27 @@
title: Execution via CL_Invocation.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Invocation.ps1*'
SELECTION_2:
ScriptBlockText: '*SyncInvoke*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

@@ -0,0 +1,27 @@
title: Execution via CL_Invocation.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText:
- '*CL_Invocation.ps1*'
- '*SyncInvoke*'
condition: SELECTION_1 | count(ScriptBlockText) by Computer > 2
falsepositives:
- Unknown
id: f588e69b-0750-46bb-8f87-0e9320d57536
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
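Review bot: the title says `(2 Lines)` but `count(ScriptBlockText) by Computer > 2` requires at least three matching script-block events per host, so two events (one per pattern in SELECTION_1) never trigger; `> 1` matches the stated intent. Also confirm that the consuming tool supports the `| count() by` aggregation, which is an optional Sigma feature, before relying on this rule next to the non-counting variant above.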

@@ -0,0 +1,28 @@
title: Execution via CL_Mutexverifiers.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Mutexverifiers.ps1*'
SELECTION_2:
ScriptBlockText: '*runAfterCancelProcess*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

@@ -0,0 +1,28 @@
title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText:
- '*CL_Mutexverifiers.ps1*'
- '*runAfterCancelProcess*'
condition: SELECTION_1 | count(ScriptBlockText) by Computer > 2
falsepositives:
- Unknown
id: 6609c444-9670-4eab-9636-fe4755a851ce
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
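Review bot: `count(ScriptBlockText) by Computer > 2` requires three matching script-block events per host while the title `(2 Lines)` implies two (one per pattern); `> 1` matches the intent. Check that the consuming tool supports the `| count() by` aggregation, which is optional in Sigma.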

@@ -0,0 +1,28 @@
title: PowerShell Create Local User
author: '@ROxPinTeddy'
date: 2020/04/11
description: Detects creation of a local user via PowerShell
detection:
SELECTION_1:
ScriptBlockText: '*New-LocalUser*'
condition: SELECTION_1
falsepositives:
- Legitimate user creation
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.persistence
- attack.t1136.001
- attack.t1136
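Review bot: `attack.t1086` is the retired ATT&CK ID for PowerShell, superseded by `attack.t1059.001`, which is already tagged, so drop it. `New-LocalUser` is routine in provisioning scripts, so `level: medium` with `falsepositives: Legitimate user creation` is appropriate; consider mentioning that in the description.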

@@ -0,0 +1,31 @@
title: Data Compressed - PowerShell
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: An adversary may compress data (e.g., sensitive documents) that is collected
prior to exfiltration in order to make it portable and minimize the amount of data
sent over the network.
detection:
SELECTION_1:
ScriptBlockText: '*-Recurse*'
SELECTION_2:
ScriptBlockText: '*|*'
SELECTION_3:
ScriptBlockText: '*Compress-Archive*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Highly likely if archive operations are done via PowerShell.
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
level: low
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
status: experimental
tags:
- attack.exfiltration
- attack.t1560
- attack.t1002
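Review bot: SELECTION_2 `'*|*'` matches any script block containing a pipe, i.e. almost every multi-command script, so it adds nothing to the `-Recurse` plus `Compress-Archive` combination; drop it or replace it with the concrete pipeline input (e.g. `'*Get-ChildItem*'`). `attack.t1002` is the retired ID for Data Compressed, merged into `attack.t1560`, which is already tagged.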

@@ -0,0 +1,32 @@
title: Powershell Detect Virtualization Environment
author: frack113
date: 2021/08/03
description: Adversaries may employ various system checks to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the results
of checks for the presence of artifacts indicative of a virtual machine environment
(VME) or sandbox
detection:
SELECTION_1:
ScriptBlockText: '*Get-WmiObject*'
SELECTION_2:
ScriptBlockText:
- '*MSAcpi_ThermalZoneTemperature*'
- '*Win32_ComputerSystem*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
status: experimental
tags:
- attack.defense_evasion
- attack.t1497.001
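Review bot: `definition: EnableScriptBlockLogging must be set to enable` deviates from the `Script block logging must be enabled` wording used by the other rules; align it. SELECTION_1 only covers `Get-WmiObject`; `Get-CimInstance` is the current equivalent for the same WMI classes and is not matched, so consider adding it to the list.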

@@ -0,0 +1,25 @@
title: Dnscat Execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
description: Dnscat exfiltration tool execution
detection:
SELECTION_1:
ScriptBlockText: '*Start-Dnscat2*'
condition: SELECTION_1
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
id: a6d67db4-6220-436d-8afc-f3842fe05d43
level: critical
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.exfiltration
- attack.t1048
- attack.execution
- attack.t1059.001
- attack.t1086
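Review bot: this rule has no `references:` entry while every other rule in the commit cites at least one; add the Dnscat2 project source. `attack.t1086` is retired in favour of `attack.t1059.001`, which is already tagged.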

@@ -0,0 +1,30 @@
title: PowerShell ICMP Exfiltration
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/10
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
steal data by exfiltrating it over an un-encrypted network protocol other than that
of the existing command and control channel.
detection:
SELECTION_1:
ScriptBlockText: '*New-Object*'
SELECTION_2:
ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
SELECTION_3:
ScriptBlockText: '*.Send(*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
status: experimental
tags:
- attack.exfiltration
- attack.t1048.003

@@ -0,0 +1,24 @@
title: PrintNightmare Powershell Exploitation
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet name for PrintNightmare exploitation.
detection:
SELECTION_1:
ScriptBlockText: '*Invoke-Nightmare*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
status: test
tags:
- attack.privilege_escalation
- attack.t1548
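Review bot: `definition: Script Block Logging must be enable` should read `must be enabled`, and `status: test` differs from the `experimental` used by every other rule here; confirm it is intentional. The description `Detects Commandlet name for PrintNightmare exploitation` should name the cmdlet the rule matches (`Invoke-Nightmare`) so a reader knows what fires it.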

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 73e67340-0d25-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,39 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
ScriptBlockText|re: \$VerbosePreference\.ToString\(
SELECTION_7:
ScriptBlockText|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
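Review bot: in SELECTION_7 the pattern `\String\]\s*\$VerbosePreference` starts with `\S`, which the regex engine reads as the non-whitespace character class, so it matches any single non-space character followed by `tring]` rather than the literal `[String]` cast; if that cast is the intent, write `\[String\]\s*\$VerbosePreference`. `attack.t1086` is retired in favour of `attack.t1059.001`, which is already tagged.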

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
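Review bot: style point in SELECTION_1: `(?:\s|)` is an alternation with an empty branch and is equivalent to `\s?`; the shorter form reads better and avoids engines that warn about empty alternatives. The leading `.*` is also unnecessary for an unanchored search.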

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: e55a5195-4724-480e-a77e-3ebe64bd3759
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
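Review bot: check `date: 2019/10/08`; the author's sibling Invoke-Obfuscation rules in this commit are dated 2020/10/08, 2020/10/09 and 2020/10/12 and cite the same reference, so this looks like a typo for 2020/10/08.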

@@ -0,0 +1,26 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: SELECTION_1
falsepositives:
- Unknown
id: e54f5149-6ba3-49cf-b153-070d24679126
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

@@ -0,0 +1,30 @@
title: Powershell Keylogging
author: frack113
date: 2021/07/30
description: Adversaries may log user keystrokes to intercept credentials as the user
types them.
detection:
SELECTION_1:
ScriptBlockText: '*Get-Keystrokes*'
SELECTION_2:
ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*'
SELECTION_3:
ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*'
condition: (SELECTION_1 or (SELECTION_2 and SELECTION_3))
falsepositives:
- Unknown
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
status: experimental
tags:
- attack.collection
- attack.t1056.001
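Review bot: the first reference (`atomics/T1218/T1218.md`, Signed Binary Proxy Execution) is unrelated to keylogging; the second (`T1056.001/src/Get-Keystrokes.ps1`) is the relevant source, so drop or correct the first. `definition: EnableScriptBlockLogging must be set to enable` should also be aligned with the `Script block logging must be enabled` wording used elsewhere.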

@@ -0,0 +1,123 @@
title: Malicious PowerShell Commandlets
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-DllInjection*'
- '*Invoke-Shellcode*'
- '*Invoke-WmiCommand*'
- '*Get-GPPPassword*'
- '*Get-Keystrokes*'
- '*Get-TimedScreenshot*'
- '*Get-VaultCredential*'
- '*Invoke-CredentialInjection*'
- '*Invoke-Mimikatz*'
- '*Invoke-NinjaCopy*'
- '*Invoke-TokenManipulation*'
- '*Out-Minidump*'
- '*VolumeShadowCopyTools*'
- '*Invoke-ReflectivePEInjection*'
- '*Invoke-UserHunter*'
- '*Find-GPOLocation*'
- '*Invoke-ACLScanner*'
- '*Invoke-DowngradeAccount*'
- '*Get-ServiceUnquoted*'
- '*Get-ServiceFilePermission*'
- '*Get-ServicePermission*'
- '*Invoke-ServiceAbuse*'
- '*Install-ServiceBinary*'
- '*Get-RegAutoLogon*'
- '*Get-VulnAutoRun*'
- '*Get-VulnSchTask*'
- '*Get-UnattendedInstallFile*'
- '*Get-ApplicationHost*'
- '*Get-RegAlwaysInstallElevated*'
- '*Get-Unconstrained*'
- '*Add-RegBackdoor*'
- '*Add-ScrnSaveBackdoor*'
- '*Gupt-Backdoor*'
- '*Invoke-ADSBackdoor*'
- '*Enabled-DuplicateToken*'
- '*Invoke-PsUaCme*'
- '*Remove-Update*'
- '*Check-VM*'
- '*Get-LSASecret*'
- '*Get-PassHashes*'
- '*Show-TargetScreen*'
- '*Port-Scan*'
- '*Invoke-PoshRatHttp*'
- '*Invoke-PowerShellTCP*'
- '*Invoke-PowerShellWMI*'
- '*Add-Exfiltration*'
- '*Add-Persistence*'
- '*Do-Exfiltration*'
- '*Start-CaptureServer*'
- '*Get-ChromeDump*'
- '*Get-ClipboardContents*'
- '*Get-FoxDump*'
- '*Get-IndexedItem*'
- '*Get-Screenshot*'
- '*Invoke-Inveigh*'
- '*Invoke-NetRipper*'
- '*Invoke-EgressCheck*'
- '*Invoke-PostExfil*'
- '*Invoke-PSInject*'
- '*Invoke-RunAs*'
- '*MailRaider*'
- '*New-HoneyHash*'
- '*Set-MacAttribute*'
- '*Invoke-DCSync*'
- '*Invoke-PowerDump*'
- '*Exploit-Jboss*'
- '*Invoke-ThunderStruck*'
- '*Invoke-VoiceTroll*'
- '*Set-Wallpaper*'
- '*Invoke-InveighRelay*'
- '*Invoke-PsExec*'
- '*Invoke-SSHCommand*'
- '*Get-SecurityPackages*'
- '*Install-SSP*'
- '*Invoke-BackdoorLNK*'
- '*PowerBreach*'
- '*Get-SiteListPassword*'
- '*Get-System*'
- '*Invoke-BypassUAC*'
- '*Invoke-Tater*'
- '*Invoke-WScriptBypassUAC*'
- '*PowerUp*'
- '*PowerView*'
- '*Get-RickAstley*'
- '*Find-Fruit*'
- '*HTTP-Login*'
- '*Find-TrustedDocuments*'
- '*Invoke-Paranoia*'
- '*Invoke-WinEnum*'
- '*Invoke-ARPScan*'
- '*Invoke-PortScan*'
- '*Invoke-ReverseDNSLookup*'
- '*Invoke-SMBScanner*'
- '*Invoke-Mimikittenz*'
- '*Invoke-AllChecks*'
SELECTION_2:
ScriptBlockText: '*Get-SystemDriveInfo*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
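Review bot: the SELECTION_2 exclusion for `Get-SystemDriveInfo` exists only because `'*Get-System*'` is a prefix match; the same applies to `'*PowerUp*'`, `'*PowerView*'`, `'*Port-Scan*'`, `'*Set-Wallpaper*'` and `'*Get-Screenshot*'`, which will hit unrelated function names or comments, so either tighten those entries or document them under `falsepositives` beyond `Penetration testing`. `attack.t1086` is retired in favour of `attack.t1059.001`, which is already tagged.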

@@ -0,0 +1,46 @@
title: Malicious PowerShell Keywords
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects keywords from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText:
- '*AdjustTokenPrivileges*'
- '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
- '*Microsoft.Win32.UnsafeNativeMethods*'
- '*ReadProcessMemory.Invoke*'
- '*SE_PRIVILEGE_ENABLED*'
- '*LSA_UNICODE_STRING*'
- '*MiniDumpWriteDump*'
- '*PAGE_EXECUTE_READ*'
- '*SECURITY_DELEGATION*'
- '*TOKEN_ADJUST_PRIVILEGES*'
- '*TOKEN_ALL_ACCESS*'
- '*TOKEN_ASSIGN_PRIMARY*'
- '*TOKEN_DUPLICATE*'
- '*TOKEN_ELEVATION*'
- '*TOKEN_IMPERSONATE*'
- '*TOKEN_INFORMATION_CLASS*'
- '*TOKEN_PRIVILEGES*'
- '*TOKEN_QUERY*'
- '*Metasploit*'
- '*Mimikatz*'
condition: SELECTION_1
falsepositives:
- Penetration tests
id: f62176f3-8128-4faa-bf6c-83261322e5eb
level: high
logsource:
category: ps_script
definition: It is recommended to use the new "Script Block Logging" of PowerShell
v5 https://adsecurity.org/?p=2277
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
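Review bot: `definition` here is a recommendation with an embedded URL rather than the requirement statement the other rules use (`Script block logging must be enabled`); align the wording and move the URL into `references`. `attack.t1086` is retired in favour of `attack.t1059.001`, which is already tagged.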

@@ -0,0 +1,26 @@
title: Live Memory Dump Using Powershell
author: Max Altgelt
date: 2021/09/21
description: Detects usage of a PowerShell command to dump the live memory of a Windows
machine
detection:
SELECTION_1:
ScriptBlockText: '*Get-StorageDiagnosticInfo*'
SELECTION_2:
ScriptBlockText: '*-IncludeLiveDump*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Diagnostics
id: cd185561-4760-45d6-a63e-a51325112cae
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
status: experimental
tags:
- attack.t1003
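Review bot: `tags` lists `attack.t1003` without a tactic tag; the other rules pair technique and tactic, so add `attack.credential_access`.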

@@ -0,0 +1,96 @@
title: Malicious Nishang PowerShell Commandlets
author: Alec Costello
date: 2019/05/16
description: Detects Commandlet names and arguments from the Nishang exploitation
framework
detection:
SELECTION_1:
ScriptBlockText:
- '*Add-ConstrainedDelegationBackdoor*'
- '*Set-DCShadowPermissions*'
- '*DNS_TXT_Pwnage*'
- '*Execute-OnTime*'
- '*HTTP-Backdoor*'
- '*Set-RemotePSRemoting*'
- '*Set-RemoteWMI*'
- '*Invoke-AmsiBypass*'
- '*Out-CHM*'
- '*Out-HTA*'
- '*Out-SCF*'
- '*Out-SCT*'
- '*Out-Shortcut*'
- '*Out-WebQuery*'
- '*Out-Word*'
- '*Enable-Duplication*'
- '*Remove-Update*'
- '*Download-Execute-PS*'
- '*Download_Execute*'
- '*Execute-Command-MSSQL*'
- '*Execute-DNSTXT-Code*'
- '*Out-RundllCommand*'
- '*Copy-VSS*'
- '*FireBuster*'
- '*FireListener*'
- '*Get-Information*'
- '*Get-PassHints*'
- '*Get-WLAN-Keys*'
- '*Get-Web-Credentials*'
- '*Invoke-CredentialsPhish*'
- '*Invoke-MimikatzWDigestDowngrade*'
- '*Invoke-SSIDExfil*'
- '*Invoke-SessionGopher*'
- '*Keylogger*'
- '*Invoke-Interceptor*'
- '*Create-MultipleSessions*'
- '*Invoke-NetworkRelay*'
- '*Run-EXEonRemote*'
- '*Invoke-Prasadhak*'
- '*Invoke-BruteForce*'
- '*Password-List*'
- '*Invoke-JSRatRegsvr*'
- '*Invoke-JSRatRundll*'
- '*Invoke-PoshRatHttps*'
- '*Invoke-PowerShellIcmp*'
- '*Invoke-PowerShellUdp*'
- '*Invoke-PSGcat*'
- '*Invoke-PsGcatAgent*'
- '*Remove-PoshRat*'
- '*Add-Persistance*'
- '*ExetoText*'
- '*Invoke-Decode*'
- '*Invoke-Encode*'
- '*Parse_Keys*'
- '*Remove-Persistence*'
- '*StringtoBase64*'
- '*TexttoExe*'
- '*Powerpreter*'
- '*Nishang*'
- '*DataToEncode*'
- '*LoggedKeys*'
- '*OUT-DNSTXT*'
- '*ExfilOption*'
- '*DumpCerts*'
- '*DumpCreds*'
- '*Shellcode32*'
- '*Shellcode64*'
- '*NotAllNameSpaces*'
- '*exfill*'
- '*FakeDC*'
condition: SELECTION_1
falsepositives:
- Penetration testing
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/samratashok/nishang
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
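Review bot: `'*Add-Persistance*'` sits next to `'*Remove-Persistence*'`; verify the spelling against the Nishang source, because a misspelt pattern never matches. Generic entries such as `'*Keylogger*'`, `'*exfill*'`, `'*DumpCreds*'` and `'*Nishang*'` will also fire on security tooling and comments that merely mention them, which `falsepositives: Penetration testing` does not cover. `attack.t1086` is retired in favour of `attack.t1059.001`, which is already tagged.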

@@ -0,0 +1,35 @@
title: NTFS Alternate Data Stream
author: Sami Ruohonen
date: 2018/07/24
description: Detects writing data into NTFS alternate data streams from powershell.
Needs Script Block Logging.
detection:
SELECTION_1:
ScriptBlockText:
- '*set-content*'
- '*add-content*'
SELECTION_2:
ScriptBlockText:
- '*-stream*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 8c521530-5169-495d-a199-0a3a881ad24e
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
- attack.t1096
- attack.execution
- attack.t1059.001
- attack.t1086
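Review bot: the description's `Needs Script Block Logging.` duplicates `logsource.definition`; drop it from the description. `attack.t1096` (NTFS File Attributes) and `attack.t1086` are retired IDs, superseded by `attack.t1564.004` and `attack.t1059.001`, both already tagged.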

@@ -0,0 +1,149 @@
title: Malicious PowerView PowerShell Commandlets
author: Bhabesh Raj
date: 2021/05/18
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
detection:
SELECTION_1:
ScriptBlockText:
- '*Export-PowerViewCSV*'
- '*Get-IPAddress*'
- '*Resolve-IPAddress*'
- '*Convert-NameToSid*'
- '*ConvertTo-SID*'
- '*Convert-ADName*'
- '*ConvertFrom-UACValue*'
- '*Add-RemoteConnection*'
- '*Remove-RemoteConnection*'
- '*Invoke-UserImpersonation*'
- '*Invoke-RevertToSelf*'
- '*Request-SPNTicket*'
- '*Get-DomainSPNTicket*'
- '*Invoke-Kerberoast*'
- '*Get-PathAcl*'
- '*Get-DNSZone*'
- '*Get-DomainDNSZone*'
- '*Get-DNSRecord*'
- '*Get-DomainDNSRecord*'
- '*Get-NetDomain*'
- '*Get-Domain*'
- '*Get-NetDomainController*'
- '*Get-DomainController*'
- '*Get-NetForest*'
- '*Get-Forest*'
- '*Get-NetForestDomain*'
- '*Get-ForestDomain*'
- '*Get-NetForestCatalog*'
- '*Get-ForestGlobalCatalog*'
- '*Find-DomainObjectPropertyOutlier*'
- '*Get-NetUser*'
- '*Get-DomainUser*'
- '*New-DomainUser*'
- '*Set-DomainUserPassword*'
- '*Get-UserEvent*'
- '*Get-DomainUserEvent*'
- '*Get-NetComputer*'
- '*Get-DomainComputer*'
- '*Get-ADObject*'
- '*Get-DomainObject*'
- '*Set-ADObject*'
- '*Set-DomainObject*'
- '*Get-ObjectAcl*'
- '*Get-DomainObjectAcl*'
- '*Add-ObjectAcl*'
- '*Add-DomainObjectAcl*'
- '*Invoke-ACLScanner*'
- '*Find-InterestingDomainAcl*'
- '*Get-NetOU*'
- '*Get-DomainOU*'
- '*Get-NetSite*'
- '*Get-DomainSite*'
- '*Get-NetSubnet*'
- '*Get-DomainSubnet*'
- '*Get-DomainSID*'
- '*Get-NetGroup*'
- '*Get-DomainGroup*'
- '*New-DomainGroup*'
- '*Find-ManagedSecurityGroups*'
- '*Get-DomainManagedSecurityGroup*'
- '*Get-NetGroupMember*'
- '*Get-DomainGroupMember*'
- '*Add-DomainGroupMember*'
- '*Get-NetFileServer*'
- '*Get-DomainFileServer*'
- '*Get-DFSshare*'
- '*Get-DomainDFSShare*'
- '*Get-NetGPO*'
- '*Get-DomainGPO*'
- '*Get-NetGPOGroup*'
- '*Get-DomainGPOLocalGroup*'
- '*Find-GPOLocation*'
- '*Get-DomainGPOUserLocalGroupMapping*'
- '*Find-GPOComputerAdmin*'
- '*Get-DomainGPOComputerLocalGroupMapping*'
- '*Get-DomainPolicy*'
- '*Get-NetLocalGroup*'
- '*Get-NetLocalGroupMember*'
- '*Get-NetShare*'
- '*Get-NetLoggedon*'
- '*Get-NetSession*'
- '*Get-LoggedOnLocal*'
- '*Get-RegLoggedOn*'
- '*Get-NetRDPSession*'
- '*Invoke-CheckLocalAdminAccess*'
- '*Test-AdminAccess*'
- '*Get-SiteName*'
- '*Get-NetComputerSiteName*'
- '*Get-Proxy*'
- '*Get-WMIRegProxy*'
- '*Get-LastLoggedOn*'
- '*Get-WMIRegLastLoggedOn*'
- '*Get-CachedRDPConnection*'
- '*Get-WMIRegCachedRDPConnection*'
- '*Get-RegistryMountedDrive*'
- '*Get-WMIRegMountedDrive*'
- '*Get-NetProcess*'
- '*Get-WMIProcess*'
- '*Find-InterestingFile*'
- '*Invoke-UserHunter*'
- '*Find-DomainUserLocation*'
- '*Invoke-ProcessHunter*'
- '*Find-DomainProcess*'
- '*Invoke-EventHunter*'
- '*Find-DomainUserEvent*'
- '*Invoke-ShareFinder*'
- '*Find-DomainShare*'
- '*Invoke-FileFinder*'
- '*Find-InterestingDomainShareFile*'
- '*Find-LocalAdminAccess*'
- '*Invoke-EnumerateLocalAdmin*'
- '*Find-DomainLocalGroupMember*'
- '*Get-NetDomainTrust*'
- '*Get-DomainTrust*'
- '*Get-NetForestTrust*'
- '*Get-ForestTrust*'
- '*Find-ForeignUser*'
- '*Get-DomainForeignUser*'
- '*Find-ForeignGroup*'
- '*Get-DomainForeignGroupMember*'
- '*Invoke-MapDomainTrust*'
- '*Get-DomainTrustMapping*'
condition: SELECTION_1
falsepositives:
- Should not be any as administrators do not use this tool
id: dcd74b95-3f36-4ed9-9598-0490951643aa
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
status: experimental
tags:
- attack.execution
- attack.t1059.001
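Review bot: The falsepositives line "Should not be any as administrators do not use this tool" is too strong for this selection list: '*Get-ADObject*' and '*Set-ADObject*' are also the names of cmdlets in Microsoft's ActiveDirectory (RSAT) module, and short prefixes such as '*Get-Domain*', '*Get-Forest*' and '*Get-Proxy*' match any custom or vendor function whose name starts that way, so administrative scripts will trigger this rule at level high. Either drop the overlapping entries or reword the falsepositives entry to name the ActiveDirectory module and custom Get-Domain*/Get-Forest* functions. Also, logsource.definition should read "Script Block Logging must be enabled" (several rules in this commit carry the same typo).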

View File

@@ -0,0 +1,27 @@
title: PowerShell Credential Prompt
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
description: Detects PowerShell calling a credential prompt
detection:
SELECTION_1:
ScriptBlockText: '*PromptForCredential*'
condition: SELECTION_1
falsepositives:
- Unknown
id: ca8b77a9-d499-4095-b793-5d5f330d450e
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
status: experimental
tags:
- attack.credential_access
- attack.execution
- attack.t1059.001
- attack.t1086
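Review bot: The second reference, https://t.co/ezOTGy1a1G, is a shortened redirect that hides its target and will stop resolving if the tweet is removed; replace it with the resolved URL so the rule stays auditable. Separately, attack.t1086 in tags is the pre-sub-technique ID that ATT&CK replaced with T1059.001, which is already tagged here, so the old tag can be dropped unless the repository deliberately keeps deprecated IDs.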

View File

@@ -0,0 +1,25 @@
title: PowerShell PSAttack
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects the use of PSAttack PowerShell hack tool
detection:
SELECTION_1:
ScriptBlockText: '*PS ATTACK!!!*'
condition: SELECTION_1
falsepositives:
- Pentesters
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,29 @@
title: Change PowerShell Policies to a Unsecure Level
author: frack113
date: 2021/10/20
description: Detects use of Set-ExecutionPolicy to set a unsecure policies
detection:
SELECTION_1:
ScriptBlockText: '*Set-ExecutionPolicy*'
SELECTION_2:
ScriptBlockText:
- '*Unrestricted*'
- '*bypass*'
- '*RemoteSigned*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrator script
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
level: high
logsource:
category: ps_script
product: windows
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
- https://adsecurity.org/?p=2604
status: experimental
tags:
- attack.execution
- attack.t1059.001
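Review bot: Including '*RemoteSigned*' in SELECTION_2 at level high will be noisy, because RemoteSigned is the default execution policy on Windows Server and the setting most administrators apply deliberately; it is not comparable to Unrestricted or Bypass. Consider removing it or splitting it into a separate low-level selection, and note that the falsepositives entry "Administrator script" already concedes this. Wording: the title should read "Change PowerShell Policies to an Unsecure Level" and the description "to set an unsecure policy". This rule also lacks the logsource.definition line about script block logging that the sibling ps_script rules carry.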

View File

@@ -0,0 +1,32 @@
title: PowerShell ShellCode
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
description: Detects Base64 encoded Shellcode
detection:
SELECTION_1:
ScriptBlockText: '*AAAAYInlM*'
SELECTION_2:
ScriptBlockText:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
level: critical
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
- attack.execution
- attack.t1059.001
- attack.t1086
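Review bot: SELECTION_1 is redundant in the condition (SELECTION_1 and SELECTION_2): both SELECTION_2 values, '*OiCAAAAYInlM*' and '*OiJAAAAYInlM*', contain the SELECTION_1 string 'AAAAYInlM', so any event matching SELECTION_2 already matches SELECTION_1. Either collapse to condition: SELECTION_2, or, if the intent was to catch the shorter substring on its own, the condition should be an OR. As written the rule's effective coverage is exactly the two longer strings.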

View File

@@ -0,0 +1,28 @@
title: Malicious ShellIntel PowerShell Commandlets
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet names from ShellIntel exploitation scripts.
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-SMBAutoBrute*'
- '*Invoke-GPOLinks*'
- '*Out-Minidump*'
- '*Invoke-Potato*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/Shellntel/scripts/
status: experimental
tags:
- attack.execution
- attack.t1059.001
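Review bot: The title says "ShellIntel" while the reference points at the GitHub organisation "Shellntel" (https://github.com/Shellntel/scripts/); pick one spelling so the rule can be found by searching either the tool name or the URL. Minor wording: "Commandlet" is normally written "cmdlet", and logsource.definition should read "must be enabled".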

View File

@@ -0,0 +1,33 @@
title: Detected Windows Software Discovery
author: Nikita Nazarov, oscd.community
date: 2020/10/16
description: Adversaries may attempt to enumerate software for a variety of reasons,
such as figuring out what security measures are present or if the compromised system
has a version of software that is vulnerable.
detection:
SELECTION_1:
ScriptBlockText: '*get-itemProperty*'
SELECTION_2:
ScriptBlockText: '*\software\\*'
SELECTION_3:
ScriptBlockText: '*select-object*'
SELECTION_4:
ScriptBlockText: '*format-table*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administration activities
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/11/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts
status: experimental
tags:
- attack.discovery
- attack.t1518
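Review bot: SELECTION_3 ('*select-object*') and SELECTION_4 ('*format-table*') are output-shaping cmdlets that say nothing about what the script enumerates, so requiring them in the AND condition overfits the rule to the exact Atomic Red Team command line in the reference; a registry software inventory that pipes Get-ItemProperty output elsewhere, or simply omits Format-Table, is missed while the stated behaviour (reading the \software\ hive) is unchanged. The meaningful signal is SELECTION_1 and SELECTION_2; if the extra cmdlets are kept for precision, the description should say the rule targets that specific command pattern rather than software discovery in general.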

View File

@@ -0,0 +1,30 @@
title: Powershell Store File In Alternate Data Stream
author: frack113
date: 2021/09/02
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
detection:
SELECTION_1:
ScriptBlockText: '*Start-Process*'
SELECTION_2:
ScriptBlockText: '*-FilePath "$env:comspec" *'
SELECTION_3:
ScriptBlockText: '*-ArgumentList *'
SELECTION_4:
ScriptBlockText: '*>*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
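Review bot: None of the four selections references an alternate data stream, so the title and description ("Storing files in Alternate Data Stream (ADS)") overclaim what the rule matches: the condition fires on any Start-Process of "$env:comspec" whose argument list contains a '>' redirection, whether or not the target is an ADS. Either describe the rule as detecting cmd.exe output redirection launched from PowerShell, or add a selection for the stream syntax the referenced Atomic test uses. Also note SELECTION_2, '*-FilePath "$env:comspec" *', requires the exact double-quoted form with a trailing space, which makes it brittle against ordinary formatting differences.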

View File

@@ -0,0 +1,31 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
ScriptBlockText: '*Compress-Archive *'
SELECTION_2:
ScriptBlockText: '* -Path *'
SELECTION_3:
ScriptBlockText: '* -DestinationPath *'
SELECTION_4:
ScriptBlockText: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
level: medium
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
status: experimental
tags:
- attack.collection
- attack.t1074.001
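Review bot: The description is phrased as an instruction ("Use living off the land tools to zip a file and stage it ...") rather than as a description of what the rule detects; reword to "Detects use of Compress-Archive to write an archive under $env:TEMP, a common staging step before exfiltration". Also logsource.definition should read "must be enabled".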

View File

@@ -0,0 +1,29 @@
title: Suspicious PowerShell Download
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
ScriptBlockText: '*System.Net.WebClient*'
SELECTION_2:
ScriptBlockText:
- '*.DownloadFile(*'
- '*.DownloadString(*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- PowerShell scripts that download content from the Internet
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
level: medium
logsource:
category: ps_script
product: windows
modified: 2021/10/18
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
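Review bot: This rule has no references section and no logsource.definition line, unlike the sibling ps_script rules in this commit; since it is marked as derived from 65531a81-a694-4e31-ae04-f8ba5bc33759, at least carry over that rule's references so the origin of the '*System.Net.WebClient*' plus '*.DownloadFile(*' / '*.DownloadString(*' logic is documented, and add the script block logging requirement.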

View File

@@ -0,0 +1,28 @@
title: Suspicious Export-PfxCertificate
author: Florian Roth
date: 2021/04/23
description: Detects Commandlet that is used to export certificates from the local
certificate store and sometimes used by threat actors to steal private keys from
compromised machines
detection:
SELECTION_1:
ScriptBlockText: '*Export-PfxCertificate*'
condition: SELECTION_1
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/08/04
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
status: experimental
tags:
- attack.credential_access
- attack.t1552.004

View File

@@ -0,0 +1,26 @@
title: PowerShell Get-Process LSASS in ScriptBlock
author: Florian Roth
date: 2021/04/23
description: Detects a Get-Process command on lsass process, which is in almost all
cases a sign of malicious activity
detection:
SELECTION_1:
ScriptBlockText: '*Get-Process lsass*'
condition: SELECTION_1
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
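Review bot: The falsepositives entry "Legitimate certificate exports invoked by administrators or users ..." is copy-pasted from the Export-PfxCertificate rule (aa7a3fce-bef5-4311-9cc1-5f04bb8c308c) and does not apply to a Get-Process lsass detection; replace it with something relevant, for example monitoring or troubleshooting scripts that query lsass. The single pattern '*Get-Process lsass*' also misses the documented named-parameter form of the same cmdlet, so consider adding '*Get-Process -Name lsass*' to SELECTION_1 for the coverage the description claims ("in almost all cases a sign of malicious activity").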

View File

@@ -0,0 +1,37 @@
title: Suspicious PowerShell Invocations - Generic
author: Florian Roth (rule)
date: 2017/03/12
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ScriptBlockText:
- '* -enc *'
- '* -EncodedCommand *'
SELECTION_2:
ScriptBlockText:
- '* -w hidden *'
- '* -window hidden *'
- '* -windowstyle hidden *'
SELECTION_3:
ScriptBlockText:
- '* -noni *'
- '* -noninteractive *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
id: ed965133-513f-41d9-a441-e38076a0798f
level: high
logsource:
category: ps_script
product: windows
modified: 2021/10/18
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
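Review bot: The space-delimited values in SELECTION_1 to SELECTION_3 (for example '* -noni *' and '* -w hidden *') require a space after the switch, so a switch that is the last token of the logged script block text has no trailing space and does not match even though the invocation is identical. Consider patterns without the trailing space, or document that the rule relies on the switch being followed by further arguments. The rule is otherwise consistent with its derived source 3d304fda-78aa-43ed-975c-d740798a49c1.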

View File

@@ -0,0 +1,94 @@
title: Suspicious PowerShell Invocations - Specific
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ScriptBlockText: '*-nop*'
SELECTION_10:
ScriptBlockText: '* -c *'
SELECTION_11:
ScriptBlockText: '*iex*'
SELECTION_12:
ScriptBlockText: '*New-Object*'
SELECTION_13:
ScriptBlockText: '* -w *'
SELECTION_14:
ScriptBlockText: '*hidden*'
SELECTION_15:
ScriptBlockText: '*-ep*'
SELECTION_16:
ScriptBlockText: '*bypass*'
SELECTION_17:
ScriptBlockText: '*-Enc*'
SELECTION_18:
ScriptBlockText: '*powershell*'
SELECTION_19:
ScriptBlockText: '*reg*'
SELECTION_2:
ScriptBlockText: '* -w *'
SELECTION_20:
ScriptBlockText: '*add*'
SELECTION_21:
ScriptBlockText: '*HKCU\software\microsoft\windows\currentversion\run*'
SELECTION_22:
ScriptBlockText: '*bypass*'
SELECTION_23:
ScriptBlockText: '*-noprofile*'
SELECTION_24:
ScriptBlockText: '*-windowstyle*'
SELECTION_25:
ScriptBlockText: '*hidden*'
SELECTION_26:
ScriptBlockText: '*new-object*'
SELECTION_27:
ScriptBlockText: '*system.net.webclient*'
SELECTION_28:
ScriptBlockText: '*.download*'
SELECTION_29:
ScriptBlockText: '*iex*'
SELECTION_3:
ScriptBlockText: '*hidden*'
SELECTION_30:
ScriptBlockText: '*New-Object*'
SELECTION_31:
ScriptBlockText: '*Net.WebClient*'
SELECTION_32:
ScriptBlockText: '*.Download*'
SELECTION_4:
ScriptBlockText: '* -c *'
SELECTION_5:
ScriptBlockText: '*[Convert]::FromBase64String*'
SELECTION_6:
ScriptBlockText: '* -w *'
SELECTION_7:
ScriptBlockText: '*hidden*'
SELECTION_8:
ScriptBlockText: '*-noni*'
SELECTION_9:
ScriptBlockText: '*-nop*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
and SELECTION_31 and SELECTION_32))
falsepositives:
- Penetration tests
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/18
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
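Review bot: The selection list contains many identical entries that should be de-duplicated so the condition becomes readable: SELECTION_2, SELECTION_6 and SELECTION_13 are all '* -w *'; SELECTION_3, SELECTION_7, SELECTION_14 and SELECTION_25 are all '*hidden*'; SELECTION_1/9 ('*-nop*'), SELECTION_4/10 ('* -c *'), SELECTION_11/29 ('*iex*'), SELECTION_12/30 ('*New-Object*') and SELECTION_16/22 ('*bypass*') are likewise duplicates. In the fourth branch, SELECTION_19 ('*reg*') and SELECTION_20 ('*add*') are substrings of ordinary words such as "region" or "address" and add no precision once the run-key path in SELECTION_21 is already required; that branch is effectively SELECTION_18 and SELECTION_21.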

View File

@@ -0,0 +1,39 @@
title: Suspicious PowerShell Keywords
author: Florian Roth, Perez Diego (@darkquassar)
date: 2019/02/11
description: Detects keywords that could indicate the use of some PowerShell exploitation
framework
detection:
SELECTION_1:
ScriptBlockText:
- '*System.Reflection.Assembly.Load($*'
- '*[System.Reflection.Assembly]::Load($*'
- '*[Reflection.Assembly]::Load($*'
- '*System.Reflection.AssemblyName*'
- '*Reflection.Emit.AssemblyBuilderAccess*'
- '*Runtime.InteropServices.DllImportAttribute*'
- '*SuspendThread*'
- '*rundll32*'
- '*Invoke-WMIMethod*'
- '*http://127.0.0.1*'
condition: SELECTION_1
falsepositives:
- Penetration tests
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled for 4104
product: windows
modified: 2021/10/16
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
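Review bot: Three values in the OR list will fire on benign scripts at level high: '*Invoke-WMIMethod*' is the name of a built-in cmdlet (Invoke-WmiMethod, Microsoft.PowerShell.Management) used by ordinary administration scripts, '*http://127.0.0.1*' appears in any script talking to a local service, and '*rundll32*' is a common string in installer and maintenance scripts. Consider moving those three into a separate lower-level rule and keeping this one for the reflection and DllImport keywords, or expand the falsepositives entry beyond "Penetration tests" so the noise is documented.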

View File

@@ -0,0 +1,30 @@
title: Powershell Local Email Collection
author: frack113
date: 2021/07/21
description: Adversaries may target user email on local systems to collect sensitive
information. Files containing email data can be acquired from a users local system,
such as Outlook storage or cache files.
detection:
SELECTION_1:
ScriptBlockText:
- '*Get-Inbox.ps1*'
- '*Microsoft.Office.Interop.Outlook*'
- '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
- '*-comobject outlook.application*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
status: experimental
tags:
- attack.collection
- attack.t1114.001
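Review bot: In SELECTION_1 the value '*Microsoft.Office.Interop.Outlook.olDefaultFolders*' is redundant, because '*Microsoft.Office.Interop.Outlook*' on the line above already matches every string that contains it; drop the longer entry or, if the intent was to require the olDefaultFolders access specifically, move it into a separate selection ANDed with the others.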

View File

@@ -0,0 +1,28 @@
title: PowerShell Deleted Mounted Share
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/08
description: Detects when when a mounted share is removed. Adversaries may remove
share connections that are no longer useful in order to clean up traces of their
operation
detection:
SELECTION_1:
ScriptBlockText:
- '*Remove-SmbShare*'
- '*Remove-FileShare*'
condition: SELECTION_1
falsepositives:
- Administrators or Power users may remove their shares via cmd line
id: 66a4d409-451b-4151-94f4-a55d559c49b0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.005
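Review bot: The description does not match the selection: it talks about a mounted share being removed (a client-side connection), but Remove-SmbShare and Remove-FileShare delete a share the host itself serves; the client-side counterpart is Remove-SmbMapping. Either reword the title/description to "Detects removal of an SMB share hosted on the system" or add '*Remove-SmbMapping*' to SELECTION_1 so the rule covers the connection-removal behaviour named by T1070.005. Typo in the description: "Detects when when".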

View File

@@ -0,0 +1,30 @@
title: Recon Information for Export with PowerShell
author: frack113
date: 2021/07/30
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data
detection:
SELECTION_1:
ScriptBlockText:
- '*Get-Service *'
- '*Get-ChildItem *'
- '*Get-Process *'
SELECTION_2:
ScriptBlockText: '*> $env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a9723fcc-881c-424c-8709-fd61442ab3c3
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119

View File

@@ -0,0 +1,25 @@
title: Powershell Suspicious Win32_PnPEntity
author: frack113
date: 2021/08/23
description: Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.
detection:
SELECTION_1:
ScriptBlockText: '*Win32_PnPEntity*'
condition: SELECTION_1
falsepositives:
- admin script
id: b26647de-4feb-4283-af6b-6117661283c5
level: low
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
status: experimental
tags:
- attack.discovery
- attack.t1120

View File

@@ -0,0 +1,28 @@
title: Suspicious PowerShell WindowStyle Option
author: frack113
date: 2021/10/20
description: Adversaries may use hidden windows to conceal malicious activity from
the plain sight of users. In some cases, windows that would typically be displayed
when an application carries out an operation can be hidden
detection:
SELECTION_1:
ScriptBlockText: '*powershell*'
SELECTION_2:
ScriptBlockText: '*WindowStyle*'
SELECTION_3:
ScriptBlockText: '*Hidden*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
level: medium
logsource:
category: ps_script
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.003

View File

@@ -0,0 +1,29 @@
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
author: Ensar Şamil, @sblmsrsn, OSCD Community
date: 2020/10/05
description: Detects SyncAppvPublishingServer process execution which usually utilized
by adversaries to bypass PowerShell execution restrictions.
detection:
SELECTION_1:
ScriptBlockText: '*SyncAppvPublishingServer.exe*'
condition: SELECTION_1
falsepositives:
- App-V clients
id: dddfebae-c46f-439c-af7a-fdb6bde90218
level: medium
logsource:
category: ps_script
product: windows
modified: 2021/10/18
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
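Review bot: Grammar in the description: "which usually utilized by adversaries" should read "which is usually utilized by adversaries". The rule also lacks the logsource.definition line about script block logging that the other ps_script rules in this commit carry; since a ScriptBlockText match only occurs when the script itself names SyncAppvPublishingServer.exe, that dependency is worth stating.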

View File

@@ -0,0 +1,34 @@
title: Powershell Timestomp
author: frack113
date: 2021/08/03
description: Adversaries may modify file time attributes to hide new or changes to
existing files. Timestomping is a technique that modifies the timestamps of a file
(the modify, access, create, and change times), often to mimic files that are in
the same folder.
detection:
SELECTION_1:
ScriptBlockText:
- '*.CreationTime =*'
- '*.LastWriteTime =*'
- '*.LastAccessTime =*'
- '*[IO.File]::SetCreationTime*'
- '*[IO.File]::SetLastAccessTime*'
- '*[IO.File]::SetLastWriteTime*'
condition: SELECTION_1
falsepositives:
- legitime admin script
id: c6438007-e081-42ce-9483-b067fbef33c3
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.006
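Review bot: The first three SELECTION_1 values ('*.CreationTime =*', '*.LastWriteTime =*', '*.LastAccessTime =*') require a space before the equals sign, but the no-space assignment form is equally valid PowerShell and equally likely in scripts, so those patterns cover only one formatting of the same statement; add the '*.CreationTime=*' variants or drop the space. Typo in falsepositives: "legitime admin script" should read "legitimate admin script".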

View File

@@ -0,0 +1,33 @@
title: Powershell Trigger Profiles by Add_Content
author: frack113
date: 2021/08/18
description: Adversaries may gain persistence and elevate privileges by executing
malicious content triggered by PowerShell profiles.
detection:
SELECTION_1:
ScriptBlockText: '*Add-Content*'
SELECTION_2:
ScriptBlockText: '*$profile*'
SELECTION_3:
ScriptBlockText: '*-Value*'
SELECTION_4:
ScriptBlockText:
- '*Start-Process*'
- '*""*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.013
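Review bot: The second SELECTION_4 value, '*""*', matches any two adjacent double quotes (an empty string literal or the end of one quoted string followed by the start of another), so it contributes almost nothing as a discriminator next to '*Start-Process*'; with the other three selections ANDed the rule still works, but the condition would be clearer with that entry removed or replaced by the specific payload pattern the referenced Atomic test writes. The title's "Add_Content" should be "Add-Content" to match the cmdlet name used in SELECTION_1.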

View File

@@ -0,0 +1,36 @@
title: Windows PowerShell Web Request
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request methods (including aliases) via
Windows PowerShell command
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-WebRequest*'
- '*iwr *'
- '*wget *'
- '*curl *'
- '*Net.WebClient*'
- '*Start-BitsTransfer*'
condition: SELECTION_1
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 1139d2e2-84b1-4226-b445-354492eba8ba
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
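Review bot: '*wget *' and '*curl *' match any script block containing those words, including strings and comments, not only the Windows PowerShell 5.1 aliases of Invoke-WebRequest, so the falsepositives entry should mention this beyond the Get-Command/Get-Help case. '*Net.WebClient*' also overlaps the Suspicious PowerShell Download rule (403c2cc0-7f6b-4925-9423-bfa573bed7eb) added in this same commit; add a related entry so analysts know both rules will fire on a WebClient download.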

View File

@@ -0,0 +1,33 @@
title: Windows Firewall Profile Disabled
author: Austin Songer @austinsonger
date: 2021/10/12
description: Detects when a user disables the Windows Firewall via a Profile to help
evade defense.
detection:
SELECTION_1:
ScriptBlockText: '*Set-NetFirewallProfile*'
SELECTION_2:
ScriptBlockText: '*-Profile*'
SELECTION_3:
ScriptBlockText: '*-Enabled*'
SELECTION_4:
ScriptBlockText: '*False*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 488b44e7-3781-4a71-888d-c95abfacf44d
level: high
logsource:
category: ps_script
product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.004
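Review bot: SELECTION_4 ('*False*') matches the word anywhere in the script block, so a command that enables the firewall while passing another false-valued switch, such as -Confirm:$false, satisfies all four selections and fires this high-level rule. Replacing SELECTION_3 and SELECTION_4 with a single value '*-Enabled False*' ties the false value to the -Enabled parameter the description is about and removes that class of false positives.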

View File

@@ -0,0 +1,35 @@
title: Winlogon Helper DLL
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
additional helper programs and functionalities that support Winlogon. Malicious
modifications to these Registry keys may cause Winlogon to load and execute malicious
DLLs and/or executables.
detection:
SELECTION_1:
ScriptBlockText: '*CurrentVersion\Winlogon*'
SELECTION_2:
ScriptBlockText:
- '*Set-ItemProperty*'
- '*New-Item*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
status: experimental
tags:
- attack.persistence
- attack.t1547.004
- attack.t1004
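Review bot: The registry path in the description lost its backslashes around the optional WOW64 node and reads "HKLM\Software[Wow6432Node]Microsoft\Windows NT\..."; it should be "HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\" so the optional component is not glued to Software and Microsoft. In tags, attack.t1004 is the pre-sub-technique ID that ATT&CK replaced with T1547.004, which is already present, so the old tag can go.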

View File

@@ -0,0 +1,35 @@
title: Powershell WMI Persistence
author: frack113
date: 2021/08/19
description: Adversaries may establish persistence and elevate privileges by executing
malicious content triggered by a Windows Management Instrumentation (WMI) event
subscription.
detection:
SELECTION_1:
ScriptBlockText: '*New-CimInstance *'
SELECTION_2:
ScriptBlockText: '*-Namespace root/subscription *'
SELECTION_3:
ScriptBlockText: '*-Property *'
SELECTION_4:
ScriptBlockText: '*-ClassName __EventFilter *'
SELECTION_5:
ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.003
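Review bot: SELECTION_4 and SELECTION_5 cover the __EventFilter and CommandLineEventConsumer objects but not the __FilterToConsumerBinding instance that ties them together, which is the third New-CimInstance call the referenced Atomic test and Empire module make in the same namespace; adding '*-ClassName __FilterToConsumerBinding *' as a third alternative catches persistence set up in separate script blocks where only the binding is logged. SELECTION_3 ('*-Property *') adds nothing to precision, since every New-CimInstance call creating these classes passes -Property.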

View File

@@ -0,0 +1,44 @@
title: WMImplant Hack Tool
author: NVISO
date: 2020/03/26
description: Detects parameters used by WMImplant
detection:
SELECTION_1:
ScriptBlockText:
- '*WMImplant*'
- '* change_user *'
- '* gen_cli *'
- '* command_exec *'
- '* disable_wdigest *'
- '* disable_winrm *'
- '* enable_wdigest *'
- '* enable_winrm *'
- '* registry_mod *'
- '* remote_posh *'
- '* sched_job *'
- '* service_mod *'
- '* process_kill *'
- '* active_users *'
- '* basic_info *'
- '* power_off *'
- '* vacant_system *'
- '* logon_events *'
condition: SELECTION_1
falsepositives:
- Administrative scripts that use the same keywords.
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/FortyNorthSecurity/WMImplant
status: experimental
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
- attack.t1086