Add: sigma rules (#175)

This commit is contained in:
itiB
2021-11-22 08:45:44 +09:00
committed by GitHub
parent b53342218c
commit 034f9c0957
1086 changed files with 40715 additions and 192 deletions


@@ -0,0 +1,74 @@
title: Accessing WinAPI in PowerShell
author: Nikita Nazarov, oscd.community
date: 2020/10/06
description: Detecting use WinAPI Functions in PowerShell
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*WaitForSingleObject*'
- '*QueueUserApc*'
- '*RtlCreateUserThread*'
- '*OpenProcess*'
- '*VirtualAlloc*'
- '*VirtualFree*'
- '*WriteProcessMemory*'
- '*CreateUserThread*'
- '*CloseHandle*'
- '*GetDelegateForFunctionPointer*'
- '*CreateThread*'
- '*memcpy*'
- '*LoadLibrary*'
- '*GetModuleHandle*'
- '*GetProcAddress*'
- '*VirtualProtect*'
- '*FreeLibrary*'
- '*ReadProcessMemory*'
- '*CreateRemoteThread*'
- '*AdjustTokenPrivileges*'
- '*WriteByte*'
- '*WriteInt32*'
- '*OpenThreadToken*'
- '*PtrToString*'
- '*FreeHGlobal*'
- '*ZeroFreeGlobalAllocUnicode*'
- '*OpenProcessToken*'
- '*GetTokenInformation*'
- '*SetThreadToken*'
- '*ImpersonateLoggedOnUser*'
- '*RevertToSelf*'
- '*GetLogonSessionData*'
- '*CreateProcessWithToken*'
- '*DuplicateTokenEx*'
- '*OpenWindowStation*'
- '*OpenDesktop*'
- '*MiniDumpWriteDump*'
- '*AddSecurityPackage*'
- '*EnumerateSecurityPackages*'
- '*GetProcessHandle*'
- '*DangerousGetHandle*'
- '*kernel32*'
- '*Advapi32*'
- '*msvcrt*'
- '*ntdll*'
- '*user32*'
- '*secur32*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
id: 03d83090-8cba-44a0-b02f-0b756a050306
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/04
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
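Review bot: SELECTION_2 mixes narrow injection primitives with very generic substrings (`*CloseHandle*`, `*memcpy*`, `*kernel32*`, `*LoadLibrary*`, `*GetProcAddress*`, `*GetModuleHandle*`) that occur in ordinary Add-Type/P-Invoke helper scripts, so at `level: high` the rule will fire on routine administration and the single Carbon entry under falsepositives understates that. Either move the library-name and handle-housekeeping tokens into a lower-level sibling rule or document the expected noise, e.g. add `- Legitimate scripts that declare native signatures via Add-Type / P-Invoke` to falsepositives. The entries are substring matches, so `*OpenProcess*` already covers the separately listed `*OpenProcessToken*`; the duplicate is harmless but could be pruned.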


@@ -0,0 +1,30 @@
title: PowerShell ADRecon Execution
author: Bhabesh Raj
date: 2021/07/16
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
reported to be actively used by FIN7
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Function Get-ADRExcelComOb*'
- '*ADRecon-Report.xlsx*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: bf72941a-cba0-41ea-b18c-9aca3925690d
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/sense-of-security/ADRecon
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1059.001


@@ -0,0 +1,41 @@
title: Automated Collection Command PowerShell
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*.doc*'
- '*.docx*'
- '*.xls*'
- '*.xlsx*'
- '*.ppt*'
- '*.pptx*'
- '*.rtf*'
- '*.pdf*'
- '*.txt*'
SELECTION_3:
ScriptBlockText: '*Get-ChildItem*'
SELECTION_4:
ScriptBlockText: '* -Recurse *'
SELECTION_5:
ScriptBlockText: '* -Include *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
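Review bot: SELECTION_4 and SELECTION_5 require a space on both sides of the switch (`'* -Recurse *'`, `'* -Include *'`), so a command whose last token is `-Recurse` or where the switch is followed by a line break may fail the match, depending on how the backend's wildcard treats line ends. The Data Compressed rule in this same commit uses the looser `'*-Recurse*'`; aligning on `'*-Recurse*'` and `'*-Include*'` closes that gap at the cost of slightly more noise. Separately, `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` are substring matches that already cover the `x` variants, so the `.docx`/`.xlsx`/`.pptx` entries are redundant.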


@@ -0,0 +1,29 @@
title: Execution via CL_Invocation.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*CL_Invocation.ps1*'
SELECTION_3:
ScriptBlockText: '*SyncInvoke*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216


@@ -0,0 +1,30 @@
title: Execution via CL_Invocation.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*CL_Invocation.ps1*'
- '*SyncInvoke*'
condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer >
2
falsepositives:
- Unknown
id: f588e69b-0750-46bb-8f87-0e9320d57536
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216
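Review bot: The aggregation threshold `count(ScriptBlockText) by Computer > 2` does not match the title "(2 Lines)": with two patterns in SELECTION_2, the intent appears to be that both script-block lines were logged on the same host, which would be `>= 2` (or `> 1`), while `> 2` requires three matching events. The same mismatch is in the CL_Mutexverifiers "(2 Lines)" rule of this commit. Whichever is intended, the condition is also a multi-line plain scalar (the `2` sits on its own line), which YAML folds correctly but reads as if the threshold were missing; keeping it on one line, `condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer >= 2`, avoids that, and note that `| count(...) by` conditions presumably need backend support for aggregations.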


@@ -0,0 +1,30 @@
title: Execution via CL_Mutexverifiers.ps1
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*CL_Mutexverifiers.ps1*'
SELECTION_3:
ScriptBlockText: '*runAfterCancelProcess*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216


@@ -0,0 +1,31 @@
title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*CL_Mutexverifiers.ps1*'
- '*runAfterCancelProcess*'
condition: (SELECTION_1 and SELECTION_2) | count(ScriptBlockText) by Computer >
2
falsepositives:
- Unknown
id: 6609c444-9670-4eab-9636-fe4755a851ce
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/05/21
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216


@@ -0,0 +1,30 @@
title: PowerShell Create Local User
author: '@ROxPinTeddy'
date: 2020/04/11
description: Detects creation of a local user via PowerShell
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*New-LocalUser*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate user creation
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.persistence
- attack.t1136.001
- attack.t1136
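Review bot: The tag list carries `attack.t1086`, the retired ATT&CK ID that was superseded by `attack.t1059.001` (already present), and both `attack.t1136` and its sub-technique `attack.t1136.001`. If the duplicates are kept deliberately for consumers that still key on the old IDs, a short note in the rule set's README would save reviewers from flagging it; otherwise drop `- attack.t1086` and `- attack.t1136`. The same retired `t1086` tag appears in the Dnscat, Invoke-Obfuscation IEX, Malicious PowerShell Commandlets/Keywords, Nishang and NTFS ADS rules of this commit, and the retired `t1002` (now T1560) and `t1096` (now T1564.004) appear in the Data Compressed and NTFS ADS rules respectively.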


@@ -0,0 +1,33 @@
title: Data Compressed - PowerShell
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: An adversary may compress data (e.g., sensitive documents) that is collected
prior to exfiltration in order to make it portable and minimize the amount of data
sent over the network.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*-Recurse*'
SELECTION_3:
ScriptBlockText: '*|*'
SELECTION_4:
ScriptBlockText: '*Compress-Archive*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Highly likely if archive operations are done via PowerShell.
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
level: low
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/07/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
status: experimental
tags:
- attack.exfiltration
- attack.t1560
- attack.t1002


@@ -0,0 +1,33 @@
title: Powershell Detect Virtualization Environment
author: frack113
date: 2021/08/03
description: Adversaries may employ various system checks to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the results
of checks for the presence of artifacts indicative of a virtual machine environment
(VME) or sandbox
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Get-WmiObject*'
SELECTION_3:
ScriptBlockText:
- '*MSAcpi_ThermalZoneTemperature*'
- '*Win32_ComputerSystem*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
status: experimental
tags:
- attack.defense_evasion
- attack.t1497.001
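Review bot: `Get-WmiObject` with `Win32_ComputerSystem` is one of the most common inventory queries in legitimate admin scripts, so `falsepositives: Unknown` understates the volume at `level: medium`. The referenced atomic test presumably reads the `Model`/`Manufacturer` property and compares it to VM vendor strings, so requiring that property in a further selection would make the rule far more specific — verify against the reference before tightening. The logsource definition `EnableScriptBlockLogging must be set to enable` also differs from the `Script block logging must be enabled` wording used by the other rules in this commit (the Keylogging rule has the same variant); one phrasing keeps the set consistent.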


@@ -0,0 +1,27 @@
title: Dnscat Execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
description: Dnscat exfiltration tool execution
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Start-Dnscat2*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
id: a6d67db4-6220-436d-8afc-f3842fe05d43
level: critical
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2020/08/24
status: experimental
tags:
- attack.exfiltration
- attack.t1048
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,31 @@
title: PowerShell ICMP Exfiltration
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/10
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
steal data by exfiltrating it over an un-encrypted network protocol other than that
of the existing command and control channel.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*New-Object*'
SELECTION_3:
ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
SELECTION_4:
ScriptBlockText: '*.Send(*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
status: experimental
tags:
- attack.exfiltration
- attack.t1048.003


@@ -0,0 +1,25 @@
title: PrintNightmare Powershell Exploitation
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet name for PrintNightmare exploitation.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Invoke-Nightmare*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/31
references:
- https://github.com/calebstewart/CVE-2021-1675
status: test
tags:
- attack.privilege_escalation
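Review bot: The logsource definition reads `Script Block Logging must be enable`; every other rule in this commit says `Script block logging must be enabled`, and the Malicious PowerShell Commandlets rule has the same typo. The tags list only the tactic `attack.privilege_escalation` with no technique, unlike the rest of the set; `- attack.t1068` (Exploitation for Privilege Escalation) is presumably the intended mapping — confirm against the upstream rule before adding it.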


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation CLIP+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 73e67340-0d25-11eb-adc1-0242ac120002
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
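Review bot: The `ScriptBlockText|re` pattern opens with `.*` and chains several unbounded `.+`/`.*` quantifiers between literals; since `|re` performs a search, the leading `.*` is redundant, and the nested unbounded wildcards can backtrack heavily on long 4104 payloads (script blocks can be tens of kilobytes). Dropping the leading `.*` and replacing the inner `.+` with bounded or line-limited forms such as `[^\n]{0,200}?` keeps the intent while capping the work per event — hedge on the exact bound, it depends on the samples in the referenced issue. This pattern, unlike the `(?i)`-prefixed ones later in the commit, is case-sensitive unless the backend lowercases, so `CMD /C` would slip past; the same two points apply to the STDIN+ and VAR+ launcher rules, and the backtracking point to the COMPRESS, RUNDLL, Via Stdin, Via Use Clip/MSHTA/Rundll32 and VAR++ rules as well.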


@@ -0,0 +1,41 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_3:
ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_4:
ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_5:
ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_6:
ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_7:
ScriptBlockText|re: \$VerbosePreference\.ToString\(
SELECTION_8:
ScriptBlockText|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Unknown
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
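Review bot: In SELECTION_8 the pattern `\String\]\s*\$VerbosePreference` starts with `\S`, which is the non-whitespace character class rather than a literal `S`; the intended literal is presumably the type cast `[String]`, i.e. `\[String\]\s*\$VerbosePreference`. As written it still matches `[String]` (because `S` is non-whitespace) but also any `?tring]` prefix, so it is broader than intended rather than broken; if this was copied verbatim from upstream, it is worth fixing there too. SELECTION_5's `(\s*\d{1,3}\s*,){2}` and SELECTION_6's `\\\\*mdr\\\\*` look correct for the obfuscated forms they target.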


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation STDIN+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation VAR+ Launcher
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation Via Stdin
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation Via Use Clip
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation Via Use MSHTA
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: e55a5195-4724-480e-a77e-3ebe64bd3759
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation Via Use Rundll32
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,28 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: e54f5149-6ba3-49cf-b153-070d24679126
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/10/07
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001


@@ -0,0 +1,31 @@
title: Powershell Keylogging
author: frack113
date: 2021/07/30
description: Adversaries may log user keystrokes to intercept credentials as the user
types them.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Get-Keystrokes*'
SELECTION_3:
ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*'
SELECTION_4:
ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*'
condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)))
falsepositives:
- Unknown
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
status: experimental
tags:
- attack.collection
- attack.t1056.001
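Review bot: The first reference points at the T1218 (Signed Binary Proxy Execution) atomics page, which has nothing to do with the tagged `attack.t1056.001`; it is presumably meant to be the T1056.001 page that the second reference already sits under, so either correct or drop it. SELECTION_3/4 match the specific `Get-ProcAddress user32.dll ...` call form, which is fine, but a script that imports `GetAsyncKeyState` through `Add-Type`/`DllImport` would not hit either selection — document that scope in the description if it is intentional.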


@@ -0,0 +1,125 @@
title: Malicious PowerShell Commandlets
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Invoke-DllInjection*'
- '*Invoke-Shellcode*'
- '*Invoke-WmiCommand*'
- '*Get-GPPPassword*'
- '*Get-Keystrokes*'
- '*Get-TimedScreenshot*'
- '*Get-VaultCredential*'
- '*Invoke-CredentialInjection*'
- '*Invoke-Mimikatz*'
- '*Invoke-NinjaCopy*'
- '*Invoke-TokenManipulation*'
- '*Out-Minidump*'
- '*VolumeShadowCopyTools*'
- '*Invoke-ReflectivePEInjection*'
- '*Invoke-UserHunter*'
- '*Find-GPOLocation*'
- '*Invoke-ACLScanner*'
- '*Invoke-DowngradeAccount*'
- '*Get-ServiceUnquoted*'
- '*Get-ServiceFilePermission*'
- '*Get-ServicePermission*'
- '*Invoke-ServiceAbuse*'
- '*Install-ServiceBinary*'
- '*Get-RegAutoLogon*'
- '*Get-VulnAutoRun*'
- '*Get-VulnSchTask*'
- '*Get-UnattendedInstallFile*'
- '*Get-ApplicationHost*'
- '*Get-RegAlwaysInstallElevated*'
- '*Get-Unconstrained*'
- '*Add-RegBackdoor*'
- '*Add-ScrnSaveBackdoor*'
- '*Gupt-Backdoor*'
- '*Invoke-ADSBackdoor*'
- '*Enabled-DuplicateToken*'
- '*Invoke-PsUaCme*'
- '*Remove-Update*'
- '*Check-VM*'
- '*Get-LSASecret*'
- '*Get-PassHashes*'
- '*Show-TargetScreen*'
- '*Port-Scan*'
- '*Invoke-PoshRatHttp*'
- '*Invoke-PowerShellTCP*'
- '*Invoke-PowerShellWMI*'
- '*Add-Exfiltration*'
- '*Add-Persistence*'
- '*Do-Exfiltration*'
- '*Start-CaptureServer*'
- '*Get-ChromeDump*'
- '*Get-ClipboardContents*'
- '*Get-FoxDump*'
- '*Get-IndexedItem*'
- '*Get-Screenshot*'
- '*Invoke-Inveigh*'
- '*Invoke-NetRipper*'
- '*Invoke-EgressCheck*'
- '*Invoke-PostExfil*'
- '*Invoke-PSInject*'
- '*Invoke-RunAs*'
- '*MailRaider*'
- '*New-HoneyHash*'
- '*Set-MacAttribute*'
- '*Invoke-DCSync*'
- '*Invoke-PowerDump*'
- '*Exploit-Jboss*'
- '*Invoke-ThunderStruck*'
- '*Invoke-VoiceTroll*'
- '*Set-Wallpaper*'
- '*Invoke-InveighRelay*'
- '*Invoke-PsExec*'
- '*Invoke-SSHCommand*'
- '*Get-SecurityPackages*'
- '*Install-SSP*'
- '*Invoke-BackdoorLNK*'
- '*PowerBreach*'
- '*Get-SiteListPassword*'
- '*Get-System*'
- '*Invoke-BypassUAC*'
- '*Invoke-Tater*'
- '*Invoke-WScriptBypassUAC*'
- '*PowerUp*'
- '*PowerView*'
- '*Get-RickAstley*'
- '*Find-Fruit*'
- '*HTTP-Login*'
- '*Find-TrustedDocuments*'
- '*Invoke-Paranoia*'
- '*Invoke-WinEnum*'
- '*Invoke-ARPScan*'
- '*Invoke-PortScan*'
- '*Invoke-ReverseDNSLookup*'
- '*Invoke-SMBScanner*'
- '*Invoke-Mimikittenz*'
- '*Invoke-AllChecks*'
SELECTION_3:
ScriptBlockText: '*Get-SystemDriveInfo*'
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/21
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
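Review bot: The exclusion `not (SELECTION_3)` suppresses the entire event, so a script block that contains `Get-SystemDriveInfo` alongside a genuine indicator such as `Invoke-Mimikatz` is silently dropped; the exclusion exists only because `*Get-System*` is a substring match that also hits that cmdlet. Removing the `*Get-System*` entry and the SELECTION_3 clause (`condition: (SELECTION_1 and SELECTION_2)`) closes that blind spot, or keep the entry in its own lower-level rule if PowerUp's `Get-System` is worth retaining. Other entries such as `*PowerUp*`, `*PowerView*`, `*Remove-Update*` and `*Port-Scan*` are similarly generic substrings and are the likely source of the "Penetration testing" false positives; listing them separately would let the high-confidence cmdlet names keep `level: high`.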


@@ -0,0 +1,48 @@
title: Malicious PowerShell Keywords
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects keywords from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*AdjustTokenPrivileges*'
- '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
- '*Microsoft.Win32.UnsafeNativeMethods*'
- '*ReadProcessMemory.Invoke*'
- '*SE_PRIVILEGE_ENABLED*'
- '*LSA_UNICODE_STRING*'
- '*MiniDumpWriteDump*'
- '*PAGE_EXECUTE_READ*'
- '*SECURITY_DELEGATION*'
- '*TOKEN_ADJUST_PRIVILEGES*'
- '*TOKEN_ALL_ACCESS*'
- '*TOKEN_ASSIGN_PRIMARY*'
- '*TOKEN_DUPLICATE*'
- '*TOKEN_ELEVATION*'
- '*TOKEN_IMPERSONATE*'
- '*TOKEN_INFORMATION_CLASS*'
- '*TOKEN_PRIVILEGES*'
- '*TOKEN_QUERY*'
- '*Metasploit*'
- '*Mimikatz*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Penetration tests
id: f62176f3-8128-4faa-bf6c-83261322e5eb
level: high
logsource:
definition: It is recommended to use the new "Script Block Logging" of PowerShell
v5 https://adsecurity.org/?p=2277
product: windows
service: powershell
modified: 2021/08/21
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,27 @@
title: Live Memory Dump Using Powershell
author: Max Altgelt
date: 2021/09/21
description: Detects usage of a PowerShell command to dump the live memory of a Windows
machine
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Get-StorageDiagnosticInfo*'
SELECTION_3:
ScriptBlockText: '*-IncludeLiveDump*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Diagnostics
id: cd185561-4760-45d6-a63e-a51325112cae
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
status: experimental
tags:
- attack.t1003
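Review bot: The tags give only the technique `attack.t1003` with no tactic, while every other rule in this commit pairs a tactic tag with the technique; T1003 (OS Credential Dumping) belongs to Credential Access, so add `- attack.credential_access` above it. The rule also lacks a `modified` key, which is fine for a new rule, but the `falsepositives: Diagnostics` entry would be more useful with the concrete case — an admin running `Get-StorageDiagnosticInfo -IncludeLiveDump` for a Microsoft support case is exactly what the reference documents.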


@@ -0,0 +1,98 @@
title: Malicious Nishang PowerShell Commandlets
author: Alec Costello
date: 2019/05/16
description: Detects Commandlet names and arguments from the Nishang exploitation
framework
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Add-ConstrainedDelegationBackdoor*'
- '*Set-DCShadowPermissions*'
- '*DNS_TXT_Pwnage*'
- '*Execute-OnTime*'
- '*HTTP-Backdoor*'
- '*Set-RemotePSRemoting*'
- '*Set-RemoteWMI*'
- '*Invoke-AmsiBypass*'
- '*Out-CHM*'
- '*Out-HTA*'
- '*Out-SCF*'
- '*Out-SCT*'
- '*Out-Shortcut*'
- '*Out-WebQuery*'
- '*Out-Word*'
- '*Enable-Duplication*'
- '*Remove-Update*'
- '*Download-Execute-PS*'
- '*Download_Execute*'
- '*Execute-Command-MSSQL*'
- '*Execute-DNSTXT-Code*'
- '*Out-RundllCommand*'
- '*Copy-VSS*'
- '*FireBuster*'
- '*FireListener*'
- '*Get-Information*'
- '*Get-PassHints*'
- '*Get-WLAN-Keys*'
- '*Get-Web-Credentials*'
- '*Invoke-CredentialsPhish*'
- '*Invoke-MimikatzWDigestDowngrade*'
- '*Invoke-SSIDExfil*'
- '*Invoke-SessionGopher*'
- '*Keylogger*'
- '*Invoke-Interceptor*'
- '*Create-MultipleSessions*'
- '*Invoke-NetworkRelay*'
- '*Run-EXEonRemote*'
- '*Invoke-Prasadhak*'
- '*Invoke-BruteForce*'
- '*Password-List*'
- '*Invoke-JSRatRegsvr*'
- '*Invoke-JSRatRundll*'
- '*Invoke-PoshRatHttps*'
- '*Invoke-PowerShellIcmp*'
- '*Invoke-PowerShellUdp*'
- '*Invoke-PSGcat*'
- '*Invoke-PsGcatAgent*'
- '*Remove-PoshRat*'
- '*Add-Persistance*'
- '*ExetoText*'
- '*Invoke-Decode*'
- '*Invoke-Encode*'
- '*Parse_Keys*'
- '*Remove-Persistence*'
- '*StringtoBase64*'
- '*TexttoExe*'
- '*Powerpreter*'
- '*Nishang*'
- '*DataToEncode*'
- '*LoggedKeys*'
- '*OUT-DNSTXT*'
- '*ExfilOption*'
- '*DumpCerts*'
- '*DumpCreds*'
- '*Shellcode32*'
- '*Shellcode64*'
- '*NotAllNameSpaces*'
- '*exfill*'
- '*FakeDC*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Penetration testing
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/21
references:
- https://github.com/samratashok/nishang
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
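Review bot: The entry `'*Add-Persistance*'` looks misspelled: the matching removal entry in this same list is `'*Remove-Persistence*'`, and if Nishang's function is likewise `Add-Persistence`, this pattern never matches — verify against the referenced repository and correct it to `'*Add-Persistence*'`. Several entries are generic substrings rather than Nishang-specific names (`*exfill*`, `*Keylogger*`, `*Get-Information*`, `*Invoke-Encode*`, `*Invoke-Decode*`, `*StringtoBase64*`, `*Password-List*`), which will produce noise well beyond the "Penetration testing" false positive listed; consider moving them to a lower-level sibling so the unambiguous names keep `level: high`.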


@@ -0,0 +1,37 @@
title: NTFS Alternate Data Stream
author: Sami Ruohonen
date: 2018/07/24
description: Detects writing data into NTFS alternate data streams from powershell.
Needs Script Block Logging.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*set-content*'
- '*add-content*'
SELECTION_3:
ScriptBlockText:
- '*-stream*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
id: 8c521530-5169-495d-a199-0a3a881ad24e
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/21
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
- attack.t1096
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,151 @@
title: Malicious PowerView PowerShell Commandlets
author: Bhabesh Raj
date: 2021/05/18
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Export-PowerViewCSV*'
- '*Get-IPAddress*'
- '*Resolve-IPAddress*'
- '*Convert-NameToSid*'
- '*ConvertTo-SID*'
- '*Convert-ADName*'
- '*ConvertFrom-UACValue*'
- '*Add-RemoteConnection*'
- '*Remove-RemoteConnection*'
- '*Invoke-UserImpersonation*'
- '*Invoke-RevertToSelf*'
- '*Request-SPNTicket*'
- '*Get-DomainSPNTicket*'
- '*Invoke-Kerberoast*'
- '*Get-PathAcl*'
- '*Get-DNSZone*'
- '*Get-DomainDNSZone*'
- '*Get-DNSRecord*'
- '*Get-DomainDNSRecord*'
- '*Get-NetDomain*'
- '*Get-Domain*'
- '*Get-NetDomainController*'
- '*Get-DomainController*'
- '*Get-NetForest*'
- '*Get-Forest*'
- '*Get-NetForestDomain*'
- '*Get-ForestDomain*'
- '*Get-NetForestCatalog*'
- '*Get-ForestGlobalCatalog*'
- '*Find-DomainObjectPropertyOutlier*'
- '*Get-NetUser*'
- '*Get-DomainUser*'
- '*New-DomainUser*'
- '*Set-DomainUserPassword*'
- '*Get-UserEvent*'
- '*Get-DomainUserEvent*'
- '*Get-NetComputer*'
- '*Get-DomainComputer*'
- '*Get-ADObject*'
- '*Get-DomainObject*'
- '*Set-ADObject*'
- '*Set-DomainObject*'
- '*Get-ObjectAcl*'
- '*Get-DomainObjectAcl*'
- '*Add-ObjectAcl*'
- '*Add-DomainObjectAcl*'
- '*Invoke-ACLScanner*'
- '*Find-InterestingDomainAcl*'
- '*Get-NetOU*'
- '*Get-DomainOU*'
- '*Get-NetSite*'
- '*Get-DomainSite*'
- '*Get-NetSubnet*'
- '*Get-DomainSubnet*'
- '*Get-DomainSID*'
- '*Get-NetGroup*'
- '*Get-DomainGroup*'
- '*New-DomainGroup*'
- '*Find-ManagedSecurityGroups*'
- '*Get-DomainManagedSecurityGroup*'
- '*Get-NetGroupMember*'
- '*Get-DomainGroupMember*'
- '*Add-DomainGroupMember*'
- '*Get-NetFileServer*'
- '*Get-DomainFileServer*'
- '*Get-DFSshare*'
- '*Get-DomainDFSShare*'
- '*Get-NetGPO*'
- '*Get-DomainGPO*'
- '*Get-NetGPOGroup*'
- '*Get-DomainGPOLocalGroup*'
- '*Find-GPOLocation*'
- '*Get-DomainGPOUserLocalGroupMapping*'
- '*Find-GPOComputerAdmin*'
- '*Get-DomainGPOComputerLocalGroupMapping*'
- '*Get-DomainPolicy*'
- '*Get-NetLocalGroup*'
- '*Get-NetLocalGroupMember*'
- '*Get-NetShare*'
- '*Get-NetLoggedon*'
- '*Get-NetSession*'
- '*Get-LoggedOnLocal*'
- '*Get-RegLoggedOn*'
- '*Get-NetRDPSession*'
- '*Invoke-CheckLocalAdminAccess*'
- '*Test-AdminAccess*'
- '*Get-SiteName*'
- '*Get-NetComputerSiteName*'
- '*Get-Proxy*'
- '*Get-WMIRegProxy*'
- '*Get-LastLoggedOn*'
- '*Get-WMIRegLastLoggedOn*'
- '*Get-CachedRDPConnection*'
- '*Get-WMIRegCachedRDPConnection*'
- '*Get-RegistryMountedDrive*'
- '*Get-WMIRegMountedDrive*'
- '*Get-NetProcess*'
- '*Get-WMIProcess*'
- '*Find-InterestingFile*'
- '*Invoke-UserHunter*'
- '*Find-DomainUserLocation*'
- '*Invoke-ProcessHunter*'
- '*Find-DomainProcess*'
- '*Invoke-EventHunter*'
- '*Find-DomainUserEvent*'
- '*Invoke-ShareFinder*'
- '*Find-DomainShare*'
- '*Invoke-FileFinder*'
- '*Find-InterestingDomainShareFile*'
- '*Find-LocalAdminAccess*'
- '*Invoke-EnumerateLocalAdmin*'
- '*Find-DomainLocalGroupMember*'
- '*Get-NetDomainTrust*'
- '*Get-DomainTrust*'
- '*Get-NetForestTrust*'
- '*Get-ForestTrust*'
- '*Find-ForeignUser*'
- '*Get-DomainForeignUser*'
- '*Find-ForeignGroup*'
- '*Get-DomainForeignGroupMember*'
- '*Invoke-MapDomainTrust*'
- '*Get-DomainTrustMapping*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Should not be any as administrators do not use this tool
id: dcd74b95-3f36-4ed9-9598-0490951643aa
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/21
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
status: experimental
tags:
- attack.execution
- attack.t1059.001
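Review bot: The false-positive statement `Should not be any as administrators do not use this tool` is contradicted by two of the listed patterns: `*Get-ADObject*` and `*Set-ADObject*` are standard cmdlets of the ActiveDirectory (RSAT) module rather than PowerView-specific names, so routine domain administration will fire this high-severity rule. Either drop those two entries, or move them to a separate lower-level rule, and amend falsepositives to `- Legitimate use of the ActiveDirectory module cmdlets Get-ADObject/Set-ADObject` if they stay. Also, `definition: Script Block Logging must be enable` should read `Script Block Logging must be enabled`; the same wording appears in the ShellIntel, Zip A Folder, Export-PfxCertificate and Get-Process LSASS rules in this commit.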


@@ -0,0 +1,29 @@
title: PowerShell Credential Prompt
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
description: Detects PowerShell calling a credential prompt
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*PromptForCredential*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ca8b77a9-d499-4095-b793-5d5f330d450e
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/04
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
status: experimental
tags:
- attack.credential_access
- attack.execution
- attack.t1059.001
- attack.t1086
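Review bot: The second reference `https://t.co/ezOTGy1a1G` is a link-shortener redirect, which hides the destination from anyone reviewing the rule and can expire or be repointed without the repository noticing. Replace it with the canonical URL it resolves to, or drop it if it only duplicates the tweet listed directly above it.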


@@ -0,0 +1,27 @@
title: PowerShell PSAttack
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects the use of PSAttack PowerShell hack tool
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*PS ATTACK!!!*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Pentesters
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/21
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,34 @@
title: PowerShell ShellCode
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
description: Detects Base64 encoded Shellcode
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*AAAAYInlM*'
SELECTION_3:
ScriptBlockText:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
level: critical
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2020/12/01
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
- attack.execution
- attack.t1059.001
- attack.t1086
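Review bot: SELECTION_2 is redundant in `condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)`: both SELECTION_3 patterns, `*OiCAAAAYInlM*` and `*OiJAAAAYInlM*`, contain the SELECTION_2 substring `AAAAYInlM`, so every event that satisfies SELECTION_3 already satisfies SELECTION_2 and the rule reduces to `SELECTION_1 and SELECTION_3`. Either drop SELECTION_2, or — if the shorter fragment was meant as an independent, broader match — change the condition to `(SELECTION_1 and (SELECTION_2 or SELECTION_3))`. As written the extra selection costs a match pass without changing results, and a reader cannot tell which of the two intents was meant.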


@@ -0,0 +1,30 @@
title: Malicious ShellIntel PowerShell Commandlets
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet names from ShellIntel exploitation scripts.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Invoke-SMBAutoBrute*'
- '*Invoke-GPOLinks*'
- '*Out-Minidump*'
- '*Invoke-Potato*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/21
references:
- https://github.com/Shellntel/scripts/
status: experimental
tags:
- attack.execution
- attack.t1059.001
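Review bot: `Out-Minidump` is not unique to the ShellIntel scripts; a function of the same name ships in PowerSploit's Exfiltration module, so `description: Detects Commandlet names from ShellIntel exploitation scripts.` and `falsepositives: - Unknown` understate what this rule fires on. State the overlap in the description (for example `Detects Commandlet names from ShellIntel exploitation scripts; Out-Minidump is also shipped by PowerSploit`) or add the corresponding PowerSploit rule under `related:` so alert triage attributes the hit correctly.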


@@ -0,0 +1,31 @@
title: Powershell Store File In Alternate Data Stream
author: frack113
date: 2021/09/02
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Start-Process*'
SELECTION_3:
ScriptBlockText: '*-FilePath "$env:comspec" *'
SELECTION_4:
ScriptBlockText: '*-ArgumentList *'
SELECTION_5:
ScriptBlockText: '*>*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
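Review bot: SELECTION_3 `'*-FilePath "$env:comspec" *'` hard-codes double quotes and a trailing space, so the same command written as `-FilePath $env:comspec` or with single quotes never matches; a looser `'*-FilePath*$env:comspec*'` keeps the intent while tolerating quoting differences (Sigma matching is case-insensitive, so `COMSPEC` spellings are already covered). Note also that `definition: EnableScriptBlockLogging must be set to enable` differs from the `Script block logging must be enabled` wording used by the other 4104 rules in this commit; the same text appears in the Win32_PnPEntity, Timestomp, Trigger Profiles and WMI Persistence rules and should be harmonized.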


@@ -0,0 +1,33 @@
title: Zip A Folder With PowerShell For Staging In Temp
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Compress-Archive *'
SELECTION_3:
ScriptBlockText: '* -Path *'
SELECTION_4:
ScriptBlockText: '* -DestinationPath *'
SELECTION_5:
ScriptBlockText: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
level: medium
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/10/09
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
status: experimental
tags:
- attack.collection
- attack.t1074.001
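Review bot: The description reads as an instruction (`Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration`) rather than a statement of what the rule detects, unlike the sibling rules; `Detects use of Compress-Archive to zip a folder into the Windows temporary folder, a staging pattern seen before exfiltration` follows the house style. `falsepositives: - Unknown` could also be more useful: Compress-Archive with a `$env:TEMP` destination plausibly appears in backup or installer scripts, so `- Backup or installer scripts that stage archives in %TEMP%` would set expectations for the medium level.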


@@ -0,0 +1,30 @@
title: Suspicious Export-PfxCertificate
author: Florian Roth
date: 2021/04/23
description: Detects Commandlet that is used to export certificates from the local
certificate store and sometimes used by threat actors to steal private keys from
compromised machines
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Export-PfxCertificate*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/04
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
status: experimental
tags:
- attack.credential_access
- attack.t1552.004


@@ -0,0 +1,28 @@
title: PowerShell Get-Process LSASS in ScriptBlock
author: Florian Roth
date: 2021/04/23
description: Detects a Get-Process command on lsass process, which is in almost all
cases a sign of malicious activity
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Get-Process lsass*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
level: high
logsource:
definition: Script Block Logging must be enable
product: windows
service: powershell
modified: 2021/08/04
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
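Review bot: The falsepositives text `Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)` is copied from the Export-PfxCertificate rule and does not describe this rule, which matches `Get-Process lsass`; replace it with something like `- Troubleshooting or inventory scripts that query the lsass process by name`. Coverage-wise, the single pattern `'*Get-Process lsass*'` only covers the positional spelling; `Get-Process -Name lsass` and the `gps lsass` alias produce the same result and could be listed alongside it if the rule is meant to catch the activity rather than one exact spelling.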


@@ -0,0 +1,41 @@
title: Suspicious PowerShell Keywords
author: Florian Roth, Perez Diego (@darkquassar)
date: 2019/02/11
description: Detects keywords that could indicate the use of some PowerShell exploitation
framework
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*System.Reflection.Assembly.Load($*'
- '*[System.Reflection.Assembly]::Load($*'
- '*[Reflection.Assembly]::Load($*'
- '*System.Reflection.AssemblyName*'
- '*Reflection.Emit.AssemblyBuilderAccess*'
- '*Runtime.InteropServices.DllImportAttribute*'
- '*SuspendThread*'
- '*rundll32*'
- '*Invoke-WMIMethod*'
- '*http://127.0.0.1*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Penetration tests
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
level: high
logsource:
definition: Script block logging must be enabled for 4104
product: windows
service: powershell
modified: 2021/08/30
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,31 @@
title: Powershell Local Email Collection
author: frack113
date: 2021/07/21
description: Adversaries may target user email on local systems to collect sensitive
information. Files containing email data can be acquired from a users local system,
such as Outlook storage or cache files.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Get-Inbox.ps1*'
- '*Microsoft.Office.Interop.Outlook*'
- '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
- '*-comobject outlook.application*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
status: experimental
tags:
- attack.collection
- attack.t1114.001
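Review bot: `*Microsoft.Office.Interop.Outlook.olDefaultFolders*` is a strict superset of the preceding `*Microsoft.Office.Interop.Outlook*` pattern — any text matching the longer string already matches the shorter — so the entry adds nothing to the OR list and can be dropped, or kept only with a comment that it documents the specific API the atomic test uses. Also, `a users local system` in the description should read `a user's local system`.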


@@ -0,0 +1,29 @@
title: PowerShell Deleted Mounted Share
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/08
description: Detects when when a mounted share is removed. Adversaries may remove
share connections that are no longer useful in order to clean up traces of their
operation
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Remove-SmbShare*'
- '*Remove-FileShare*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrators or Power users may remove their shares via cmd line
id: 66a4d409-451b-4151-94f4-a55d559c49b0
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.005
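Review bot: The matched cmdlets `Remove-SmbShare` and `Remove-FileShare` delete a share that the host offers, whereas the title `PowerShell Deleted Mounted Share` and the T1070.005 (network share connection removal) mapping describe tearing down a mapped connection; if the latter is the intent, `Remove-SmbMapping` is the cmdlet that would need to appear in SELECTION_2, and if the former is, the title and description should say that a hosted share was removed. Either way the description has a duplicated word: `Detects when when a mounted share is removed` should read `Detects when a mounted share is removed`.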


@@ -0,0 +1,31 @@
title: Recon Information for Export with PowerShell
author: frack113
date: 2021/07/30
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Get-Service *'
- '*Get-ChildItem *'
- '*Get-Process *'
SELECTION_3:
ScriptBlockText: '*> $env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: a9723fcc-881c-424c-8709-fd61442ab3c3
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119


@@ -0,0 +1,26 @@
title: Powershell Suspicious Win32_PnPEntity
author: frack113
date: 2021/08/23
description: Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Win32_PnPEntity*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- admin script
id: b26647de-4feb-4283-af6b-6117661283c5
level: low
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
status: experimental
tags:
- attack.discovery
- attack.t1120


@@ -0,0 +1,35 @@
title: Powershell Timestomp
author: frack113
date: 2021/08/03
description: Adversaries may modify file time attributes to hide new or changes to
existing files. Timestomping is a technique that modifies the timestamps of a file
(the modify, access, create, and change times), often to mimic files that are in
the same folder.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*.CreationTime =*'
- '*.LastWriteTime =*'
- '*.LastAccessTime =*'
- '*[IO.File]::SetCreationTime*'
- '*[IO.File]::SetLastAccessTime*'
- '*[IO.File]::SetLastWriteTime*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- legitime admin script
id: c6438007-e081-42ce-9483-b067fbef33c3
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.006
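Review bot: The three property-assignment patterns `*.CreationTime =*`, `*.LastWriteTime =*` and `*.LastAccessTime =*` require a space before `=`, so the equally valid spaceless form (`.CreationTime=`) is missed while the `[IO.File]::Set*` entries have no such gap; adding the spaceless variants closes that hole, likely at little precision cost since the property names themselves are specific. In falsepositives, `legitime admin script` should read `legitimate admin scripts`.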


@@ -0,0 +1,34 @@
title: Powershell Trigger Profiles by Add_Content
author: frack113
date: 2021/08/18
description: Adversaries may gain persistence and elevate privileges by executing
malicious content triggered by PowerShell profiles.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Add-Content*'
SELECTION_3:
ScriptBlockText: '*$profile*'
SELECTION_4:
ScriptBlockText: '*-Value*'
SELECTION_5:
ScriptBlockText:
- '*Start-Process*'
- '*""*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.013


@@ -0,0 +1,38 @@
title: Windows PowerShell Web Request
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request methods (including aliases) via
Windows PowerShell command
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*Invoke-WebRequest*'
- '*iwr *'
- '*wget *'
- '*curl *'
- '*Net.WebClient*'
- '*Start-BitsTransfer*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 1139d2e2-84b1-4226-b445-354492eba8ba
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/09/21
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
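Review bot: The aliases `*iwr *`, `*wget *` and `*curl *` are matched as bare substrings of the whole script block, so any block that merely contains those words followed by a space (comments, help text, a URL or path containing `curl `) fires at level medium, while the stated false positive only covers Get-Command/Get-Help lookups. Widen falsepositives to say so — e.g. `- Script text or comments containing the words curl, wget or iwr followed by a space` — or tighten the patterns. Note too that the trailing space means `curl.exe https://...` (the curl binary that ships with Windows) is not matched by `*curl *`; whether that exclusion is intended should be stated in the description.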


@@ -0,0 +1,33 @@
title: Windows Firewall Profile Disabled
author: Austin Songer @austinsonger
date: 2021/10/12
description: Detects when a user disables the Windows Firewall via a Profile to help
evade defense.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*Set-NetFirewallProfile*'
SELECTION_3:
ScriptBlockText: '*-Profile*'
SELECTION_4:
ScriptBlockText: '*-Enabled*'
SELECTION_5:
ScriptBlockText: '*False*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- Unknown
id: 488b44e7-3781-4a71-888d-c95abfacf44d
level: high
logsource:
product: windows
service: powershell
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
status: experimental
tags:
- attack.defense_evasion
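Review bot: The tags stop at the tactic (`attack.defense_evasion`) and omit the technique; disabling a firewall profile maps to `attack.t1562.004` (Impair Defenses: Disable or Modify System Firewall), and every other rule in this commit carries a technique tag. The `logsource` block is also missing the `definition: Script block logging must be enabled` line the other 4104-based rules include, which matters here because the rule matches only on ScriptBlockText and will be silently inert without that setting.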


@@ -0,0 +1,37 @@
title: Winlogon Helper DLL
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
additional helper programs and functionalities that support Winlogon. Malicious
modifications to these Registry keys may cause Winlogon to load and execute malicious
DLLs and/or executables.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*CurrentVersion\Winlogon*'
SELECTION_3:
ScriptBlockText:
- '*Set-ItemProperty*'
- '*New-Item*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
level: medium
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
status: experimental
tags:
- attack.persistence
- attack.t1547.004
- attack.t1004
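Review bot: The registry path in the description, `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, has lost its separators around the bracketed component (which appears to denote the optional Wow6432Node subkey) and reads as an invalid key. Spell out both keys instead — `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` and `HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\` — so analysts can match the text against what they see on a host; all components are already present in the current text, only the backslashes are missing.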


@@ -0,0 +1,37 @@
title: Powershell WMI Persistence
author: frack113
date: 2021/08/19
description: Adversaries may establish persistence and elevate privileges by executing
malicious content triggered by a Windows Management Instrumentation (WMI) event
subscription.
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText: '*New-CimInstance *'
SELECTION_3:
ScriptBlockText: '*-Namespace root/subscription *'
SELECTION_4:
ScriptBlockText: '*-Property *'
SELECTION_5:
ScriptBlockText: '*-ClassName __EventFilter *'
SELECTION_6:
ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and (SELECTION_5
or SELECTION_6))
falsepositives:
- Unknown
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
level: medium
logsource:
definition: EnableScriptBlockLogging must be set to enable
product: windows
service: powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.003
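Review bot: SELECTION_3 `'*-Namespace root/subscription *'` hard-codes the forward-slash spelling and a trailing space; I believe the CIM cmdlets accept the backslash form `root\subscription` as well, and a value written with quotes or as the last argument has no trailing space, so equivalent invocations slip past this medium-level rule. Adding `'*-Namespace root\\subscription*'` alongside it and dropping the trailing space keeps the intent while tolerating those spellings. The `__EventFilter`/`CommandLineEventConsumer` OR in SELECTION_5 and SELECTION_6 is sound, but the `__FilterToConsumerBinding` instance that completes a subscription is not covered; that is acceptable for a single-event rule and worth stating in the description so nobody assumes the binding step is alerted on.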


@@ -0,0 +1,46 @@
title: WMImplant Hack Tool
author: NVISO
date: 2020/03/26
description: Detects parameters used by WMImplant
detection:
SELECTION_1:
EventID: 4104
SELECTION_2:
ScriptBlockText:
- '*WMImplant*'
- '* change_user *'
- '* gen_cli *'
- '* command_exec *'
- '* disable_wdigest *'
- '* disable_winrm *'
- '* enable_wdigest *'
- '* enable_winrm *'
- '* registry_mod *'
- '* remote_posh *'
- '* sched_job *'
- '* service_mod *'
- '* process_kill *'
- '* active_users *'
- '* basic_info *'
- '* power_off *'
- '* vacant_system *'
- '* logon_events *'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrative scripts that use the same keywords.
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
level: high
logsource:
definition: Script block logging must be enabled
product: windows
service: powershell
modified: 2021/08/30
references:
- https://github.com/FortyNorthSecurity/WMImplant
status: experimental
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
- attack.t1086