Added Sigma Rules

rules/Sigma/powershell_bad_opsec_artifacts.yml

@@ -0,0 +1,47 @@
+title: Bad Opsec Powershell Code Artifacts
+author: ok @securonix invrep_de, oscd.community
+date: 2020/10/09
+description: Focuses on trivial artifacts observed in variants of prevalent offensive
+    ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
+    Powersploit, and other attack payloads that often undergo minimal changes by attackers
+    due to bad opsec.
+detection:
+    SELECTION_1:
+        Payload: '*$DoIt*'
+    SELECTION_2:
+        Payload: '*harmj0y*'
+    SELECTION_3:
+        Payload: '*mattifestation*'
+    SELECTION_4:
+        Payload: '*_RastaMouse*'
+    SELECTION_5:
+        Payload: '*tifkin_*'
+    SELECTION_6:
+        Payload: '*0xdeadbeef*'
+    condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
+        or SELECTION_6)
+falsepositives:
+- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
+    of high specificity, fp appears to be fairly limited in many environments.
+id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
+level: critical
+logsource:
+    category: ps_module
+    definition: PowerShell Module Logging must be enabled
+    product: windows
+modified: 2021/10/16
+references:
+- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
+- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
+- https://www.mdeditor.tw/pl/pgRt
+related:
+-   id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+    type: derived
+status: experimental
+tags:
+- attack.execution
+- attack.t1059.001
+- attack.t1086
+yml_filename: powershell_bad_opsec_artifacts.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_module
+