Added Sigma Rules

2021-11-14 11:00:56 +09:00
parent ac3ea7b20b
commit 50aebce32e
1078 changed files with 45490 additions and 0 deletions
@@ -0,0 +1,34 @@
+title: Powershell Detect Virtualization Environment
+author: frack113
+date: 2021/08/03
+description: Adversaries may employ various system checks to detect and avoid virtualization
+    and analysis environments. This may include changing behaviors based on the results
+    of checks for the presence of artifacts indicative of a virtual machine environment
+    (VME) or sandbox
+detection:
+    SELECTION_1:
+        ScriptBlockText: '*Get-WmiObject*'
+    SELECTION_2:
+        ScriptBlockText: '*MSAcpi_ThermalZoneTemperature*'
+    SELECTION_3:
+        ScriptBlockText: '*Win32_ComputerSystem*'
+    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
+falsepositives:
+- Unknown
+id: d93129cd-1ee0-479f-bc03-ca6f129882e3
+level: medium
+logsource:
+    category: ps_script
+    definition: EnableScriptBlockLogging must be set to enable
+    product: windows
+modified: 2021/10/16
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
+- https://techgenix.com/malicious-powershell-scripts-evade-detection/
+status: experimental
+tags:
+- attack.defense_evasion
+- attack.t1497.001
+yml_filename: powershell_detect_vm_env.yml
+yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script
+