Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
This commit is contained in:
itiB
2021-12-20 21:14:32 +09:00
committed by GitHub
parent 1aebdca160
commit 83d891b2fa
1196 changed files with 46186 additions and 4 deletions

View File

@@ -0,0 +1,34 @@
title: Alternate PowerShell Hosts
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
HostApplication: '*'
SELECTION_2:
HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: d7326048-328b-4d5e-98af-86e84b17c765
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
related:
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
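Review bot: the exclusion in SELECTION_2 (`HostApplication: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*`) whitelists only the 64-bit System32 path, so a HostApplication that starts with the SysWOW64 path of 32-bit PowerShell, with a quoted path, or with a bare `powershell.exe` falls outside it and is reported as an alternate host even though it is the genuine binary. Add those forms to the exclusion list, as the Renamed Powershell rule later in this commit does with `powershell.exe*`, so the rule keeps its intended meaning. Minor: `definition: fields have to be extract from event` should read `extracted`; the same wording is repeated in every ps_classic_start rule in this commit.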

View File

@@ -0,0 +1,33 @@
title: Netcat The Powershell Version
ruletype: Sigma
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
HostApplication:
- '*powercat *'
- '*powercat.ps1*'
condition: SELECTION_1
falsepositives:
- Unknown
id: c5b20776-639a-49bf-94c7-84f912b91c15
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
related:
- id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
type: derived
status: experimental
tags:
- attack.command_and_control
- attack.t1095

View File

@@ -0,0 +1,34 @@
title: Remote PowerShell Session
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
HostName: ServerRemoteHost
SELECTION_2:
HostApplication: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 60167e5c-84b2-4c95-a7ac-86281f27c445
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
related:
- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
type: derived
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028

View File

@@ -0,0 +1,41 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
ruletype: Sigma
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
HostApplication: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_2:
HostApplication:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
related:
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218

View File

@@ -0,0 +1,35 @@
title: Zip A Folder With PowerShell For Staging In Temp
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
HostApplication: '*Compress-Archive *'
SELECTION_2:
HostApplication: '* -Path *'
SELECTION_3:
HostApplication: '* -DestinationPath *'
SELECTION_4:
HostApplication: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 71ff406e-b633-4989-96ec-bc49d825a412
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/09/07
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001

View File

@@ -0,0 +1,31 @@
title: Suspicious PowerShell Download
ruletype: Sigma
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
HostApplication: '*System.Net.WebClient*'
SELECTION_2:
HostApplication: '*.DownloadFile(*'
SELECTION_3:
HostApplication: '*.DownloadString(*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- PowerShell scripts that download content from the Internet
id: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,36 @@
title: Delete Volume Shadow Copies Via WMI With PowerShell
ruletype: Sigma
author: frack113
date: 2021/06/03
description: Shadow Copies deletion using operating systems utilities via PowerShell
detection:
SELECTION_1:
HostApplication: '*Get-WmiObject*'
SELECTION_2:
HostApplication: '* Win32_Shadowcopy*'
SELECTION_3:
HostApplication:
- '*Delete()*'
- '*Remove-WmiObject*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities
for legitimate reason
fields:
- HostApplication
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
level: critical
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
status: experimental
tags:
- attack.impact
- attack.t1490

View File

@@ -0,0 +1,31 @@
title: PowerShell Downgrade Attack
ruletype: Sigma
author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
date: 2017/03/22
description: Detects PowerShell downgrade attack by comparing the host versions with
the actually used engine version 2.0
detection:
SELECTION_1:
EngineVersion: 2.*
SELECTION_2:
HostVersion: 2.*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration Test
- Unknown
id: 6331d09b-4785-4c13-980f-f96661356249
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,34 @@
title: PowerShell Called from an Executable Version Mismatch
ruletype: Sigma
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects PowerShell called from an executable by the version mismatch
method
detection:
SELECTION_1:
EngineVersion:
- 2.*
- 4.*
- 5.*
SELECTION_2:
HostVersion: 3.*
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Penetration Tests
- Unknown
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
level: high
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,30 @@
title: Renamed Powershell Under Powershell Channel
ruletype: Sigma
author: Harish Segar, frack113
date: 2020/06/29
description: Detects renamed powershell
detection:
SELECTION_1:
HostName: ConsoleHost
SELECTION_2:
HostApplication:
- powershell.exe*
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe*
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- unknown
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
level: low
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: test
tags:
- attack.execution
- attack.t1086
- attack.t1059.001

View File

@@ -0,0 +1,32 @@
title: Tamper Windows Defender
ruletype: Sigma
author: frack113
date: 2021/06/07
description: Attempting to disable scheduled scanning and other parts of windows defender
atp.
detection:
SELECTION_1:
HostApplication: '*Set-MpPreference*'
SELECTION_2:
HostApplication:
- '*-DisableRealtimeMonitoring 1*'
- '*-DisableBehaviorMonitoring 1*'
- '*-DisableScriptScanning 1*'
- '*-DisableBlockAtFirstSeen 1*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
level: high
logsource:
category: ps_classic_provider_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001

View File

@@ -0,0 +1,32 @@
title: Suspicious Non PowerShell WSMAN COM Provider
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/24
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as
the host application.
detection:
SELECTION_1:
ProviderName: WSMan
SELECTION_2:
HostApplication: '*powershell*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Unknown
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
level: medium
logsource:
definition: fields have to be extract from event
product: windows
service: powershell-classic
modified: 2021/08/30
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://github.com/bohops/WSMan-WinRM
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
- attack.t1021.003

View File

@@ -0,0 +1,30 @@
title: Suspicious XOR Encoded PowerShell Command Line
ruletype: Sigma
author: Teymur Kheirkhabarov, Harish Segar (rule)
date: 2020/06/29
description: Detects suspicious powershell process which includes bxor command, alternative
obfuscation method to b64 encoded commands.
detection:
SELECTION_1:
HostName: ConsoleHost
SELECTION_2:
HostApplication:
- '*bxor*'
- '*join*'
- '*char*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
level: medium
logsource:
category: ps_classic_start
definition: fields have to be extract from event
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,31 @@
title: Alternate PowerShell Hosts
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
ContextInfo: '*'
SELECTION_2:
ContextInfo: '*powershell.exe*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: 64e8e417-c19a-475a-8d19-98ea705394cc
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,41 @@
title: Bad Opsec Powershell Code Artifacts
ruletype: Sigma
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
description: Focuses on trivial artifacts observed in variants of prevalent offensive
ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
Powersploit, and other attack payloads that often undergo minimal changes by attackers
due to bad opsec.
detection:
SELECTION_1:
Payload:
- '*$DoIt*'
- '*harmj0y*'
- '*mattifestation*'
- '*_RastaMouse*'
- '*tifkin_*'
- '*0xdeadbeef*'
condition: SELECTION_1
falsepositives:
- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
of high specificity, fp appears to be fairly limited in many environments.
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
level: critical
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,40 @@
title: Clear PowerShell History
ruletype: Sigma
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019/10/25
description: Detects keywords that could indicate clearing PowerShell history
detection:
SELECTION_1:
Payload:
- '*del*'
- '*Remove-Item*'
- '*rm*'
SELECTION_2:
Payload: '*(Get-PSReadlineOption).HistorySavePath*'
SELECTION_3:
Payload: '*Set-PSReadlineOption*'
SELECTION_4:
Payload: '*HistorySaveStyle*'
SELECTION_5:
Payload: '*SaveNothing*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
- Legitimate PowerShell scripts
id: f99276ad-d122-4989-a09a-d00904a5f9d2
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.003
- attack.t1146

View File

@@ -0,0 +1,30 @@
title: PowerShell Decompress Commands
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for specific decompress commands in PowerShell logs.
This could be an adversary decompressing files.
detection:
SELECTION_1:
Payload: '*Expand-Archive*'
condition: SELECTION_1
falsepositives:
- unknown
id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
level: informational
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/8
- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
related:
- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1140

View File

@@ -0,0 +1,30 @@
title: PowerShell Get Clipboard
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for the Get-Clipboard commands in PowerShell logs.
This could be an adversary capturing clipboard contents.
detection:
SELECTION_1:
Payload: '*Get-Clipboard*'
condition: SELECTION_1
falsepositives:
- unknown
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
related:
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
type: derived
status: experimental
tags:
- attack.collection
- attack.t1115

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation CLIP+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: SELECTION_1
falsepositives:
- Unknown
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,43 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
ruletype: Sigma
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
Payload|re: \$VerbosePreference\.ToString\(
SELECTION_7:
Payload|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 2f211361-7dce-442d-b78a-c04039677378
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation STDIN+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: a23791fe-8846-485a-b16b-ca691e1b03d4
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Stdin
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Clip
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use MSHTA
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Rundll32
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: SELECTION_1
falsepositives:
- Unknown
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Netcat The Powershell Version
ruletype: Sigma
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
ContextInfo:
- '*powercat *'
- '*powercat.ps1*'
condition: SELECTION_1
falsepositives:
- Unknown
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
status: experimental
tags:
- attack.command_and_control
- attack.t1095

View File

@@ -0,0 +1,31 @@
title: Remote PowerShell Session
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
ContextInfo: '* = ServerRemoteHost *'
SELECTION_2:
ContextInfo: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028

View File

@@ -0,0 +1,38 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
ruletype: Sigma
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_2:
ContextInfo:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
status: experimental
tags:
- attack.defense_evasion
- attack.t1218

View File

@@ -0,0 +1,35 @@
title: Zip A Folder With PowerShell For Staging In Temp
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
ContextInfo: '*Compress-Archive *'
SELECTION_2:
ContextInfo: '* -Path *'
SELECTION_3:
ContextInfo: '* -DestinationPath *'
SELECTION_4:
ContextInfo: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: daf7eb81-35fd-410d-9d7a-657837e602bb
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001

View File

@@ -0,0 +1,30 @@
title: Suspicious PowerShell Download
ruletype: Sigma
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
ContextInfo: '*System.Net.WebClient*'
SELECTION_2:
ContextInfo:
- '*.DownloadFile(*'
- '*.DownloadString(*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- PowerShell scripts that download content from the Internet
id: de41232e-12e8-49fa-86bc-c05c7e722df9
level: medium
logsource:
category: ps_module
product: windows
modified: 2021/10/18
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,38 @@
title: Suspicious PowerShell Invocations - Generic
ruletype: Sigma
author: Florian Roth (rule)
date: 2017/03/12
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ContextInfo:
- '* -enc *'
- '* -EncodedCommand *'
SELECTION_2:
ContextInfo:
- '* -w hidden *'
- '* -window hidden *'
- '* -windowstyle hidden *'
SELECTION_3:
ContextInfo:
- '* -noni *'
- '* -noninteractive *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
level: high
logsource:
category: ps_module
product: windows
modified: 2021/12/02
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

View File

@@ -0,0 +1,95 @@
title: Suspicious PowerShell Invocations - Specific
ruletype: Sigma
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ContextInfo: '*-nop*'
SELECTION_10:
ContextInfo: '* -c *'
SELECTION_11:
ContextInfo: '*iex*'
SELECTION_12:
ContextInfo: '*New-Object*'
SELECTION_13:
ContextInfo: '* -w *'
SELECTION_14:
ContextInfo: '*hidden*'
SELECTION_15:
ContextInfo: '*-ep*'
SELECTION_16:
ContextInfo: '*bypass*'
SELECTION_17:
ContextInfo: '*-Enc*'
SELECTION_18:
ContextInfo: '*powershell*'
SELECTION_19:
ContextInfo: '*reg*'
SELECTION_2:
ContextInfo: '* -w *'
SELECTION_20:
ContextInfo: '*add*'
SELECTION_21:
ContextInfo: '*HKCU\software\microsoft\windows\currentversion\run*'
SELECTION_22:
ContextInfo: '*bypass*'
SELECTION_23:
ContextInfo: '*-noprofile*'
SELECTION_24:
ContextInfo: '*-windowstyle*'
SELECTION_25:
ContextInfo: '*hidden*'
SELECTION_26:
ContextInfo: '*new-object*'
SELECTION_27:
ContextInfo: '*system.net.webclient*'
SELECTION_28:
ContextInfo: '*.download*'
SELECTION_29:
ContextInfo: '*iex*'
SELECTION_3:
ContextInfo: '*hidden*'
SELECTION_30:
ContextInfo: '*New-Object*'
SELECTION_31:
ContextInfo: '*Net.WebClient*'
SELECTION_32:
ContextInfo: '*.Download*'
SELECTION_4:
ContextInfo: '* -c *'
SELECTION_5:
ContextInfo: '*[Convert]::FromBase64String*'
SELECTION_6:
ContextInfo: '* -w *'
SELECTION_7:
ContextInfo: '*hidden*'
SELECTION_8:
ContextInfo: '*-noni*'
SELECTION_9:
ContextInfo: '*-nop*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
and SELECTION_31 and SELECTION_32))
falsepositives:
- Penetration tests
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
level: high
logsource:
category: ps_module
definition: Script block logging must be enabled
product: windows
modified: 2021/10/18
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

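Review bot: the detection block carries many byte-identical selections that should be collapsed before merging: SELECTION_2, SELECTION_6 and SELECTION_13 are all `ContextInfo: '* -w *'`; SELECTION_3, SELECTION_7, SELECTION_14 and SELECTION_25 are all `'*hidden*'`; SELECTION_1/SELECTION_9 (`'*-nop*'`), SELECTION_4/SELECTION_10 (`'* -c *'`), SELECTION_11/SELECTION_29 (`'*iex*'`), SELECTION_12/SELECTION_30 (`'*New-Object*'`) and SELECTION_16/SELECTION_22 (`'*bypass*'`) duplicate each other as well. The converter appears to have emitted one selection per occurrence in the upstream keyword groups; deduplicating them and rewriting the seven-clause condition over the unique selections makes the rule reviewable and avoids evaluating the same substring up to four times per event.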
View File

@@ -0,0 +1,30 @@
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
ruletype: Sigma
author: Ensar Şamil, @sblmsrsn, OSCD Community
date: 2020/10/05
description: Detects SyncAppvPublishingServer process execution which usually utilized
by adversaries to bypass PowerShell execution restrictions.
detection:
SELECTION_1:
ContextInfo: '*SyncAppvPublishingServer.exe*'
condition: SELECTION_1
falsepositives:
- App-V clients
id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
level: medium
logsource:
category: ps_module
product: windows
modified: 2021/10/18
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218

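Review bot: the description says the rule detects "SyncAppvPublishingServer process execution", but with `category: ps_module` and a match on `ContextInfo: '*SyncAppvPublishingServer.exe*'` what actually fires is a PowerShell module-logging event whose host application is SyncAppvPublishingServer.exe, not the process start; reword the description so analysts know which event to expect. The LOLBAS page in the references documents the `SyncAppvPublishingServer.vbs` launcher alongside the .exe, so consider adding `'*SyncAppvPublishingServer.vbs*'` to SELECTION_1, and add a `definition:` stating that module logging must be enabled, as the script-block rules in this set do for their source.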
View File

@@ -0,0 +1,73 @@
title: Accessing WinAPI in PowerShell
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/06
description: Detecting use WinAPI Functions in PowerShell
detection:
SELECTION_1:
ScriptBlockText:
- '*WaitForSingleObject*'
- '*QueueUserApc*'
- '*RtlCreateUserThread*'
- '*OpenProcess*'
- '*VirtualAlloc*'
- '*VirtualFree*'
- '*WriteProcessMemory*'
- '*CreateUserThread*'
- '*CloseHandle*'
- '*GetDelegateForFunctionPointer*'
- '*CreateThread*'
- '*memcpy*'
- '*LoadLibrary*'
- '*GetModuleHandle*'
- '*GetProcAddress*'
- '*VirtualProtect*'
- '*FreeLibrary*'
- '*ReadProcessMemory*'
- '*CreateRemoteThread*'
- '*AdjustTokenPrivileges*'
- '*WriteByte*'
- '*WriteInt32*'
- '*OpenThreadToken*'
- '*PtrToString*'
- '*FreeHGlobal*'
- '*ZeroFreeGlobalAllocUnicode*'
- '*OpenProcessToken*'
- '*GetTokenInformation*'
- '*SetThreadToken*'
- '*ImpersonateLoggedOnUser*'
- '*RevertToSelf*'
- '*GetLogonSessionData*'
- '*CreateProcessWithToken*'
- '*DuplicateTokenEx*'
- '*OpenWindowStation*'
- '*OpenDesktop*'
- '*MiniDumpWriteDump*'
- '*AddSecurityPackage*'
- '*EnumerateSecurityPackages*'
- '*GetProcessHandle*'
- '*DangerousGetHandle*'
- '*kernel32*'
- '*Advapi32*'
- '*msvcrt*'
- '*ntdll*'
- '*user32*'
- '*secur32*'
condition: SELECTION_1
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
id: 03d83090-8cba-44a0-b02f-0b756a050306
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1106

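Review bot: at `level: high` with `condition: SELECTION_1`, the bare module names `'*kernel32*'`, `'*Advapi32*'`, `'*ntdll*'`, `'*user32*'` and generic calls such as `'*CloseHandle*'`, `'*WriteByte*'`, `'*memcpy*'` and `'*PtrToString*'` will fire on any Add-Type/DllImport wrapper or P/Invoke-based administration script, not only the Carbon module listed under falsepositives. Either move those generic entries into a second selection that must co-occur with one of the injection-specific names (`VirtualAlloc`, `WriteProcessMemory`, `CreateRemoteThread`, `GetDelegateForFunctionPointer`, `MiniDumpWriteDump`), or lower the level to medium so a single hit is triaged rather than escalated.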
View File

@@ -0,0 +1,30 @@
title: PowerShell ADRecon Execution
ruletype: Sigma
author: Bhabesh Raj
date: 2021/07/16
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been
reported to be actively used by FIN7
detection:
SELECTION_1:
ScriptBlockText:
- '*Function Get-ADRExcelComOb*'
- '*ADRecon-Report.xlsx*'
condition: SELECTION_1
falsepositives:
- Unknown
id: bf72941a-cba0-41ea-b18c-9aca3925690d
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/sense-of-security/ADRecon
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
status: experimental
tags:
- attack.discovery
- attack.execution
- attack.t1059.001

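Review bot: both indicators in SELECTION_1 are strings from the ADRecon.ps1 source (`Function Get-ADRExcelComOb*` is a function header, `ADRecon-Report.xlsx` the hard-coded report name), so the rule fires only when a 4104 block containing the script text is logged and will not see an operator who renamed the function or stripped the Excel reporting code. That is acceptable for a tool-specific rule, but say so in the description. The tags include `attack.discovery` without any discovery technique; `attack.t1087.002` (domain account discovery) fits what ADRecon enumerates.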
View File

@@ -0,0 +1,41 @@
title: Automated Collection Command PowerShell
ruletype: Sigma
author: frack113
date: 2021/07/28
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data.
detection:
SELECTION_1:
ScriptBlockText:
- '*.doc*'
- '*.docx*'
- '*.xls*'
- '*.xlsx*'
- '*.ppt*'
- '*.pptx*'
- '*.rtf*'
- '*.pdf*'
- '*.txt*'
SELECTION_2:
ScriptBlockText: '*Get-ChildItem*'
SELECTION_3:
ScriptBlockText: '* -Recurse *'
SELECTION_4:
ScriptBlockText: '* -Include *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119

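Review bot: in SELECTION_1, `'*.docx*'`, `'*.xlsx*'` and `'*.pptx*'` are already matched by `'*.doc*'`, `'*.xls*'` and `'*.ppt*'` and can be dropped. SELECTION_2 matches only the full `Get-ChildItem` name, but script block logging records the text as typed, so the `gci`, `dir` and `ls` aliases used in most one-liners bypass the rule; add them with surrounding spaces so `ls` does not match inside other words. SELECTION_3 `'* -Recurse *'` requires a trailing space and misses `-Recurse|` or `-Recurse` at the end of a line; `'*-Recurse*'` is safe here because SELECTION_2 and SELECTION_4 already constrain the match.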
View File

@@ -0,0 +1,32 @@
title: AzureHound PowerShell Commands
ruletype: Sigma
author: Austin Songer (@austinsonger)
date: 2021/10/23
description:
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-AzureHound*'
condition: SELECTION_1
falsepositives:
- Penetration testing
id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
references:
- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
status: experimental
tags:
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069

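Review bot: `description:` is empty; give it a one-line statement such as "Detects execution of the AzureHound collector via its Invoke-AzureHound entry function" so the field is not blank in rule output. `definition: Script Block Logging must be enable` should read `enabled`. The tags list the parent techniques `attack.t1087` and `attack.t1069` next to their sub-techniques `attack.t1087.001`, `attack.t1087.002`, `attack.t1069.001` and `attack.t1069.002`; the parents are implied by the sub-technique tags and can go.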
View File

@@ -0,0 +1,28 @@
title: Execution via CL_Invocation.ps1
ruletype: Sigma
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Invocation.ps1*'
SELECTION_2:
ScriptBlockText: '*SyncInvoke*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

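Review bot: the condition `(SELECTION_1 and SELECTION_2)` needs `CL_Invocation.ps1` and `SyncInvoke` in the same ScriptBlockText, so the two-step form the LOLBAS entry describes (dot-source the script in one command, call `SyncInvoke` in the next) is logged as two separate 4104 events and does not match here; only the companion "(2 Lines)" rule covers it. State that in the description so nobody disables one of the pair as a duplicate.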
View File

@@ -0,0 +1,28 @@
title: Execution via CL_Invocation.ps1 (2 Lines)
ruletype: Sigma
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
detection:
SELECTION_1:
ScriptBlockText:
- '*CL_Invocation.ps1*'
- '*SyncInvoke*'
condition: SELECTION_1 | count(ScriptBlockText) by Computer > 2
falsepositives:
- Unknown
id: f588e69b-0750-46bb-8f87-0e9320d57536
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://twitter.com/bohops/status/948061991012327424
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

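Review bot: the aggregation `count(ScriptBlockText) by Computer > 2` requires more than two (at least three) matching script block values per host, but the title says "2 Lines" and SELECTION_1 holds only two indicators, so the intended case of one block containing `CL_Invocation.ps1` and a second containing `SyncInvoke` yields a count of two and never reaches the threshold; it should be `> 1`. The aggregation also has no `timeframe`, so the count accumulates over the whole log set rather than a short window; add one and confirm how the consumer handles aggregation conditions, since no other rule in this set depends on them.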
View File

@@ -0,0 +1,29 @@
title: Execution via CL_Mutexverifiers.ps1
ruletype: Sigma
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText: '*CL_Mutexverifiers.ps1*'
SELECTION_2:
ScriptBlockText: '*runAfterCancelProcess*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

View File

@@ -0,0 +1,29 @@
title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
ruletype: Sigma
author: oscd.community, Natalia Shornikova
date: 2020/10/14
description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1
module
detection:
SELECTION_1:
ScriptBlockText:
- '*CL_Mutexverifiers.ps1*'
- '*runAfterCancelProcess*'
condition: SELECTION_1 | count(ScriptBlockText) by Computer > 2
falsepositives:
- Unknown
id: 6609c444-9670-4eab-9636-fe4755a851ce
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://twitter.com/pabraeken/status/995111125447577600
status: experimental
tags:
- attack.defense_evasion
- attack.t1216

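Review bot: same threshold problem as the CL_Invocation "(2 Lines)" rule above: `count(ScriptBlockText) by Computer > 2` cannot be satisfied by the two-line sequence the title describes (one block with `CL_Mutexverifiers.ps1`, one with `runAfterCancelProcess`), which gives a count of two. Change to `> 1` and add a `timeframe` so the count is bounded.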
View File

@@ -0,0 +1,37 @@
title: Clearing Windows Console History
ruletype: Sigma
author: Austin Songer @austinsonger
date: 2021/11/25
description: Identifies when a user attempts to clear console history. An adversary
may clear the command history of a compromised account to conceal the actions undertaken
during an intrusion.
detection:
SELECTION_1:
ScriptBlockText:
- '*Clear-History*'
SELECTION_2:
ScriptBlockText:
- '*Remove-Item*'
- '*rm*'
SELECTION_3:
ScriptBlockText:
- '*ConsoleHost_history.txt*'
- '*(Get-PSReadlineOption).HistorySavePath*'
condition: (SELECTION_1 or (SELECTION_2 and SELECTION_3))
falsepositives:
- Unknown
id: bde47d4b-9987-405c-94c7-b080410e8ea7
level: high
logsource:
category: ps_script
product: windows
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
status: experimental
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1070.003

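Review bot: SELECTION_1 `'*Clear-History*'` alone is weak evidence at `level: high`: Clear-History clears only the current session's Get-History buffer, not the PSReadLine file `ConsoleHost_history.txt` that SELECTION_3 targets, and it is a routine interactive command. Keep it but drop the level to medium, or require it together with SELECTION_3. In SELECTION_2 the bare `'*rm*'` is a two-character substring (it matches `Format`, `param`, `Form` and so on) and adds no discrimination; replace it with the actual deletion verbs and aliases (`'*Remove-Item*'`, `'* rm *'`, `'* del *'`, `'* ri *'`, `'*Clear-Content*'`). The logsource also lacks the `definition:` line the sibling ps_script rules carry.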
View File

@@ -0,0 +1,29 @@
title: PowerShell Create Local User
ruletype: Sigma
author: '@ROxPinTeddy'
date: 2020/04/11
description: Detects creation of a local user via PowerShell
detection:
SELECTION_1:
ScriptBlockText: '*New-LocalUser*'
condition: SELECTION_1
falsepositives:
- Legitimate user creation
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.persistence
- attack.t1136.001
- attack.t1136

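Review bot: `New-LocalUser` is the only indicator, so local user creation through the ADSI route that works on every Windows version (`[ADSI]"WinNT://."` followed by `.Create("User", ...)` and `.SetInfo()`) is not covered; a second selection combining `'*WinNT://*'` with `'*.Create(*'` would catch it at the same confidence. The tags list `attack.t1136` alongside `attack.t1136.001`, and the revoked `attack.t1086` alongside `attack.t1059.001`; the sub-technique tags already carry that information.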
View File

@@ -0,0 +1,32 @@
title: Data Compressed - PowerShell
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: An adversary may compress data (e.g., sensitive documents) that is collected
prior to exfiltration in order to make it portable and minimize the amount of data
sent over the network.
detection:
SELECTION_1:
ScriptBlockText: '*-Recurse*'
SELECTION_2:
ScriptBlockText: '*|*'
SELECTION_3:
ScriptBlockText: '*Compress-Archive*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Highly likely if archive operations are done via PowerShell.
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
level: low
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
status: experimental
tags:
- attack.exfiltration
- attack.t1560
- attack.t1002

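Review bot: SELECTION_2 `ScriptBlockText: '*|*'` matches any pipe character and is true for almost every non-trivial script block, so it contributes nothing to `(SELECTION_1 and SELECTION_2 and SELECTION_3)`; drop it, or replace it with the directory-listing stage (`Get-ChildItem`, `gci`, `dir`) that feeds Compress-Archive in the staging pattern this rule is after. `attack.t1002` is a revoked ATT&CK ID superseded by the `attack.t1560` tag already present. The falsepositives text is what justifies `level: low`, which is fine.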
View File

@@ -0,0 +1,33 @@
title: Powershell Detect Virtualization Environment
ruletype: Sigma
author: frack113
date: 2021/08/03
description: Adversaries may employ various system checks to detect and avoid virtualization
and analysis environments. This may include changing behaviors based on the results
of checks for the presence of artifacts indicative of a virtual machine environment
(VME) or sandbox
detection:
SELECTION_1:
ScriptBlockText: '*Get-WmiObject*'
SELECTION_2:
ScriptBlockText:
- '*MSAcpi_ThermalZoneTemperature*'
- '*Win32_ComputerSystem*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
status: experimental
tags:
- attack.defense_evasion
- attack.t1497.001

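Review bot: SELECTION_1 matches only `Get-WmiObject`, so the same checks written with `Get-CimInstance` (its replacement, and the only option in PowerShell 7) or with the `gwmi` alias are missed; add both. Of the two classes in SELECTION_2, `Win32_ComputerSystem` is queried by practically every inventory and logon script (Manufacturer, Model, TotalPhysicalMemory), so `Get-WmiObject` plus `Win32_ComputerSystem` will produce the bulk of the hits and "Unknown" undersells the false-positive rate; note that under falsepositives, or split the rule so the far rarer `MSAcpi_ThermalZoneTemperature` probe gets its own higher level.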
View File

@@ -0,0 +1,26 @@
title: Dnscat Execution
ruletype: Sigma
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
description: Dnscat exfiltration tool execution
detection:
SELECTION_1:
ScriptBlockText: '*Start-Dnscat2*'
condition: SELECTION_1
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
id: a6d67db4-6220-436d-8afc-f3842fe05d43
level: critical
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.exfiltration
- attack.t1048
- attack.execution
- attack.t1059.001
- attack.t1086

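Review bot: the rule has no `references:` entry; `Start-Dnscat2` is the entry function of the dnscat2-powershell client (github.com/lukebaggett/dnscat2-powershell), and that source should be cited so the indicator can be re-verified. `attack.t1086` is a revoked ID duplicating `attack.t1059.001`. `level: critical` on a single function name is fine for this tool, but the description should say "default function name" since a renamed copy evades it.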
View File

@@ -0,0 +1,31 @@
title: PowerShell ICMP Exfiltration
ruletype: Sigma
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/10
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may
steal data by exfiltrating it over an un-encrypted network protocol other than that
of the existing command and control channel.
detection:
SELECTION_1:
ScriptBlockText: '*New-Object*'
SELECTION_2:
ScriptBlockText: '*System.Net.NetworkInformation.Ping*'
SELECTION_3:
ScriptBlockText: '*.Send(*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
status: experimental
tags:
- attack.exfiltration
- attack.t1048.003

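Review bot: SELECTION_1 `'*New-Object*'` ties the rule to the `New-Object System.Net.NetworkInformation.Ping` spelling; the `[System.Net.NetworkInformation.Ping]::new()` constructor syntax available since PowerShell 5 creates the same object without `New-Object` and bypasses the condition. Let SELECTION_1 match either `New-Object` or `::new(`, or drop it and rely on SELECTION_2 and SELECTION_3. The falsepositives line can be sharpened too: the `.Send(` overload that carries data takes a byte buffer, so "scripts that call Ping.Send with a custom payload buffer" is the real legitimate case, plain reachability checks normally go through Test-Connection.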
View File

@@ -0,0 +1,25 @@
title: PrintNightmare Powershell Exploitation
ruletype: Sigma
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet name for PrintNightmare exploitation.
detection:
SELECTION_1:
ScriptBlockText: '*Invoke-Nightmare*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
status: test
tags:
- attack.privilege_escalation
- attack.t1548

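Review bot: `attack.t1548` (Abuse Elevation Control Mechanism) is the wrong technique for this rule; `Invoke-Nightmare` exploits the Print Spooler vulnerability tracked in the referenced CVE-2021-1675 repository to obtain SYSTEM, which is `attack.t1068` (Exploitation for Privilege Escalation). `definition: Script Block Logging must be enable` should read `enabled`, and since the rule keys on the PoC's default function name only, the description should say so to avoid implying coverage of renamed copies.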
View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation CLIP+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 73e67340-0d25-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

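Review bot: the `ScriptBlockText|re` pattern has no `(?i)` flag, unlike the Invoke-Obfuscation rules further down (for example `(?i).*rundll32...`), and Sigma's `re` modifier is case-sensitive, so `CMD /C ... CLIP` or `Clip.exe` (the casing Windows itself uses) slips past `cmd.{0,5}(?:/c|/r).+clip`. Prefix `(?i)`; the same applies to the STDIN+ and VAR+ launcher rules by the same author below. The leading `.*` is redundant in an unanchored search and only adds backtracking.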
View File

@@ -0,0 +1,40 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
ruletype: Sigma
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
ScriptBlockText|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
ScriptBlockText|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
ScriptBlockText|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
ScriptBlockText|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
ScriptBlockText|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
ScriptBlockText|re: \$VerbosePreference\.ToString\(
SELECTION_7:
ScriptBlockText|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086

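Review bot: in SELECTION_7, `\String\]\s*\$VerbosePreference` escapes the S as `\S`, which is the non-whitespace character class rather than a literal S; it happens to match `String]` anyway but should be written `String\]` (or `\[String\]`) so the intent is unambiguous. SELECTION_5 `\\\\*mdr\\\\*\W\s*\)\.Name` reads, as a YAML plain scalar, as a literal backslash followed by zero or more backslashes around `mdr`, whereas the Invoke-Obfuscation output it targets (`Get-Variable '*mdr*'`-style wildcards on MaximumDriveCount) contains asterisks; confirm whether `\*mdr\*` was meant. The patterns are also case-sensitive with no `(?i)` although PowerShell variable names such as `$PSHome` are not, and the rule lacks a `references:` block even though the description links the exact code region.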
View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation STDIN+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation VAR+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
ScriptBlockText|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

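Review bot: this rule and "Invoke-Obfuscation Via Use Rundll32" below both key on `rundll32 ... shell32.dll ... shellexec_rundll` from the same Invoke-Obfuscation launcher at different levels (medium here, high there), so one launcher produces two alerts. Decide whether they are meant to be complementary (this one requires `powershell` after the launcher, the other a preceding `&&` and one of `value|invoke|comspec|iex`) and say so in both descriptions, or merge them into one rule.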
View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Stdin
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Clip
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

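Review bot: the pattern `.*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*` has no `(?i)` flag, while the same author's Stdin, MSHTA and Rundll32 rules below all start with `(?i)`; `Echo`, `CLIP`, or `Invoke` with a capital I (which the lowercase `i`?n`?v...` alternative cannot match) therefore evade it. Add `(?i)`; the trailing `.*` is unnecessary.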
View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use MSHTA
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: e55a5195-4724-480e-a77e-3ebe64bd3759
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation Via Use Rundll32
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

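Review bot: `date: 2019/10/08` is a year off from the rest of this author's oscd.community Invoke-Obfuscation rules above (`2020/10/08`, `2020/10/09`, `2020/10/12`), which came out of the same October 2020 sprint; it looks like a typo for `2020/10/08` and should be confirmed before the field is relied on for rule-age sorting.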
View File

@@ -0,0 +1,27 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
ScriptBlockText|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: SELECTION_1
falsepositives:
- Unknown
id: e54f5149-6ba3-49cf-b153-070d24679126
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,31 @@
title: Powershell Keylogging
ruletype: Sigma
author: frack113
date: 2021/07/30
description: Adversaries may log user keystrokes to intercept credentials as the user
types them.
detection:
SELECTION_1:
ScriptBlockText: '*Get-Keystrokes*'
SELECTION_2:
ScriptBlockText: '*Get-ProcAddress user32.dll GetAsyncKeyState*'
SELECTION_3:
ScriptBlockText: '*Get-ProcAddress user32.dll GetForegroundWindow*'
condition: (SELECTION_1 or (SELECTION_2 and SELECTION_3))
falsepositives:
- Unknown
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
status: experimental
tags:
- attack.collection
- attack.t1056.001

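Review bot: the first reference points at `atomics/T1218/T1218.md` (Signed Binary Proxy Execution), which is unrelated to keystroke capture; the rule is tagged `attack.t1056.001` and the second reference already lives under `atomics/T1056.001/`, so the first should be `T1056.001/T1056.001.md`. SELECTION_2 and SELECTION_3 are exact single-space spellings (`Get-ProcAddress user32.dll GetAsyncKeyState`); code that keeps the module name in a variable or reorders the arguments will not match, which is acceptable but deserves a line in the description.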
View File

@@ -0,0 +1,126 @@
title: Malicious PowerShell Commandlets
ruletype: Sigma
author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update),
oscd.community (update)
date: 2017/03/05
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-DllInjection*'
- '*Invoke-Shellcode*'
- '*Invoke-WmiCommand*'
- '*Get-GPPPassword*'
- '*Get-Keystrokes*'
- '*Get-TimedScreenshot*'
- '*Get-VaultCredential*'
- '*Invoke-CredentialInjection*'
- '*Invoke-Mimikatz*'
- '*Invoke-NinjaCopy*'
- '*Invoke-TokenManipulation*'
- '*Out-Minidump*'
- '*VolumeShadowCopyTools*'
- '*Invoke-ReflectivePEInjection*'
- '*Invoke-UserHunter*'
- '*Find-GPOLocation*'
- '*Invoke-ACLScanner*'
- '*Invoke-DowngradeAccount*'
- '*Get-ServiceUnquoted*'
- '*Get-ServiceFilePermission*'
- '*Get-ServicePermission*'
- '*Invoke-ServiceAbuse*'
- '*Install-ServiceBinary*'
- '*Get-RegAutoLogon*'
- '*Get-VulnAutoRun*'
- '*Get-VulnSchTask*'
- '*Get-UnattendedInstallFile*'
- '*Get-ApplicationHost*'
- '*Get-RegAlwaysInstallElevated*'
- '*Get-Unconstrained*'
- '*Add-RegBackdoor*'
- '*Add-ScrnSaveBackdoor*'
- '*Gupt-Backdoor*'
- '*Invoke-ADSBackdoor*'
- '*Enabled-DuplicateToken*'
- '*Invoke-PsUaCme*'
- '*Remove-Update*'
- '*Check-VM*'
- '*Get-LSASecret*'
- '*Get-PassHashes*'
- '*Show-TargetScreen*'
- '*Port-Scan*'
- '*Invoke-PoshRatHttp*'
- '*Invoke-PowerShellTCP*'
- '*Invoke-PowerShellWMI*'
- '*Add-Exfiltration*'
- '*Add-Persistence*'
- '*Do-Exfiltration*'
- '*Start-CaptureServer*'
- '*Get-ChromeDump*'
- '*Get-ClipboardContents*'
- '*Get-FoxDump*'
- '*Get-IndexedItem*'
- '*Get-Screenshot*'
- '*Invoke-Inveigh*'
- '*Invoke-NetRipper*'
- '*Invoke-EgressCheck*'
- '*Invoke-PostExfil*'
- '*Invoke-PSInject*'
- '*Invoke-RunAs*'
- '*MailRaider*'
- '*New-HoneyHash*'
- '*Set-MacAttribute*'
- '*Invoke-DCSync*'
- '*Invoke-PowerDump*'
- '*Exploit-Jboss*'
- '*Invoke-ThunderStruck*'
- '*Invoke-VoiceTroll*'
- '*Set-Wallpaper*'
- '*Invoke-InveighRelay*'
- '*Invoke-PsExec*'
- '*Invoke-SSHCommand*'
- '*Get-SecurityPackages*'
- '*Install-SSP*'
- '*Invoke-BackdoorLNK*'
- '*PowerBreach*'
- '*Get-SiteListPassword*'
- '*Get-System*'
- '*Invoke-BypassUAC*'
- '*Invoke-Tater*'
- '*Invoke-WScriptBypassUAC*'
- '*PowerUp*'
- '*PowerView*'
- '*Get-RickAstley*'
- '*Find-Fruit*'
- '*HTTP-Login*'
- '*Find-TrustedDocuments*'
- '*Invoke-Paranoia*'
- '*Invoke-WinEnum*'
- '*Invoke-ARPScan*'
- '*Invoke-PortScan*'
- '*Invoke-ReverseDNSLookup*'
- '*Invoke-SMBScanner*'
- '*Invoke-Mimikittenz*'
- '*Invoke-AllChecks*'
SELECTION_2:
ScriptBlockText:
- '*Get-SystemDriveInfo*'
- '*C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Penetration testing
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/11/29
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

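Review bot: SELECTION_2's carve-out for `Get-SystemDriveInfo` shows that the `'*Get-System*'` entry in SELECTION_1 is a prefix collision, and `'*PowerUp*'`, `'*PowerView*'`, `'*Port-Scan*'` and `'*Set-Wallpaper*'` have the same problem (the EC2 `Set-Wallpaper.ps1` exclusion is the second symptom). Rather than whitelisting one collision at a time, tighten those entries to the exact function names the frameworks export (for example `'*Get-System *'` for the PowerUp function) and keep the exclusion list for genuine residual hits. `attack.t1086` is revoked and redundant with `attack.t1059.001`.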
View File

@@ -0,0 +1,47 @@
title: Malicious PowerShell Keywords
ruletype: Sigma
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects keywords from well-known PowerShell exploitation frameworks
detection:
SELECTION_1:
ScriptBlockText:
- '*AdjustTokenPrivileges*'
- '*IMAGE_NT_OPTIONAL_HDR64_MAGIC*'
- '*Microsoft.Win32.UnsafeNativeMethods*'
- '*ReadProcessMemory.Invoke*'
- '*SE_PRIVILEGE_ENABLED*'
- '*LSA_UNICODE_STRING*'
- '*MiniDumpWriteDump*'
- '*PAGE_EXECUTE_READ*'
- '*SECURITY_DELEGATION*'
- '*TOKEN_ADJUST_PRIVILEGES*'
- '*TOKEN_ALL_ACCESS*'
- '*TOKEN_ASSIGN_PRIMARY*'
- '*TOKEN_DUPLICATE*'
- '*TOKEN_ELEVATION*'
- '*TOKEN_IMPERSONATE*'
- '*TOKEN_INFORMATION_CLASS*'
- '*TOKEN_PRIVILEGES*'
- '*TOKEN_QUERY*'
- '*Metasploit*'
- '*Mimikatz*'
condition: SELECTION_1
falsepositives:
- Penetration tests
id: f62176f3-8128-4faa-bf6c-83261322e5eb
level: high
logsource:
category: ps_script
definition: It is recommended to use the new "Script Block Logging" of PowerShell
v5 https://adsecurity.org/?p=2277
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086

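Review bot: the `definition:` text ("It is recommended to use the new Script Block Logging of PowerShell v5") is a leftover from when this rule targeted classic logging; the logsource is already `ps_script`, so state the requirement plainly as the other rules do ("Script block logging must be enabled"). Several keywords (`AdjustTokenPrivileges`, `MiniDumpWriteDump`) also appear in "Accessing WinAPI in PowerShell" above, so one token-manipulation script raises both rules at `level: high`; either accept the overlap explicitly in the description or remove the duplicates from one side. `attack.t1086` is revoked.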
View File

@@ -0,0 +1,27 @@
title: Live Memory Dump Using Powershell
ruletype: Sigma
author: Max Altgelt
date: 2021/09/21
description: Detects usage of a PowerShell command to dump the live memory of a Windows
machine
detection:
SELECTION_1:
ScriptBlockText: '*Get-StorageDiagnosticInfo*'
SELECTION_2:
ScriptBlockText: '*-IncludeLiveDump*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Diagnostics
id: cd185561-4760-45d6-a63e-a51325112cae
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
status: experimental
tags:
- attack.t1003

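Review bot: the tags carry only the technique `attack.t1003` with no tactic tag; add `attack.credential_access`, which every other rule in this set pairs with its technique IDs. A live dump taken by `Get-StorageDiagnosticInfo -IncludeLiveDump` contains LSASS memory along with everything else, so `attack.t1003.001` is arguably the more precise tag. The cmdlet needs administrative rights, so "Diagnostics" as the sole false positive is plausible and `level: high` is justified.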
View File

@@ -0,0 +1,97 @@
title: Malicious Nishang PowerShell Commandlets
ruletype: Sigma
author: Alec Costello
date: 2019/05/16
description: Detects Commandlet names and arguments from the Nishang exploitation
framework
detection:
SELECTION_1:
ScriptBlockText:
- '*Add-ConstrainedDelegationBackdoor*'
- '*Set-DCShadowPermissions*'
- '*DNS_TXT_Pwnage*'
- '*Execute-OnTime*'
- '*HTTP-Backdoor*'
- '*Set-RemotePSRemoting*'
- '*Set-RemoteWMI*'
- '*Invoke-AmsiBypass*'
- '*Out-CHM*'
- '*Out-HTA*'
- '*Out-SCF*'
- '*Out-SCT*'
- '*Out-Shortcut*'
- '*Out-WebQuery*'
- '*Out-Word*'
- '*Enable-Duplication*'
- '*Remove-Update*'
- '*Download-Execute-PS*'
- '*Download_Execute*'
- '*Execute-Command-MSSQL*'
- '*Execute-DNSTXT-Code*'
- '*Out-RundllCommand*'
- '*Copy-VSS*'
- '*FireBuster*'
- '*FireListener*'
- '*Get-Information*'
- '*Get-PassHints*'
- '*Get-WLAN-Keys*'
- '*Get-Web-Credentials*'
- '*Invoke-CredentialsPhish*'
- '*Invoke-MimikatzWDigestDowngrade*'
- '*Invoke-SSIDExfil*'
- '*Invoke-SessionGopher*'
- '*Keylogger*'
- '*Invoke-Interceptor*'
- '*Create-MultipleSessions*'
- '*Invoke-NetworkRelay*'
- '*Run-EXEonRemote*'
- '*Invoke-Prasadhak*'
- '*Invoke-BruteForce*'
- '*Password-List*'
- '*Invoke-JSRatRegsvr*'
- '*Invoke-JSRatRundll*'
- '*Invoke-PoshRatHttps*'
- '*Invoke-PowerShellIcmp*'
- '*Invoke-PowerShellUdp*'
- '*Invoke-PSGcat*'
- '*Invoke-PsGcatAgent*'
- '*Remove-PoshRat*'
- '*Add-Persistance*'
- '*ExetoText*'
- '*Invoke-Decode*'
- '*Invoke-Encode*'
- '*Parse_Keys*'
- '*Remove-Persistence*'
- '*StringtoBase64*'
- '*TexttoExe*'
- '*Powerpreter*'
- '*Nishang*'
- '*DataToEncode*'
- '*LoggedKeys*'
- '*OUT-DNSTXT*'
- '*ExfilOption*'
- '*DumpCerts*'
- '*DumpCreds*'
- '*Shellcode32*'
- '*Shellcode64*'
- '*NotAllNameSpaces*'
- '*exfill*'
- '*FakeDC*'
condition: SELECTION_1
falsepositives:
- Penetration testing
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/samratashok/nishang
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
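Review bot: several list entries are bare words rather than Nishang cmdlet names, for example '*Keylogger*', '*exfill*', '*DataToEncode*', '*LoggedKeys*' and '*FakeDC*', which will match comments and variable names in unrelated scripts, yet falsepositives lists only "Penetration testing" at level: high; either drop the generic tokens or document the expected noise. attack.t1086 is deprecated and attack.t1059.001, already listed, replaces it. Minor: "Commandlet" in the description should be "cmdlet".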


@@ -0,0 +1,36 @@
title: NTFS Alternate Data Stream
ruletype: Sigma
author: Sami Ruohonen
date: 2018/07/24
description: Detects writing data into NTFS alternate data streams from powershell.
Needs Script Block Logging.
detection:
SELECTION_1:
ScriptBlockText:
- '*set-content*'
- '*add-content*'
SELECTION_2:
ScriptBlockText:
- '*-stream*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- unknown
id: 8c521530-5169-495d-a199-0a3a881ad24e
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/12/02
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
- attack.t1096
- attack.execution
- attack.t1059.001
- attack.t1086
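Review bot: the tags carry two technique IDs that MITRE has deprecated, attack.t1096 (superseded by attack.t1564.004, already listed) and attack.t1086 (superseded by attack.t1059.001, already listed); drop both. Minor: falsepositives "unknown" is lowercase here while the other rules use "Unknown", and the description's "Needs Script Block Logging" duplicates the definition line.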


@@ -0,0 +1,150 @@
title: Malicious PowerView PowerShell Commandlets
ruletype: Sigma
author: Bhabesh Raj
date: 2021/05/18
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
detection:
SELECTION_1:
ScriptBlockText:
- '*Export-PowerViewCSV*'
- '*Get-IPAddress*'
- '*Resolve-IPAddress*'
- '*Convert-NameToSid*'
- '*ConvertTo-SID*'
- '*Convert-ADName*'
- '*ConvertFrom-UACValue*'
- '*Add-RemoteConnection*'
- '*Remove-RemoteConnection*'
- '*Invoke-UserImpersonation*'
- '*Invoke-RevertToSelf*'
- '*Request-SPNTicket*'
- '*Get-DomainSPNTicket*'
- '*Invoke-Kerberoast*'
- '*Get-PathAcl*'
- '*Get-DNSZone*'
- '*Get-DomainDNSZone*'
- '*Get-DNSRecord*'
- '*Get-DomainDNSRecord*'
- '*Get-NetDomain*'
- '*Get-Domain*'
- '*Get-NetDomainController*'
- '*Get-DomainController*'
- '*Get-NetForest*'
- '*Get-Forest*'
- '*Get-NetForestDomain*'
- '*Get-ForestDomain*'
- '*Get-NetForestCatalog*'
- '*Get-ForestGlobalCatalog*'
- '*Find-DomainObjectPropertyOutlier*'
- '*Get-NetUser*'
- '*Get-DomainUser*'
- '*New-DomainUser*'
- '*Set-DomainUserPassword*'
- '*Get-UserEvent*'
- '*Get-DomainUserEvent*'
- '*Get-NetComputer*'
- '*Get-DomainComputer*'
- '*Get-ADObject*'
- '*Get-DomainObject*'
- '*Set-ADObject*'
- '*Set-DomainObject*'
- '*Get-ObjectAcl*'
- '*Get-DomainObjectAcl*'
- '*Add-ObjectAcl*'
- '*Add-DomainObjectAcl*'
- '*Invoke-ACLScanner*'
- '*Find-InterestingDomainAcl*'
- '*Get-NetOU*'
- '*Get-DomainOU*'
- '*Get-NetSite*'
- '*Get-DomainSite*'
- '*Get-NetSubnet*'
- '*Get-DomainSubnet*'
- '*Get-DomainSID*'
- '*Get-NetGroup*'
- '*Get-DomainGroup*'
- '*New-DomainGroup*'
- '*Find-ManagedSecurityGroups*'
- '*Get-DomainManagedSecurityGroup*'
- '*Get-NetGroupMember*'
- '*Get-DomainGroupMember*'
- '*Add-DomainGroupMember*'
- '*Get-NetFileServer*'
- '*Get-DomainFileServer*'
- '*Get-DFSshare*'
- '*Get-DomainDFSShare*'
- '*Get-NetGPO*'
- '*Get-DomainGPO*'
- '*Get-NetGPOGroup*'
- '*Get-DomainGPOLocalGroup*'
- '*Find-GPOLocation*'
- '*Get-DomainGPOUserLocalGroupMapping*'
- '*Find-GPOComputerAdmin*'
- '*Get-DomainGPOComputerLocalGroupMapping*'
- '*Get-DomainPolicy*'
- '*Get-NetLocalGroup*'
- '*Get-NetLocalGroupMember*'
- '*Get-NetShare*'
- '*Get-NetLoggedon*'
- '*Get-NetSession*'
- '*Get-LoggedOnLocal*'
- '*Get-RegLoggedOn*'
- '*Get-NetRDPSession*'
- '*Invoke-CheckLocalAdminAccess*'
- '*Test-AdminAccess*'
- '*Get-SiteName*'
- '*Get-NetComputerSiteName*'
- '*Get-Proxy*'
- '*Get-WMIRegProxy*'
- '*Get-LastLoggedOn*'
- '*Get-WMIRegLastLoggedOn*'
- '*Get-CachedRDPConnection*'
- '*Get-WMIRegCachedRDPConnection*'
- '*Get-RegistryMountedDrive*'
- '*Get-WMIRegMountedDrive*'
- '*Get-NetProcess*'
- '*Get-WMIProcess*'
- '*Find-InterestingFile*'
- '*Invoke-UserHunter*'
- '*Find-DomainUserLocation*'
- '*Invoke-ProcessHunter*'
- '*Find-DomainProcess*'
- '*Invoke-EventHunter*'
- '*Find-DomainUserEvent*'
- '*Invoke-ShareFinder*'
- '*Find-DomainShare*'
- '*Invoke-FileFinder*'
- '*Find-InterestingDomainShareFile*'
- '*Find-LocalAdminAccess*'
- '*Invoke-EnumerateLocalAdmin*'
- '*Find-DomainLocalGroupMember*'
- '*Get-NetDomainTrust*'
- '*Get-DomainTrust*'
- '*Get-NetForestTrust*'
- '*Get-ForestTrust*'
- '*Find-ForeignUser*'
- '*Get-DomainForeignUser*'
- '*Find-ForeignGroup*'
- '*Get-DomainForeignGroupMember*'
- '*Invoke-MapDomainTrust*'
- '*Get-DomainTrustMapping*'
condition: SELECTION_1
falsepositives:
- Should not be any as administrators do not use this tool
id: dcd74b95-3f36-4ed9-9598-0490951643aa
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
status: experimental
tags:
- attack.execution
- attack.t1059.001
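Review bot: '*Get-ADObject*' and '*Set-ADObject*' (the two entries after '*Get-DomainComputer*') are also the names of cmdlets in Microsoft's ActiveDirectory module, so any administrator using RSAT will trigger this level: high rule, which contradicts the falsepositives claim "Should not be any as administrators do not use this tool"; either remove those two entries or document the false positive. The list also has redundant entries: '*Get-Domain*' already matches every '*Get-Domain...*' entry and '*Get-Forest*' every '*Get-Forest...*' entry, so they can be collapsed. Minor: the definition should read "must be enabled".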


@@ -0,0 +1,28 @@
title: PowerShell Credential Prompt
ruletype: Sigma
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
description: Detects PowerShell calling a credential prompt
detection:
SELECTION_1:
ScriptBlockText: '*PromptForCredential*'
condition: SELECTION_1
falsepositives:
- Unknown
id: ca8b77a9-d499-4095-b793-5d5f330d450e
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
status: experimental
tags:
- attack.credential_access
- attack.execution
- attack.t1059.001
- attack.t1086
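Review bot: the second reference entry is a t.co shortened link; replace it with the resolved URL, since shortened links are opaque to reviewers and rot. The falsepositives entry "Unknown" could note that $Host.UI.PromptForCredential is also what legitimate interactive scripts call to ask for credentials, which makes level: high worth a second look. attack.t1086 is deprecated; attack.t1059.001 already covers it.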


@@ -0,0 +1,26 @@
title: PowerShell PSAttack
ruletype: Sigma
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
description: Detects the use of PSAttack PowerShell hack tool
detection:
SELECTION_1:
ScriptBlockText: '*PS ATTACK!!!*'
condition: SELECTION_1
falsepositives:
- Pentesters
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://adsecurity.org/?p=2921
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
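Review bot: the only selector is the banner string '*PS ATTACK!!!*', so this rule identifies one tool's banner text rather than a behaviour; that is fine as a high-confidence signature, but the description should say it matches the PSAttack banner so analysts understand what it does and does not cover. attack.t1086 is deprecated; attack.t1059.001 already covers it.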


@@ -0,0 +1,34 @@
title: Change PowerShell Policies to a Unsecure Level
ruletype: Sigma
author: frack113
date: 2021/10/20
description: Detects use of Set-ExecutionPolicy to set a unsecure policies
detection:
SELECTION_1:
ScriptBlockText: '*Set-ExecutionPolicy*'
SELECTION_2:
ScriptBlockText:
- '*Unrestricted*'
- '*bypass*'
- '*RemoteSigned*'
SELECTION_3:
ParentImage:
- C:\ProgramData\chocolatey\choco.exe
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3))
falsepositives:
- Administrator script
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
level: high
logsource:
category: ps_script
product: windows
modified: 2021/11/26
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
- https://adsecurity.org/?p=2604
status: experimental
tags:
- attack.execution
- attack.t1059.001
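Review bot: SELECTION_3 filters on ParentImage, but the 4104 script block event that category: ps_script maps to has no ParentImage field (it carries ScriptBlockText, ScriptBlockId and Path), so the chocolatey exclusion can never match and the not (SELECTION_3) clause is a no-op; filter on the Path field of the script instead, or move the exclusion to a process_creation rule where ParentImage exists. Also, '*RemoteSigned*' in SELECTION_2 is the default policy on Windows Server and a common administrator choice, so listing it as an "unsecure level" at level: high will generate exactly the "Administrator script" false positives the rule acknowledges; consider keeping Unrestricted and Bypass only. Minor: "a unsecure" should be "an unsecure" in both title and description.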


@@ -0,0 +1,33 @@
title: PowerShell ShellCode
ruletype: Sigma
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
description: Detects Base64 encoded Shellcode
detection:
SELECTION_1:
ScriptBlockText: '*AAAAYInlM*'
SELECTION_2:
ScriptBlockText:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
level: critical
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
status: experimental
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
- attack.execution
- attack.t1059.001
- attack.t1086
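Review bot: SELECTION_1 is redundant: both SELECTION_2 strings ('*OiCAAAAYInlM*', '*OiJAAAAYInlM*') already contain the SELECTION_1 string 'AAAAYInlM', so (SELECTION_1 and SELECTION_2) is equivalent to SELECTION_2 alone and SELECTION_1 can be removed; if the intent was a broader match on the shorter fragment the condition would need to be an or, which level: critical would not justify. The description "Detects Base64 encoded Shellcode" should also say that these are fixed Base64 substrings, so the rule matches one encoded sequence rather than shellcode in general. attack.t1086 is deprecated.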


@@ -0,0 +1,29 @@
title: Malicious ShellIntel PowerShell Commandlets
ruletype: Sigma
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet names from ShellIntel exploitation scripts.
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-SMBAutoBrute*'
- '*Invoke-GPOLinks*'
- '*Out-Minidump*'
- '*Invoke-Potato*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/Shellntel/scripts/
status: experimental
tags:
- attack.execution
- attack.t1059.001
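Review bot: the definition string "Script Block Logging must be enable" (also used in the PowerView, Zip, Export-PfxCertificate and Get-Process rules in this commit) should read "must be enabled"; the rules use four different wordings for the same requirement, so pick one. '*Out-Minidump*' is also shipped in PowerSploit's Exfiltration module, so the description could say so instead of attributing it to ShellIntel only.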


@@ -0,0 +1,34 @@
title: Detected Windows Software Discovery
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/16
description: Adversaries may attempt to enumerate software for a variety of reasons,
such as figuring out what security measures are present or if the compromised system
has a version of software that is vulnerable.
detection:
SELECTION_1:
ScriptBlockText: '*get-itemProperty*'
SELECTION_2:
ScriptBlockText: '*\software\\*'
SELECTION_3:
ScriptBlockText: '*select-object*'
SELECTION_4:
ScriptBlockText: '*format-table*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Legitimate administration activities
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/11/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts
status: experimental
tags:
- attack.discovery
- attack.t1518
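Review bot: the four AND-ed tokens (get-itemProperty, \software\, select-object, format-table) reproduce the single command of the referenced Atomic test verbatim, so recall outside that test is low while overlap with routine inventory scripts (the "Legitimate administration activities" entry) is high. The discriminating element is the registry-based software enumeration (get-itemProperty under \software\); select-object and format-table are output formatting and say nothing about intent either way. Consider dropping the two formatting tokens and documenting the expected noise, or keep level: medium and label it a hunting rule.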


@@ -0,0 +1,31 @@
title: Powershell Store File In Alternate Data Stream
ruletype: Sigma
author: frack113
date: 2021/09/02
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
detection:
SELECTION_1:
ScriptBlockText: '*Start-Process*'
SELECTION_2:
ScriptBlockText: '*-FilePath "$env:comspec" *'
SELECTION_3:
ScriptBlockText: '*-ArgumentList *'
SELECTION_4:
ScriptBlockText: '*>*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.004
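Review bot: nothing in the four selections references the alternate data stream itself (the colon-separated stream name in the target path), so the rule actually matches "Start-Process of $env:comspec with an -ArgumentList containing a redirect", and the title and description overstate what it detects; either add a selection for the stream syntax or retitle. SELECTION_2 is also brittle: it requires the exact text -FilePath "$env:comspec" with double quotes and a trailing space, so a single-quoted or unquoted form of the same command does not match. SELECTION_4 '*>*' is a near-universal token (any redirect or comparison text) and adds no signal on its own.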


@@ -0,0 +1,32 @@
title: Zip A Folder With PowerShell For Staging In Temp
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
ScriptBlockText: '*Compress-Archive *'
SELECTION_2:
ScriptBlockText: '* -Path *'
SELECTION_3:
ScriptBlockText: '* -DestinationPath *'
SELECTION_4:
ScriptBlockText: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
level: medium
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
status: experimental
tags:
- attack.collection
- attack.t1074.001
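Review bot: SELECTION_2 '* -Path *' does not match the -LiteralPath parameter of Compress-Archive, nor a positional first argument, so only the exact spelling used by the Atomic test is covered; since -DestinationPath is mandatory and -Path can be given positionally, the two parameter tokens add nothing and the rule could match on Compress-Archive plus the $env:TEMP destination alone. Minor: definition should read "must be enabled".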


@@ -0,0 +1,30 @@
title: Suspicious PowerShell Download
ruletype: Sigma
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
ScriptBlockText: '*System.Net.WebClient*'
SELECTION_2:
ScriptBlockText:
- '*.DownloadFile(*'
- '*.DownloadString(*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- PowerShell scripts that download content from the Internet
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
level: medium
logsource:
category: ps_script
product: windows
modified: 2021/10/18
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
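Review bot: SELECTION_1 requires the full '*System.Net.WebClient*' text, but New-Object Net.WebClient (without the System. prefix) is equally valid and is what the Web Request rule later in this commit matches with '*Net.WebClient*'; align this rule with the shorter pattern. SELECTION_2 covers DownloadFile( and DownloadString( but not DownloadData(, the third download method of the same class. The logsource also lacks the definition line the other ps_script rules carry, and attack.t1086 is deprecated.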


@@ -0,0 +1,29 @@
title: Suspicious Export-PfxCertificate
ruletype: Sigma
author: Florian Roth
date: 2021/04/23
description: Detects Commandlet that is used to export certificates from the local
certificate store and sometimes used by threat actors to steal private keys from
compromised machines
detection:
SELECTION_1:
ScriptBlockText: '*Export-PfxCertificate*'
condition: SELECTION_1
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/08/04
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
- https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
status: experimental
tags:
- attack.credential_access
- attack.t1552.004


@@ -0,0 +1,27 @@
title: PowerShell Get-Process LSASS in ScriptBlock
ruletype: Sigma
author: Florian Roth
date: 2021/04/23
description: Detects a Get-Process command on lsass process, which is in almost all
cases a sign of malicious activity
detection:
SELECTION_1:
ScriptBlockText: '*Get-Process lsass*'
condition: SELECTION_1
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes
in the environment - filter if unusable)
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
level: high
logsource:
category: ps_script
definition: Script Block Logging must be enable
product: windows
modified: 2021/10/16
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
status: experimental
tags:
- attack.credential_access
- attack.t1003.001
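Review bot: the falsepositives text ("Legitimate certificate exports invoked by administrators or users ...") is copied from the Export-PfxCertificate rule above and does not apply to Get-Process lsass; replace it with something relevant, such as monitoring or troubleshooting scripts that enumerate processes by name. The single pattern '*Get-Process lsass*' also misses the named-parameter form Get-Process -Name lsass, so the description's "almost all cases" claim only holds for the exact spelling matched; two selections (Get-Process and lsass), as the other rules do, would be more robust. Minor: definition should read "must be enabled".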


@@ -0,0 +1,38 @@
title: Suspicious PowerShell Invocations - Generic
ruletype: Sigma
author: Florian Roth (rule)
date: 2017/03/12
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ScriptBlockText:
- '* -enc *'
- '* -EncodedCommand *'
SELECTION_2:
ScriptBlockText:
- '* -w hidden *'
- '* -window hidden *'
- '* -windowstyle hidden *'
SELECTION_3:
ScriptBlockText:
- '* -noni *'
- '* -noninteractive *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
id: ed965133-513f-41d9-a441-e38076a0798f
level: high
logsource:
category: ps_script
product: windows
modified: 2021/12/02
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
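Review bot: this ps_script rule is derived from a process_creation rule (the related entry), but -enc, -w hidden and -noni are command-line switches of powershell.exe; a 4104 script block contains the code being executed, so these tokens appear in ScriptBlockText only when a script itself spawns another PowerShell with those switches. That is a legitimate thing to detect, but the description ("Detects suspicious PowerShell invocation command parameters") should say so, because analysts will otherwise assume it covers the initial invocation, which only the process_creation sibling sees. attack.t1086 is deprecated.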


@@ -0,0 +1,95 @@
title: Suspicious PowerShell Invocations - Specific
ruletype: Sigma
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ScriptBlockText: '*-nop*'
SELECTION_10:
ScriptBlockText: '* -c *'
SELECTION_11:
ScriptBlockText: '*iex*'
SELECTION_12:
ScriptBlockText: '*New-Object*'
SELECTION_13:
ScriptBlockText: '* -w *'
SELECTION_14:
ScriptBlockText: '*hidden*'
SELECTION_15:
ScriptBlockText: '*-ep*'
SELECTION_16:
ScriptBlockText: '*bypass*'
SELECTION_17:
ScriptBlockText: '*-Enc*'
SELECTION_18:
ScriptBlockText: '*powershell*'
SELECTION_19:
ScriptBlockText: '*reg*'
SELECTION_2:
ScriptBlockText: '* -w *'
SELECTION_20:
ScriptBlockText: '*add*'
SELECTION_21:
ScriptBlockText: '*HKCU\software\microsoft\windows\currentversion\run*'
SELECTION_22:
ScriptBlockText: '*bypass*'
SELECTION_23:
ScriptBlockText: '*-noprofile*'
SELECTION_24:
ScriptBlockText: '*-windowstyle*'
SELECTION_25:
ScriptBlockText: '*hidden*'
SELECTION_26:
ScriptBlockText: '*new-object*'
SELECTION_27:
ScriptBlockText: '*system.net.webclient*'
SELECTION_28:
ScriptBlockText: '*.download*'
SELECTION_29:
ScriptBlockText: '*iex*'
SELECTION_3:
ScriptBlockText: '*hidden*'
SELECTION_30:
ScriptBlockText: '*New-Object*'
SELECTION_31:
ScriptBlockText: '*Net.WebClient*'
SELECTION_32:
ScriptBlockText: '*.Download*'
SELECTION_4:
ScriptBlockText: '* -c *'
SELECTION_5:
ScriptBlockText: '*[Convert]::FromBase64String*'
SELECTION_6:
ScriptBlockText: '* -w *'
SELECTION_7:
ScriptBlockText: '*hidden*'
SELECTION_8:
ScriptBlockText: '*-noni*'
SELECTION_9:
ScriptBlockText: '*-nop*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
and SELECTION_31 and SELECTION_32))
falsepositives:
- Penetration tests
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/18
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
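Review bot: many of the 32 selections are duplicates: '* -w *' (2, 6, 13), '*hidden*' (3, 7, 14, 25), '*-nop*' (1, 9), '* -c *' (4, 10), '*iex*' (11, 29), '*New-Object*' (12, 30, and 26 since Sigma string matching is case-insensitive), '*bypass*' (16, 22), and every string matched by '*system.net.webclient*' (27) is also matched by '*Net.WebClient*' (31); collapsing them would shrink the seven-line condition to a readable form. '*reg*' (19) and '*add*' (20) are too short to carry signal (they match register, regex, address, Add-Member and so on) and can be dropped, because '*HKCU\software\microsoft\windows\currentversion\run*' (21) together with '*powershell*' (18) already expresses that branch. Worth documenting as well: PowerShell splits large script blocks across several 4104 events (MessageNumber/MessageTotal), so a seven-way AND only fires when all tokens land in the same fragment.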


@@ -0,0 +1,40 @@
title: Suspicious PowerShell Keywords
ruletype: Sigma
author: Florian Roth, Perez Diego (@darkquassar)
date: 2019/02/11
description: Detects keywords that could indicate the use of some PowerShell exploitation
framework
detection:
SELECTION_1:
ScriptBlockText:
- '*System.Reflection.Assembly.Load($*'
- '*[System.Reflection.Assembly]::Load($*'
- '*[Reflection.Assembly]::Load($*'
- '*System.Reflection.AssemblyName*'
- '*Reflection.Emit.AssemblyBuilderAccess*'
- '*Runtime.InteropServices.DllImportAttribute*'
- '*SuspendThread*'
- '*rundll32*'
- '*Invoke-WMIMethod*'
- '*http://127.0.0.1*'
condition: SELECTION_1
falsepositives:
- Penetration tests
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled for 4104
product: windows
modified: 2021/10/16
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
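Review bot: '*rundll32*' and '*http://127.0.0.1*' are far broader than the reflection-loading patterns around them (rundll32 appears in ordinary administration scripts and a loopback URL in any local test script), yet the rule is level: high with falsepositives limited to "Penetration tests"; split those two into a lower-level rule or document the noise. Minor: the definition "must be enabled for 4104" is yet another wording of the same requirement; align it with the other rules. attack.t1086 is deprecated.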


@@ -0,0 +1,31 @@
title: Powershell Local Email Collection
ruletype: Sigma
author: frack113
date: 2021/07/21
description: Adversaries may target user email on local systems to collect sensitive
information. Files containing email data can be acquired from a users local system,
such as Outlook storage or cache files.
detection:
SELECTION_1:
ScriptBlockText:
- '*Get-Inbox.ps1*'
- '*Microsoft.Office.Interop.Outlook*'
- '*Microsoft.Office.Interop.Outlook.olDefaultFolders*'
- '*-comobject outlook.application*'
condition: SELECTION_1
falsepositives:
- Unknown
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
status: experimental
tags:
- attack.collection
- attack.t1114.001
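Review bot: '*Microsoft.Office.Interop.Outlook.olDefaultFolders*' is redundant, since '*Microsoft.Office.Interop.Outlook*' above it already matches every string the longer entry would; remove it. '*-comobject outlook.application*' requires the unquoted form with exactly one space, so -ComObject 'Outlook.Application' or "Outlook.Application" does not match; '*-comobject*' and '*outlook.application*' as two selections would be robust to quoting. falsepositives "Unknown" should mention mail-automation scripts that legitimately drive the Outlook COM object.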


@@ -0,0 +1,29 @@
title: PowerShell Deleted Mounted Share
ruletype: Sigma
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/08
description: Detects when when a mounted share is removed. Adversaries may remove
share connections that are no longer useful in order to clean up traces of their
operation
detection:
SELECTION_1:
ScriptBlockText:
- '*Remove-SmbShare*'
- '*Remove-FileShare*'
condition: SELECTION_1
falsepositives:
- Administrators or Power users may remove their shares via cmd line
id: 66a4d409-451b-4151-94f4-a55d559c49b0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.005
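Review bot: the description has "when when" (typo). More substantively, the title says "Deleted Mounted Share", but Remove-SmbShare and Remove-FileShare delete a share the local host exposes, not a mounted (mapped) connection to a remote share; removing a mapping, which is what T1070.005 Network Share Connection Removal describes, is done with Remove-SmbMapping or Remove-PSDrive and is not matched here. Either add those cmdlets or rename the rule to say it detects share deletion on the host.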


@@ -0,0 +1,31 @@
title: Recon Information for Export with PowerShell
ruletype: Sigma
author: frack113
date: 2021/07/30
description: Once established within a system or network, an adversary may use automated
techniques for collecting internal data
detection:
SELECTION_1:
ScriptBlockText:
- '*Get-Service *'
- '*Get-ChildItem *'
- '*Get-Process *'
SELECTION_2:
ScriptBlockText: '*> $env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: a9723fcc-881c-424c-8709-fd61442ab3c3
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
status: experimental
tags:
- attack.collection
- attack.t1119
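Review bot: SELECTION_2 '*> $env:TEMP\\*' pins the Atomic test's exact redirect text (a single space after > and the literal $env:TEMP), so Out-File or Export-Csv to the same location, or a temp path written as $env:TMP or as a literal path, is not matched and recall is limited to that test. Several frack113 rules in this commit share this "Get-* output written to a temp path" shape; one selection covering both the redirect and the Out-File forms would serve them all.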


@@ -0,0 +1,26 @@
title: Powershell Suspicious Win32_PnPEntity
ruletype: Sigma
author: frack113
date: 2021/08/23
description: Adversaries may attempt to gather information about attached peripheral
devices and components connected to a computer system.
detection:
SELECTION_1:
ScriptBlockText: '*Win32_PnPEntity*'
condition: SELECTION_1
falsepositives:
- admin script
id: b26647de-4feb-4283-af6b-6117661283c5
level: low
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
status: experimental
tags:
- attack.discovery
- attack.t1120


@@ -0,0 +1,29 @@
title: Suspicious PowerShell WindowStyle Option
ruletype: Sigma
author: frack113
date: 2021/10/20
description: Adversaries may use hidden windows to conceal malicious activity from
the plain sight of users. In some cases, windows that would typically be displayed
when an application carries out an operation can be hidden
detection:
SELECTION_1:
ScriptBlockText: '*powershell*'
SELECTION_2:
ScriptBlockText: '*WindowStyle*'
SELECTION_3:
ScriptBlockText: '*Hidden*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
level: medium
logsource:
category: ps_script
product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.003
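Review bot: this rule overlaps heavily with the -windowstyle hidden branches of the Generic and Specific invocation rules earlier in this commit, so an event hitting those will usually hit this one too; either record the overlap in related, or make this the low-level catch-all and keep the others for the high-confidence combinations. The logsource is missing the definition line and the rule has no modified date, unlike the others. '*Hidden*' on its own matches any script containing the word hidden, which the falsepositives entry "Unknown" does not reflect.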


@@ -0,0 +1,30 @@
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
ruletype: Sigma
author: Ensar Şamil, @sblmsrsn, OSCD Community
date: 2020/10/05
description: Detects SyncAppvPublishingServer process execution which usually utilized
by adversaries to bypass PowerShell execution restrictions.
detection:
SELECTION_1:
ScriptBlockText: '*SyncAppvPublishingServer.exe*'
condition: SELECTION_1
falsepositives:
- App-V clients
id: dddfebae-c46f-439c-af7a-fdb6bde90218
level: medium
logsource:
category: ps_script
product: windows
modified: 2021/10/18
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
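Review bot: matching '*SyncAppvPublishingServer.exe*' in ScriptBlockText is unlikely to fire for the technique the description names: when SyncAppvPublishingServer runs PowerShell code, the 4104 event logs the code that executes, and the name of the hosting executable is not part of that text unless the script mentions it. The host process shows up in the HostApplication field of the PowerShell engine lifecycle events (ps_classic_start) or as the parent in process_creation, which is presumably what the two related rules cover; this ps_script variant only catches a script that references the binary by name, and the description should say so, or the rule should be dropped.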


@@ -0,0 +1,35 @@
title: Powershell Timestomp
ruletype: Sigma
author: frack113
date: 2021/08/03
description: Adversaries may modify file time attributes to hide new or changes to
existing files. Timestomping is a technique that modifies the timestamps of a file
(the modify, access, create, and change times), often to mimic files that are in
the same folder.
detection:
SELECTION_1:
ScriptBlockText:
- '*.CreationTime =*'
- '*.LastWriteTime =*'
- '*.LastAccessTime =*'
- '*[IO.File]::SetCreationTime*'
- '*[IO.File]::SetLastAccessTime*'
- '*[IO.File]::SetLastWriteTime*'
condition: SELECTION_1
falsepositives:
- legitime admin script
id: c6438007-e081-42ce-9483-b067fbef33c3
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.006
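Review bot: the property-assignment patterns require a space before the equals sign ('*.CreationTime =*' and the two siblings), so $f.CreationTime=$d written without spaces is not matched; patterns without the trailing " =" would cover both spellings. Set-ItemProperty -Name LastWriteTime, another documented way to set these attributes, is also absent. Minor: falsepositives "legitime admin script" should read "legitimate admin script".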


@@ -0,0 +1,34 @@
title: Powershell Trigger Profiles by Add_Content
ruletype: Sigma
author: frack113
date: 2021/08/18
description: Adversaries may gain persistence and elevate privileges by executing
malicious content triggered by PowerShell profiles.
detection:
SELECTION_1:
ScriptBlockText: '*Add-Content*'
SELECTION_2:
ScriptBlockText: '*$profile*'
SELECTION_3:
ScriptBlockText: '*-Value*'
SELECTION_4:
ScriptBlockText:
- '*Start-Process*'
- '*""*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.013
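Review bot: SELECTION_4 is effectively always true: '*""*' (an empty double-quoted string) appears in a large share of ordinary scripts, and it is OR-ed with '*Start-Process*', so in practice the condition reduces to Add-Content + $profile + -Value; remove '*""*' or replace it with a token that actually characterises the payload. The tags list attack.privilege_escalation only, while the description leads with persistence; add attack.persistence, which is the primary tactic of T1546.013.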


@@ -0,0 +1,37 @@
title: Windows PowerShell Web Request
ruletype: Sigma
author: James Pemberton / @4A616D6573
date: 2019/10/24
description: Detects the use of various web request methods (including aliases) via
Windows PowerShell command
detection:
SELECTION_1:
ScriptBlockText:
- '*Invoke-WebRequest*'
- '*iwr *'
- '*wget *'
- '*curl *'
- '*Net.WebClient*'
- '*Start-BitsTransfer*'
condition: SELECTION_1
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
id: 1139d2e2-84b1-4226-b445-354492eba8ba
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,34 @@
title: Windows Firewall Profile Disabled
ruletype: Sigma
author: Austin Songer @austinsonger
date: 2021/10/12
description: Detects when a user disables the Windows Firewall via a Profile to help
evade defense.
detection:
SELECTION_1:
ScriptBlockText: '*Set-NetFirewallProfile*'
SELECTION_2:
ScriptBlockText: '*-Profile*'
SELECTION_3:
ScriptBlockText: '*-Enabled*'
SELECTION_4:
ScriptBlockText: '*False*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: 488b44e7-3781-4a71-888d-c95abfacf44d
level: high
logsource:
category: ps_script
product: windows
modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.004
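Review bot: SELECTION_3 '*-Enabled*' and SELECTION_4 '*False*' are matched independently, so Set-NetFirewallProfile -Profile Domain -Enabled True -AllowInboundRules False also fires (the False belongs to another parameter); a single pattern '*-Enabled False*', plus the colon form '*-Enabled:False*', would be both tighter and simpler. The logsource is missing the definition line used by the other rules, and falsepositives "Unknown" should at least name host-hardening or lab-setup scripts that disable a profile deliberately.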


@@ -0,0 +1,36 @@
title: Winlogon Helper DLL
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff
as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry
entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\
and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage
additional helper programs and functionalities that support Winlogon. Malicious
modifications to these Registry keys may cause Winlogon to load and execute malicious
DLLs and/or executables.
detection:
SELECTION_1:
ScriptBlockText: '*CurrentVersion\Winlogon*'
SELECTION_2:
ScriptBlockText:
- '*Set-ItemProperty*'
- '*New-Item*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md
status: experimental
tags:
- attack.persistence
- attack.t1547.004
- attack.t1004
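Review bot: the registry paths in the description lost their backslashes ("HKLM\Software[Wow6432Node]Microsoft\Windows NT\..."); the key is HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\, and the description should be corrected so analysts do not copy a wrong path. The tags carry attack.t1004, which MITRE deprecated in favour of attack.t1547.004, already listed; drop it. '*New-Item*' in SELECTION_2 creates keys, while the Winlogon helper entries are values, so New-ItemProperty, the cmdlet that creates a value, belongs in the list beside Set-ItemProperty.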


@@ -0,0 +1,36 @@
title: Powershell WMI Persistence
ruletype: Sigma
author: frack113
date: 2021/08/19
description: Adversaries may establish persistence and elevate privileges by executing
malicious content triggered by a Windows Management Instrumentation (WMI) event
subscription.
detection:
SELECTION_1:
ScriptBlockText: '*New-CimInstance *'
SELECTION_2:
ScriptBlockText: '*-Namespace root/subscription *'
SELECTION_3:
ScriptBlockText: '*-Property *'
SELECTION_4:
ScriptBlockText: '*-ClassName __EventFilter *'
SELECTION_5:
ScriptBlockText: '*-ClassName CommandLineEventConsumer *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and (SELECTION_4 or SELECTION_5))
falsepositives:
- Unknown
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
level: medium
logsource:
category: ps_script
definition: EnableScriptBlockLogging must be set to enable
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
status: experimental
tags:
- attack.privilege_escalation
- attack.t1546.003
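Review bot: the second reference points at Empire's Persistence.psm1, but that module builds the subscription with Set-WmiInstance rather than New-CimInstance, and the namespace is at least as often written root\subscription with a backslash; the rule matches neither the cited reference nor that spelling. Add '*Set-WmiInstance*' to SELECTION_1 and both namespace spellings to SELECTION_2, and consider '*__FilterToConsumerBinding*' next to __EventFilter and CommandLineEventConsumer, since the binding is the step that makes the subscription live.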


@@ -0,0 +1,45 @@
title: WMImplant Hack Tool
ruletype: Sigma
author: NVISO
date: 2020/03/26
description: Detects parameters used by WMImplant
detection:
SELECTION_1:
ScriptBlockText:
- '*WMImplant*'
- '* change_user *'
- '* gen_cli *'
- '* command_exec *'
- '* disable_wdigest *'
- '* disable_winrm *'
- '* enable_wdigest *'
- '* enable_winrm *'
- '* registry_mod *'
- '* remote_posh *'
- '* sched_job *'
- '* service_mod *'
- '* process_kill *'
- '* active_users *'
- '* basic_info *'
- '* power_off *'
- '* vacant_system *'
- '* logon_events *'
condition: SELECTION_1
falsepositives:
- Administrative scripts that use the same keywords.
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
level: high
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/FortyNorthSecurity/WMImplant
status: experimental
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
- attack.t1086


@@ -0,0 +1,31 @@
title: Root Certificate Installed
ruletype: Sigma
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020/10/10
description: Adversaries may install a root certificate on a compromised system to
avoid warnings when connecting to adversary controlled web servers.
detection:
SELECTION_1:
ScriptBlockText: '*Cert:\LocalMachine\Root*'
SELECTION_2:
ScriptBlockText: '*Move-Item*'
SELECTION_3:
ScriptBlockText: '*Import-Certificate*'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to
test if GPO push doesn't trigger FP
id: 42821614-9264-4761-acfc-5772c3286f76
level: medium
logsource:
category: ps_script
definition: Script block logging must be enabled
product: windows
modified: 2021/12/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1553.004
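Review bot: the falsepositives entry ends with a working note ("Need to test if GPO push doesn't trigger FP") that should not ship in rule metadata; resolve it before merging or move it to the PR discussion. The description could also state that this rule covers only the PowerShell route into Cert:\LocalMachine\Root, with other installers (certutil, for instance) being a process_creation matter.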