Feature/rm submodule (#312)

* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
Author: itiB
Date: 2021-12-20 21:14:32 +09:00
Committed by: GitHub
Parent: 1aebdca160
Commit: 83d891b2fa
1196 changed files with 46186 additions and 4 deletions

View File

@@ -0,0 +1,31 @@
title: Alternate PowerShell Hosts
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/11
description: Detects alternate PowerShell hosts potentially bypassing detections looking
for powershell.exe
detection:
SELECTION_1:
ContextInfo: '*'
SELECTION_2:
ContextInfo: '*powershell.exe*'
condition: (SELECTION_1 and not (SELECTION_2))
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
id: 64e8e417-c19a-475a-8d19-98ea705394cc
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
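Review bot: the `tags` list carries the retired ATT&CK id `attack.t1086` next to its successor `attack.t1059.001`; T1086 was deprecated into T1059.001, so keeping both only adds noise to tag-based filtering. Worth stating in `description` that SELECTION_1 (`ContextInfo: '*'`) is a match-anything guard, so the rule fires on every module-logging event whose ContextInfo does not mention powershell.exe; the listed false positives (Citrix ConfigSync.ps1, MSP searchers) are inherent to that design rather than edge cases.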

View File

@@ -0,0 +1,41 @@
title: Bad Opsec Powershell Code Artifacts
ruletype: Sigma
author: ok @securonix invrep_de, oscd.community
date: 2020/10/09
description: Focuses on trivial artifacts observed in variants of prevalent offensive
ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire,
Powersploit, and other attack payloads that often undergo minimal changes by attackers
due to bad opsec.
detection:
SELECTION_1:
Payload:
- '*$DoIt*'
- '*harmj0y*'
- '*mattifestation*'
- '*_RastaMouse*'
- '*tifkin_*'
- '*0xdeadbeef*'
condition: SELECTION_1
falsepositives:
- Moderate-to-low; Despite the shorter length/lower entropy for some of these, because
of high specificity, fp appears to be fairly limited in many environments.
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
level: critical
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
- https://www.mdeditor.tw/pl/pgRt
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
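Review bot: `'*0xdeadbeef*'` in SELECTION_1 is a common placeholder constant in benign code and test scripts, unlike the handle-derived markers around it, and at `level: critical` a single substring hit is enough to page someone; consider dropping it from this rule or requiring it together with one of the other markers. The `falsepositives` entry is a prose paragraph rather than the short items used elsewhere in this PR, and the rule again tags the retired `attack.t1086` beside `attack.t1059.001`.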

View File

@@ -0,0 +1,40 @@
title: Clear PowerShell History
ruletype: Sigma
author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2019/10/25
description: Detects keywords that could indicate clearing PowerShell history
detection:
SELECTION_1:
Payload:
- '*del*'
- '*Remove-Item*'
- '*rm*'
SELECTION_2:
Payload: '*(Get-PSReadlineOption).HistorySavePath*'
SELECTION_3:
Payload: '*Set-PSReadlineOption*'
SELECTION_4:
Payload: '*HistorySaveStyle*'
SELECTION_5:
Payload: '*SaveNothing*'
condition: ((SELECTION_1 and SELECTION_2) or (SELECTION_3 and SELECTION_4 and SELECTION_5))
falsepositives:
- Legitimate PowerShell scripts
id: f99276ad-d122-4989-a09a-d00904a5f9d2
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
related:
- id: dfba4ce1-e0ea-495f-986e-97140f31af2d
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.003
- attack.t1146
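Review bot: SELECTION_1's `'*rm*'` and `'*del*'` are unanchored substrings that also match inside unrelated tokens (for example `Format` or `PermissionDenied`), so they add almost no specificity on top of SELECTION_2; a `Payload|re` with word boundaries such as `\b(rm|del|Remove-Item)\b` keeps the intent without the noise. The tags also carry the retired `attack.t1146` next to its replacement `attack.t1070.003`.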

View File

@@ -0,0 +1,30 @@
title: PowerShell Decompress Commands
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for specific decompress commands in PowerShell logs.
This could be an adversary decompressing files.
detection:
SELECTION_1:
Payload: '*Expand-Archive*'
condition: SELECTION_1
falsepositives:
- unknown
id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
level: informational
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/8
- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
related:
- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1140

View File

@@ -0,0 +1,30 @@
title: PowerShell Get Clipboard
ruletype: Sigma
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for the Get-Clipboard commands in PowerShell logs.
This could be an adversary capturing clipboard contents.
detection:
SELECTION_1:
Payload: '*Get-Clipboard*'
condition: SELECTION_1
falsepositives:
- unknown
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
related:
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
type: derived
status: experimental
tags:
- attack.collection
- attack.t1115

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation CLIP+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/13
description: Detects Obfuscated use of Clip.exe to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"
condition: SELECTION_1
falsepositives:
- Unknown
id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
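Review bot: the regex in SELECTION_1 is case-sensitive (no `(?i)` flag, unlike the COMPRESS and RUNDLL rules in this PR), so `CMD /C ... CLIP` spellings slip past even though cmd.exe itself is case-insensitive; add the flag. The leading `.*` is redundant for an unanchored search and only adds backtracking on long Payload values.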

View File

@@ -0,0 +1,43 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
ruletype: Sigma
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
description: Detects all variations of obfuscated powershell IEX invocation code generated
by Invoke-Obfuscation framework from the following code block — https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
detection:
SELECTION_1:
Payload|re: \$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[
SELECTION_2:
Payload|re: \$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[
SELECTION_3:
Payload|re: \$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[
SELECTION_4:
Payload|re: \$env:ComSpec\[(\s*\d{1,3}\s*,){2}
SELECTION_5:
Payload|re: \\\\*mdr\\\\*\W\s*\)\.Name
SELECTION_6:
Payload|re: \$VerbosePreference\.ToString\(
SELECTION_7:
Payload|re: \String\]\s*\$VerbosePreference
condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7)
falsepositives:
- Unknown
id: 2f211361-7dce-442d-b78a-c04039677378
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1086
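Review bot: SELECTION_7 `\String\]` looks like a typo for `\[String\]`: `\S` is the non-whitespace class, so as written the pattern accepts any non-space character before `tring]` and never requires the opening bracket. Style: the Out-ObfuscatedStringCommand.ps1 URL belongs under a `references:` key rather than inline in `description` (this is the only rule in the PR without one), and the tags again include the retired `attack.t1086`.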

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation STDIN+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of stdin to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"
condition: SELECTION_1
falsepositives:
- Unknown
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
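Review bot: same gap as the CLIP+ launcher rule: the regex has no `(?i)`, so `POWERSHELL` or `NoExit` spellings are missed, and the leading `.*` is unnecessary for an unanchored search.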

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR+ Launcher
ruletype: Sigma
author: Jonathan Cheong, oscd.community
date: 2020/10/15
description: Detects Obfuscated use of Environment Variables to execute PowerShell
detection:
SELECTION_1:
Payload|re: .*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
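Review bot: `(?:\s|)` in the regex is an empty alternation and reads as a typo; `\s?` is the idiomatic form. The pattern is also case-sensitive (no `(?i)`), so `SET` variants of the launcher are not matched.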

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
detection:
SELECTION_1:
Payload|re: (?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend
condition: SELECTION_1
falsepositives:
- unknown
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
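Review bot: `level: medium` here differs from the `high` used by the sibling Invoke-Obfuscation rules in this PR without an explanation; if the lower level is deliberate (DeflateStream/StreamReader readers are common in legitimate scripts), say so in `falsepositives` instead of leaving it at `unknown`.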

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
detection:
SELECTION_1:
Payload|re: (?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: a23791fe-8846-485a-b16b-ca691e1b03d4
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
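Review bot: `(?:\s+)?` in the regex is just `\s*`; simplify. This rule overlaps with the later "Invoke-Obfuscation Via Use Rundll32" rule (same `rundll32 ... shell32.dll ... shellexec_rundll ... powershell` sequence) yet carries `level: medium` where that one is `high`; the two should either be merged or their levels reconciled.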

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Stdin
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/12
description: Detects Obfuscated Powershell via Stdin in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"
condition: SELECTION_1
falsepositives:
- Unknown
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Clip
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/09
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*
condition: SELECTION_1
falsepositives:
- Unknown
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use MSHTA
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2020/10/08
description: Detects Obfuscated Powershell via use MSHTA in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
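Review bot: typo in `logsource.definition`: `enabledd` should be `enabled` (the same typo recurs in the VAR++ LAUNCHER, RemoteFXvGPUDisablement and Zip A Folder rules of this PR).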

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation Via Use Rundll32
ruletype: Sigma
author: Nikita Nazarov, oscd.community
date: 2019/10/08
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
detection:
SELECTION_1:
Payload|re: (?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"
condition: SELECTION_1
falsepositives:
- Unknown
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
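Review bot: `date: 2019/10/08` looks off by a year; the other oscd.community rules by the same author that cite the same sigma issue 1009 are dated 2020/10. The regex also overlaps with the RUNDLL LAUNCHER rule earlier in this PR (`rundll32 ... shell32\.dll ... shellexec_rundll ... powershell`) at a different level.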

View File

@@ -0,0 +1,30 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
ruletype: Sigma
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
detection:
SELECTION_1:
Payload|re: (?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c
condition: SELECTION_1
falsepositives:
- Unknown
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/Neo23x0/sigma/issues/1009
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1027
- attack.execution
- attack.t1059.001
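Review bot: typo in `logsource.definition`: `enabledd` should be `enabled`.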

View File

@@ -0,0 +1,30 @@
title: Netcat The Powershell Version
ruletype: Sigma
author: frack113
date: 2021/07/21
description: Adversaries may use a non-application layer protocol for communication
between host and C2 server or among infected hosts within a network
detection:
SELECTION_1:
ContextInfo:
- '*powercat *'
- '*powercat.ps1*'
condition: SELECTION_1
falsepositives:
- Unknown
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
status: experimental
tags:
- attack.command_and_control
- attack.t1095
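Review bot: the `description` is the generic ATT&CK T1095 text and never mentions what SELECTION_1 actually matches, which is the powercat tool (`powercat ` / `powercat.ps1` in ContextInfo); an analyst reading the alert should see that in the description, not only in the references.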

View File

@@ -0,0 +1,31 @@
title: Remote PowerShell Session
ruletype: Sigma
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects remote PowerShell sessions
detection:
SELECTION_1:
ContextInfo: '* = ServerRemoteHost *'
SELECTION_2:
ContextInfo: '*wsmprovhost.exe*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate use remote PowerShell sessions
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
level: high
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabled
product: windows
modified: 2021/10/16
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
status: test
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
- attack.lateral_movement
- attack.t1021.006
- attack.t1028
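Review bot: the tags include two retired ATT&CK ids, `attack.t1086` (now T1059.001) and `attack.t1028` (now T1021.006), alongside their successors; drop the old ones. Minor grammar in `falsepositives`: "Legitimate use of remote PowerShell sessions".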

View File

@@ -0,0 +1,38 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
ruletype: Sigma
author: frack113
date: 2021/07/13
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable
that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
detection:
SELECTION_1:
ContextInfo: '*Invoke-ATHRemoteFXvGPUDisablementCommand *'
SELECTION_2:
ContextInfo:
- '*-ModuleName *'
- '*-ModulePath *'
- '*-ScriptBlock *'
- '*-RemoteFXvGPUDisablementFilePath*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Unknown
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
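Review bot: the `fields` list (`CommandLine`, `ParentCommandLine`) names process-creation fields, but this rule is `category: ps_module` and matches on `ContextInfo`; the fields shown to the analyst should be the ones this log source carries. Typo in `logsource.definition`: `enabledd`. The `description` only explains what RemoteFXvGPUDisablement.exe is; it should also say that the rule looks for the Invoke-ATHRemoteFXvGPUDisablementCommand harness invocation.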

View File

@@ -0,0 +1,35 @@
title: Zip A Folder With PowerShell For Staging In Temp
ruletype: Sigma
author: frack113
date: 2021/07/20
description: Use living off the land tools to zip a file and stage it in the Windows
temporary folder for later exfiltration
detection:
SELECTION_1:
ContextInfo: '*Compress-Archive *'
SELECTION_2:
ContextInfo: '* -Path *'
SELECTION_3:
ContextInfo: '* -DestinationPath *'
SELECTION_4:
ContextInfo: '*$env:TEMP\\*'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Unknown
id: daf7eb81-35fd-410d-9d7a-657837e602bb
level: medium
logsource:
category: ps_module
definition: PowerShell Module Logging must be enabledd
product: windows
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
tags:
- attack.collection
- attack.t1074.001
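Review bot: typo in `logsource.definition`: `enabledd`. SELECTION_4 `'*$env:TEMP\\*'` only matches the variable spelled literally this way; `${env:TEMP}`, `$env:TMP` or an already expanded `\AppData\Local\Temp\` path will not trigger, which is worth noting in `falsepositives` or widening with a second pattern.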

View File

@@ -0,0 +1,30 @@
title: Suspicious PowerShell Download
ruletype: Sigma
author: Florian Roth
date: 2017/03/05
description: Detects suspicious PowerShell download command
detection:
SELECTION_1:
ContextInfo: '*System.Net.WebClient*'
SELECTION_2:
ContextInfo:
- '*.DownloadFile(*'
- '*.DownloadString(*'
condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- PowerShell scripts that download content from the Internet
id: de41232e-12e8-49fa-86bc-c05c7e722df9
level: medium
logsource:
category: ps_module
product: windows
modified: 2021/10/18
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
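Review bot: `logsource` has no `definition:` line, unlike the other ps_module rules in this PR; add "PowerShell Module Logging must be enabled" for consistency. The tags again carry the retired `attack.t1086`.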

View File

@@ -0,0 +1,38 @@
title: Suspicious PowerShell Invocations - Generic
ruletype: Sigma
author: Florian Roth (rule)
date: 2017/03/12
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ContextInfo:
- '* -enc *'
- '* -EncodedCommand *'
SELECTION_2:
ContextInfo:
- '* -w hidden *'
- '* -window hidden *'
- '* -windowstyle hidden *'
SELECTION_3:
ContextInfo:
- '* -noni *'
- '* -noninteractive *'
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
level: high
logsource:
category: ps_module
product: windows
modified: 2021/12/02
related:
- id: 3d304fda-78aa-43ed-975c-d740798a49c1
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
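Review bot: every pattern is space-padded on both sides (`'* -noni *'`, `'* -enc *'`), so a parameter that ends the recorded command line, which is common for `-noni`, never matches; the same applies to parameters followed by a tab or newline. As in the other rules, `attack.t1086` is the retired id for `attack.t1059.001`, and `logsource` lacks the `definition:` line used elsewhere.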

View File

@@ -0,0 +1,95 @@
title: Suspicious PowerShell Invocations - Specific
ruletype: Sigma
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
description: Detects suspicious PowerShell invocation command parameters
detection:
SELECTION_1:
ContextInfo: '*-nop*'
SELECTION_10:
ContextInfo: '* -c *'
SELECTION_11:
ContextInfo: '*iex*'
SELECTION_12:
ContextInfo: '*New-Object*'
SELECTION_13:
ContextInfo: '* -w *'
SELECTION_14:
ContextInfo: '*hidden*'
SELECTION_15:
ContextInfo: '*-ep*'
SELECTION_16:
ContextInfo: '*bypass*'
SELECTION_17:
ContextInfo: '*-Enc*'
SELECTION_18:
ContextInfo: '*powershell*'
SELECTION_19:
ContextInfo: '*reg*'
SELECTION_2:
ContextInfo: '* -w *'
SELECTION_20:
ContextInfo: '*add*'
SELECTION_21:
ContextInfo: '*HKCU\software\microsoft\windows\currentversion\run*'
SELECTION_22:
ContextInfo: '*bypass*'
SELECTION_23:
ContextInfo: '*-noprofile*'
SELECTION_24:
ContextInfo: '*-windowstyle*'
SELECTION_25:
ContextInfo: '*hidden*'
SELECTION_26:
ContextInfo: '*new-object*'
SELECTION_27:
ContextInfo: '*system.net.webclient*'
SELECTION_28:
ContextInfo: '*.download*'
SELECTION_29:
ContextInfo: '*iex*'
SELECTION_3:
ContextInfo: '*hidden*'
SELECTION_30:
ContextInfo: '*New-Object*'
SELECTION_31:
ContextInfo: '*Net.WebClient*'
SELECTION_32:
ContextInfo: '*.Download*'
SELECTION_4:
ContextInfo: '* -c *'
SELECTION_5:
ContextInfo: '*[Convert]::FromBase64String*'
SELECTION_6:
ContextInfo: '* -w *'
SELECTION_7:
ContextInfo: '*hidden*'
SELECTION_8:
ContextInfo: '*-noni*'
SELECTION_9:
ContextInfo: '*-nop*'
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7 and SELECTION_8 and SELECTION_9 and SELECTION_10
and SELECTION_11 and SELECTION_12) or (SELECTION_13 and SELECTION_14 and SELECTION_15
and SELECTION_16 and SELECTION_17) or (SELECTION_18 and SELECTION_19 and SELECTION_20
and SELECTION_21) or (SELECTION_22 and SELECTION_23 and SELECTION_24 and SELECTION_25
and SELECTION_26 and SELECTION_27 and SELECTION_28) or (SELECTION_29 and SELECTION_30
and SELECTION_31 and SELECTION_32))
falsepositives:
- Penetration tests
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
level: high
logsource:
category: ps_module
definition: Script block logging must be enabled
product: windows
modified: 2021/10/18
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: derived
status: experimental
tags:
- attack.execution
- attack.t1059.001
- attack.t1086
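Review bot: `logsource.definition` says "Script block logging must be enabled" while `category` is `ps_module` and every other rule in this PR says "PowerShell Module Logging must be enabled"; one of the two is wrong. The flattened selections also contain many duplicates (SELECTION_2/6/13 are all `'* -w *'`, SELECTION_3/7/14/25 are all `'*hidden*'`, SELECTION_11/29 are `'*iex*'`, SELECTION_12/30 `'*New-Object*'`, SELECTION_1/9 `'*-nop*'`), which makes the condition hard to audit; deduplicate before the condition grows further. `attack.t1086` is retired in favour of `attack.t1059.001`.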

View File

@@ -0,0 +1,30 @@
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
ruletype: Sigma
author: Ensar Şamil, @sblmsrsn, OSCD Community
date: 2020/10/05
description: Detects SyncAppvPublishingServer process execution which usually utilized
by adversaries to bypass PowerShell execution restrictions.
detection:
SELECTION_1:
ContextInfo: '*SyncAppvPublishingServer.exe*'
condition: SELECTION_1
falsepositives:
- App-V clients
id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
level: medium
logsource:
category: ps_module
product: windows
modified: 2021/10/18
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: experimental
tags:
- attack.defense_evasion
- attack.t1218
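Review bot: grammar in `description`: "which is usually utilized by adversaries". `logsource` lacks the `definition:` line present in the other ps_module rules of this PR.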