# Sigma rule (Hayabusa copy): fires on a PowerShell script block whose logged
# text contains the name of a Win32 API / .NET interop helper (VirtualAlloc,
# WriteProcessMemory, CreateRemoteThread, AdjustTokenPrivileges, ...) or of a
# system DLL (kernel32, ntdll, advapi32, ...). Keys are in conventional Sigma
# order; the selections are listed numerically.
title: Accessing WinAPI in PowerShell
id: 03d83090-8cba-44a0-b02f-0b756a050306
status: experimental
description: Detecting use WinAPI Functions in PowerShell
references:
  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community
date: 2020/10/06
modified: 2021/10/16
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1106
logsource:
  product: windows
  category: ps_script
  # Every selection matches on ScriptBlockText, so with script block logging
  # disabled the rule can never fire.
  definition: Script block logging must be enabled
detection:
  # Each selection is an unanchored, case-insensitive substring match on the
  # script text; the condition ORs all of them, so one hit anywhere is enough.
  # Tuning notes for defenders:
  #   - Several patterns are generic enough to appear in benign interop code
  #     ('*CloseHandle*', '*WriteByte*', '*WriteInt32*', '*PtrToString*',
  #     '*FreeHGlobal*', '*kernel32*', '*msvcrt*', '*user32*'); the Carbon
  #     module listed under falsepositives is one known source. Consider
  #     excluding known-good scripts before relying on `level: high`.
  #   - Some selections overlap: SELECTION_4 ('*OpenProcess*') already covers
  #     the OpenProcessToken of SELECTION_27, and SELECTION_8
  #     ('*CreateUserThread*') already covers the RtlCreateUserThread of
  #     SELECTION_3. Redundant but harmless.
  SELECTION_1:
    ScriptBlockText: '*WaitForSingleObject*'
  SELECTION_2:
    ScriptBlockText: '*QueueUserApc*'
  SELECTION_3:
    ScriptBlockText: '*RtlCreateUserThread*'
  SELECTION_4:
    ScriptBlockText: '*OpenProcess*'
  SELECTION_5:
    ScriptBlockText: '*VirtualAlloc*'
  SELECTION_6:
    ScriptBlockText: '*VirtualFree*'
  SELECTION_7:
    ScriptBlockText: '*WriteProcessMemory*'
  SELECTION_8:
    ScriptBlockText: '*CreateUserThread*'
  SELECTION_9:
    ScriptBlockText: '*CloseHandle*'
  SELECTION_10:
    ScriptBlockText: '*GetDelegateForFunctionPointer*'
  SELECTION_11:
    ScriptBlockText: '*CreateThread*'
  SELECTION_12:
    ScriptBlockText: '*memcpy*'
  SELECTION_13:
    ScriptBlockText: '*LoadLibrary*'
  SELECTION_14:
    ScriptBlockText: '*GetModuleHandle*'
  SELECTION_15:
    ScriptBlockText: '*GetProcAddress*'
  SELECTION_16:
    ScriptBlockText: '*VirtualProtect*'
  SELECTION_17:
    ScriptBlockText: '*FreeLibrary*'
  SELECTION_18:
    ScriptBlockText: '*ReadProcessMemory*'
  SELECTION_19:
    ScriptBlockText: '*CreateRemoteThread*'
  SELECTION_20:
    ScriptBlockText: '*AdjustTokenPrivileges*'
  SELECTION_21:
    ScriptBlockText: '*WriteByte*'
  SELECTION_22:
    ScriptBlockText: '*WriteInt32*'
  SELECTION_23:
    ScriptBlockText: '*OpenThreadToken*'
  SELECTION_24:
    ScriptBlockText: '*PtrToString*'
  SELECTION_25:
    ScriptBlockText: '*FreeHGlobal*'
  SELECTION_26:
    ScriptBlockText: '*ZeroFreeGlobalAllocUnicode*'
  SELECTION_27:
    ScriptBlockText: '*OpenProcessToken*'
  SELECTION_28:
    ScriptBlockText: '*GetTokenInformation*'
  SELECTION_29:
    ScriptBlockText: '*SetThreadToken*'
  SELECTION_30:
    ScriptBlockText: '*ImpersonateLoggedOnUser*'
  SELECTION_31:
    ScriptBlockText: '*RevertToSelf*'
  SELECTION_32:
    ScriptBlockText: '*GetLogonSessionData*'
  SELECTION_33:
    ScriptBlockText: '*CreateProcessWithToken*'
  SELECTION_34:
    ScriptBlockText: '*DuplicateTokenEx*'
  SELECTION_35:
    ScriptBlockText: '*OpenWindowStation*'
  SELECTION_36:
    ScriptBlockText: '*OpenDesktop*'
  SELECTION_37:
    ScriptBlockText: '*MiniDumpWriteDump*'
  SELECTION_38:
    ScriptBlockText: '*AddSecurityPackage*'
  SELECTION_39:
    ScriptBlockText: '*EnumerateSecurityPackages*'
  SELECTION_40:
    ScriptBlockText: '*GetProcessHandle*'
  SELECTION_41:
    ScriptBlockText: '*DangerousGetHandle*'
  SELECTION_42:
    ScriptBlockText: '*kernel32*'
  SELECTION_43:
    ScriptBlockText: '*Advapi32*'
  SELECTION_44:
    ScriptBlockText: '*msvcrt*'
  SELECTION_45:
    ScriptBlockText: '*ntdll*'
  SELECTION_46:
    ScriptBlockText: '*user32*'
  SELECTION_47:
    ScriptBlockText: '*secur32*'
  # Folded scalar: the lines are joined with single spaces into the same
  # one-line expression a plain multi-line scalar would produce.
  condition: >-
    (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20
    or SELECTION_21 or SELECTION_22 or SELECTION_23 or SELECTION_24 or SELECTION_25
    or SELECTION_26 or SELECTION_27 or SELECTION_28 or SELECTION_29 or SELECTION_30
    or SELECTION_31 or SELECTION_32 or SELECTION_33 or SELECTION_34 or SELECTION_35
    or SELECTION_36 or SELECTION_37 or SELECTION_38 or SELECTION_39 or SELECTION_40
    or SELECTION_41 or SELECTION_42 or SELECTION_43 or SELECTION_44 or SELECTION_45
    or SELECTION_46 or SELECTION_47)
falsepositives:
  - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
# NOTE(review): yml_filename / yml_path are not Sigma fields; presumably
# converter-added metadata recording where the source rule was read from, not
# used for matching — confirm against the converter that produced this file.
yml_filename: powershell_accessing_win_api.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script