80 lines
1.8 KiB
YAML
80 lines
1.8 KiB
YAML
|
|
title: Suspicious PowerShell Invocations - Specific
|
|
ruletype: Sigma
|
|
author: Florian Roth (rule), Jonhnathan Ribeiro
|
|
date: 2017/03/05
|
|
description: Detects suspicious PowerShell invocation command parameters
|
|
detection:
|
|
SELECTION_1:
|
|
- ' -w '
|
|
SELECTION_10:
|
|
- bypass
|
|
SELECTION_11:
|
|
- -Enc
|
|
SELECTION_12:
|
|
- powershell
|
|
SELECTION_13:
|
|
- reg
|
|
SELECTION_14:
|
|
- add
|
|
SELECTION_15:
|
|
- HKCU\software\microsoft\windows\currentversion\run
|
|
SELECTION_16:
|
|
- bypass
|
|
SELECTION_17:
|
|
- -noprofile
|
|
SELECTION_18:
|
|
- -windowstyle
|
|
SELECTION_19:
|
|
- hidden
|
|
SELECTION_2:
|
|
- hidden
|
|
SELECTION_20:
|
|
- new-object
|
|
SELECTION_21:
|
|
- system.net.webclient
|
|
SELECTION_22:
|
|
- .download
|
|
SELECTION_23:
|
|
- iex
|
|
SELECTION_24:
|
|
- New-Object
|
|
SELECTION_25:
|
|
- Net.WebClient
|
|
SELECTION_26:
|
|
- .Download
|
|
SELECTION_3:
|
|
- -nop
|
|
SELECTION_4:
|
|
- ' -c '
|
|
SELECTION_5:
|
|
- '[Convert]::FromBase64String'
|
|
SELECTION_6:
|
|
- -noni
|
|
SELECTION_7:
|
|
- iex
|
|
SELECTION_8:
|
|
- New-Object
|
|
SELECTION_9:
|
|
- -ep
|
|
condition: ((((SELECTION_1 and SELECTION_2 and ((SELECTION_3 and SELECTION_4 and
|
|
((SELECTION_6 and SELECTION_7 and SELECTION_8) or SELECTION_5)) or (SELECTION_9
|
|
and SELECTION_10 and SELECTION_11))) or (SELECTION_12 and SELECTION_13 and SELECTION_14
|
|
and SELECTION_15)) or (SELECTION_16 and SELECTION_17 and SELECTION_18 and SELECTION_19
|
|
and SELECTION_20 and SELECTION_21 and SELECTION_22)) or (SELECTION_23 and SELECTION_24
|
|
and SELECTION_25 and SELECTION_26))
|
|
falsepositives:
|
|
- Penetration tests
|
|
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
|
level: high
|
|
logsource:
|
|
definition: Script block logging must be enabled for 4104, Module Logging must be
|
|
enabled for 4103
|
|
product: windows
|
|
service: powershell
|
|
status: deprecated
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086
|