
Commit 587da70

fukusuket and nasbench authored
Merge PR SigmaHQ#4519 from @fukusuket - Update PowerShell Classic Rule To Use Data Field
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
update: Uncommon PowerShell Hosts
update: Delete Volume Shadow Copies Via WMI With PowerShell
update: PowerShell Downgrade Attack - PowerShell
update: PowerShell Called from an Executable Version Mismatch
update: Netcat The Powershell Version
update: Remote PowerShell Session (PS Classic)
update: Renamed Powershell Under Powershell Channel
update: Suspicious PowerShell Download
update: Use Get-NetTCPConnection
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell
update: Tamper Windows Defender - PSClassic
update: Suspicious Non PowerShell WSMAN COM Provider
update: Suspicious XOR Encoded PowerShell Command Line - PowerShell

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>
1 parent 3f8eb89 commit 587da70

14 files changed

Lines changed: 90 additions & 89 deletions

rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,27 +4,27 @@ related:
44
- id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
55
type: similar
66
status: test
7-
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
7+
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
88
references:
99
- https://twitter.com/Alh4zr3d/status/1566489367232651264
1010
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
1111
date: 2022/12/10
12-
modified: 2022/12/19
12+
modified: 2023/10/27
1313
tags:
1414
- attack.execution
1515
- attack.t1059.001
1616
logsource:
1717
product: windows
1818
category: ps_classic_start
19-
definition: fields have to be extract from event
2019
detection:
2120
selection:
22-
HostApplication|contains|all:
21+
Data|contains|all:
2322
- 'powershell'
2423
- 'nslookup'
25-
HostApplication|contains:
26-
- '-q=txt'
27-
- '-querytype=txt'
24+
- '[1]'
25+
Data|contains:
26+
- '-q=txt http'
27+
- '-querytype=txt http'
2828
condition: selection
2929
falsepositives:
3030
- Unknown
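Review bot: the new selection is considerably narrower than the old one and the `description` does not say so. Requiring `'[1]'` in the same event and changing `'-q=txt'` to `'-q=txt http'` means only the indexed cradle form from the referenced tweet matches; a variant that uses a different query switch, passes the record name without `http`, or has more than one space between the switch and the URL is no longer covered. If the narrowing is deliberate to cut noise, state that in `description` or `falsepositives`; otherwise keep the bare `'-q=txt'` / `'-querytype=txt'` entries and put `'[1]'` in a separate selection so it can be weighed on its own. Also note that `'powershell'` under `Data|contains|all` adds almost nothing now that matching runs on the whole `Data` field, since the `HostApplication=` line of a typical `ps_classic_start` event already contains that word.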

rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml

Lines changed: 15 additions & 11 deletions
@@ -1,4 +1,4 @@
1-
title: Alternate PowerShell Hosts
1+
title: Uncommon PowerShell Hosts
22
id: d7326048-328b-4d5e-98af-86e84b17c765
33
related:
44
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
@@ -9,24 +9,28 @@ references:
99
- https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
1010
author: Roberto Rodriguez @Cyb3rWard0g
1111
date: 2019/08/11
12-
modified: 2023/04/12
12+
modified: 2023/10/27
1313
tags:
1414
- attack.execution
1515
- attack.t1059.001
1616
logsource:
1717
product: windows
1818
category: ps_classic_start
19-
definition: fields have to be extract from event
2019
detection:
2120
selection:
22-
HostApplication|contains: '*'
23-
filter:
24-
# If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs
25-
- HostApplication|startswith:
26-
- 'powershell'
27-
- 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
28-
- ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
29-
condition: selection and not filter
21+
Data|contains: 'HostApplication='
22+
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
23+
filter_main_ps:
24+
Data|contains:
25+
- 'HostApplication=powershell'
26+
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
27+
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
28+
# In some cases powershell was invoked with inverted slashes
29+
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
30+
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
31+
filter_optional_citrix:
32+
Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1*'
33+
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
3034
falsepositives:
3135
- Programs using PowerShell directly without invocation of a dedicated interpreter
3236
- MSP Detection Searcher
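Review bot: with `selection` reduced to `Data|contains: 'HostApplication='`, the rule fires on every classic PowerShell start event that the filters do not exclude, so `filter_main_ps` now carries the whole false-positive burden; the `falsepositives` section should say so. Two smaller points: `Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1*'` has a trailing `*` that `contains` already implies, so drop it for consistency with the other filter entries; and the localization comment is worth completing with its consequence: on a non-English system the literal `HostApplication=` in `selection` never matches, so the rule goes silent on those hosts rather than noisy. A sentence in `description` would keep operators from assuming coverage they do not have.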

rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml

Lines changed: 4 additions & 7 deletions
@@ -7,25 +7,22 @@ references:
77
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
88
author: frack113
99
date: 2021/06/03
10-
modified: 2021/10/16
10+
modified: 2023/10/27
1111
tags:
1212
- attack.impact
1313
- attack.t1490
1414
logsource:
1515
product: windows
1616
category: ps_classic_start
17-
definition: fields have to be extract from event
1817
detection:
1918
selection:
20-
HostApplication|contains|all:
19+
Data|contains|all:
2120
- 'Get-WmiObject'
22-
- ' Win32_Shadowcopy'
23-
HostApplication|contains:
21+
- 'Win32_Shadowcopy'
22+
Data|contains:
2423
- 'Delete()'
2524
- 'Remove-WmiObject'
2625
condition: selection
27-
fields:
28-
- HostApplication
2926
falsepositives:
3027
- Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
3128
level: high
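Review bot: dropping the `fields:` block is consistent with the move to `Data`, but while this `level: high` rule is open its coverage deserves a look: the `'Get-WmiObject'` entry under `contains|all` means the CIM equivalent of the same deletion (`Get-CimInstance` / `Remove-CimInstance` against the same class) does not match at all, and nothing in the hunk covers it. Either add a second selection for the CIM cmdlets or document the gap in `description` so the high level is not read as complete coverage.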

rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml

Lines changed: 5 additions & 6 deletions
@@ -6,21 +6,20 @@ references:
66
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
77
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
88
date: 2017/03/22
9-
modified: 2022/12/02
9+
modified: 2023/10/27
1010
tags:
1111
- attack.defense_evasion
1212
- attack.execution
1313
- attack.t1059.001
1414
logsource:
1515
product: windows
1616
category: ps_classic_start
17-
definition: fields have to be extract from event
1817
detection:
1918
selection:
20-
EngineVersion|startswith: '2.'
21-
filter:
22-
HostVersion|startswith: '2.'
23-
condition: selection and not filter
19+
Data|contains: 'EngineVersion=2.'
20+
filter_main:
21+
Data|contains: 'HostVersion=2.'
22+
condition: selection and not filter_main
2423
falsepositives:
2524
- Unknown
2625
level: medium
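Review bot: the other files in this PR add a comment that the field labels inside `Data` are localized; if that holds for `HostApplication` it presumably holds for `EngineVersion=` and `HostVersion=`, which are emitted in the same block, so this rule (and the version-mismatch rule) also stops matching on non-English hosts. Add the same note here, or at least mention it under `falsepositives`, so the silent gap is documented. The translation itself is faithful: `Data|contains: 'EngineVersion=2.'` with the `HostVersion=2.` exclusion reproduces the old `startswith` logic because the `key=value` layout anchors the match.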

rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml

Lines changed: 9 additions & 9 deletions
@@ -6,23 +6,23 @@ references:
66
- https://adsecurity.org/?p=2921
77
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
88
date: 2017/03/05
9-
modified: 2022/12/25
9+
modified: 2023/10/27
1010
tags:
1111
- attack.defense_evasion
1212
- attack.execution
1313
- attack.t1059.001
1414
logsource:
1515
product: windows
1616
category: ps_classic_start
17-
definition: fields have to be extract from event
1817
detection:
19-
selection1:
20-
EngineVersion|startswith:
21-
- '2.'
22-
- '4.'
23-
- '5.'
24-
HostVersion|startswith: '3.'
25-
condition: selection1
18+
selection_engine:
19+
Data|contains:
20+
- 'EngineVersion=2.'
21+
- 'EngineVersion=4.'
22+
- 'EngineVersion=5.'
23+
selection_host:
24+
Data|contains: 'HostVersion=3.'
25+
condition: all of selection_*
2626
falsepositives:
2727
- Unknown
2828
level: high

rules/windows/powershell/powershell_classic/posh_pc_powercat.yml

Lines changed: 2 additions & 3 deletions
@@ -11,17 +11,16 @@ references:
1111
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
1212
author: frack113
1313
date: 2021/07/21
14-
modified: 2022/12/25
14+
modified: 2023/10/27
1515
tags:
1616
- attack.command_and_control
1717
- attack.t1095
1818
logsource:
1919
product: windows
2020
category: ps_classic_start
21-
definition: fields have to be extract from event
2221
detection:
2322
selection:
24-
HostApplication|contains:
23+
Data|contains:
2524
- 'powercat '
2625
- 'powercat.ps1'
2726
condition: selection

rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml

Lines changed: 4 additions & 4 deletions
@@ -9,7 +9,7 @@ references:
99
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
1010
author: Roberto Rodriguez @Cyb3rWard0g
1111
date: 2019/08/10
12-
modified: 2022/06/20
12+
modified: 2023/10/27
1313
tags:
1414
- attack.execution
1515
- attack.t1059.001
@@ -18,11 +18,11 @@ tags:
1818
logsource:
1919
product: windows
2020
category: ps_classic_start
21-
definition: fields have to be extract from event
2221
detection:
2322
selection:
24-
HostName: 'ServerRemoteHost'
25-
HostApplication|contains: 'wsmprovhost.exe'
23+
Data|contains|all:
24+
- 'HostName=ServerRemoteHost'
25+
- 'wsmprovhost.exe'
2626
condition: selection
2727
falsepositives:
2828
- Legitimate use remote PowerShell sessions

rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml

Lines changed: 12 additions & 8 deletions
@@ -6,22 +6,26 @@ references:
66
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
77
author: Harish Segar, frack113
88
date: 2020/06/29
9-
modified: 2021/10/16
9+
modified: 2023/10/27
1010
tags:
1111
- attack.execution
1212
- attack.t1059.001
1313
logsource:
1414
product: windows
1515
category: ps_classic_start
16-
definition: fields have to be extract from event
1716
detection:
1817
selection:
19-
HostName: ConsoleHost
20-
filter:
21-
HostApplication|startswith:
22-
- powershell.exe
23-
- C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
24-
condition: selection and not filter
18+
Data|contains: 'HostName=ConsoleHost'
19+
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
20+
filter_main_ps:
21+
Data|contains:
22+
- 'HostApplication=powershell'
23+
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
24+
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
25+
# In some cases powershell was invoked with inverted slashes
26+
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
27+
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
28+
condition: selection and not 1 of filter_main_*
2529
falsepositives:
2630
- Unknown
2731
level: low
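Review bot: the old filter used `startswith` on `HostApplication` with an explicit `powershell.exe`; the new `Data|contains: 'HostApplication=powershell'` excludes any host application whose name merely begins with `powershell`, with or without the extension, so the exclusion is broader than before and a renamed host whose name keeps that prefix is no longer surfaced. If the intent is to accept only the two default install paths and a bare `powershell` invocation, list the exact forms (`powershell ` and `powershell.exe`) instead of the prefix. Minor: the localization comment is copied verbatim from `posh_pc_alternate_powershell_hosts.yml`, including the typo `ammount`; fix it in both files.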

rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml

Lines changed: 3 additions & 4 deletions
@@ -9,19 +9,18 @@ references:
99
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
1010
author: Florian Roth (Nextron Systems)
1111
date: 2017/03/05
12-
modified: 2022/11/09
12+
modified: 2023/10/27
1313
tags:
1414
- attack.execution
1515
- attack.t1059.001
1616
logsource:
1717
product: windows
1818
category: ps_classic_start
19-
definition: fields have to be extract from event
2019
detection:
2120
selection_webclient:
22-
HostApplication|contains: 'Net.WebClient'
21+
Data|contains: 'Net.WebClient'
2322
selection_download:
24-
HostApplication|contains:
23+
Data|contains:
2524
- '.DownloadFile('
2625
- '.DownloadString('
2726
condition: all of selection_*

rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml

Lines changed: 2 additions & 3 deletions
@@ -6,17 +6,16 @@ references:
66
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
77
author: frack113
88
date: 2021/12/10
9-
modified: 2022/12/25
9+
modified: 2023/10/27
1010
tags:
1111
- attack.discovery
1212
- attack.t1049
1313
logsource:
1414
product: windows
1515
category: ps_classic_start
16-
definition: fields have to be extract from event
1716
detection:
1817
selection:
19-
HostApplication|contains: Get-NetTCPConnection
18+
Data|contains: 'Get-NetTCPConnection'
2019
condition: selection
2120
falsepositives:
2221
- Unknown
