From 0d04b469f77815e6d99d121c46cad8a1e3b68964 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 7 Oct 2021 07:40:53 +0200 Subject: [PATCH 1/9] order powershell_classic --- .../powershell_classic_alternate_powershell_hosts.yml | 0 .../{ => powershell_classic}/powershell_classic_powercat.yml | 0 .../powershell_classic_remote_powershell_session.yml | 0 .../powershell_classic_susp_athremotefxvgpudisablementcommand.yml | 0 .../powershell_classic_susp_zip_compress.yml | 0 .../powershell_classic_suspicious_download.yml | 0 .../powershell_delete_volume_shadow_copies.yml | 0 .../{ => powershell_classic}/powershell_downgrade_attack.yml | 0 .../{ => powershell_classic}/powershell_exe_calling_ps.yml | 0 .../{ => powershell_classic}/powershell_renamed_powershell.yml | 0 .../powershell_tamper_with_windows_defender.yml | 0 .../powershell_wsman_com_provider_no_powershell.yml | 0 .../{ => powershell_classic}/powershell_xor_commandline.yml | 0 .../{ => powershell_script}/powershell_accessing_win_api.yml | 0 14 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_alternate_powershell_hosts.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_powercat.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_remote_powershell_session.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_susp_zip_compress.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_classic_suspicious_download.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_delete_volume_shadow_copies.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_downgrade_attack.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_exe_calling_ps.yml (100%) rename rules/windows/powershell/{ => 
powershell_classic}/powershell_renamed_powershell.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_tamper_with_windows_defender.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_wsman_com_provider_no_powershell.yml (100%) rename rules/windows/powershell/{ => powershell_classic}/powershell_xor_commandline.yml (100%) rename rules/windows/powershell/{ => powershell_script}/powershell_accessing_win_api.yml (100%) diff --git a/rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_alternate_powershell_hosts.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_alternate_powershell_hosts.yml diff --git a/rules/windows/powershell/powershell_classic_powercat.yml b/rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_powercat.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_powercat.yml diff --git a/rules/windows/powershell/powershell_classic_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_remote_powershell_session.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_remote_powershell_session.yml 
diff --git a/rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_susp_athremotefxvgpudisablementcommand.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_susp_athremotefxvgpudisablementcommand.yml diff --git a/rules/windows/powershell/powershell_classic_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_susp_zip_compress.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_susp_zip_compress.yml diff --git a/rules/windows/powershell/powershell_classic_suspicious_download.yml b/rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml similarity index 100% rename from rules/windows/powershell/powershell_classic_suspicious_download.yml rename to rules/windows/powershell/powershell_classic/powershell_classic_suspicious_download.yml diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml similarity index 100% rename from rules/windows/powershell/powershell_delete_volume_shadow_copies.yml rename to rules/windows/powershell/powershell_classic/powershell_delete_volume_shadow_copies.yml diff --git a/rules/windows/powershell/powershell_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml similarity index 100% rename from rules/windows/powershell/powershell_downgrade_attack.yml rename to rules/windows/powershell/powershell_classic/powershell_downgrade_attack.yml 
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml similarity index 100% rename from rules/windows/powershell/powershell_exe_calling_ps.yml rename to rules/windows/powershell/powershell_classic/powershell_exe_calling_ps.yml diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml similarity index 100% rename from rules/windows/powershell/powershell_renamed_powershell.yml rename to rules/windows/powershell/powershell_classic/powershell_renamed_powershell.yml diff --git a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml similarity index 100% rename from rules/windows/powershell/powershell_tamper_with_windows_defender.yml rename to rules/windows/powershell/powershell_classic/powershell_tamper_with_windows_defender.yml diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml similarity index 100% rename from rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml rename to rules/windows/powershell/powershell_classic/powershell_wsman_com_provider_no_powershell.yml diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml similarity index 100% rename from rules/windows/powershell/powershell_xor_commandline.yml rename to rules/windows/powershell/powershell_classic/powershell_xor_commandline.yml 
diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml similarity index 100% rename from rules/windows/powershell/powershell_accessing_win_api.yml rename to rules/windows/powershell/powershell_script/powershell_accessing_win_api.yml From fe7fbfd5fca17b13db0683f0e1fa65b635678c82 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Sat, 9 Oct 2021 09:50:49 +0200 Subject: [PATCH 2/9] order powershell_module --- .../powershell_alternate_powershell_hosts.yml | 2 +- .../powershell_bad_opsec_artifacts.yml | 20 ++++++---------- .../powershell_clear_powershell_history.yml | 24 +++++-------------- .../powershell_decompress_commands.yml | 13 +++++----- .../powershell_get_clipboard.yml | 13 +++++----- .../powershell_invoke_obfuscation_clip.yml | 15 ++++++------ ...hell_invoke_obfuscation_obfuscated_iex.yml | 21 ++++++---------- .../powershell_invoke_obfuscation_stdin.yml | 14 +++++------ .../powershell_invoke_obfuscation_var.yml | 15 ++++++------ ...rshell_invoke_obfuscation_via_compress.yml | 15 ++++++------ ...wershell_invoke_obfuscation_via_rundll.yml | 15 ++++++------ ...owershell_invoke_obfuscation_via_stdin.yml | 14 +++++------ ...rshell_invoke_obfuscation_via_use_clip.yml | 14 +++++------ ...shell_invoke_obfuscation_via_use_mhsta.yml | 15 ++++++------ ...ll_invoke_obfuscation_via_use_rundll32.yml | 15 ++++++------ .../powershell_invoke_obfuscation_via_var.yml | 16 ++++++------- .../powershell_powercat.yml | 0 .../powershell_remote_powershell_session.yml | 2 +- ...susp_athremotefxvgpudisablementcommand.yml | 0 .../powershell_susp_zip_compress.yml | 18 ++++++-------- 20 files changed, 119 insertions(+), 142 deletions(-) rename rules/windows/powershell/{ => powershell_module}/powershell_alternate_powershell_hosts.yml (94%) rename rules/windows/powershell/{ => powershell_module}/powershell_bad_opsec_artifacts.yml (73%) rename rules/windows/powershell/{ => powershell_module}/powershell_clear_powershell_history.yml (58%) rename rules/windows/powershell/{ => powershell_module}/powershell_decompress_commands.yml (70%) rename rules/windows/powershell/{ => powershell_module}/powershell_get_clipboard.yml (70%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_clip.yml (62%) rename rules/windows/powershell/{ => 
powershell_module}/powershell_invoke_obfuscation_obfuscated_iex.yml (59%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_stdin.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_var.yml (61%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_compress.yml (61%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_rundll.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_stdin.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_clip.yml (64%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_mhsta.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_use_rundll32.yml (63%) rename rules/windows/powershell/{ => powershell_module}/powershell_invoke_obfuscation_via_var.yml (62%) rename rules/windows/powershell/{ => powershell_module}/powershell_powercat.yml (100%) rename rules/windows/powershell/{ => powershell_module}/powershell_remote_powershell_session.yml (90%) rename rules/windows/powershell/{ => powershell_module}/powershell_susp_athremotefxvgpudisablementcommand.yml (100%) rename rules/windows/powershell/{ => powershell_module}/powershell_susp_zip_compress.yml (63%) diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml similarity index 94% rename from rules/windows/powershell/powershell_alternate_powershell_hosts.yml rename to rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml index d3ce9723..fb409b13 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows service: powershell - definition: ModuleLogging must be enable + definition: Module Logging must be enable detection: selection: EventID: 4103 diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml similarity index 73% rename from rules/windows/powershell/powershell_bad_opsec_artifacts.yml rename to rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml index 64bc41c2..dcb92bd0 100644 --- a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml @@ -1,5 +1,8 @@ title: Bad Opsec Powershell Code Artifacts -id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 +id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86 +related: + - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 + type: derived description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. status: experimental references: @@ -8,7 +11,7 @@ references: - https://www.mdeditor.tw/pl/pgRt author: 'ok @securonix invrep_de, oscd.community' date: 2020/10/09 -modified: 2020/10/09 +modified: 2021/10/07 tags: - attack.execution - attack.t1059.001 @@ -16,17 +19,8 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103 + definition: Module Logging must be enable detection: - selection_4104: - EventID: 4104 - ScriptBlockText|contains: - - '$DoIt' - - 'harmj0y' - - 'mattifestation' - - '_RastaMouse' - - 'tifkin_' - - '0xdeadbeef' selection_4103: EventID: 4103 Payload|contains: 
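Review bot: The new `definition:` line in the powershell_alternate_powershell_hosts.yml hunk reads `Module Logging must be enable`, which is ungrammatical; it should be `definition: Module Logging must be enabled`. The same wording is introduced in the powershell_bad_opsec_artifacts.yml hunk below and in the clear_powershell_history, decompress_commands, get_clipboard, invoke_obfuscation_clip, obfuscated_iex, stdin, var, via_compress, via_rundll, via_stdin, via_use_clip and via_use_rundll32 hunks, while the via_use_mhsta hunk writes `must be enabled`, so the patch leaves two spellings of the same logsource definition. Since this field documents the prerequisite for EventID 4103 to exist at all, a single consistent sentence naming the event is more useful to whoever deploys the rules: `definition: Module Logging (EventID 4103) must be enabled`.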
@@ -36,7 +30,7 @@ detection: - '_RastaMouse' - 'tifkin_' - '0xdeadbeef' - condition: selection_4104 or selection_4103 + condition: selection_4103 falsepositives: - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' level: critical diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml similarity index 58% rename from rules/windows/powershell/powershell_clear_powershell_history.yml rename to rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml index 430e9305..fb57e960 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml @@ -1,5 +1,8 @@ title: Clear PowerShell History -id: dfba4ce1-e0ea-495f-986e-97140f31af2d +id: f99276ad-d122-4989-a09a-d00904a5f9d2 +related: + - id: dfba4ce1-e0ea-495f-986e-97140f31af2d + type: derived status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 @@ -14,22 +17,8 @@ tags: logsource: product: windows service: powershell - definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - selection_2: - ScriptBlockText|contains: - - 'del' - - 'Remove-Item' - - 'rm' - ScriptBlockText|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' - selection_3: - ScriptBlockText|contains|all: - - 'Set-PSReadlineOption' - - '–HistorySaveStyle' - - 'SaveNothing' selection_4: EventID: 4103 selection_5: 
@@ -44,8 +33,7 @@ detection: - 'Set-PSReadlineOption' - '–HistorySaveStyle' - 'SaveNothing' - condition: selection_1 and ( selection_2 or selection_3 ) or - selection_4 and ( selection_5 or selection_6 ) + condition: selection_4 and ( selection_5 or selection_6 ) falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml similarity index 70% rename from rules/windows/powershell/powershell_decompress_commands.yml rename to rules/windows/powershell/powershell_module/powershell_decompress_commands.yml index 19028f6a..e30c7fe3 100644 --- a/rules/windows/powershell/powershell_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml @@ -1,8 +1,12 @@ title: PowerShell Decompress Commands -id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 +id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5 +related: + - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09 + type: derived description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. status: experimental date: 2020/05/02 +modified: 2021/10/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -13,15 +17,12 @@ references: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection1: - EventID: 4104 - ScriptBlockText|contains: 'Expand-Archive' selection2: EventID: 4103 Payload|contains: 'Expand-Archive' - condition: selection1 or selection2 + condition: selection2 falsepositives: - unknown level: informational \ No newline at end of file 
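Review bot: The `'–HistorySaveStyle'` context line in the clear_powershell_history.yml hunk `@@ -44,8 +33,7 @@` contains an en dash (U+2013) rather than an ASCII hyphen, at least as printed here; if that is what the file holds and not an extraction artifact, a `contains|all` match on it will not match the ordinary `-HistorySaveStyle` spelling, and the new condition `selection_4 and ( selection_5 or selection_6 )` now rests entirely on these 4103 selections. PowerShell accepts typographic dashes as parameter prefixes, so the existing literal is not wrong, only too narrow; dropping the dash, `- 'HistorySaveStyle'`, covers both forms without weakening the `contains|all` pairing with `'Set-PSReadlineOption'`. The selection header that owns this list starts above the hunk.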
diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml similarity index 70% rename from rules/windows/powershell/powershell_get_clipboard.yml rename to rules/windows/powershell/powershell_module/powershell_get_clipboard.yml index 542c432c..2902ece6 100644 --- a/rules/windows/powershell/powershell_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml @@ -1,8 +1,12 @@ title: PowerShell Get Clipboard -id: 5486f63a-aa4c-488d-9a61-c9192853099f +id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 +related: + - id: 5486f63a-aa4c-488d-9a61-c9192853099f + type: derived description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. status: experimental date: 2020/05/02 +modified: 2021/10/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -13,15 +17,12 @@ references: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection1: - EventID: 4104 - ScriptBlockText|contains: 'Get-Clipboard' selection2: EventID: 4103 Payload|contains: 'Get-Clipboard' - condition: selection1 or selection2 + condition: selection2 falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml similarity index 62% rename from rules/windows/powershell/powershell_invoke_obfuscation_clip.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml index 45c57fa3..a203d470 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml @@ -1,9 +1,13 @@ title: Invoke-Obfuscation CLIP+ Launcher -id: 73e67340-0d25-11eb-adc1-0242ac120002 +id: a136cde0-61ad-4a61-9b82-8dc490e60dd2 +related : + - id: 73e67340-0d25-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml similarity index 59% rename from rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml index 94164d37..2dcd9ad2 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml 
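Review bot: The added `related :` line in the invoke_obfuscation_clip.yml hunk `@@ -1,9 +1,13 @@` has a space before the colon, unlike every other file in this patch, which writes `related:`. YAML still parses the key, but the odd spelling may trip string-based tooling or a strict linter in the repository, and it reads as a typo. Change it to `related:` so the new metadata block is identical across the moved rules.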
@@ -1,10 +1,13 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation -id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 +id: 2f211361-7dce-442d-b78a-c04039677378 +related: + - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 + type: derived description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888" status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2020/08/24 +modified: 2021/10/07 tags: - attack.defense_evasion - attack.t1027 @@ -14,18 +17,8 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - selection_2: - - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' - - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}' - - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - - ScriptBlockText|re: '\$VerbosePreference\.ToString\(' - - ScriptBlockText|re: '\String\]\s*\$VerbosePreference' selection_3: EventID: 4103 selection_4: @@ -36,7 +29,7 @@ detection: - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name' - Payload|re: '\$VerbosePreference\.ToString\(' - Payload|re: '\String\]\s*\$VerbosePreference' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + condition: selection_3 and selection_4 falsepositives: - Unknown level: high 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml similarity index 63% rename from rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml index a8b5d343..d531c87e 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation STDIN+ Launcher -id: 779c8c12-0eb1-11eb-adc1-0242ac120002 +id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 +related: + - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml similarity index 61% rename from rules/windows/powershell/powershell_invoke_obfuscation_var.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml index f8476262..6f187cfb 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var.yml 
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation VAR+ Launcher -id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 +id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e +related: + - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 + type: derived description: Detects Obfuscated use of Environment Variables to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community @@ -14,15 +17,11 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103 -detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - selection_2: + definition: Module Logging must be enable + selection_4103: EventID: 4103 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml similarity index 61% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml index 165d13d2..e4f1400c 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml 
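Review bot: The invoke_obfuscation_var.yml hunk `@@ -14,15 +17,11 @@` deletes the `detection:` line together with selection_1, so on the new side `selection_4103:` and `condition:` follow `definition:` directly and the rule no longer has a detection section; the header's line counts (15 old, 11 new) confirm the key is gone, whereas every sibling hunk in this patch keeps it. Depending on the surviving indentation the two keys either nest under `logsource:` or become top-level, and either way the rule will not load. Reinsert `detection:` between `definition: Module Logging must be enable` and `selection_4103:`, matching the other rules.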
@@ -1,9 +1,13 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION -id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 +id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 +related: + - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: 1 of them + condition: selection_4103 falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml index e47cf4f4..82369978 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml 
@@ -1,9 +1,13 @@ title: Invoke-Obfuscation RUNDLL LAUNCHER -id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 +id: a23791fe-8846-485a-b16b-ca691e1b03d4 +related: + - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 + type: derived description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: @@ -14,15 +18,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml index 330912c9..15c1e5cd 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation Via Stdin -id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 +id: c72aca44-8d52-45ad-8f81-f96c4d3c755e +related: + - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 + type: derived description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community 
@@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml similarity index 64% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml index 30749fc4..482721a0 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml @@ -1,5 +1,8 @@ title: Invoke-Obfuscation Via Use Clip -id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 +id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd +related: + - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 + type: derived description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community 
@@ -14,15 +17,12 @@ tags: logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Module Logging must be enable detection: - selection_1: - EventID: 4104 - ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - selection_2: + selection_4103: EventID: 4103 Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: 1 of them + condition: selection_4103 falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml similarity index 63% rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml index ceaab349..ab47039d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -1,9 +1,13 @@ title: Invoke-Obfuscation Via Use MSHTA -id: e55a5195-4724-480e-a77e-3ebe64bd3759 +id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb +related: + - id: e55a5195-4724-480e-a77e-3ebe64bd3759 + type: derived description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/08 +modified: 2021/10/07 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: 
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enabled
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
similarity index 63%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
index 445355bc..deee26ed 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -1,9 +1,13 @@
 title: Invoke-Obfuscation Via Use Rundll32
-id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+related:
+ - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+ type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009
 tags:
@@ -14,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enable
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
- condition: 1 of them
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
similarity index 62%
rename from rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml
rename to rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
index 60a0fe2b..06d3381a 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -1,10 +1,13 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: e54f5149-6ba3-49cf-b153-070d24679126
+id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
+related:
+ - id: e54f5149-6ba3-49cf-b153-070d24679126
+ type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/07/15
+modified: 2021/10/07
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -15,15 +18,12 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+ definition: Module Logging must be enabled
 detection:
- selection_1:
- EventID: 4104
- ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- selection_2:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
- condition: selection_1 or selection_2
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powercat.yml
rename to rules/windows/powershell/powershell_module/powershell_powercat.yml
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
similarity index 90%
rename from rules/windows/powershell/powershell_remote_powershell_session.yml
rename to rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
index 146af6e5..c7795387 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable and fields have to be extract from event
+ definition: Module Logging must be enable
 detection:
 selection:
 EventID: 4103
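Review bot: The shortened `definition` in the remote_powershell_session hunk drops the clause `fields have to be extract from event`, which presumably told operators that the 4103 selection below depends on fields parsed out of the event rather than on the raw payload; once removed, nothing in the rule states that prerequisite. If the requirement still holds, keep it in corrected form, e.g. `    definition: Module Logging must be enabled and the relevant fields have to be extracted from the event`. The selection fields that would confirm this lie past the end of the hunk.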
diff --git a/rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
similarity index 100%
rename from rules/windows/powershell/powershell_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
diff --git a/rules/windows/powershell/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
similarity index 63%
rename from rules/windows/powershell/powershell_susp_zip_compress.yml
rename to rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index 98f882e4..ab97eb0d 100644
--- a/rules/windows/powershell/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -1,9 +1,12 @@
 title: Zip A Folder With PowerShell For Staging In Temp
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+related:
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+ related: derived
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/09/30
+modified: 2021/10/09
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -13,7 +16,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
@@ -22,14 +25,7 @@ detection:
 - ' -Path '
 - ' -DestinationPath '
 - '$env:TEMP\'
- selection_4104:
- EventID: 4104
- ScriptBlockText|contains|all:
- - 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
- condition: selection_4103 or selection_4104
+ condition: selection_4103
 falsepositives:
 - Unknown
 level: medium
From 9b0f744f75ec6c1d2c5043d527cfe7db1a40692c Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 09:57:45 +0200
Subject: [PATCH 3/9] order powershell_script
---
 ...ke_obfuscation_clip_in_scriptblocktext.yml | 26 +++++++++++++++
 ...tion_obfuscated_iex_in_scriptblocktext.yml | 32 +++++++++++++++++++
 ...e_obfuscation_stdin_in_scriptblocktext.yml | 26 +++++++++++++++
 ...oke_obfuscation_var_in_scriptblocktext.yml | 26 +++++++++++++++
 ...cation_via_compress_in_scriptblocktext.yml | 26 +++++++++++++++
 ...uscation_via_rundll_in_scriptblocktext.yml | 26 +++++++++++++++
 ...fuscation_via_stdin_in_scriptblocktext.yml | 26 +++++++++++++++
 ...cation_via_use_clip_in_scriptblocktext.yml | 26 +++++++++++++++
 ...ation_via_use_mhsta_in_scriptblocktext.yml | 26 +++++++++++++++
 ...on_via_use_rundll32_in_scriptblocktext.yml | 26 +++++++++++++++
 ...obfuscation_via_var_in_scriptblocktext.yml | 26 +++++++++++++++
 ...l_susp_zip_compress_in_scriptblocktext.yml | 28 ++++++++++++++++
 12 files changed, 320 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
 create mode 100644 
rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..3d0f3df1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
new file mode 100644
index 00000000..3e4126e7
--- /dev/null
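Review bot: The `ScriptBlockText|re` pattern of the new CLIP+ Launcher rule carries no `(?i)` prefix, unlike the other script-block rules created in this commit (COMPRESS, RUNDLL, Via Stdin, Via Use Clip/MSHTA/Rundll32, VAR++), so on a backend whose `re` modifier is case-sensitive a `CMD /C` or `Clip.EXE` spelling of the same launcher is not matched; the STDIN+ and VAR+ Launcher rules that follow have the same gap. Prefixing the three patterns with `(?i)` would align them with their siblings. Separately, this file and the STDIN+, VAR+ and COMPRESS files are committed without a trailing newline (`\ No newline at end of file`), which the other new rules do have.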
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -0,0 +1,32 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+status: experimental
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+modified: 2021/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+ - attack.t1086 #an old one
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_1:
+ EventID: 4104
+ selection_2:
+ - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+ - ScriptBlockText|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+ - ScriptBlockText|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+ - ScriptBlockText|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+ - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
+ - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
+ - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
+ condition: selection_1 and selection_2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..2cb8ef01
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml
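Review bot: The last `selection_2` entry, `'\String\]\s*\$VerbosePreference'`, uses `\S`, which is the non-whitespace character class, so the pattern means "any non-space character followed by `tring]`" rather than the literal `String]`; it still fires on `[String]` but also on any other token ending in `tring]`. If the `[String]` cast is what is meant, `'\[String\]\s*\$VerbosePreference'` states that exactly. The `attack.t1086` tag is carried into this freshly created file with the comment `#an old one` even though `attack.t1059.001` is already present, which is worth a second look before the file lands.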
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..c0460b5f
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..3151cae7
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection_4104
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
new file mode 100644
index 00000000..b17ab890
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml
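Review bot: `falsepositives` in the new COMPRESS OBFUSCATION rule is written `- unknown`, while every other rule created in this commit uses `- Unknown`; the one-character change `    - Unknown` keeps the new files uniform and avoids a spurious difference when the set is diffed or linted later.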
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
new file mode 100644
index 00000000..c2b5f127
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Stdin
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
new file mode 100644
index 00000000..9205a254
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use Clip
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
new file mode 100644
index 00000000..d6455878
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
new file mode 100644
index 00000000..516fc3fc
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
new file mode 100644
index 00000000..cec226f8
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml
@@ -0,0 +1,26 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: e54f5149-6ba3-49cf-b153-070d24679126
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/10/07
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script block logging must be enabled
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
new file mode 100644
index 00000000..1073d0a1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml
@@ -0,0 +1,28 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/10/09
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+ - attack.collection
+ - attack.t1074.001
+logsource:
+ product: windows
+ service: powershell
+ definition: Script Block Logging must be enable
+detection:
+ selection_4104:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Compress-Archive '
+ - ' -Path '
+ - ' -DestinationPath '
+ - '$env:TEMP\'
+ condition: selection_4104
+falsepositives:
+ - Unknown
+level: medium
From 41d098b253859826b007edf7940b2f2127778723 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 09:59:21 +0200
Subject: [PATCH 4/9] fix yml error
---
 .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_via_stdin.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index a203d470..604505ae 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -1,6 +1,6 @@
 title: Invoke-Obfuscation CLIP+ Launcher
 id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
-related :
+related:
 - id: 73e67340-0d25-11eb-adc1-0242ac120002
 type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index 15c1e5cd..65fff0f1 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -19,7 +19,7 @@ logsource:
 service: powershell
 definition: Module Logging must be enable
 detection:
- selection_4103:
+ selection_4103:
 EventID: 4103
 Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
 condition: selection_4103
From 77749510b72ff2c3fb9f2f4d3b3879b55f6d5c74 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 10:01:40 +0200
Subject: [PATCH 5/9] fix yml
---
 ...ell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
index 3e4126e7..687ea802 100644
--- a/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml
@@ -26,7 +26,7 @@ detection:
 - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
 - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
 - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
- condition: selection_1 and selection_2
+ condition: selection_1 and selection_2
 falsepositives:
 - Unknown
 level: high
From 5c68c42058b88bb830af394a4c2bd2ff99aa28b8 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 9 Oct 2021 10:30:36 +0200
Subject: [PATCH 6/9] order powershell_script
---
 .../powershell_module/powershell_invoke_obfuscation_var.yml | 1 +
 .../powershell_module/powershell_susp_zip_compress.yml | 2 +-
 .../{ => powershell_script}/powershell_adrecon_execution.yml | 0
 .../{ => powershell_script}/powershell_automated_collection.yml | 0
 .../powershell_cl_invocation_lolscript.yml | 0
 .../powershell_cl_invocation_lolscript_count.yml | 0
 .../powershell_cl_mutexverifiers_lolscript.yml | 0
 .../powershell_cl_mutexverifiers_lolscript_count.yml | 0
 .../{ => powershell_script}/powershell_create_local_user.yml | 0
 .../{ => powershell_script}/powershell_data_compressed.yml | 0
 .../{ => powershell_script}/powershell_detect_vm_env.yml | 0
 .../{ => powershell_script}/powershell_dnscat_execution.yml | 0
 .../{ => powershell_script}/powershell_icmp_exfiltration.yml | 0
 .../{ => powershell_script}/powershell_invoke_nightmare.yml | 0
 .../{ => powershell_script}/powershell_keylogging.yml | 0
 .../powershell_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_malicious_keywords.yml | 0
 .../powershell_memorydump_getstoragediagnosticinfo.yml | 0
 .../powershell_nishang_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_ntfs_ads_access.yml | 0
 .../powershell_powerview_malicious_commandlets.yml | 0
 .../{ => powershell_script}/powershell_prompt_credentials.yml | 0
 .../powershell/{ => powershell_script}/powershell_psattack.yml | 0
 .../{ => powershell_script}/powershell_shellcode_b64.yml | 0
 .../powershell_shellintel_malicious_commandlets.yml | 0
 .../powershell_store_file_in_alternate_data_stream.yml | 0
 .../powershell_suspicious_export_pfxcertificate.yml | 0
 .../powershell_suspicious_getprocess_lsass.yml | 0
 .../{ => powershell_script}/powershell_suspicious_keywords.yml | 0
 .../powershell_suspicious_mail_acces.yml | 0
 .../powershell_suspicious_mounted_share_deletion.yml | 0
 .../{ => powershell_script}/powershell_suspicious_recon.yml | 0
.../powershell_suspicious_win32_pnpentity.yml | 0
 .../powershell/{ => powershell_script}/powershell_timestomp.yml | 0
 .../{ => powershell_script}/powershell_trigger_profiles.yml | 0
 .../{ => powershell_script}/powershell_web_request.yml | 0
 .../{ => powershell_script}/powershell_winlogon_helper_dll.yml | 0
 .../{ => powershell_script}/powershell_wmi_persistence.yml | 0
 .../powershell/{ => powershell_script}/powershell_wmimplant.yml | 0
 39 files changed, 2 insertions(+), 1 deletion(-)
 rename rules/windows/powershell/{ => powershell_script}/powershell_adrecon_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_automated_collection.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_invocation_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_cl_mutexverifiers_lolscript_count.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_create_local_user.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_data_compressed.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_detect_vm_env.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_dnscat_execution.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_icmp_exfiltration.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_invoke_nightmare.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_keylogging.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_malicious_keywords.yml (100%)
 rename rules/windows/powershell/{ 
=> powershell_script}/powershell_memorydump_getstoragediagnosticinfo.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_nishang_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_ntfs_ads_access.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_powerview_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_prompt_credentials.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_psattack.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellcode_b64.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_shellintel_malicious_commandlets.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_store_file_in_alternate_data_stream.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_export_pfxcertificate.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_getprocess_lsass.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_keywords.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mail_acces.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_mounted_share_deletion.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_recon.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_suspicious_win32_pnpentity.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_timestomp.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_trigger_profiles.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_web_request.yml (100%)
 rename rules/windows/powershell/{ => powershell_script}/powershell_winlogon_helper_dll.yml (100%)
 rename 
rules/windows/powershell/{ => powershell_script}/powershell_wmi_persistence.yml (100%)
rename rules/windows/powershell/{ => powershell_script}/powershell_wmimplant.yml (100%)
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index 6f187cfb..e47caf11 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -18,6 +18,7 @@ logsource:
 product: windows
 service: powershell
 definition: Module Logging must be enable
+detection:
 selection_4103:
 EventID: 4103
 Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index ab97eb0d..26753203 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -2,7 +2,7 @@ title: Zip A Folder With PowerShell For Staging In Temp
 id: daf7eb81-35fd-410d-9d7a-657837e602bb
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- related: derived
+ type: derived
 status: experimental
 author: frack113
 date: 2021/07/20
diff --git a/rules/windows/powershell/powershell_adrecon_execution.yml b/rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_adrecon_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_adrecon_execution.yml
diff --git a/rules/windows/powershell/powershell_automated_collection.yml b/rules/windows/powershell/powershell_script/powershell_automated_collection.yml
similarity index 100%
rename from rules/windows/powershell/powershell_automated_collection.yml
rename to rules/windows/powershell/powershell_script/powershell_automated_collection.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_invocation_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript.yml
diff --git a/rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
similarity index 100%
rename from rules/windows/powershell/powershell_cl_mutexverifiers_lolscript_count.yml
rename to rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
diff --git a/rules/windows/powershell/powershell_create_local_user.yml b/rules/windows/powershell/powershell_script/powershell_create_local_user.yml
similarity index 100%
rename from rules/windows/powershell/powershell_create_local_user.yml
rename to rules/windows/powershell/powershell_script/powershell_create_local_user.yml
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_script/powershell_data_compressed.yml
similarity index 100%
rename from rules/windows/powershell/powershell_data_compressed.yml
rename to rules/windows/powershell/powershell_script/powershell_data_compressed.yml
diff --git a/rules/windows/powershell/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
similarity index 100%
rename from rules/windows/powershell/powershell_detect_vm_env.yml
rename to rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
similarity index 100%
rename from rules/windows/powershell/powershell_dnscat_execution.yml
rename to rules/windows/powershell/powershell_script/powershell_dnscat_execution.yml
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
similarity index 100%
rename from rules/windows/powershell/powershell_icmp_exfiltration.yml
rename to rules/windows/powershell/powershell_script/powershell_icmp_exfiltration.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
similarity index 100%
rename from rules/windows/powershell/powershell_invoke_nightmare.yml
rename to rules/windows/powershell/powershell_script/powershell_invoke_nightmare.yml
diff --git a/rules/windows/powershell/powershell_keylogging.yml b/rules/windows/powershell/powershell_script/powershell_keylogging.yml
similarity index 100%
rename from rules/windows/powershell/powershell_keylogging.yml
rename to rules/windows/powershell/powershell_script/powershell_keylogging.yml
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_malicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_malicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
similarity index 100%
rename from rules/windows/powershell/powershell_memorydump_getstoragediagnosticinfo.yml
rename to rules/windows/powershell/powershell_script/powershell_memorydump_getstoragediagnosticinfo.yml
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
similarity index 100%
rename from rules/windows/powershell/powershell_ntfs_ads_access.yml
rename to rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_powerview_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
similarity index 100%
rename from rules/windows/powershell/powershell_prompt_credentials.yml
rename to rules/windows/powershell/powershell_script/powershell_prompt_credentials.yml
diff --git a/rules/windows/powershell/powershell_psattack.yml b/rules/windows/powershell/powershell_script/powershell_psattack.yml
similarity index 100%
rename from rules/windows/powershell/powershell_psattack.yml
rename to rules/windows/powershell/powershell_script/powershell_psattack.yml
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellcode_b64.yml
rename to rules/windows/powershell/powershell_script/powershell_shellcode_b64.yml
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
similarity index 100%
rename from rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
rename to rules/windows/powershell/powershell_script/powershell_shellintel_malicious_commandlets.yml
diff --git a/rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
similarity index 100%
rename from rules/windows/powershell/powershell_store_file_in_alternate_data_stream.yml
rename to rules/windows/powershell/powershell_script/powershell_store_file_in_alternate_data_stream.yml
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_export_pfxcertificate.yml
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_keywords.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_keywords.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mail_acces.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mail_acces.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mail_acces.yml
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_mounted_share_deletion.yml
diff --git a/rules/windows/powershell/powershell_suspicious_recon.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_recon.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_recon.yml
diff --git a/rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
similarity index 100%
rename from rules/windows/powershell/powershell_suspicious_win32_pnpentity.yml
rename to rules/windows/powershell/powershell_script/powershell_suspicious_win32_pnpentity.yml
diff --git a/rules/windows/powershell/powershell_timestomp.yml b/rules/windows/powershell/powershell_script/powershell_timestomp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_timestomp.yml
rename to rules/windows/powershell/powershell_script/powershell_timestomp.yml
diff --git a/rules/windows/powershell/powershell_trigger_profiles.yml b/rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
similarity index 100%
rename from rules/windows/powershell/powershell_trigger_profiles.yml
rename to rules/windows/powershell/powershell_script/powershell_trigger_profiles.yml
diff --git a/rules/windows/powershell/powershell_web_request.yml b/rules/windows/powershell/powershell_script/powershell_web_request.yml
similarity index 100%
rename from rules/windows/powershell/powershell_web_request.yml
rename to rules/windows/powershell/powershell_script/powershell_web_request.yml
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
similarity index 100%
rename from rules/windows/powershell/powershell_winlogon_helper_dll.yml
rename to rules/windows/powershell/powershell_script/powershell_winlogon_helper_dll.yml
diff --git a/rules/windows/powershell/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmi_persistence.yml
rename to rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
diff --git a/rules/windows/powershell/powershell_wmimplant.yml b/rules/windows/powershell/powershell_script/powershell_wmimplant.yml
similarity index 100%
rename from rules/windows/powershell/powershell_wmimplant.yml
rename to rules/windows/powershell/powershell_script/powershell_wmimplant.yml
From f475b90ee336c9b8d3de5667dec3c3b4e42ce837 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Oct 2021 16:41:48 +0200
Subject: [PATCH 7/9] fix: typo in description
---
 .../powershell_module/powershell_alternate_powershell_hosts.yml | 2 +-
 .../powershell_module/powershell_bad_opsec_artifacts.yml | 2 +-
 .../powershell_module/powershell_clear_powershell_history.yml | 2 +-
 .../powershell_module/powershell_decompress_commands.yml | 2 +-
 .../powershell/powershell_module/powershell_get_clipboard.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_stdin.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_var.yml | 2 +-
 .../powershell_invoke_obfuscation_via_compress.yml | 2 +-
 .../powershell_invoke_obfuscation_via_rundll.yml | 2 +-
 .../powershell_invoke_obfuscation_via_stdin.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_via_var.yml | 2 +-
 .../powershell/powershell_module/powershell_powercat.yml | 2 +-
 .../powershell_module/powershell_remote_powershell_session.yml | 2 +-
 .../powershell_susp_athremotefxvgpudisablementcommand.yml | 2 +-
 .../powershell_module/powershell_susp_zip_compress.yml | 2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
index fb409b13..7ab2c944 100644
--- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
index dcb92bd0..c5153e21 100644
--- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -19,7 +19,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
index fb57e960..48f64acc 100644
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
index e30c7fe3..d1c7e564 100644
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
index 2902ece6..61e99ec3 100644
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index 604505ae..a825ff6d 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index 2dcd9ad2..c94e328d 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_3:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
index d531c87e..ac820014 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index e47caf11..3fb82c2e 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
index e4f1400c..9faa95df 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
index 82369978..bff58af6 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index 65fff0f1..ef94a8c3 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
index 482721a0..6e5b5d32 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
index ab47039d..aecbcfcf 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
index deee26ed..e97a7449 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
index 06d3381a..4273a271 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml
index f024c450..3feb349e 100644
--- a/rules/windows/powershell/powershell_module/powershell_powercat.yml
+++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
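Review bot: The new line in the powershell_invoke_obfuscation_via_use_mhsta.yml hunk turns `definition: Module Logging must be enabled` into `definition: Module Logging must be enabledd`, so this "typo fix" commit introduces a typo into a file that already had the correct spelling; the same regression appears in the powershell_invoke_obfuscation_via_var.yml hunk on this line and in the powershell_susp_athremotefxvgpudisablementcommand.yml and powershell_susp_zip_compress.yml hunks on the next line. In all four, the old side already reads `enabled`, which suggests a blanket replacement of `enable` with `enabled` was applied a second time to files that did not need it. The new side of each of these four hunks should read `    definition: Module Logging must be enabled`. The following commit in this series (PATCH 8/9) rewrites the same `definition` line in all 20 files, but its hunks for these four files are not visible here, so I cannot confirm from this page that it removes the extra `d`.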
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
index c7795387..39a6161c 100644
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enable
+ definition: Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
index 214610d7..18f9e127 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_id:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index 26753203..761d66b5 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
From 2379907f26168bfaf06ebdcd6a6111486685aefd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Oct 2021 16:42:42 +0200
Subject: [PATCH 8/9] docs: extended the description by a word
---
 .../powershell_module/powershell_alternate_powershell_hosts.yml | 2 +-
 .../powershell_module/powershell_bad_opsec_artifacts.yml | 2 +-
 .../powershell_module/powershell_clear_powershell_history.yml | 2 +-
 .../powershell_module/powershell_decompress_commands.yml | 2 +-
 .../powershell/powershell_module/powershell_get_clipboard.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_obfuscated_iex.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_stdin.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_var.yml | 2 +-
 .../powershell_invoke_obfuscation_via_compress.yml | 2 +-
 .../powershell_invoke_obfuscation_via_rundll.yml | 2 +-
 .../powershell_invoke_obfuscation_via_stdin.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_clip.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_mhsta.yml | 2 +-
 .../powershell_invoke_obfuscation_via_use_rundll32.yml | 2 +-
 .../powershell_module/powershell_invoke_obfuscation_via_var.yml | 2 +-
 .../powershell/powershell_module/powershell_powercat.yml | 2 +-
 .../powershell_module/powershell_remote_powershell_session.yml | 2 +-
 .../powershell_susp_athremotefxvgpudisablementcommand.yml | 2 +-
 .../powershell_module/powershell_susp_zip_compress.yml | 2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
index 7ab2c944..0a5dc88c 100644
--- a/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
index c5153e21..dc3a6cdd 100644
--- a/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml
@@ -19,7 +19,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
index 48f64acc..63ab1d2d 100644
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
index d1c7e564..675257bd 100644
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
index 61e99ec3..58e7ce4f 100644
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -17,7 +17,7 @@ references:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection2:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
index a825ff6d..98a298b6 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index c94e328d..fe77d74d 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_3:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
index ac820014..ff0cda53 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
index 3fb82c2e..f85198cc 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
index 9faa95df..1ba4b73e 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
index bff58af6..ccbd2b9a 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
index ef94a8c3..d5715369 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
index 6e5b5d32..3c823c36 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
index aecbcfcf..791c900b 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabledd
+ definition: PowerShell Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
index e97a7449..3c12fe92 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
index 4273a271..2b78501f 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabledd
+ definition: PowerShell Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_powercat.yml b/rules/windows/powershell/powershell_module/powershell_powercat.yml
index 3feb349e..649381c9 100644
--- a/rules/windows/powershell/powershell_module/powershell_powercat.yml
+++ b/rules/windows/powershell/powershell_module/powershell_powercat.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
index 39a6161c..4bd6369c 100644
--- a/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabled
+ definition: PowerShell Module Logging must be enabled
 detection:
 selection:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
index 18f9e127..c6571b75 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabledd
+ definition: PowerShell Module Logging must be enabledd
 detection:
 selection_id:
 EventID: 4103
diff --git a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
index 761d66b5..6e9268e7 100644
--- a/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 service: powershell
- definition: Module Logging must be enabledd
+ definition: PowerShell Module Logging must be enabledd
 detection:
 selection_4103:
 EventID: 4103
From 1337116d840c6076cb1f6fa69ab1457384faaec4 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 10 Oct 2021 10:17:24 +0200
Subject: [PATCH 9/9] Cleanup selection name
---
 .../powershell_clear_powershell_history.yml | 8 ++++----
 .../powershell_module/powershell_decompress_commands.yml | 4 ++--
 .../powershell_module/powershell_get_clipboard.yml | 4 ++--
 .../powershell_invoke_obfuscation_obfuscated_iex.yml | 6 +++---
 .../powershell_cl_invocation_lolscript_count.yml | 4 ++--
 .../powershell_cl_mutexverifiers_lolscript_count.yml | 4 ++--
 .../powershell_script/powershell_detect_vm_env.yml | 2 +-
 .../powershell_script/powershell_wmi_persistence.yml | 2 +-
 8 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
index 63ab1d2d..46da86f6 100644
--- a/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml
@@ -19,21 +19,21 @@ logsource:
 service: powershell
 definition: PowerShell Module Logging must be enabled
 detection:
- selection_4:
+ selection_id:
 EventID: 4103
- selection_5:
+ selection_payload_1:
 Payload|contains:
 - 'del'
 - 'Remove-Item'
 - 'rm'
 Payload|contains|all:
 - '(Get-PSReadlineOption).HistorySavePath'
- selection_6:
+ selection_payload_2:
 Payload|contains|all:
 - 'Set-PSReadlineOption'
 - '–HistorySaveStyle'
 - 'SaveNothing'
- condition: selection_4 and ( selection_5 or selection_6 )
+ condition: selection_id and ( selection_payload_1 or selection_payload_2 )
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
diff --git a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
index 675257bd..5107fd70 100644
--- a/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/powershell_decompress_commands.yml
@@ -19,10 +19,10 @@ logsource:
 service: powershell
 definition: PowerShell Module Logging must be enabled
 detection:
- selection2:
+ selection_4103:
 EventID: 4103
 Payload|contains: 'Expand-Archive'
- condition: selection2
+ condition: selection_4103
 falsepositives:
 - unknown
 level: informational
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
index 58e7ce4f..832dab3d 100644
--- a/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/powershell_get_clipboard.yml
@@ -19,10 +19,10 @@ logsource:
 service: powershell
 definition: PowerShell Module Logging must be enabled
 detection:
- selection2:
+ selection_4103:
 EventID: 4103
 Payload|contains: 'Get-Clipboard'
- condition: selection2
+ condition: selection_4103
 falsepositives:
 - unknown
 level: medium
\ No newline at end of file
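Review bot: In the powershell_clear_powershell_history.yml hunk, the context item `- '–HistorySaveStyle'` under the renamed selection_payload_2 appears to use an en dash (U+2013) while every other pattern in the selection uses an ASCII hyphen, so a command written as `Set-PSReadlineOption -HistorySaveStyle SaveNothing` would fail the `Payload|contains|all` list and the selection would only match the dash-typed variant. The rename and the updated condition are consistent with each other, but since this commit already rewrites the selection it is the right place to change the item to `- '-HistorySaveStyle'` (or to list both spellings if the dash form is intended as well). I cannot tell from the hunk whether the dash was deliberate, so this is worth confirming against the rule's test cases.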
diff --git a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
index fe77d74d..e00f05f9 100644
--- a/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml
@@ -19,9 +19,9 @@ logsource:
 service: powershell
 definition: PowerShell Module Logging must be enabled
 detection:
- selection_3:
+ selection_id:
 EventID: 4103
- selection_4:
+ selection_payload:
 - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
 - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
 - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
@@ -29,7 +29,7 @@ detection:
 - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
 - Payload|re: '\$VerbosePreference\.ToString\('
 - Payload|re: '\String\]\s*\$VerbosePreference'
- condition: selection_3 and selection_4
+ condition: selection_id and selection_payload
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
index 246803a0..7bce506c 100644
--- a/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml
@@ -16,12 +16,12 @@ logsource:
 service: powershell
 definition: Script block logging must be enabled
 detection:
- selection2:
+ selection:
 EventID: 4104
 ScriptBlockText|contains:
 - 'CL_Invocation.ps1'
 - 'SyncInvoke'
- condition: selection2 | count(ScriptBlockText) by Computer > 2
+ condition: selection | count(ScriptBlockText) by Computer > 2
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
 # PS > SyncInvoke c:\Evil.exe
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
index cc7de5f4..ac2c9ed9 100644
--- a/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml
@@ -16,12 +16,12 @@ logsource:
 service: powershell
 definition: Script block logging must be enabled
 detection:
- selection2:
+ selection:
 EventID: 4104
 ScriptBlockText|contains:
 - 'CL_Mutexverifiers.ps1'
 - 'runAfterCancelProcess'
- condition: selection2 | count(ScriptBlockText) by Computer > 2
+ condition: selection | count(ScriptBlockText) by Computer > 2
 # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
 # PS > runAfterCancelProcess c:\Evil.exe
 falsepositives:
diff --git a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
index 7b810af9..250b71fe 100644
--- a/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml
@@ -23,7 +23,7 @@ detection:
 ScriptBlockText|contains:
 - MSAcpi_ThermalZoneTemperature
 - Win32_ComputerSystem
- condition: all of selection_*
+ condition: all of them
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
index 514bf453..03fa7e18 100644
--- a/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml
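Review bot: Changing the condition in powershell_detect_vm_env.yml from `all of selection_*` to `all of them` widens it to every key under detection, so any filter selection added later would be ANDed into the match instead of excluded, and the hunk does not show the other selections to confirm they are all named `selection_*`. Within the same commit the powershell_wmi_persistence.yml hunk moves in the opposite direction, from `all of them` to the explicit `selection_id and selection_ioc`, so the two files end up following different conventions. Keeping `condition: all of selection_*` here, or naming the selections explicitly as the other hunk does, is the safer and more consistent choice. The enclosing detection block of this rule starts outside the hunk.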
@@ -28,7 +28,7 @@ detection:
 - '-Namespace root/subscription '
 - '-ClassName CommandLineEventConsumer '
 - '-Property ' #is a variable name
- condition: all of them
+ condition: selection_id and selection_ioc
 falsepositives:
 - Unknown
 level: medium
\ No newline at end of file