Merge pull request #2131 from frack113/Powershell

Powershell order

rules/windows/powershell/powershell_module/powershell_alternate_powershell_hosts.yml

@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: ModuleLogging must be enable
+    definition: PowerShell Module Logging must be enabled
 detection:
     selection:
         EventID: 4103

rules/windows/powershell/powershell_module/powershell_bad_opsec_artifacts.yml

@@ -1,5 +1,8 @@
 title: Bad Opsec Powershell Code Artifacts
-id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
+related:
+    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
+      type: derived
 description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
 status: experimental
 references:
@@ -8,7 +11,7 @@ references:
     - https://www.mdeditor.tw/pl/pgRt
 author: 'ok @securonix invrep_de, oscd.community'
 date: 2020/10/09
-modified: 2020/10/09
+modified: 2021/10/07
 tags:
     - attack.execution
     - attack.t1059.001
@@ -16,17 +19,8 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104 , Module Logging must be enable for 4103
+    definition: PowerShell Module Logging must be enabled
 detection:
-    selection_4104:
-        EventID: 4104
-        ScriptBlockText|contains:
-            - '$DoIt'
-            - 'harmj0y'
-            - 'mattifestation'
-            - '_RastaMouse'
-            - 'tifkin_'
-            - '0xdeadbeef'
     selection_4103:
         EventID: 4103
         Payload|contains:
@@ -36,7 +30,7 @@ detection:
             - '_RastaMouse'
             - 'tifkin_'
             - '0xdeadbeef'
-    condition: selection_4104 or selection_4103
+    condition: selection_4103
 falsepositives:
     - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
 level: critical

rules/windows/powershell/powershell_module/powershell_clear_powershell_history.yml

@@ -1,5 +1,8 @@
 title: Clear PowerShell History
-id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+id: f99276ad-d122-4989-a09a-d00904a5f9d2
+related:
+    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
+      type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
 date: 2019/10/25
@@ -14,38 +17,23 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: 4104 Script block logging must be enabled , 4103 Module Logging must be enabled
+    definition: PowerShell Module Logging must be enabled
 detection:
-    selection_1:
+    selection_id:
-        EventID: 4104
-    selection_2:
-        ScriptBlockText|contains:
-            - 'del'
-            - 'Remove-Item'
-            - 'rm'
-        ScriptBlockText|contains|all:
-            - '(Get-PSReadlineOption).HistorySavePath'
-    selection_3:
-        ScriptBlockText|contains|all:
-            - 'Set-PSReadlineOption'
-            - '–HistorySaveStyle'
-            - 'SaveNothing'
-    selection_4:
         EventID: 4103
-    selection_5:
+    selection_payload_1:
         Payload|contains:
             - 'del'
             - 'Remove-Item'
             - 'rm'
         Payload|contains|all:
             - '(Get-PSReadlineOption).HistorySavePath'
-    selection_6:
+    selection_payload_2:
         Payload|contains|all:
             - 'Set-PSReadlineOption'
             - '–HistorySaveStyle'
             - 'SaveNothing'
-    condition: selection_1 and ( selection_2 or selection_3 ) or 
+    condition: selection_id and ( selection_payload_1 or selection_payload_2 ) 
-               selection_4 and ( selection_5 or selection_6 ) 
 falsepositives:
     - Legitimate PowerShell scripts
 level: medium

rules/windows/powershell/powershell_module/powershell_decompress_commands.yml

@@ -1,8 +1,12 @@
 title: PowerShell Decompress Commands
-id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
+related:
+    - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+      type: derived
 description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.defense_evasion
@@ -13,15 +17,12 @@ references:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: PowerShell Module Logging must be enabled
 detection:
-    selection1:
+    selection_4103:
-        EventID: 4104
-        ScriptBlockText|contains: 'Expand-Archive'
-    selection2:
         EventID: 4103
         Payload|contains: 'Expand-Archive'
-    condition: selection1 or selection2
+    condition: selection_4103
 falsepositives:
     - unknown
 level: informational

rules/windows/powershell/powershell_module/powershell_get_clipboard.yml

@@ -1,8 +1,12 @@
 title: PowerShell Get Clipboard
-id: 5486f63a-aa4c-488d-9a61-c9192853099f
+id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+related:
+    - id: 5486f63a-aa4c-488d-9a61-c9192853099f
+      type: derived
 description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 status: experimental
 date: 2020/05/02
+modified: 2021/10/07
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.collection
@@ -13,15 +17,12 @@ references:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: PowerShell Module Logging must be enabled
 detection:
-    selection1:
+    selection_4103:
-        EventID: 4104
-        ScriptBlockText|contains: 'Get-Clipboard'
-    selection2:
         EventID: 4103
         Payload|contains: 'Get-Clipboard'
-    condition: selection1 or selection2
+    condition: selection_4103
 falsepositives:
     - unknown
 level: medium

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_clip.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
+related:
+    - id: 73e67340-0d25-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+modified: 2021/10/07
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_obfuscated_iex.yml

@@ -0,0 +1,35 @@
+title: Invoke-Obfuscation Obfuscated IEX Invocation
+id: 2f211361-7dce-442d-b78a-c04039677378
+related:
+    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+      type: derived
+description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
+status: experimental
+author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
+date: 2019/11/08
+modified: 2021/10/07
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+    - attack.t1086  #an old one
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_id:
+        EventID: 4103
+    selection_payload:
+        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+        - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
+        - Payload|re: '\$VerbosePreference\.ToString\('
+        - Payload|re: '\String\]\s*\$VerbosePreference'
+    condition: selection_id and selection_payload
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_stdin.yml

@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
+related:
+    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+      type: derived    
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_var.yml

@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
+related:
+    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+      type: derived
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_compress.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
+related:
+    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+      type: derived
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+    condition: selection_4103
+falsepositives:
+    - unknown
+level: medium

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_rundll.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: a23791fe-8846-485a-b16b-ca691e1b03d4
+related:
+    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+      type: derived
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/10/07
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: medium

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_stdin.yml

@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Stdin
+id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
+related:
+    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+      type: derived
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_clip.yml

@@ -0,0 +1,28 @@
+title: Invoke-Obfuscation Via Use Clip
+id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
+related:
+    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+      type: derived
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+     - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_mhsta.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
+related:
+    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
+      type: derived
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+modified: 2021/10/07
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabledd
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_use_rundll32.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
+related:
+    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+      type: derived
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+modified: 2021/10/07
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabled
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_invoke_obfuscation_via_var.yml

@@ -0,0 +1,29 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
+related:
+    - id: e54f5149-6ba3-49cf-b153-070d24679126
+      type: derived
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+modified: 2021/10/07
+references:
+    - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+    - attack.defense_evasion
+    - attack.t1027
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabledd
+detection:
+    selection_4103:
+        EventID: 4103
+        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: high

rules/windows/powershell/powershell_module/powershell_powercat.yml

@@ -15,7 +15,7 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Module Logging must be enable
+    definition: PowerShell Module Logging must be enabled
 detection:
     selection:
         EventID: 4103

rules/windows/powershell/powershell_module/powershell_remote_powershell_session.yml

@@ -17,7 +17,7 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Module Logging must be enable and fields have to be extract from event
+    definition: PowerShell Module Logging must be enabled
 detection:
     selection:
         EventID: 4103 

rules/windows/powershell/powershell_module/powershell_susp_athremotefxvgpudisablementcommand.yml

@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Module Logging must be enabled
+    definition: PowerShell Module Logging must be enabledd
 detection:
     selection_id:
         EventID: 4103

rules/windows/powershell/powershell_module/powershell_susp_zip_compress.yml

@@ -0,0 +1,31 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: daf7eb81-35fd-410d-9d7a-657837e602bb
+related:
+    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+      type: derived
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/10/09
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+    - attack.collection
+    - attack.t1074.001
+logsource:
+    product: windows
+    service: powershell
+    definition: PowerShell Module Logging must be enabledd
+detection:
+    selection_4103:
+        EventID: 4103
+        ContextInfo|contains|all:
+            - 'Compress-Archive '
+            - ' -Path '
+            - ' -DestinationPath '
+            - '$env:TEMP\'
+    condition: selection_4103
+falsepositives:
+    - Unknown
+level: medium

rules/windows/powershell/powershell_script/powershell_cl_invocation_lolscript_count.yml

@@ -16,12 +16,12 @@ logsource:
     service: powershell
     definition: Script block logging must be enabled
 detection:
-    selection2:
+    selection:
         EventID: 4104
         ScriptBlockText|contains:
           - 'CL_Invocation.ps1'
           - 'SyncInvoke'
-    condition: selection2 | count(ScriptBlockText) by Computer > 2
+    condition: selection | count(ScriptBlockText) by Computer > 2
       # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
       # PS > SyncInvoke c:\Evil.exe
 falsepositives:

rules/windows/powershell/powershell_script/powershell_cl_mutexverifiers_lolscript_count.yml

@@ -16,12 +16,12 @@ logsource:
     service: powershell
     definition: Script block logging must be enabled
 detection:
-    selection2:
+    selection:
         EventID: 4104
         ScriptBlockText|contains:
           - 'CL_Mutexverifiers.ps1'
           - 'runAfterCancelProcess'
-    condition: selection2 | count(ScriptBlockText) by Computer > 2
+    condition: selection | count(ScriptBlockText) by Computer > 2
       # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
       # PS > runAfterCancelProcess c:\Evil.exe
 falsepositives:

rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml

@@ -23,7 +23,7 @@ detection:
         ScriptBlockText|contains: 
             - MSAcpi_ThermalZoneTemperature
             - Win32_ComputerSystem
-    condition: all of selection_*
+    condition: all of them
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_clip_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
+modified: 2021/10/07
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104 , Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_obfuscated_iex_in_scriptblocktext.yml

@@ -4,7 +4,7 @@ description: "Detects all variations of obfuscated powershell IEX invocation cod
 status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
-modified: 2020/08/24
+modified: 2021/10/07
 tags:
     - attack.defense_evasion
     - attack.t1027
@@ -14,7 +14,7 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
     selection_1:
         EventID: 4104
@@ -26,17 +26,7 @@ detection:
         - ScriptBlockText|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
         - ScriptBlockText|re: '\$VerbosePreference\.ToString\('
         - ScriptBlockText|re: '\String\]\s*\$VerbosePreference'
-    selection_3:
+    condition: selection_1 and selection_2
-        EventID: 4103
-    selection_4:
-        - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - Payload|re: '\\\\*mdr\\\\*\W\s*\)\.Name'
-        - Payload|re: '\$VerbosePreference\.ToString\('
-        - Payload|re: '\String\]\s*\$VerbosePreference'
-    condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 )
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_stdin_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
+modified: 2021/10/07
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_var_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe
 status: experimental
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
+modified: 2021/10/07
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104,Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_compress_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
-    condition: 1 of them
 falsepositives:
     - unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_rundll_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_stdin_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
+modified: 2021/10/07
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enable for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_clip_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
+modified: 2021/10/07
 references:
      - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_mhsta_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_use_rundll32_in_scriptblocktext.yml

@@ -4,6 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009
 tags:
@@ -14,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
-    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_invoke_obfuscation_via_var_in_scriptblocktext.yml

@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
-modified: 2021/07/15
+modified: 2021/10/07
 references:
     - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
@@ -15,15 +15,12 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
+    definition: Script block logging must be enabled
 detection:
-    selection_1:
+    selection_4104:
         EventID: 4104
         ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    selection_2:
+    condition: selection_4104
-        EventID: 4103
-        Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
-    condition: selection_1 or selection_2
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_script/powershell_susp_zip_compress_in_scriptblocktext.yml

@@ -3,7 +3,7 @@ id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
 author: frack113
 date: 2021/07/20
-modified: 2021/09/30
+modified: 2021/10/09
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
@@ -13,15 +13,8 @@ tags:
 logsource:
     product: windows
     service: powershell
-    definition: 4103 Module Logging must be enabled , 4104 Script Block Logging must be enable
+    definition: Script Block Logging must be enable
 detection:
-    selection_4103:
-        EventID: 4103
-        ContextInfo|contains|all:
-            - 'Compress-Archive '
-            - ' -Path '
-            - ' -DestinationPath '
-            - '$env:TEMP\'
     selection_4104:
         EventID: 4104
         ScriptBlockText|contains|all:
@@ -29,7 +22,7 @@ detection:
             - ' -Path '
             - ' -DestinationPath '
             - '$env:TEMP\'
-    condition: selection_4103 or  selection_4104
+    condition: selection_4104
 falsepositives:
     - Unknown
 level: medium

rules/windows/powershell/powershell_script/powershell_wmi_persistence.yml

@@ -28,7 +28,7 @@ detection:
             - '-Namespace root/subscription '
             - '-ClassName CommandLineEventConsumer '
             - '-Property ' #is a variable name 
-    condition: all of them
+    condition: selection_id and selection_ioc
 falsepositives:
     - Unknown
 level: medium