mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
5.5 KiB
5.5 KiB
| Title | PowerShell Script Run in AppData |
|---|---|
| Description | Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Data Needed | |
| Trigger | |
| Severity Level | medium |
| False Positives |
|
| Development Status | experimental |
| References | |
| Author | Florian Roth |
Detection Rules
Sigma rule
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 # an old one
author: Florian Roth
date: 2019/01/09
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
condition: selection
falsepositives:
- Administrative scripts
level: medium
powershell
Get-WinEvent | where {($_.message -match "CommandLine.*.* /c powershell.*\\\\AppData\\\\Local\\\\.*" -or $_.message -match "CommandLine.*.* /c powershell.*\\\\AppData\\\\Roaming\\\\.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
es-qs
winlog.event_data.CommandLine.keyword:(*\\ \\/c\\ powershell*\\\\AppData\\\\Local\\\\* OR *\\ \\/c\\ powershell*\\\\AppData\\\\Roaming\\\\*)
xpack-watcher
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/ac175779-025a-4f12-98b0-acdaeb77ea85 <<EOF\n{\n "metadata": {\n "title": "PowerShell Script Run in AppData",\n "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder",\n "tags": [\n "attack.execution",\n "attack.t1059.001",\n "attack.t1086"\n ],\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "winlog.event_data.CommandLine.keyword:(*\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\* OR *\\\\ \\\\/c\\\\ powershell*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": [\n "winlogbeat-*"\n ]\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "throttle_period": "15m",\n "email": {\n "profile": "standard",\n "from": "root@localhost",\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell Script Run in AppData\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
graylog
CommandLine.keyword:(* \\/c powershell*\\\\AppData\\\\Local\\\\* * \\/c powershell*\\\\AppData\\\\Roaming\\\\*)
splunk
(CommandLine="* /c powershell*\\\\AppData\\\\Local\\\\*" OR CommandLine="* /c powershell*\\\\AppData\\\\Roaming\\\\*")
logpoint
CommandLine IN ["* /c powershell*\\\\AppData\\\\Local\\\\*", "* /c powershell*\\\\AppData\\\\Roaming\\\\*"]
grep
grep -P '^(?:.*.* /c powershell.*\\AppData\\Local\\\\.*|.*.* /c powershell.*\\AppData\\Roaming\\\\.*)'