# Sagan windows-powershell.rules
# Copyright (c) 2009-2023. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of Quadrant Information Security nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Make sure you have PowerShell logging enabled! These rules key on engine lifecycle (400), pipeline
# execution (800), module (4103) and script block (4104) events, so those channels must be collected.
# 2021/04/19 - Steven Drenning (sdrenning _AT_ quadrantsec.com)
# --- PSReadLine console history deleted or disabled (anti-forensics) ---
# Four command forms that remove the PSReadLine history file or stop it being written:
#   [1/4] del (Get-PSReadlineOption).HistorySavePath
#   [2/4] Set-PSReadlineOption -HistorySaveStyle SaveNothing
#   [3/4] Remove-Item (Get-PSReadlineOption).HistorySavePath
#   [4/4] rm (Get-PSReadlineOption).HistorySavePath
# The first content ("HistorySave") is a cheap pre-filter shared by all four; the second content is the
# exact command text. No event_id filter is applied, so these rely on program: *PowerShell* alone.
# NOTE(review): matching is case-sensitive while PowerShell cmdlet and parameter names are not, so
# "set-psreadlineoption -historysavestyle savenothing" would slip past — consider nocase.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell History Cleared Detected [1/4]"; program: *PowerShell*; content: "HistorySave"; content: "del|20 28|Get|2D|PSReadlineOption|29 2E|HistorySavePath"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009305; metadata: created_on 2022_11_22, old_sid 5005747; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell History Cleared Detected [2/4]"; program: *PowerShell*; content: "HistorySave"; content: "Set|2D|PSReadlineOption |2D|HistorySaveStyle SaveNothing"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009306; metadata: created_on 2022_11_22, old_sid 5005748; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell History Cleared Detected [3/4]"; program: *PowerShell*; content: "HistorySave"; content: "Remove|2D|Item |28|Get|2D|PSReadlineOption|29 2E|HistorySavePath";classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009307; metadata: created_on 2022_11_22, old_sid 5005749; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell History Cleared Detected [4/4]"; program: *PowerShell*; content: "HistorySave"; content: "rm |28|Get|2D|PSReadlineOption|29 2E|HistorySavePath";classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009308; metadata: created_on 2022_11_22, old_sid 5005750; rev:1;)
#--
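# --- Local account creation / admin group membership from PowerShell (script block event 4104) ---
# rev 2 for all three rules:
#  * nocase added. cmd.exe and PowerShell treat "NET USER", "/ADD" and the group name
#    case-insensitively, and the canonical group name is "Administrators" (capitalised), so the
#    case-sensitive "net localgroup administrators" missed the most common spelling.
#  * [2/3] previously required the contiguous string "net user /add", which never occurs in the
#    usual "net user <name> <password> /add" form. It now matches "net user" followed later by
#    "/add" (distance: 0), mirroring the two-content shape already used by [3/3].
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell created local user [1/3]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "New|2D|LocalUser |2D|Name"; nocase; content: "|2D|NoPassword"; nocase; distance: 0; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009309; metadata: created_on 2022_11_22, old_sid 5005751; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell created local user [2/3]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "net user"; nocase; content: "|2F|add"; nocase; distance: 0; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009310; metadata: created_on 2022_11_22, old_sid 5005752; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell created local user [3/3]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "net localgroup administrators"; nocase; content: "|2F|add"; nocase; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009311; metadata: created_on 2022_11_22, old_sid 5005753; rev:2;)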
#--
# --- dnscat2 PowerShell client started (C2 / tunnelling over DNS) ---
# Matches the "Start-Dnscat2" function name of the dnscat2-powershell client in script block
# logging (4104), case-insensitively. Hitting this is treated as critical: a DNS tunnel bypasses
# egress filtering, so the alert text asks for an immediate call-out.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] DNSCAT VPN over DNS start up detected *CRITICAL AND CALL*"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "Start|2D|Dnscat2"; nocase; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,github.com/iagox86/dnscat2; sid:5009312; metadata: created_on 2022_11_22, old_sid 5005754; rev:1;)
#--
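# --- PowerShell engine downgrade ("powershell -Version 2") ---
# Forcing an older engine sidesteps the script block logging / AMSI integration of the v5+ engine.
# Pipeline (800) and script block (4104) events both carry the command text.
# rev 2: the version constraint was written as pcre "/PowerShell |2D|Version [0-6]/". Inside a PCRE
# "|2D|" is not Sagan hex escaping but regex alternation, so that expression was
# "PowerShell " OR "2D" OR "Version [0-6]" and the [0-6] restriction never applied — the rule fired
# on any "-Version" argument, including a harmless "-Version 7". The literal "-" is now used.
# Content and pcre are also case-insensitive, since PowerShell accepts "-version"/"-VERSION" alike.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell Possible Downgrade Attempt"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 800,4104; program: *PowerShell*; content: "PowerShell |2D|Version"; nocase; pcre: "/PowerShell -Version [0-6]/i"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009313; metadata: created_on 2022_11_22, old_sid 5005755; rev:2;)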
#--
# --- Writes to HKLM\...\CurrentVersion\Winlogon from PowerShell (persistence) ---
# [1/2] Set-ItemProperty and [2/2] New-Item against any path containing "CurrentVersion\Winlogon".
# The msg names auto-logon, but the contents only check the key path plus the cmdlet, so any
# Winlogon value write (AutoAdminLogon/DefaultPassword, but also Shell/Userinit hijacks) matches.
# The two contents are unordered (no distance), so the cmdlet may appear before or after the path.
# NOTE(review): "Persistance" in the msg is a typo for "Persistence"; left as-is in case downstream
# correlation keys on the literal alert text.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] PowerShell Auto Login Enabled, Possible Persistance Attempt [1/2]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "CurrentVersion|5C|Winlogon"; content: "Set|2D|ItemProperty"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009314; metadata: created_on 2022_11_22, old_sid 5005756; rev:1;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] PowerShell Auto Login Enabled, Possible Persistance Attempt [2/2]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4104; program: *PowerShell*; content: "CurrentVersion|5C|Winlogon"; content: "New|2D|Item"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; sid:5009315; metadata: created_on 2022_11_22, old_sid 5005757; rev:1;)
# Note: a HostVersion/EngineVersion mismatch in event 400 is an IOC of a non-standard (possibly malicious) host driving the PowerShell engine.
#--
# --- HostVersion / EngineVersion mismatch (event 400, engine state Available) ---
# Event 400 reports the host that created the runspace (HostVersion) and the engine it loaded
# (EngineVersion). The stock hosts report matching versions; a mismatch points at a third-party or
# custom host (the adsecurity reference covers in-memory / injected PowerShell). One rule per
# HostVersion major (1..7). Each rule:
#   * requires "HostVersion=N",
#   * rejects an empty or same-major EngineVersion with content:!,
#   * confirms a different major with the trailing pcre (the comma inside those character classes
#     is a literal and harmless),
#   * excludes a long list of known legitimate hosts (WSMan remoting, Veeam, SolarWinds, SCOM,
#     Exchange, Citrix, VS Code, Ivanti, N-able, BizTalk, ...) — expect to extend it per site,
#   * maps .Computer into "username" so "threshold ... track by_username" limits output to one
#     alert per host per 300 s.
# NOTE(review): only the first digit of each version is compared, so e.g. HostVersion=5.1 with
# EngineVersion=5.0 does not match — deliberate, to avoid noise from minor-version skew.
# NOTE(review): [2/7] is the only rule without nocase on "ServerRemoteHost"; presumably harmless
# because that host name is emitted in fixed case, but worth aligning with the others.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched [1/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|1"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|1"; content:!"ServerRemoteHost";nocase; content:!"Veeam";nocase; content:!"wsmprovhost|2e|exe";nocase; content:!"SolarWinds|2e|APM|2e|Probes";nocase; content:!"HostName|3d|ApmPSHost";nocase; content:!"MonitoringHost|2e|exe";nocase; content:!"HostName|3d|OpsMgr";nocase; content:!"mmc|2e|exe";nocase; content:!"LegacyVSTSPowerShellHost|2e|exe";nocase; content:!"MSExchangePowerShell";nocase; content:! "JAMSHost";nocase; content:!"Citrix";nocase; content:! "Ivanti|5c 5c|Automation";nocase; content:! "PowerShellEditorServices|2e|VSCode";nocase; content:! "BigfinPSHostImplementation";nocase; content:!"dsac|2e|exe";nocase; content:!"ADMUX";nocase; content:!"WaPSHost";nocase; content:!"Ivanti Cloud Agent";nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[2-7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url, adsecurity.org/?p=2921; sid:5009316; metadata: created_on 2022_11_22, old_sid 5005758; rev:7;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched [2/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|2"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|2"; content:!"ServerRemoteHost"; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr";nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell";nocase; content:! "JAMSHost";nocase; content:!"Citrix";nocase; content:! "Ivanti|5c 5c|Automation";nocase; content:! "PowerShellEditorServices|2e|VSCode";nocase; content:! "BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe";nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1,3-7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url, adsecurity.org/?p=2921; sid:5009317; metadata: created_on 2022_11_22, old_sid 5005759; rev:6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched [3/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|3"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|3"; content:!"ServerRemoteHost"; nocase; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr"; nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell"; nocase; content:! "JAMSHost"; nocase; content:!"Citrix"; nocase; content:!"Ivanti|5c 5c|Automation"; nocase; content:!"PowerShellEditorServices|2e|VSCode"; nocase; content:!"BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe"; nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1,2,4-7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url, adsecurity.org/?p=2921; sid:5009318; metadata: created_on 2022_11_22, old_sid 5005760; rev:6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched[4/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|4"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|4"; content:!"ServerRemoteHost"; nocase; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr"; nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell"; nocase; content:! "JAMSHost"; nocase; content:!"Citrix"; nocase; content:!"Ivanti|5c 5c|Automation"; nocase; content:!"PowerShellEditorServices|2e|VSCode"; nocase; content:! "BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe"; nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1-3,5-7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url, adsecurity.org/?p=2921; sid:5009319; metadata: created_on 2022_11_22, old_sid 5005761; rev:6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched[5/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|5"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|5"; content:!"ServerRemoteHost"; nocase; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr"; nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell"; nocase; content:!"JAMSHost"; nocase; content:!"Citrix"; nocase; content:!"Ivanti|5c 5c|Automation"; nocase; content:!"PowerShellEditorServices|2e|VSCode"; nocase; content:!"BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe"; nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1-4,6,7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url, adsecurity.org/?p=2921; sid:5009320; metadata: created_on 2022_11_22, old_sid 5005762; rev:6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched[6/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|6"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|6"; content:!"ServerRemoteHost"; nocase; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr"; nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell"; nocase; content:! "JAMSHost"; nocase; content:!"Citrix"; nocase; content:!"Ivanti|5c 5c|Automation"; nocase; content:!"PowerShellEditorServices|2e|VSCode"; nocase; content:!"BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe"; nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1-5,7]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,adsecurity.org/?p=2921; sid:5009321; metadata: created_on 2022_11_22, old_sid 5005763; rev:6;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] HostVersion and EngineVersion MixMatched[7/7]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"username",".Computer"; json_map:"message",".RenderedDescription"; event_id: 400; content: "HostVersion|3D|7"; content:!"EngineVersion|3D| "; content:!"EngineVersion|3D|7"; content:!"ServerRemoteHost"; nocase; content:!"Veeam"; nocase; content:!"wsmprovhost|2e|exe"; nocase; content:!"SolarWinds|2e|APM|2e|Probes"; nocase; content:!"HostName|3d|ApmPSHost"; nocase; content:!"MonitoringHost|2e|exe"; nocase; content:!"HostName|3d|OpsMgr"; nocase; content:!"mmc|2e|exe"; nocase; content:!"LegacyVSTSPowerShellHost|2e|exe"; nocase; content:!"MSExchangePowerShell"; nocase; content:!"JAMSHost"; nocase; content:!"Citrix"; nocase; content:!"Ivanti|5c 5c|Automation"; nocase; content:!"PowerShellEditorServices|2e|VSCode"; nocase; content:!"BigfinPSHostImplementation"; nocase; content:!"dsac|2e|exe"; nocase; content:!"ADMUX"; nocase; content:!"WaPSHost"; nocase; content:!"Ivanti Cloud Agent"; nocase; content:!"N-able Technologies"; nocase; content:!"Microsoft BizTalk Server"; nocase; content:!"stealthbits"; nocase; pcre: "/EngineVersion=[1-6]/"; classtype: suspicious-traffic; threshold: type limit, track by_username, count 1, seconds 300; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,adsecurity.org/?p=2921; sid:5009322; metadata: created_on 2022_11_22, old_sid 5005764; rev:7;)
# Written by Chris Snyder for Hafnium; modified by S.D. to cover generic suspicious PowerShell activity.
# --- In-memory download cradle: IEX (New-Object Net.WebClient).downloadstring(...) ---
# Exact-spacing form of the classic cradle, case-insensitive. No event_id filter. The looser
# sid 5009333 / 5009337 rules later in this file cover spacing variations; a single cradle can
# therefore raise more than one of the three.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg: "[WINDOWS-POWERSHELL] Suspicious Download using IEX"; program: *PowerShell*; content: "IEX |28|New|2d|Object Net|2e|WebClient|29 2e|downloadstring"; nocase; classtype: bad-unknown; reference: url,fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html; sid:5009323; metadata: created_on 2022_11_22, old_sid 5005765; rev:3;)
# Good general signatures, originally written to detect the Kaseya / REvil ransomware incident.
# --- Defender network protection switched off (DisableIntrusionPreventionSystem) ---
# Any PowerShell log line carrying the parameter name. The two negations drop the Defender
# module's generated cmdlet source ("_cmdletization_defaultValueIsPresent",
# "ValidateNotNullOrEmpty"), which presumably lands in script block logging when the module
# loads and would otherwise fire on every host.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell DisableIntrusionPreventionSystem detected"; program: *PowerShell*; content: "DisableIntrusionPreventionSystem"; content: !"|5f|cmdletization|5f|defaultValueIsPresent";nocase; content:!"ValidateNotNullOrEmpty";nocase; classtype: suspicious-command; sid:5009324; metadata: created_on 2022_11_22, old_sid 5005914; rev:1;)
# Update to 5005915 (v2) designed to prevent FPs when configuring Defender via a master config file. Mod by CGoggins, pushed by sdrenning, 2022-03-06.
# --- Defender tampering via Set-MpPreference parameters ---
# 5009325 DisableScriptScanning, 5009326 Set-MpPreference + DisableRealtimeMonitoring (both case-
# insensitive), 5009327 the literal "MAPSReporting Disabled".
# Shared false-positive suppression: the generated cmdlet source of the Defender module
# ("_cmdletization_defaultValueIsPresent", "ValidateNotNullOrEmpty"), and for the first two the
# script path "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\" — scripts run
# from there are Defender's own and read these settings legitimately. 5009325 additionally drops
# the ATP DataCollection file-open snippet and the signature-version assignment seen in that code.
# NOTE(review): 5009327 only matches the enum spelling; "-MAPSReporting 0" (numeric form) is not
# covered.
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell DisableScriptScanning detected"; program: *PowerShell*; content: "DisableScriptScanning"; content: !"this.AntiVirusSignatureVersion|20 3d 20|antiVirusSignatureVersion"; content: !"|5B|System|2E|IO|2E|File|5D 3A 3A|Open|28 27|C|3A 5C|ProgramData|5C|Microsoft|5C|Windows Defender Advanced Threat Protection|5C|DataCollection|0A|"; content: !"|5f|cmdletization|5f|defaultValueIsPresent";nocase; content:!"ValidateNotNullOrEmpty";nocase; content:!"Path: C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\"; classtype: suspicious-command; sid:5009325; metadata: created_on 2022_11_22, old_sid 5005915; rev:3;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell DisableRealtimeMonitoring detected"; program: *PowerShell*; content:"Set-MpPreference"; nocase; content: "DisableRealtimeMonitoring"; nocase; content: !"|5f|cmdletization|5f|defaultValueIsPresent";nocase; content:!"ValidateNotNullOrEmpty";nocase; content:!"Path: C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\"; classtype: suspicious-command; sid:5009326; metadata: created_on 2022_11_22, old_sid 5005916; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell MAPSReporting Disabled detected"; program: *PowerShell*; content: "MAPSReporting Disabled"; content: !"|5f|cmdletization|5f|defaultValueIsPresent";nocase; content:!"ValidateNotNullOrEmpty";nocase; classtype: suspicious-command; sid:5009327; metadata: created_on 2022_11_22, old_sid 5005917; rev:1;)
# Rules written to detect export of a private key (certificate / PFX) via PowerShell; general suspicious PowerShell activity. By S. Drenning, based on IOCs from the Golden SAML attack.
# --- Certificate private-key export (Golden SAML: token-signing cert theft) ---
# [1/2] Export-PfxCertificate, [2/2] certutil -exportPFX; module (4103) and script block (4104)
# events, case-insensitive. [1/2] drops "CmdletsToExport", i.e. module manifests that merely list
# the cmdlet name.
# NOTE(review): [1/2] is declared $HOME_NET -> $HOME_NET while [2/2] and the rest of the file use
# $HOME_NET -> $EXTERNAL_NET; with the usual "any" definitions this makes no difference, but it
# looks unintentional.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Powershell Command to Export Secret Key Detected [1/2]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4103,4104; program: *PowerShell*; content: "Export|2d|PfxCertificate";nocase; content:!"CmdletsToExport"; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,sygnia.co/golden-saml-advisory; sid:5009328; metadata: created_on 2022_11_22, old_sid 5005954; rev:2;)
alert any $HOME_NET any -> $EXTERNAL_NET any (msg:"[WINDOWS-POWERSHELL] Powershell Command to Export Secret Key Detected [2/2]"; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id: 4103,4104; program: *PowerShell*; content: "certutil |2d|exportPFX";nocase; classtype: suspicious-command; reference: url,github.com/SigmaHQ/sigma/blob/master/rules/powershell; reference: url,sygnia.co/golden-saml-advisory; sid:5009329; metadata: created_on 2022_11_22, old_sid 5005955; rev:1;)
# IOCs for 5005984-5005986 developed from malware observed in the wild. sdrenning, 2022-03-06
# --- Malware-derived IOCs ---
# 5009330: "$ping = test-connection" followed within 25 bytes each by "-comp", "-count" and
#          "-Quiet" — a connectivity check seen in a specific loader; the distance/within chain
#          pins the argument order, so a reordered command will not match.
# 5009331 / 5009332: reversed-string obfuscation. The payload builds "New-Object Net.WebClient"
#          backwards ("tneilCbeW.teN ctejbO-weN", or split as 'eW.teN ct' + 'ejbO-weN(') and
#          un-reverses it with the RightToLeft regex option; "RightToLeft" is the shared pre-filter.
#          The reversed fragment is matched case-sensitively by design.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Suspicious Pingtest"; program: *PowerShell*; content:"|24|ping |3d| test|2d|connection";nocase; content:"|2d|comp"; distance: 1; within: 25; content:"|2d|count"; distance:1; within: 25; content:"|2d|Quiet";nocase; distance:1; within:25; classtype: suspicious-command; sid:5009330; metadata: created_on 2022_11_22, old_sid 5005984; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Obfuscated New-Object Command (1/2)"; program: *PowerShell*; content:"RightToLeft";nocase; content:"|27|eW.teN ct|27 20 2B 20 27|ejbO|2d|weN|28 27|";classtype: suspicious-command; sid:5009331; metadata: created_on 2022_11_22, old_sid 5005985; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Obfuscated New-Object Command (2/2)"; program: *PowerShell*; content:"RightToLeft";nocase; content:"tneilCbeW.teN ctejbO|2d|weN";classtype: suspicious-command; sid:5009332; metadata: created_on 2022_11_22, old_sid 5005986; rev:2;)
# 5006106: less specific rule to detect malicious downloads via IEX, tolerating spacing differences; augments existing rule 5005765. 5006107: rule to detect PowerShell logging of AV blocking malicious scripts. sdrenning, 2022-05-07
# 5009333: spacing-tolerant IEX download cradle — "IEX", then "New-Object", then
#          "Net.WebClient).downloadstring" in that order (distance: 1), case-insensitive.
#          A "chocolatey.org/" URL within the next 100 bytes is excluded (Chocolatey's official
#          install one-liner uses this exact cradle). Thresholded per username, 1 per hour.
# 5009334: the engine's own AMSI block message ("... malicious content ... blocked ... antivirus
#          software", in that order) — i.e. something already got stopped on this host.
#          Duplicated almost verbatim as 5009336 below; both will fire for the same event.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Suspicious Download using IEX"; program: *PowerShell*; content: "IEX"; nocase; content: "New|2d|Object"; distance: 1; nocase; content: "Net|2e|WebClient|29 2e|downloadstring"; nocase; distance: 1; content:!"chocolatey.org/"; within:100; threshold: type suppress, track by_username, count 1, seconds 3600; classtype: suspicious-command; reference: url,fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html; sid:5009333; metadata: created_on 2022_11_22, old_sid 5006106; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Anti-virus Has Blocked Malicious Content"; program: *PowerShell*; content: "malicious content"; nocase; content: "blocked"; nocase; distance:1; content: "antivirus software"; nocase; distance: 1; threshold: type suppress, track by_username, count 1, seconds 3600; classtype: bad-unknown; sid:5009334; metadata: created_on 2022_11_22, old_sid 5006107; rev:1;)
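# --- Follina / CVE-2022-30190: MSDT "ms-msdt:" URI invoking PCWDiagnostic with an IT_* parameter ---
# Three parts: the ms-msdt: protocol handler, the PCWDiagnostic troubleshooter id, and one of the
# injectable parameters (IT_RebrowseForFile / IT_LaunchMethod / IT_SelectProgram) or an
# Invoke / IEX payload. No program: restriction, so any log source carrying the URI (Office,
# Sysmon, PowerShell) can match.
# rev 2: the handler was written as "ms-msd|3a 2f|id" ("ms-msd:/id"), which is not a substring of
# the real handler "ms-msdt:/id" — the rule could never fire. It now matches "ms-msdt:" and leaves
# the "/id" vs "-id" argument spelling to the following PCWDiagnostic content.
alert any $EXTERNAL_NET any -> any any (msg: "[WINDOWS-POWERSHELL] MSDT PCWDiagnostic Call to Powershell Detected (CVE-2022-30190)"; content: "ms-msdt|3a|"; nocase; content: "PCWDiagnostic"; nocase; meta_content: "%sagan%",Invoke,IT_RebrowseForFile,IT_LaunchMethod,IT_SelectProgram,IEX; meta_nocase; classtype: suspicious-command; reference: url,www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug; sid:5009335; metadata: created_on 2022_11_22, old_sid 5006520; rev: 2;)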
#Rule written to detect AV blocking Malicious Content which was observed during a log4j event.
# Looser variant of sid 5009334: same three AMSI-block tokens, no ordering
# constraint, same msg and threshold.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Anti-virus Has Blocked Malicious Content"; program: *PowerShell*; content: "malicious content"; nocase; content: "blocked"; nocase; content: "antivirus software"; nocase; threshold: type suppress, track by_username, count 1, seconds 3600; classtype: bad-unknown; sid:5009336; metadata: created_on 2022_11_22, old_sid 5006609; rev:1;)
# Looser variant of sid 5009333: IEX + New-Object + Net.WebClient).downloadstring
# anywhere in the message, without the distance constraints or the
# chocolatey.org/ exclusion, and with the same msg.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-POWERSHELL] Suspicious Download using IEX"; program: *PowerShell*; content: "IEX"; nocase; content: "New|2d|Object"; nocase; content: "Net|2e|WebClient|29 2e|downloadstring"; nocase; threshold: type suppress, track by_username, count 1, seconds 3600; classtype: suspicious-command; reference: url,fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html; sid:5009337; metadata: created_on 2022_11_22, old_sid 5006610; rev:1;)
# From here on the rules read the Event Hub JSON: event_id from .EventID and
# the message from .RenderedDescription, restricted to PowerShell event IDs
# 400, 800, 4103 and 4104. This one pairs .NET cryptography
# (System.Security.Cryptography / .CreateKeyExchange) with a recursive
# get-childitem -Path ... -Recurse (each within 30 bytes of the previous match).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Ransomware Script Detected"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"System.Security.Cryptography"; nocase; content:".CreateKeyExchange"; nocase; content:"get-childitem"; nocase; content:"-Path"; nocase; within:30; content:"-Recurse"; within:30; reference:url,bazaar.abuse.ch/sample/565da2dc95c58ad79201ec83ca77bf0e5814b7ccefe168778b02679fd872ae40/; classtype:suspicious-command; sid:5009338; metadata: created_on 2022_11_22, old_sid 5007125; rev:1;)
# Set-ItemProperty or a query against a "\Microsoft\Windows Defender" key,
# followed within 200 bytes by one of the Disable* Defender settings.
# NOTE(review): the final content: on the "Windows Defender Advanced Threat
# Protection" script path is positive, so the rule only fires when the script
# runs from that MDE directory; sid 5009365 uses the same string negated
# (content:!) to exclude MDE's own scripts. Confirm whether "!" was intended.
# Minor: event_id lists 800 twice.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Microsoft Defender Security Registry Access"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104,800; meta_content:"%sagan%",Set-ItemProperty,query; meta_nocase; content:"\\Microsoft\\Windows Defender"; nocase; within:100; meta_content:"%sagan%",DisableRealtimeMonitoring,DisableAntiSpyware,DisableBehaviorMonitoring,DisableIOAVProtection,DisableIntrusionPreventionSystem,DisableInboundConnectionFiltering; meta_nocase; within:200; content:"Path: C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\"; reference:url,github.com/mdecrevoisier/SIGMA-detection-rules/blob/main/windows-defender/defender-critical%20security%20components%20disabled%20(PowerShell).yaml; reference:url,https://bidouillesecurity.com/disable-windows-defender-in-powershell/; classtype:suspicious-command; sid:5009339; metadata: created_on 2022_11_22, old_sid 5007126; rev:3;)
# System.Net.Sockets plus a while( loop, where the pcre ties one variable
# to .GetStream() and requires the same variable (backreference \1) to be
# used for both .Read( and .Write(. Minor: the "." in "\1.Read" and
# "\1.Write" is unescaped and so matches any character, not only a dot.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Reverse Shell Detected"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"System.Net.Sockets"; nocase; content:"while|28|"; nocase; pcre:"/(\$\w+)\s*=\s*\$\w+\.GetStream\(\).*\1.Read\(.*\1.Write\(/i"; reference:url,bazaar.abuse.ch/sample/60432d413022568476a12ceb8f9c03b5db0feecb794241a2eccf3b2f7cc4ea72/; classtype:suspicious-command; sid:5009340; metadata: created_on 2022_11_22, old_sid 5007127; rev:1;)
# "-e" followed within 30 bytes by "SQBFAFgA", which the msg identifies as the
# Base64 form of IEX. Both content: options are case-sensitive (no nocase),
# so "-E" / "-EncodedCommand" spellings of the switch are not covered; confirm
# that is intended.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] IEX Command Encoded as Base64"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"-e"; content:"SQBFAFgA"; within:30; reference:url,bazaar.abuse.ch/sample/62949e30ce539616cb75d980c8e03ce4b45a2a1f2f52cbee620e52aae5c4b9c9/; classtype:suspicious-command; sid:5009341; metadata: created_on 2022_11_22, old_sid 5007128; rev:1;)
# rundll32.exe invoked from c:\Windows\SysWow64 or \System32, followed within
# 100 bytes by a path under \AppData\, \ProgramData\ or \Public\ (|5c 5c| is
# an escaped backslash pair) - i.e. a DLL loaded from a user-writable location.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious Rundll32.exe Execution"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"c|3a|\\Windows\\%sagan%\\rundll32.exe",SysWow64,System32; meta_nocase; meta_content:"%sagan%",|5c 5c|AppData|5c 5c|,|5c 5c|ProgramData|5c 5c|,|5c 5c|Public|5c 5c|; meta_nocase; meta_distance:0; meta_within:100; reference:url,bazaar.abuse.ch/sample/2166c66f90ef87f21dc4f2b48f2b47ec3b401caca1ad068c2093fff713ef73bc/; classtype:suspicious-command; sid:5009342; metadata: created_on 2022_11_22, old_sid 5007129; rev:1;)
# Keylogger heuristics. First: a P/Invoke of user32.dll (DllImport("user32.dll)
# with GetAsyncKeyState( within 200 bytes.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Keylogger Detected"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"DllImport(|22|user32.dll"; nocase; content:"GetAsyncKeyState|28|"; nocase; within:200; reference:url,isc.sans.edu/diary/Simple+Powershell+Keyloggers+are+Back/24676; classtype:suspicious-command; sid:5009343; metadata: created_on 2022_11_22, old_sid 5007130; rev:1;)
# Second: the exact variable/function names from the referenced sample
# ($SMTPServer, $credentials, "function Start-Keylogger"), so this one is
# sample-specific and will not generalise to renamed scripts.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Keylogger Detected"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"$SMTPServer"; nocase; content:"$credentials"; nocase; content:"function Start-Keylogger"; nocase; reference:url,isc.sans.edu/diary/Simple+Powershell+Keyloggers+are+Back/24676; reference:url,bazaar.abuse.ch/sample/d43651ebd0e9e15930fae7a88faa919a509f2d90c31a196d1533fb2548b2a6e2/; classtype:suspicious-command; sid:5009344; metadata: created_on 2022_11_22, old_sid 5007131; rev:1;)
# Shellcode-in-memory heuristics: kernel32.dll + VirtualAlloc within 200
# bytes, then a pcre requiring a byte array of 200 consecutive "0x..," values.
# v1 needs the DllImport("kernel32.dll form; v2 accepts the bare strings.
# NOTE(review): both pcre patterns start with "//Byte\\[", so the first "/"
# after the delimiter is a literal slash, and there is no /i flag, so
# upper-case hex (0xFC,...) is not matched by [0-9a-f]. Confirm against a
# known sample before relying on these.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Memory Allocation and Shellcode v1"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"DllImport|28 22|kernel32.dll"; nocase; content:"VirtualAlloc|28|"; nocase; within:200; pcre:"//Byte\\[.*?=\s*(?:0x[0-9a-f]{1,2},){200}"; reference:url,bazaar.abuse.ch/sample/1373d61f65df4004490791ade8a04490db396c2e7a248f680896c524e0f5ffd5/; classtype:suspicious-command; sid:5009345; metadata: created_on 2022_11_22, old_sid 5007132; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Memory Allocation and Shellcode v2"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"kernel32.dll"; nocase; content:"VirtualAlloc"; nocase; within:200; pcre:"//Byte\\[.*?=\s*(?:0x[0-9a-f]{1,2},){200}"; reference:url,bazaar.abuse.ch/sample/0411b1c23bfb671d36136760706cf85a11af5cfd16f8de47a330a8ca915f1eef; classtype:suspicious-command; sid:5009346; metadata: created_on 2022_11_22, old_sid 5007133; rev:1;)
# Invoke-Obfuscation style variable names: ForEach-Object, -join and -split
# plus a pcre for three ${...} variables whose names are 1-3 punctuation
# characters. Minor inconsistency: "-split" has no nocase while the other
# two content: options do.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Obfuscated Variable Names Technique"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"ForEach-Object"; nocase; content:"-join"; nocase; content:"-split"; pcre:"/\${[\!\-\%\(\)\[\]\-\+\/\#\'\`]{1,3}}.*?\${[\!\-\%\(\)\[\]\-\+\/\#\'\`]{1,3}}.*?\${[\!\-\%\(\)\[\]\-\+\/\#\'\`]{1,3}}/"; reference:url,bazaar.abuse.ch/download/08ce501a984a5cb366de6a40c762738fafaed6643a3be1268e13331f0196cf46/; reference:url,github.com/danielbohannon/Invoke-Obfuscation; classtype:suspicious-command; sid:5009347; metadata: created_on 2022_11_22, old_sid 5007134; rev:1;)
# StrReverse( together with "llehSrewoP" - "PowerShell" spelled backwards.
# Companion to sid 5009352, which looks for reversed switch names.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Powershell StrReverse Obfuscation"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"StrReverse|28|"; nocase; content:"llehSrewoP"; nocase; reference:url,bazaar.abuse.ch/download/aa87d136aacebb0496371be929657834d541209ef53695e45dc0acc8b65663a7/; classtype:suspicious-command; sid:5009348; metadata: created_on 2022_11_22, old_sid 5007135; rev:1;)
# Hidden window + -Command/-c with the short aliases sv (Set-Variable) and gv
# (Get-Variable). The bare content:"sv" / "gv" strings are two-letter and
# will occur inside many ordinary words; the pcre is what narrows it.
# NOTE(review): the pcre ends in "\\-", which in PCRE is a literal backslash
# followed by "-"; if a plain "-" was meant, that should be "\-".
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious Shorten Get-Variable and Set-Variable Commands"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"Hidden"; nocase; meta_content:"%sagan%",-Command,-c; meta_nocase; content:"sv"; content:"gv"; pcre:"/sv\s\w{1,3}\s\\-/"; reference:url,tria.ge/220615-hsm8vseed2/behavioral2; classtype:suspicious-command; sid:5009349; metadata: created_on 2022_11_22, old_sid 5007136; rev:1;)
# Out-String with -Command/-c and a .docx or .lnk file name in the same
# command line. The .docx/.lnk meta_content has no meta_nocase.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible .docx or .lnk file created"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"Out-String"; nocase; meta_content:"%sagan%",-Command,-c; meta_nocase; meta_content:"%sagan%",.docx,.lnk; reference:url,tria.ge/220426-cazahsafg2/behavioral2; classtype:suspicious-command; sid:5009350; metadata: created_on 2022_11_22, old_sid 5007137; rev:1;)
# Reflection.Assembly appearing as a typed element (">Reflection.Assembly<")
# together with aspnet_compiler.exe in the same event. Both matches are
# case-sensitive.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] .NET Assembly Loaded"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:">Reflection.Assembly<"; content:"aspnet_compiler.exe"; reference:url,bazaar.abuse.ch/sample/fa74335c09c138eab6256c1fbb176aee9a8334aac65cff3bf9b602d9dc9dd554/; classtype:suspicious-command; sid:5009351; metadata: created_on 2022_11_22, old_sid 5007138; rev:1;)
# StrReverse( with the reversed spellings of "-ExecutionPolicy Bypass" and
# "-NoProfile". Companion to sid 5009348.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Powershell Options StrReverse Obfuscation"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"StrReverse|28|"; nocase; content:"ssapyB yciloPnoitucexE-"; nocase; content:"eliforPoN-"; nocase; reference:url,bazaar.abuse.ch/download/aa87d136aacebb0496371be929657834d541209ef53695e45dc0acc8b65663a7/; classtype:suspicious-command; sid:5009352; metadata: created_on 2022_11_22, old_sid 5007139; rev:1;)
# -Path pointing at a .ps1 script somewhere below c:\ProgramData.
# NOTE(review): the pcre reads "C:\\ProgramDatai\(?:[\-\w]+\)+\w+.ps1" - the
# stray "i" after ProgramData and the escaped "\(" (a literal parenthesis
# rather than a non-capturing group) mean it is unlikely to match a real
# path. The likely intent is "/C:\\ProgramData\\(?:[\-\w]+\\)+\w+\.ps1/i";
# verify against a sample before changing.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Path to ProgramData PS1 Script"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"-Path"; nocase; content:"c|3a|\\ProgramData"; nocase; pcre:"/C:\\ProgramDatai\(?:[\-\w]+\)+\w+.ps1/i"; reference:url,bazaar.abuse.ch/download/aa87d136aacebb0496371be929657834d541209ef53695e45dc0acc8b65663a7/; classtype:suspicious-command; sid:5009353; metadata: created_on 2022_11_22, old_sid 5007140; rev:1;)
# XOR-decoding loop: " -bxor " and "char" with " -join " (the latter
# case-sensitive), excluding events that mention SentinelOne (rev 2 tuning,
# from the Sigma posh_pc_xor_commandline rule).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious XOR Command"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:!"SentinelOne"; content:" -bxor "; nocase; content:"char"; nocase; content:" -join "; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml; classtype:suspicious-command; sid:5009354; metadata: created_on 2022_11_22, old_sid 5007141; rev:2;)
# Base64 prefix heuristics from Neo23x0's gist: one of the -e/-ec/-enc/
# -EncodedCommand switches followed within 100 bytes by a Base64 prefix that
# decodes to a typical PowerShell/PE/command start (JAB, TVq, SUVY, ...).
# Neither meta_content has meta_nocase, so the switch match is case-sensitive.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious Base64 Encoded Commands [2/2]"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:" -%sagan% ",e,ec,enc,EncodedCommand; meta_content:" %sagan%",JAB,TVq,SUVY,SQBFAF,SQBuAH,aWV4,aQBlA,Y21k,Qzpc,Yzpc,UEs; meta_within:100; reference:url,gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639; classtype:suspicious-command; sid:5009355; metadata: created_on 2022_11_22, old_sid 5007142; rev:2;)
# Same prefix list anchored to FromBase64String instead of the -e switch.
# NOTE(review): the range here is "within:100" after a meta_content, whereas
# sid 5009355 uses "meta_within:100"; confirm which form applies to
# meta_content in this Sagan version.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious FromBase64String Encoded Commands"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"FromBase64String"; meta_content:"%sagan%",JAB,TVq,SUVY,SQBFAF,SQBuAH,aWV4,aQBlA,Y21k,Qzpc,Yzpc,UEs; within:100; reference:url,gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639; classtype:suspicious-command; sid:5009356; metadata: created_on 2022_11_22, old_sid 5007143; rev:1;)
# Format-operator obfuscation: "{3}" followed within 20 bytes by "-f".
# NOTE(review): the pcre value contains an unescaped double quote
# ("...\\*"\s*-f/"), which may terminate the option early at load time -
# confirm the rule parses. The msg spelling "Posible" is left as-is so the
# alert name stays stable for existing consumers.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] String Format Detected - Posible Obfuscation"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"{3}"; content:"-f"; nocase; within:20; pcre:"/{\\d}{\\d}{\\d}\\*"\s*-f/"; classtype:suspicious-command; sid:5009357; metadata: created_on 2022_11_22, old_sid 5007144; rev:1;)
# WDigest UseLogonCredential - the setting that controls whether clear-text
# credentials are kept in LSASS. First rule: a "reg query" read of the HKLM\
# WDigest key; second: a Set-ItemProperty write to it. Both reference URLs
# contain literal spaces ("Enable WDigest using PowerShell"); they parse as
# part of the option, but the link is not usable as written.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Registry Query for WDigest UseLogonCredential"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"reg query"; content:"HKLM\\"; within:10; content:"WDigest"; nocase; content:"UseLogonCredential"; nocase; within:30; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; reference:url,github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/Enable WDigest using PowerShell; classtype:suspicious-command; sid:5009358; metadata: created_on 2022_11_22, old_sid 5007145; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Registry Set Value for WDigest UseLogonCredential"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"Set-ItemProperty"; nocase; content:"HKLM\\"; within:50; content:"WDigest"; nocase; content:"UseLogonCredential"; nocase; within:30; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; reference:url,github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/Enable WDigest using PowerShell; classtype:suspicious-command; sid:5009359; metadata: created_on 2022_11_22, old_sid 5007146; rev:1;)
# Invoke-RestMethod pipeline pattern "%{(IRM $_)}" within 200 bytes of an
# http:// URL, with "Invoke" nearby - a specific remote-fetch idiom seen in
# the referenced Gootloader/Cobalt Strike reports. Matches only plain http://,
# not https://.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Suspicious Invoke-RestMethod Command (IRM)"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"http://"; content:"%{(IRM $_)}"; within:200; content:"Invoke"; nocase; within:200; reference:url,github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/custom_cobalt_strike_command_execution; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:suspicious-command; sid:5009360; metadata: created_on 2022_11_22, old_sid 5007147; rev:1;)
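# FromBase64String with Get-ItemProperty on an HKCU:\ key (each within 100
# bytes) and a schtasks "/SC" switch: a payload kept in the registry, decoded
# at run time and scheduled. Fix: the two empty "reference:url,;" options
# carried no URL and are dropped; add a real reference when one is available.
# The msg spelling "Registy" is left as-is so the alert name stays stable.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Schtask Created to Base64 Decode Payload from Registy"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"FromBase64String"; nocase; content:"Get-ItemProperty"; nocase; within:100; content:"HKCU:\\"; within:100; content:"/SC"; classtype:suspicious-command; sid:5009361; metadata: created_on 2022_11_22, old_sid 5007148; rev:2;)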
# Browser credential-store access (Sigma posh_ps_access_to_browser_login_data):
# the profile path of each browser's "Login Data" or "Cookies" database named
# in a PowerShell event. |20| is a space.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Access to Opera Login/Cookie Data"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"%sagan%",\\Opera|20|Software\\Opera|20|Stable\\Login|20|Data,\\Opera|20|Software\\Opera|20|Stable\\Cookies; meta_nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml; reference:url,kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159; classtype:suspicious-command; sid:5009362; metadata: created_on 2022_11_22, old_sid 5007149; rev:1;)
# NOTE(review): the Chrome and Brave rules match the literal directory name
# "PROFILE" between "user data" and "Login Data"/"Cookies". That looks like an
# unfilled placeholder carried over from the Sigma source; real profile
# directories are "Default", "Profile 1", etc. (the Edge rule below uses
# "Default"). Confirm and consider dropping the profile segment.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Access to Chrome Login/Cookie Data"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"%sagan%",\\google\\chrome\\user|20|data\\PROFILE\\Login|20|Data,\\google\\chrome\\user|20|data\\PROFILE\\Cookies; meta_nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml; reference:url,kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159; classtype:suspicious-command; sid:5009363; metadata: created_on 2022_11_22, old_sid 5007150; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Access to Brave Login/Cookie Data"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"%sagan%",\\BraveSoftware\\Brave-Browser\\user|20|data\\PROFILE\\Login|20|Data,\\BraveSoftware\\Brave-Browser\\user|20|data\\PROFILE\\Cookies; meta_nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml; reference:url,kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159; classtype:suspicious-command; sid:5009364; metadata: created_on 2022_11_22, old_sid 5007151; rev:1;)
# Firefox: profile folder plus a ".default" profile name within 50 bytes,
# excluding scripts running from the Defender ATP directory (rev 2 tuning).
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Access to Firefox Login/Cookie Data"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"%sagan%",\\Mozilla\\Firefox\\Profiles; meta_nocase; content:".default"; nocase; within:50; content:!"Path: C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection"; nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml; reference:url,kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159a; classtype:suspicious-command; sid:5009365; metadata: created_on 2022_11_22, old_sid 5007152; rev:2;)
# Edge: matches the whole "\Microsoft\Edge\User Data\Default" profile path,
# not only Login Data/Cookies, so it is broader than the rules above.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Access to Microsoft Edge Login/Cookie Data"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; meta_content:"%sagan%",\\Microsoft\\Edge\\User|20|Data\\Default; meta_nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml; reference:url,kylemistele.medium.com/stealing-saved-browser-passwords-your-new-favorite-post-exploitation-technique-c5e72c86159; classtype:suspicious-command; sid:5009366; metadata: created_on 2022_11_22, old_sid 5007153; rev:1;)
# Any New-LocalUser cmdlet in a PowerShell event (Sigma
# posh_ps_create_local_user). Expect legitimate administrative noise; there
# is no threshold on this rule.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Local User Created"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"New-LocalUser"; nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml; classtype:suspicious-command; sid:5009367; metadata: created_on 2022_11_22, old_sid 5007154; rev:1;)
# Scheduled task created via cmdlets. NOTE(review): every content:/
# meta_content: option must match, so an event needs New-ScheduledTask AND
# Register-ScheduledTask AND one of the Invoke-CimMethod/PS_ScheduledTask
# tokens; a script using only the two cmdlets will not fire. Confirm whether
# the Sigma source intends these as alternatives.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Cmdlet Scheduled Task Created"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"New-ScheduledTask"; nocase; content:"Register-ScheduledTask"; nocase; meta_content:"%sagan%",Invoke-CimMethod,-ClassName,PS_ScheduledTask,-NameSpace,Root\\Microsoft\\Windows\\TaskScheduler; meta_nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml; classtype:suspicious-command; sid:5009368; metadata: created_on 2022_11_22, old_sid 5007155; rev:2;)
# The Start-Dnscat2 function name from the dnscat2 PowerShell client
# (DNS tunnelling / exfiltration), per Sigma posh_ps_dnscat_execution.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Dnscat Exfil Tool Execution"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"Start-Dnscat2"; nocase; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml; classtype:suspicious-command; sid:5009369; metadata: created_on 2022_11_22, old_sid 5007156; rev:1;)
# Volume shadow copy created through WMI: Win32_ShadowCopy .Create( with the
# ClientAccessible context. Backup tooling (e.g. the referenced ShadowCopy
# PowerShell module) produces the same strings, so tune by host/user.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Create Volume Shadow Copy"; program: *PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:400,800,4103,4104; content:"Win32_ShadowCopy"; nocase; content:".Create|28|"; nocase; content:"ClientAccessible"; nocase; reference:url,www.powershellgallery.com/packages/CPolydorou.ShadowCopy/1.1.2/Content/ShadowCopy.psm1; reference:url,github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml; classtype:suspicious-command; sid:5009370; metadata: created_on 2022_11_22, old_sid 5007157; rev:1;)
# DNS TXT-record command stagers: the payload is fetched with nslookup -q=txt
# or Resolve-DnsName and fed to iex / Invoke-Expression via ").Strings[".
# These three use event_id 600,800,4104 rather than the 400,800,4103,4104
# set used by the rules above - confirm 4103 was deliberately left out.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible nslookup command stager"; program:*PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:600,800,4104; content:"powershell"; content:"nslookup -q=txt"; nocase; distance:0; content:")[-"; distance:0; reference:url,twitter.com/bugch3ck/status/1566850989927399425; classtype:suspicious-command; sid:5009371; metadata: created_on 2022_11_22, old_sid 5007690; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Resolve-DnsName IEX command stager"; program:*PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:600,800,4104; content:"iex"; nocase; content:"Resolve-DnsName"; nocase; distance:0; content:").Strings["; nocase; distance:0; reference:url,twitter.com/bugch3ck/status/1566850989927399425; classtype:suspicious-command; sid:5009372; metadata: created_on 2022_11_22, old_sid 5007691; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Resolve-DnsName Invoke-Expression command stager"; program:*PowerShell*; json_map:"event_id",".EventID"; json_map:"message",".RenderedDescription"; event_id:600,800,4104; content:"Invoke-Expression"; nocase; content:"Resolve-DnsName"; nocase; distance:0; content:").Strings["; nocase; distance:0; reference:url,twitter.com/bugch3ck/status/1566850989927399425; classtype:suspicious-command; sid:5009373; metadata: created_on 2022_11_22, old_sid 5007692; rev:1;)
#The alerts below are based on IOCs for the ProxyShell V2 exploit, drawn from the research of GTSC. These are tracked as CVE-2022-41040 (Authenticated Server-Side Request Forgery) and CVE-2022-41082 (Authenticated Remote Code Execution). I know they are ugly, but they *should* work based on the IOCs! ~sdrenning! 20220930
# ProxyShell V2 (CVE-2022-41040 / CVE-2022-41082) IOC matches. These are
# verbatim command and request strings from the GTSC write-up, so they detect
# that campaign's tooling rather than the vulnerability class; expect no
# coverage once the strings change. All four are suppressed to 25 alerts per
# username per hour. The first two share the same msg and differ only in the
# http/https and PerfLogs/test strings.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible ProxyShell V2 execution"; program:*Exchange*|*IIs*|*PowerShell*|*Sysmon*; content:"|22|cmd|22| |2f|c cd |2f|d |22|c|3a 5c 5c|PerfLogs|22 26|certutil.exe |2d|urlcache |2d|split |2d|f http|3a 2f 2f|"; nocase; content:"|3a|8080|2f|themes.aspx c|3a 5c|perflogs|5c 5c|t|26|echo |5b|S|5d 26|cd|26|echo |5b|E|5d|"; nocase; threshold: type suppress, track by_username, count 25, seconds 3600; reference:url,gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; reference:url,msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server;classtype:suspicious-command; sid:5009374; metadata: created_on 2022_11_22, old_sid 5007709; rev:1;)
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible ProxyShell V2 execution"; program:*Exchange*|*IIs*|*PowerShell*|*Sysmon*; content:"|22|cmd|22| |2f|c cd |2f|d |22|c|3a 5c 5c|PerfLogs|22 26|certutil.exe |2d|urlcache |2d|split |2d|f https|3a 2f 2f|";nocase; content:"c|3a 5c|test|26|echo |5b|S|5d 26|cd|26|echo |5b|E|5d|";nocase; threshold: type suppress, track by_username, count 25, seconds 3600; reference:url,gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; reference:url,msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server; classtype:suspicious-command; sid:5009375; metadata: created_on 2022_11_22, old_sid 5007710; rev:1;)
# Request-side IOC: the autodiscover.json?@ SSRF path (|3f 40| is "?@") and
# its URL-encoded form in the Email parameter.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible ProxyShell V2 request"; program:*Exchange*|*IIs*|*PowerShell*; content:"autodiscover|2f|autodiscover.json|3f 40|";nocase; content: "|26|Email|3d|autodiscover|2f|autodiscover.json|25|3f|40|"; nocase; threshold: type suppress, track by_username, count 25, seconds 3600; reference:url,gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; reference:url,msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server;classtype:suspicious-command; sid:5009376; metadata: created_on 2022_11_22, old_sid 5007711; rev:1;)
# Webshell post-exploitation IOC: the exact eval(...GetEncoding(936)...
# FromBase64String(...)) fragments from the observed webshell, including its
# char(...) arithmetic; every fragment must be present.
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-POWERSHELL] Possible Proxyshell Webshell Command Post-exploit"; program:*Exchange*|*IIs*|*PowerShell*; content:"|25|eval|28|System.Text.Encoding.GetEncoding|28|936|29|.GetString|28|System.Convert.FromBase64String|28 27|";nocase; content:"char|28|837|2d|763|29 2b|";nocase; content:"System.Text.Encoding.GetEncoding|28|936|29|.GetString|28|System.Convert.FromBase64String|28|";nocase; content:"|2b|char|28|51450|2f|525|29 2b 27|";nocase; content:"|27 2b|char|28|0640|2d|0462|29 2b|char|28|0x8c28|2f|0x1cc|29|";nocase; content:"|2b|char|28|0212100|2f|01250|29 2b|System.Text.Encoding.GetEncoding|28|936|29|.GetString|28|System.Convert.FromBase64String|28 27|";nocase; content:"|27 29 29 29 3b 25|"; reference:url,gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; reference:url,msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server; threshold: type suppress, track by_username, count 25, seconds 3600;classtype:suspicious-command; sid:5009377; metadata: created_on 2022_11_22, old_sid 5007712; rev:1;)