From 2e96df4a11078ee4f79560d43df1aa7e2218862e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 2 Jul 2023 12:23:12 +0200
Subject: [PATCH 1/5] Add posh_ps_reg_query_registry
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../posh_ps_reg_query_registry.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
new file mode 100644
index 00000000000..1174a760ada
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
@@ -0,0 +1,38 @@
+title: Potential Configuration And Service Reconnaissance Via Powershell
+id: 064060aa-09fb-4636-817f-020a32aa7e9e
+related:
+ - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
+ type: similar
+status: experimental
+description: Detects the usage of Powershell in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
+author: frack113
+date: 2023/07/02
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains:
+ - 'Get-Item'
+ - 'Get-ChildItem'
+ selection_flag:
+ ScriptBlockText|contains: '-Path'
+ selection_key:
+ ScriptBlockText|contains:
+ - 'CurrentVersion\Windows'
+ - 'winlogon\'
+ - 'CurrentVersion\ShellServiceObjectDelayLoad'
+ - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
+ - 'CurrentVersion\Policies\Explorer\Run'
+ - 'currentcontrolset\services'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
From 99914ba9f863c14494d761c003d06667d0e258d4 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 14 Jul 2023 09:00:33 +0200
Subject: [PATCH 2/5] Move to Hunting
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../powershell/powershell_script/posh_ps_reg_query_registry.yml | 1 +
 1 file changed, 1 insertion(+)
 rename {rules => rules-threat-hunting}/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml (97%)
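Review bot: `'CurrentVersion\Windows'` in selection_key is also a prefix of unrelated keys, for example `CurrentVersion\WindowsUpdate`, so routine update or inventory scripts that pair that key with `Get-Item -Path` satisfy `all of selection_*`. The three selections are independent substring matches over the whole script block, so the cmdlet, the `-Path` flag and the key path do not have to belong to the same statement, which is worth a short comment on the condition line so analysts triage hits with that in mind. Anchoring the value with the separator that follows the key name, `- 'CurrentVersion\Windows\'`, narrows it to the key itself rather than every key whose name starts with "Windows".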
diff --git a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
similarity index 97%
rename from rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
index 1174a760ada..812bc3926c1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
@@ -13,6 +13,7 @@ tags:
 - attack.discovery
 - attack.t1012
 - attack.t1007
+ - detection.threat_hunting
 logsource:
 product: windows
 category: ps_script
From d3cf1892fced57a3d005408a566dbe36b8f51c79 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 14 Jul 2023 10:19:28 +0200
Subject: [PATCH 3/5] chore: update metadata
---
 ...try.yml => posh_ps_registry_reconnaissance.yml} | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 rename rules-threat-hunting/windows/powershell/powershell_script/{posh_ps_reg_query_registry.yml => posh_ps_registry_reconnaissance.yml} (70%)
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
similarity index 70%
rename from rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index 812bc3926c1..8f3e4722b74 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_reg_query_registry.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -1,10 +1,10 @@
-title: Potential Configuration And Service Reconnaissance Via Powershell
+title: Potential Registry Reconnaissance Via Powershell Script
 id: 064060aa-09fb-4636-817f-020a32aa7e9e
 related:
 - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 type: similar
 status: experimental
-description: Detects the usage of Powershell in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
+description: Detects PowerShell script with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: frack113
@@ -27,13 +27,13 @@ detection:
 ScriptBlockText|contains: '-Path'
 selection_key:
 ScriptBlockText|contains:
+ - 'currentcontrolset\services'
+ - 'CurrentVersion\Policies\Explorer\Run'
+ - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
+ - 'CurrentVersion\ShellServiceObjectDelayLoad'
 - 'CurrentVersion\Windows'
 - 'winlogon\'
- - 'CurrentVersion\ShellServiceObjectDelayLoad'
- - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
- - 'CurrentVersion\Policies\Explorer\Run'
- - 'currentcontrolset\services'
 condition: all of selection_*
 falsepositives:
- - Unknown
+ - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
 level: medium
From 6761b32a04c4c9cf0fce5f93390849c434428229 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 17 Jul 2023 09:54:51 +0200
Subject: [PATCH 4/5] Change to regex
---
 .../posh_ps_registry_reconnaissance.yml | 18 +++--------------
 1 file changed, 3 insertions(+), 15 deletions(-)
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index 8f3e4722b74..e602aba0b55 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -19,21 +19,9 @@ logsource:
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
- selection_cmdlet:
- ScriptBlockText|contains:
- - 'Get-Item'
- - 'Get-ChildItem'
- selection_flag:
- ScriptBlockText|contains: '-Path'
- selection_key:
- ScriptBlockText|contains:
- - 'currentcontrolset\services'
- - 'CurrentVersion\Policies\Explorer\Run'
- - 'CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx" and "runServicesOnce"
- - 'CurrentVersion\ShellServiceObjectDelayLoad'
- - 'CurrentVersion\Windows'
- - 'winlogon\'
- condition: all of selection_*
+ selection:
+ ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
+ condition: selection
 falsepositives:
 - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
 level: medium
From 981ceebab2c49f45f3a34f150265b7e86b490212 Mon Sep 17 00:00:00 2001
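Review bot: The `|re` modifier is case-sensitive under the current Sigma specification (the TODO added in patch 5 confirms the authors know this), so the `currentcontrolset\\services` alternative never matches the usual `CurrentControlSet\Services` spelling, and the other alternatives only match their exact mixed case, a regression from the case-insensitive `contains` lists removed here. The last alternative `CurrentVersion\\Windows\winlogon` has a single backslash before `winlogon`, which a regex engine reads as the `\w` word-character class, and it fuses two keys that were separate strings before; as far as I know the Winlogon key sits beside `CurrentVersion\Windows` under `Windows NT\CurrentVersion`, not below it, so neither key is matched any more. The trailing `\\` also demands a backslash after the key name, which drops the `RunOnce`/`RunOnceEx` coverage the removed comment described and misses paths written without a trailing separator. Until a case-insensitive flag is available, spell the alternatives as they are actually typed, e.g. `[Cc]urrent[Cc]ontrol[Ss]et\\[Ss]ervices`, list `CurrentVersion\\Windows\\` and `CurrentVersion\\Winlogon\\` separately, and allow `CurrentVersion\\Run(Once(Ex)?)?`. The same regex is carried unchanged into patch 5's `@@ -20,6 +20,7 @@` hunk, whose TODO covers only the case issue.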
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 17 Jul 2023 12:04:58 +0200
Subject: [PATCH 5/5] feat: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../powershell_script/posh_ps_registry_reconnaissance.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
index e602aba0b55..3369c27b556 100644
--- a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml
@@ -1,10 +1,10 @@
-title: Potential Registry Reconnaissance Via Powershell Script
+title: Potential Registry Reconnaissance Via PowerShell Script
 id: 064060aa-09fb-4636-817f-020a32aa7e9e
 related:
 - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
 type: similar
 status: experimental
-description: Detects PowerShell script with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
+description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
 author: frack113
@@ -20,6 +20,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
+ # TODO: switch to |re|i: after sigma specification v2 is released
 ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
 condition: selection
 falsepositives: