LoFP / legitimate administrative script

Techniques

Sample rules

Suspicious FromBase64String Usage On Gzip Archive - Process Creation

Description

Detects attempts to decode a base64-encoded Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - FromBase64String
  - MemoryStream
  - H4sI

Suspicious X509Enrollment - Process Creation

Description

Detects use of X509Enrollment.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - X509Enrollment.CBinaryConverter
  - 884e2002-217d-11da-b2a4-000e7bbb2b09

Powershell XML Execute Command

Description

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

Detection logic

condition: all of selection_*
selection_exec:
  ScriptBlockText|contains:
  - 'IEX '
  - 'Invoke-Expression '
  - 'Invoke-Command '
  - ICM -
selection_xml:
  ScriptBlockText|contains|all:
  - New-Object
  - System.Xml.XmlDocument
  - .Load

Powershell MsXml COM Object

Description

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - New-Object
  - -ComObject
  - MsXml2.
  - XmlHttp

Testing Usage of Uncommonly Used Port

Description

Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

Detection logic

condition: selection and not filter
filter:
  ScriptBlockText|contains:
  - ' 443 '
  - ' 80 '
selection:
  ScriptBlockText|contains|all:
  - Test-NetConnection
  - '-ComputerName '
  - '-port '

Service Registry Permissions Weakness Check

Description

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - get-acl
  - REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\

Registry-Free Process Scope COR_PROFILER

Description

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (i.e., external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - $env:COR_ENABLE_PROFILING
  - $env:COR_PROFILER
  - $env:COR_PROFILER_PATH

Powershell LocalAccount Manipulation

Description

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - Disable-LocalUser
  - Enable-LocalUser
  - Get-LocalUser
  - Set-LocalUser
  - New-LocalUser
  - Rename-LocalUser
  - Remove-LocalUser

PowerShell Remote Session Creation

Description

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - New-PSSession
  - '-ComputerName '

Manipulation of User Computer or Group Security Principals Across AD

Description

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains: System.DirectoryServices.AccountManagement

Suspicious X509Enrollment - Ps Script

Description

Detects use of X509Enrollment.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - X509Enrollment.CBinaryConverter
  - 884e2002-217d-11da-b2a4-000e7bbb2b09

Suspicious SSL Connection

Description

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - System.Net.Security.SslStream
  - Net.Security.RemoteCertificateValidationCallback
  - .AuthenticateAsClient

Suspicious FromBase64String Usage On Gzip Archive - Ps Script

Description

Detects attempts to decode a base64-encoded Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Detection logic

condition: selection
selection:
  ScriptBlockText|contains|all:
  - FromBase64String
  - MemoryStream
  - H4sI
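The detection logic above is written as Sigma selections, and the three condition shapes used on this page (`selection`, `selection and not filter`, `all of selection_*`) behave differently against the same script block. The following is an added example, not code from the LoFP or Sigma projects: a small Python evaluator that transcribes four of the page's rules into data, runs them over constructed ScriptBlockText samples, and shows why the `H4sI` indicator is reliable (it is the base64 encoding of the gzip magic bytes 1f 8b 08). It assumes case-insensitive `contains` matching, as most Sigma backends apply; the rule names, `RULES`, `SAMPLE_LINES` and the helper functions are this example's own.

```python
"""Toy evaluator for the Sigma-style selections listed on this page.

Constructed example: the rule data and sample script-block lines are hand-written
here; this is not the LoFP or Sigma project's own code. Assumption: `contains`
is matched case-insensitively, as most Sigma backends do.
"""
import base64
import gzip
from typing import Dict, List

# A subset of the page's rules transcribed into Python data. Each selection maps a
# Sigma modifier ("contains" = any value, "contains|all" = every value) to its values.
RULES = {
    "Suspicious FromBase64String Usage On Gzip Archive - Ps Script": {
        "condition": "selection",
        "selections": {
            "selection": {"contains|all": ["FromBase64String", "MemoryStream", "H4sI"]},
        },
    },
    "Powershell XML Execute Command": {
        "condition": "all of selection_*",
        "selections": {
            "selection_exec": {"contains": ["IEX ", "Invoke-Expression ", "Invoke-Command ", "ICM -"]},
            "selection_xml": {"contains|all": ["New-Object", "System.Xml.XmlDocument", ".Load"]},
        },
    },
    "Testing Usage of Uncommonly Used Port": {
        "condition": "selection and not filter",
        "selections": {
            "selection": {"contains|all": ["Test-NetConnection", "-ComputerName ", "-port "]},
            "filter": {"contains": [" 443 ", " 80 "]},
        },
    },
    "Service Registry Permissions Weakness Check": {
        "condition": "selection",
        "selections": {
            "selection": {"contains|all": ["get-acl", "REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\"]},
        },
    },
}


def selection_matches(text: str, selection: Dict[str, List[str]]) -> bool:
    """Evaluate one Sigma selection block against a single event field value."""
    haystack = text.lower()
    for modifier, values in selection.items():
        needles = [v.lower() for v in values]
        if modifier == "contains|all":
            if not all(n in haystack for n in needles):
                return False
        elif modifier == "contains":
            if not any(n in haystack for n in needles):
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def rule_matches(text: str, rule: dict) -> bool:
    """Combine the selections according to the three condition shapes on this page."""
    results = {name: selection_matches(text, sel) for name, sel in rule["selections"].items()}
    condition = rule["condition"]
    if condition == "selection":
        return results["selection"]
    if condition == "selection and not filter":
        return results["selection"] and not results["filter"]
    if condition == "all of selection_*":
        return all(hit for name, hit in results.items() if name.startswith("selection_"))
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(lines: List[str]) -> Dict[str, List[int]]:
    """Return, per rule, the indices of the script-block lines that fire it."""
    return {name: [i for i, line in enumerate(lines) if rule_matches(line, rule)]
            for name, rule in RULES.items()}


def gzip_base64_prefix(payload: bytes) -> str:
    """Base64 of any gzip stream starts with the encoding of its magic bytes 1f 8b 08."""
    return base64.b64encode(gzip.compress(payload))[:4].decode("ascii")


# Constructed ScriptBlockText samples, not real telemetry.
SAMPLE_LINES = [
    # 0: benign ACL audit of a service key; this is the "legitimate administrative script" false positive
    r"Get-Acl -Path REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\Spooler | Format-List",
    # 1: benign config load with no execution primitive; only selection_xml matches, so no alert
    "$doc = New-Object System.Xml.XmlDocument; $doc.Load('C:\\app\\settings.xml')",
    # 2: the same load followed by Invoke-Expression; both selection_* blocks match
    "$doc = New-Object System.Xml.XmlDocument; $doc.Load('C:\\app\\task.xml'); Invoke-Expression $doc.InnerText",
    # 3: connectivity test on an unusual port; the filter does not apply
    "Test-NetConnection -ComputerName fileserver01 -Port 8088",
    # 4: port 443 followed by a space; the filter suppresses it
    "Test-NetConnection -ComputerName web01 -Port 443 ",
    # 5: port 443 at end of line; the filter value ' 443 ' needs a trailing space, so this still fires
    "Test-NetConnection -ComputerName web01 -Port 443",
    # 6: base64 gzip blob (constructed, truncated) fed to a MemoryStream
    "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIAAAAAAAA<constructed>'))",
]

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_LINES).items():
        print(f"{name}: lines {hits}")
    print("gzip base64 prefix:", gzip_base64_prefix(b"Write-Host 'constructed payload'"))
```

Sample 5 is the practical caveat: the port filter's values carry surrounding spaces, so a script block that ends in `-Port 443` is not suppressed and the rule fires on ordinary connectivity checks. Sample 0 shows the false positive this page is about: an administrator auditing service key ACLs produces exactly the substrings the rule keys on, so the match needs context (who ran it, from where, how often) before it is treated as a permissions-weakness hunt.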