Techniques
- t1003
- t1003.003
- t1003.006
- t1033
- t1036
- t1036.003
- t1057
- t1070
- t1070.003
- t1083
- t1201
- t1546
- t1546.015
- t1553
- t1553.005
- t1562
- t1562.001
- t1564
- t1564.006
- t1615
Sample rules
Tamper Windows Defender Remove-MpPreference
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects attempts to remove Windows Defender configurations using the ‘MpPreference’ cmdlet
Detection logic
condition: all of selection_*
selection_remove:
  CommandLine|contains: Remove-MpPreference
selection_tamper:
  CommandLine|contains:
    - '-ControlledFolderAccessProtectedFolders '
    - '-AttackSurfaceReductionRules_Ids '
    - '-AttackSurfaceReductionRules_Actions '
    - '-CheckForSignaturesBeforeRunningScan '
Clear PowerShell History - PowerShell Module
- source: sigma
- techniques:
  - t1070
  - t1070.003
Description
Detects keywords that could indicate clearing PowerShell history
Detection logic
condition: 1 of selection_payload_* or all of selection_1*
selection_1a_payload:
  Payload|contains:
    - del
    - Remove-Item
    - rm
selection_1b_payload:
  Payload|contains: (Get-PSReadlineOption).HistorySavePath
selection_payload_2:
  Payload|contains|all:
    - Set-PSReadlineOption
    - "\u2013HistorySaveStyle"
    - SaveNothing
selection_payload_3:
  Payload|contains|all:
    - Set-PSReadlineOption
    - -HistorySaveStyle
    - SaveNothing
Suspicious Get-ADReplAccount
- source: sigma
- techniques:
  - t1003
  - t1003.006
Description
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - Get-ADReplAccount
    - '-All '
    - '-Server '
Suspicious PowerShell Get Current User
- source: sigma
- techniques:
  - t1033
Description
Detects the use of PowerShell to identify the currently logged-on user.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains:
    - '[System.Environment]::UserName'
    - $env:UserName
    - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
Suspicious Unblock-File
- source: sigma
- techniques:
  - t1553
  - t1553.005
Description
Detects removal of the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - 'Unblock-File '
    - '-Path '
Powershell Directory Enumeration
- source: sigma
- techniques:
  - t1083
Description
Detects a technique used by MAZE ransomware to enumerate directories using PowerShell
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - foreach
    - Get-ChildItem
    - '-Path '
    - '-ErrorAction '
    - SilentlyContinue
    - 'Out-File '
    - -append
Create Volume Shadow Copy with Powershell
- source: sigma
- techniques:
  - t1003
  - t1003.003
Description
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - Win32_ShadowCopy
    - ).Create(
    - ClientAccessible
Suspicious GPO Discovery With Get-GPO
- source: sigma
- techniques:
  - t1615
Description
Detects use of Get-GPO to get one GPO or all the GPOs in a domain.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains: Get-GPO
Suspicious Mount-DiskImage
- source: sigma
- techniques:
  - t1553
  - t1553.005
Description
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - 'Mount-DiskImage '
    - '-ImagePath '
Suspicious Start-Process PassThru
- source: sigma
- techniques:
  - t1036
  - t1036.003
Description
PowerShell uses the PassThru option of Start-Process to start a process in the background
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - Start-Process
    - '-PassThru '
    - '-FilePath '
Suspicious GetTypeFromCLSID ShellExecute
- source: sigma
- techniques:
  - t1546
  - t1546.015
Description
Detects suspicious PowerShell code that executes COM objects
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - ::GetTypeFromCLSID(
    - .ShellExecute(
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- source: sigma
- techniques:
  - t1201
Description
Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
Suspicious Invoke-Item From Mount-DiskImage
- source: sigma
- techniques:
  - t1553
  - t1553.005
Description
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - 'Mount-DiskImage '
    - '-ImagePath '
    - Get-Volume
    - .DriveLetter
    - 'invoke-item '
    - ):\
Get-ADUser Enumeration Using UserAccountControl Flags
- source: sigma
- techniques:
  - t1033
Description
Detects AS-REP roasting, an attack that is often overlooked. It is not very common, as you have to explicitly set accounts that do not require pre-authentication.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - Get-ADUser
    - -Filter
    - useraccountcontrol
    - -band
    - '4194304'
Clear PowerShell History - PowerShell
- source: sigma
- techniques:
  - t1070
  - t1070.003
Description
Detects keywords that could indicate clearing PowerShell history
Detection logic
condition: 1 of selection_* or all of selection1*
selection1a:
  ScriptBlockText|contains:
    - del
    - Remove-Item
    - rm
selection1b:
  ScriptBlockText|contains: (Get-PSReadlineOption).HistorySavePath
selection_2:
  ScriptBlockText|contains|all:
    - Set-PSReadlineOption
    - "\u2013HistorySaveStyle"
    - SaveNothing
selection_3:
  ScriptBlockText|contains|all:
    - Set-PSReadlineOption
    - -HistorySaveStyle
    - SaveNothing
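To see how the `1 of selection_*` / `all of selection1*` condition above actually combines its selections (and why the noisy `del`/`rm` substrings in selection1a only fire together with selection1b), here is a small evaluator written for this page; it is an added example, not Sigma's engine or the rule author's code. The rule dict uses the field and selection names from the page; the script block events are constructed, not real telemetry.

```python
"""Tiny evaluator for the Sigma selections on this page (added example; not
Sigma's own engine). Handles `field|contains`, `field|contains|all`, and a
condition made of `all of X*`, `1 of X*` or a selection name, joined by `or`.
Sigma string matching is case-insensitive, and so is this."""
import fnmatch
import re

# The "Clear PowerShell History - PowerShell" rule from this page, as a dict.
CLEAR_HISTORY = {
    "condition": "1 of selection_* or all of selection1*",
    "selection1a": {"ScriptBlockText|contains": ["del", "Remove-Item", "rm"]},
    "selection1b": {"ScriptBlockText|contains":
                    "(Get-PSReadlineOption).HistorySavePath"},
    "selection_2": {"ScriptBlockText|contains|all":
                    ["Set-PSReadlineOption", "\u2013HistorySaveStyle", "SaveNothing"]},
    "selection_3": {"ScriptBlockText|contains|all":
                    ["Set-PSReadlineOption", "-HistorySaveStyle", "SaveNothing"]},
}

# Constructed Event ID 4104 script blocks (not real telemetry).
EVENTS = [
    {"ScriptBlockText": "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"},
    {"ScriptBlockText": "Set-PSReadlineOption -HistorySaveStyle SaveNothing"},
    {"ScriptBlockText": "Set-PSReadlineOption \u2013HistorySaveStyle SaveNothing"},  # en dash
    {"ScriptBlockText": "Get-Content (Get-PSReadlineOption).HistorySavePath"},  # read only
    {"ScriptBlockText": "Remove-Item C:\\Temp\\*.log -Recurse"},  # unrelated delete
]

def selection_matches(selection, event):
    """Every `field|modifiers` entry in the selection must hold (AND)."""
    for key, needles in selection.items():
        field, _, mods = key.partition("|")
        needles = [needles] if isinstance(needles, str) else needles
        value = str(event.get(field, "")).lower()
        hits = [n.lower() in value for n in needles]
        if not (all(hits) if "all" in mods.split("|") else any(hits)):
            return False
    return True

def rule_matches(rule, event):
    """Condition is an OR of terms; each term is `all of`, `1 of` or a name."""
    sels = {k: v for k, v in rule.items() if k != "condition"}
    for term in rule["condition"].split(" or "):
        m = re.fullmatch(r"(all|1) of (\S+)", term.strip())
        if m:
            res = [selection_matches(sels[n], event) for n in fnmatch.filter(sels, m.group(2))]
            ok = (all(res) and bool(res)) if m.group(1) == "all" else any(res)
        else:
            ok = selection_matches(sels[term.strip()], event)
        if ok:
            return True
    return False

def matching_events(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

The third event shows why selection_2 exists: a `\u2013` (en dash) pasted in place of `-` would otherwise slip past selection_3; the last two events show that reading the history path or deleting unrelated files does not fire the rule.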
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects attempts to remove Windows Defender configuration using the ‘MpPreference’ cmdlet
Detection logic
condition: all of selection_*
selection_remove:
  ScriptBlockText|contains: Remove-MpPreference
selection_tamper:
  ScriptBlockText|contains:
    - '-ControlledFolderAccessProtectedFolders '
    - '-AttackSurfaceReductionRules_Ids '
    - '-AttackSurfaceReductionRules_Actions '
    - '-CheckForSignaturesBeforeRunningScan '
Suspicious Hyper-V Cmdlets
- source: sigma
- techniques:
  - t1564
  - t1564.006
Description
Adversaries may carry out malicious operations using a virtual instance to avoid detection
Detection logic
condition: selection
selection:
  ScriptBlockText|contains:
    - New-VM
    - Set-VMFirmware
    - Start-VM
Suspicious IO.FileStream
- source: sigma
- techniques:
  - t1070
  - t1070.003
Description
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct-access read of the first few bytes of the volume.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - New-Object
    - IO.FileStream
    - \\\\.\\
Suspicious Process Discovery With Get-Process
- source: sigma
- techniques:
  - t1057
Description
Get the processes that are running on the local computer.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains: Get-Process