Techniques
Sample rules
Potential Process Injection via PowerShell
- source: elastic
- technicques:
- T1055
- T1059
- T1106
Description
Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.
Detection logic
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or
LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and
(WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or
SuspendThread or ResumeThread or GetDelegateForFunctionPointer)
) and not
file.directory: (
"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" or
"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
)
PowerShell Suspicious Discovery Related Windows API Functions
- source: elastic
- technicques:
- T1039
- T1059
- T1069
- T1087
- T1106
- T1135
- T1482
Description
This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
Detection logic
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
NetShareEnum or
NetWkstaUserEnum or
NetSessionEnum or
NetLocalGroupEnum or
NetLocalGroupGetMembers or
DsGetSiteName or
DsEnumerateDomainTrusts or
WTSEnumerateSessionsEx or
WTSQuerySessionInformation or
LsaGetLogonSessionData or
QueryServiceObjectSecurity or
GetComputerNameEx or
NetWkstaGetInfo or
GetUserNameEx or
NetUserEnum or
NetUserGetInfo or
NetGroupEnum or
NetGroupGetInfo or
NetGroupGetUsers or
NetWkstaTransportEnum or
NetServerGetInfo or
LsaEnumerateTrustedDomains or
NetScheduleJobEnum or
NetUserModalsGet
) and
not powershell.file.script_block_text : (
("DsGetSiteName" and ("DiscoverWindowsComputerProperties.ps1" and "param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)")) or
("# Copyright: (c) 2018, Ansible Project" and "#Requires -Module Ansible.ModuleUtils.AddType" and "#AnsibleRequires -CSharpUtil Ansible.Basic") or
("Ansible.Windows.Setup" and "Ansible.Windows.Setup" and "NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);")
)