-
Notifications
You must be signed in to change notification settings - Fork 502
/
collection_posh_compression.toml
138 lines (119 loc) · 4.03 KB
/
collection_posh_compression.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
[metadata]
bypass_bbr_timing = true
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
description = """
Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and
encrypt data in preparation for exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Archive Compression Capabilities"
risk_score = 21
rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category:process and host.os.type:windows and
(
powershell.file.script_block_text : (
"IO.Compression.ZipFile" or
"IO.Compression.ZipArchive" or
"ZipFile.CreateFromDirectory" or
"IO.Compression.BrotliStream" or
"IO.Compression.DeflateStream" or
"IO.Compression.GZipStream" or
"IO.Compression.ZLibStream"
) and
powershell.file.script_block_text : (
"CompressionLevel" or
"CompressionMode" or
"ZipArchiveMode"
) or
powershell.file.script_block_text : "Compress-Archive"
) and
not powershell.file.script_block_text : (
"Compress-Archive -Path 'C:\ProgramData\Lenovo\Udc\diagnostics\latest" or
("Copyright: (c) 2017, Ansible Project" and "Ansible.ModuleUtils.Backup")
) and
not file.directory : "C:\Program Files\Microsoft Dependency Agent\plugins\lib"
'''
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"