Merge PR #4607 from @netgrain - Adding TH Detections For Powershell C…

…ypto Namespace Usage new: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace new: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace fix: Import New Module Via PowerShell CommandLine - Fix typo in condition --------- Co-authored-by: nasbench <[email protected]> Co-authored-by: phantinuss <[email protected]>
SigmaHQ · Dec 1, 2023 · c9054fa · c9054fa
1 parent 3990060
commit c9054fa
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 2 deletions.
diff --git a/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -0,0 +1,44 @@
+title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
+id: ad856965-f44d-42a8-945e-bbf7bd03d05a
+status: experimental
+description: |
+    Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
+    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+    These can be used for example in decrypting malicious payload for defense evasion.
+references:
+    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+    - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+    - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+tags:
+    - attack.defense_evasion
+    - attack.t1059.001
+    - attack.t1027.010
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+    selection_cmdlet_namespace:
+        CommandLine|contains: 'System.Security.Cryptography.'
+    selection_cmdlet_classes:
+        CommandLine|contains:
+            - '.AesCryptoServiceProvider'
+            - '.DESCryptoServiceProvider'
+            - '.DSACryptoServiceProvider'
+            - '.RC2CryptoServiceProvider'
+            - '.Rijndael'
+            - '.RSACryptoServiceProvider'
+            - '.TripleDESCryptoServiceProvider'
+    condition: all of selection_*
+falsepositives:
+    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+level: medium
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -7,7 +7,7 @@ references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/09
-modified: 2023/11/06
+modified: 2023/12/01
 tags:
     - attack.execution
     - detection.threat_hunting
@@ -33,7 +33,7 @@ detection:
         CommandLine|contains|all:
             - ':\Program Files\Microsoft Visual Studio\'
             - 'Tools\Microsoft.VisualStudio.DevShell.dll'
-    condition: all of selection_* and not all of filter_main_*
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Depending on the environement, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.
 level: low
diff --git a/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -0,0 +1,44 @@
+title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
+id: 1c2a3268-3881-414a-80af-a5b313b14c0e
+status: experimental
+description: |
+    Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
+    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+    These can be used for example in decrypting malicious payload for defense evasion.
+references:
+    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+tags:
+    - attack.defense_evasion
+    - attack.t1059.001
+    - attack.t1027.010
+    - attack.t1547.001
+    - detection.threat_hunting
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection_key:
+        EventType: SetValue
+        TargetObject|contains: '\Shell\Open\Command'
+    selection_value_img:
+        Details|contains:
+            - 'powershell'
+            - 'pwsh'
+    selection_value_namespace:
+        Details|contains: 'System.Security.Cryptography.'
+    selection_value_classes:
+        Details|contains:
+            - '.AesCryptoServiceProvider'
+            - '.DESCryptoServiceProvider'
+            - '.DSACryptoServiceProvider'
+            - '.RC2CryptoServiceProvider'
+            - '.Rijndael'
+            - '.RSACryptoServiceProvider'
+            - '.TripleDESCryptoServiceProvider'
+    condition: all of selection_*
+falsepositives:
+    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
+level: medium