diff --git a/Rules/SIGMA/other/win_wmi_persistence.ps1 b/Rules/SIGMA/other/win_wmi_persistence.ps1
index f5b6024d..aad4167a 100644
--- a/Rules/SIGMA/other/win_wmi_persistence.ps1
+++ b/Rules/SIGMA/other/win_wmi_persistence.ps1
@@ -1,10 +1,12 @@
+# Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+# Get-WinEvent -LogName Security | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
 function Add-Rule {
 param (
 [bool] $isLiveAnalysis
 )
 $ruleName = "win_wmi_persistence";
- $detectedMessage = "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs."
+ $detectedMessage = "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.";
 $detectRule = {
 function Search-DetectableEvents {
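Review bot: The two `# Get-WinEvent` lines added at the top of the file are bare commands with no explanation, so a reader cannot tell whether they are documentation, a TODO, or dead code. I would prefix them with one line stating their purpose, e.g. `# Manual triage: standalone equivalents of the two filters inside $detectRule (first query against Microsoft-Windows-WMI-Activity/Operational, second against Security).` Next to the Security query it is also worth noting that, as far as I know, 4662 is only logged for WMI namespace objects when an audit SACL has been set on the namespace (e.g. root\subscription), so an empty result is not evidence of absence. The `;` appended to `$detectedMessage` is cosmetic in PowerShell and merely matches the `$ruleName` line above it.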
@@ -12,8 +14,10 @@ function Add-Rule {
 $event
 )
- $result = $event | where {((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message Get-WinEvent -LogName Security | where {($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message;
- if ($result.Count -ne 0) {
+ $result = $event | where { ((($_.ID -eq "5861" -and ($_.message -match ".*ActiveScriptEventConsumer.*" -or $_.message -match ".*CommandLineEventConsumer.*" -or $_.message -match ".*CommandLineTemplate.*")) -or $_.ID -eq "5859")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+ $result2 = $event | where { ($_.ID -eq "4662" -and $_.message -match "ObjectType.*WMI Namespace" -and $_.message -match "ObjectName.*.*subscription.*") } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message
+
+ if (($result.Count -ne 0) -or ($result2.Count -ne 0)) {
 Write-Host
 Write-Host "Detected! RuleName:$ruleName"
 Write-Host
diff --git a/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1 b/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1
index 4fe2488b..e62b7ff8 100644
--- a/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1
+++ b/Rules/SIGMA/process_creation/win_xsl_script_processing.ps1
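Review bot: The new `$result2` is only consulted in the `if` condition; the reporting that follows the three `Write-Host` context lines (outside this hunk) was written when there was a single `$result`, so a 4662-only hit would print `Detected!` without showing the matching event unless that code was updated as well — please confirm `$result2` is written out there too. Both filters run over the same `$event` stream, yet 5861/5859 come from the Microsoft-Windows-WMI-Activity/Operational log and 4662 from the Security log (the header comments in this file say as much), so the subscription branch can only ever fire if the caller feeds both logs into `$event`; that caller is not visible here. The `$result2` line also drops the trailing `;` that the `$result` line directly above keeps: `... | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;`. `Search-DetectableEvents` continues past the end of the hunk.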
@@ -5,7 +5,7 @@ function Add-Rule {
 [bool] $isLiveAnalysis
 )
 $ruleName = "win_xsl_script_processing";
- $detectedMessage = "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries"
+ $detectedMessage = "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries";
 $detectRule = {
 function Search-DetectableEvents {
@@ -13,7 +13,8 @@ function Add-Rule {
 $event
 )
- $result = $event | !firstpipe!
+ $result = $event | where { (($_.ID -eq "1") -and (($_.message -match "Image.*.*\wmic.exe" -and $_.message -match "CommandLine.*.*/format.*") -or $_.message -match "Image.*.*\msxsl.exe")) } | select TimeCreated, Id, RecordId, ProcessId, MachineName, Message;
+
 if ($result.Count -ne 0) {
 Write-Host
 Write-Host "Detected! RuleName:$ruleName"
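Review bot: `$detectedMessage` still ends mid-sentence at `... Rule detects when adversaries`, and this commit touches the line only to append a `;`, so the truncated text is what will be printed as the rule's description. Finish the sentence with what the filter further down in this file actually looks for, e.g. `... Rule detects when adversaries abuse XSL script processing via wmic.exe /format or msxsl.exe to execute code.";`. The `;` itself is harmless and matches the `$ruleName` line above.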
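Review bot: The regexes in the new `where` filter do not do what they intend: in `"Image.*.*\msxsl.exe"` the `\m` is an unrecognized escape for the .NET regex engine, so `-match` throws as soon as an event reaches that branch (PowerShell double-quoted strings leave the backslash alone, and `-or` only evaluates the branch when the wmic conjunction is false, i.e. on nearly every event), and in `"Image.*.*\wmic.exe"` the `\w` is a word-character class, so the path separator is never matched and e.g. `xmic.exe` would match too. Escape the backslash and the dot: `$_.message -match "Image.*\\wmic\.exe"` and `$_.message -match "Image.*\\msxsl\.exe"`. The `.*.*` pairs are redundant and the bare `.` in `.exe` matches any character; the two proposed lines address both. The `if` and `Write-Host` lines after the added blank line are pre-existing context, and the function continues outside the hunk.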