通过 Windows 脚本执行可疑 PowerShell

编辑

通过 Windows 脚本执行可疑 PowerShell

编辑

识别来自 Windows 脚本宿主进程 (cscript 或 wscript.exe) 的可疑 PowerShell 执行。

规则类型: eql

规则索引:

winlogbeat-*
logs-windows.*
logs-system.security*
logs-windows.sysmon_operational-*
logs-sentinel_one_cloud_funnel.*
logs-m365_defender.event-*

严重性: 高

风险评分: 73

每隔: 5 分钟

搜索索引自: now-9m (日期数学格式，另请参阅 额外回溯时间)

每次执行的最大告警数: 100

参考: 无

标签:

领域: 端点
操作系统: Windows
用例: 威胁检测
战术: 执行
数据源: 系统
数据源: Sysmon
数据源: SentinelOne
数据源: Microsoft Defender for Endpoint

版本: 201

规则作者:

Elastic

规则许可证: Elastic License v2

规则查询

编辑

process where host.os.type == "windows" and event.action == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  process.parent.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
   (
   process.args_count == 1 or
   process.command_line :
             ("*^*^*^*^*^*^*^*^*^*",
              "*''*''*''*",
              "*`*`*`*`*",
              "*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*",
              "*+*+*+*+*+*",
              "*$*$*$*$*",
              "*[char[]](*)*-join",
              "*Base64String*",
              "*[*Convert]*",
              "*.Text.Encoding*",
              "*.Compression.*",
              "*.replace(*",
              "*MemoryStream*",
              "*WriteAllBytes*",
              "* -en* *",
              "* -ec *",
              "* -e *",
              "* -ep *",
              "* /e *",
              "* /en* *",
              "* /ec *",
              "* /ep *",
              "*WebClient*",
              "*DownloadFile*",
              "*DownloadString*",
              "*BitsTransfer*",
              "*Invoke-Exp*",
              "*invoke-web*",
              "*iex*",
              "*iwr*",
              "*Reflection.Assembly*",
              "*Assembly.GetType*",
              "*.Sockets.*",
              "*Add-MpPreference*ExclusionPath*",
              "*raw.githubusercontent*")
   ) and

   /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */
   not (process.args : ("-EncodedCommand", "Import-Module*", "-NonInteractive") and
        process.args : "-ExecutionPolicy" and not process.args : "Sync-AppvPublishingServer") and

   /* third party installation related FPs */
   not ?process.parent.args : "?:\\Windows\\system32\\gatherNetworkInfo.vbs" and
   not (?process.parent.args : "Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs" and process.args : "Get-SCOMAgent") and
   not (process.command_line : "*WEBLOGIC_ARGS_CURRENT_1.DATA*" and ?process.parent.command_line : "*Impact360*") and
   not process.args :  "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*" and
   not process.command_line : ("*.Access.IdentityReference*win32_SID.SID*", "*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*") and
   not (?process.parent.args : "?:\\Users\\Prestige\\AppData\\Local\\Temp\\Rar$*\\KMS_VL_ALL_AIO.cmd  -elevated" and process.command_line : "*KMS_VL_ALL_AIO.cmd*") and
   not process.args : "iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression" and
   not (process.parent.name : "wscript.exe" and
        ?process.parent.args : "C:\\Program Files (x86)\\Telivy\\Telivy Agent\\telivy.js")

框架: MITRE ATT&CK^TM

战术
- 名称: 执行
- ID: TA0002
- 参考网址: https://attack.mitre.org/tactics/TA0002/
技术
- 名称: 命令和脚本解释器
- ID: T1059
- 参考网址: https://attack.mitre.org/techniques/T1059/
子技术
- 名称: PowerShell
- ID: T1059.001
- 参考网址: https://attack.mitre.org/techniques/T1059/001/
子技术
- 名称: Visual Basic
- ID: T1059.005
- 参考网址: https://attack.mitre.org/techniques/T1059/005/

« 可疑 PowerShell 引擎 ImageLoad 可疑 PowerShell 脚本 »