Potential PowerShell HackTool Script by Author

Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/05/08"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box
11offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common
12author handles found in popular PowerShell scripts used for red team exercises.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-windows.powershell*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Potential PowerShell HackTool Script by Author"
19references = [
20    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
21]
22risk_score = 73
23rule_id = "2553a9af-52a4-4a05-bb03-85b2a479a0a0"
24setup = """## Setup
25
26The 'PowerShell Script Block Logging' logging policy must be enabled.
27Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

1
2Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

 1"""
 2severity = "high"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Execution",
 8    "Data Source: PowerShell Logs",
 9]
10timestamp_override = "event.ingested"
11type = "query"
12
13query = '''
14host.os.type:windows and event.category:process and
15  powershell.file.script_block_text : (
16      "mattifestation" or "JosephBialek" or
17      "harmj0y" or "ukstufus" or
18      "SecureThisShit" or "Matthew Graeber" or
19      "secabstraction" or "mgeeky" or
20      "oddvarmoe" or "am0nsec" or
21      "obscuresec" or "sixdub" or
22      "darkoperator" or "funoverip" or
23      "rvrsh3ll" or "kevin_robertson" or
24      "dafthack" or "r4wd3r" or
25      "danielhbohannon" or "OneLogicalMyth" or
26      "cobbr_io" or "xorrior" or
27      "PetrMedonos" or "citronneur" or
28      "eladshamir" or "RastaMouse" or
29      "enigma0x3" or "FuzzySec" or
30      "424f424f" or "jaredhaight" or
31      "fullmetalcache" or "Hubbl3" or
32      "curi0usJack" or "Cx01N" or
33      "itm4n" or "nurfed1" or
34      "cfalta" or "Scott Sutherland" or
35      "_nullbind" or "_tmenochet" or
36      "Boe Prox" or "jaredcatkinson" or
37      "ChrisTruncer" or "monoxgas" or
38      "TheRealWover" or "splinter_code"
39  )
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49[[rule.threat.technique.subtechnique]]
50id = "T1059.001"
51name = "PowerShell"
52reference = "https://attack.mitre.org/techniques/T1059/001/"
53
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top