Security Software Discovery Via Powershell Script

calendar Oct 28, 2023 · attack.discovery attack.t1518.001  ·
Share on: linkedin copy

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Sigma rule (View on GitHub)

 1title: Security Software Discovery Via Powershell Script
 2id: 904e8e61-8edf-4350-b59c-b905fc8e810c
 3status: experimental
 4description: |
 5    Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
 6    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
 9author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
10date: 2021/12/16
11modified: 2023/10/24
12tags:
13    - attack.discovery
14    - attack.t1518.001
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection_cmdlet:
21        ScriptBlockText|contains:
22            - 'get-process | \?'
23            - 'get-process | where'
24            - 'gps | \?'
25            - 'gps | where'
26    selection_field:
27        ScriptBlockText|contains:
28            - 'Company -like'
29            - 'Description -like'
30            - 'Name -like'
31            - 'Path -like'
32            - 'Product -like'
33    selection_keywords:
34        ScriptBlockText|contains:
35            # Note: These strings are using wildcard assuming the search is using the "-like" operator.
36            #       You can add specific variant with the actual process names to increase coverage
37            - '\*avira\*'
38            - '\*carbonblack\*'
39            - '\*cylance\*'
40            - '\*defender\*'
41            - '\*kaspersky\*'
42            - '\*malware\*'
43            - '\*sentinel\*'
44            - '\*symantec\*'
45            - '\*virus\*'
46    condition: all of selection_*
47falsepositives:
48    - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
49    - As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced
50level: medium

References

Related rules

to-top