Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

Sigma rule

```yaml
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
    - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
      type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1106
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    # Note: Add more suspicious combinations in the form of different selections
    selection_injection:
        ScriptBlockText|contains|all:
            - 'VirtualAlloc'
            - 'OpenProcess'
            - 'WriteProcessMemory'
            - 'CreateRemoteThread'
    selection_token_steal:
        ScriptBlockText|contains|all:
            - 'OpenProcessToken'
            - 'LookupPrivilegeValue'
            - 'AdjustTokenPrivileges'
    selection_duplicate_token:
        ScriptBlockText|contains|all:
            - 'OpenProcessToken'
            - 'DuplicateTokenEx'
            - 'CloseHandle'
    selection_process_write_read:
        ScriptBlockText|contains|all:
            - 'WriteProcessMemory'
            - 'VirtualAlloc'
            - 'ReadProcessMemory'
            - 'VirtualFree'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
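As an added example that is not part of the Sigma project or this rule: a small Python evaluator that applies the rule's four `contains|all` selections and its `1 of selection_*` condition to constructed Script Block Logging (Event ID 4104) records, the way a Sigma backend would. The sample script text and the `[K32]`/`[Adv]` type names are invented for illustration.

```python
# Added example (not Sigma project code): evaluates this rule's selections
# and condition over constructed ScriptBlockText samples.
SELECTIONS = {
    "selection_injection": [
        "VirtualAlloc", "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"],
    "selection_token_steal": [
        "OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"],
    "selection_duplicate_token": [
        "OpenProcessToken", "DuplicateTokenEx", "CloseHandle"],
    "selection_process_write_read": [
        "WriteProcessMemory", "VirtualAlloc", "ReadProcessMemory", "VirtualFree"],
}


def matched_selections(script_block_text: str) -> list[str]:
    """Names of the selections whose terms ALL occur in the script block.

    Sigma string matching is case-insensitive and `contains` is a plain
    substring test, so e.g. 'VirtualAllocEx' satisfies the 'VirtualAlloc' term.
    """
    text = script_block_text.lower()
    return [name for name, terms in SELECTIONS.items()
            if all(term.lower() in text for term in terms)]


def rule_fires(event: dict) -> bool:
    """Condition `1 of selection_*`: a single matching selection is enough."""
    return bool(matched_selections(event.get("ScriptBlockText", "")))


# Constructed sample 4104 records (not real telemetry). Each record is judged
# on its own, exactly as a SIEM would see it.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":            # four injection terms
        "$h = [K32]::OpenProcess(...); $m = [K32]::VirtualAllocEx(...); "
        "[K32]::WriteProcessMemory(...); [K32]::CreateRemoteThread(...)"},
    {"EventID": 4104, "ScriptBlockText":            # token duplication terms
        "[Adv]::OpenProcessToken(...); [Adv]::DuplicateTokenEx(...); "
        "[K32]::CloseHandle($t)"},
    {"EventID": 4104, "ScriptBlockText":            # benign admin one-liner
        "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name"},
    {"EventID": 4104, "ScriptBlockText":            # 2 of 4 terms: `all` unmet
        "[K32]::VirtualAlloc(...); [K32]::WriteProcessMemory(...)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_selections(ev["ScriptBlockText"]))
```

Script Block Logging splits long scripts into several 4104 fragments, so a script whose API names fall into different fragments will not satisfy `contains|all` on any single record; the fourth sample shows that partial-term behaviour.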
