Adding analytics for ps crypto namespace hunting

SigmaHQ · Nov 30, 2023 · 15972bb · 15972bb
1 parent 6e4644c
commit 15972bb
Show file tree

Hide file tree

Showing 2 changed files with 90 additions and 0 deletions.
diff --git a/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -0,0 +1,44 @@
+title: Invocation Of Crypto-classes From The "Cryptography" PowerShell Namespace.
+id: ad856965-f44d-42a8-945e-bbf7bd03d05a
+status: experimental
+description: |
+  The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+  This analytic detects the invocation of said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+references:
+  - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+  - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+  - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+modified: 2023/12/01
+tags:
+  - attack.defense_evasion
+  - attack.t1059.001
+  - attack.t1027.010
+  - detection.threat_hunting
+logsource:
+  product: windows
+  category: process_creation
+detection:
+  selection_img:
+    - Image|endswith:
+      - '\powershell.exe'
+      - '\pwsh.exe'
+    - OriginalFileName:
+      - 'PowerShell.EXE'
+      - 'pwsh.dll'
+  selection_cmdlet_namespace:
+    CommandLine|contains: 'System.Security.Cryptography.'
+  selection_cmdlet_classes:
+    CommandLine|contains:
+      - '.AesCryptoServiceProvider'
+      - '.RSACryptoServiceProvider'
+      - '.TripleDESCryptoServiceProvider'
+      - '.RC2CryptoServiceProvider'
+      - '.DSACryptoServiceProvider'
+      - '.DESCryptoServiceProvider'
+      - '.Rijndael'
+  condition: all of selection_*
+falsepositives:
+  - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+level: medium
diff --git a/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -0,0 +1,46 @@
+title: Registry creation with Crypto-classes From The "Cryptography" PowerShell namespace.
+id: 1c2a3268-3881-414a-80af-a5b313b14c0e
+status: experimental
+description: |
+  The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+  This analytic detects creation of registry runkeys with said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+references:
+  - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+  - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+modified: 2023/12/01
+tags:
+  - attack.defense_evasion
+  - attack.t1059.001
+  - attack.t1027.010
+  - attack.t1547.001
+  - detection.threat_hunting
+logsource:
+  product: windows
+  category: registry_set
+detection:
+  selection_key:
+    EventType: SetValue
+    TargetObject|contains:
+      - '\Shell\Open\Command'
+  selection_value_img:
+    Details|contains:
+      - 'powershell'
+      - 'pwsh'
+  selection_value_namespace:
+    Details|contains:
+      - 'System.Security.Cryptography.'
+  selection_value_classes:
+    Details|contains:
+      - '.AesCryptoServiceProvider'
+      - '.RSACryptoServiceProvider'
+      - '.TripleDESCryptoServiceProvider'
+      - '.RC2CryptoServiceProvider'
+      - '.DSACryptoServiceProvider'
+      - '.DESCryptoServiceProvider'
+      - '.Rijndael'
+  condition: all of selection_*
+falsepositives:
+  - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+level: medium