diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
new file mode 100644
index 00000000000..f92e4055fa8
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -0,0 +1,44 @@
+title: Invocation Of Crypto-classes From The "Cryptography" PowerShell Namespace.
+id: ad856965-f44d-42a8-945e-bbf7bd03d05a
+status: experimental
+description: |
+ The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+ This analytic detects the invocation of said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+references:
+ - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+ - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html
+ - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+modified: 2023/12/01
+tags:
+ - attack.defense_evasion
+ - attack.t1059.001
+ - attack.t1027.010
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_cmdlet_namespace:
+ CommandLine|contains: 'System.Security.Cryptography.'
+ selection_cmdlet_classes:
+ CommandLine|contains:
+ - '.AesCryptoServiceProvider'
+ - '.RSACryptoServiceProvider'
+ - '.TripleDESCryptoServiceProvider'
+ - '.RC2CryptoServiceProvider'
+ - '.DSACryptoServiceProvider'
+ - '.DESCryptoServiceProvider'
+ - '.Rijndael'
+ condition: all of selection_*
+falsepositives:
+ - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+level: medium
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
new file mode 100644
index 00000000000..6a869469cb3
--- /dev/null
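Review bot: The namespace selector `CommandLine|contains: 'System.Security.Cryptography.'` only matches the fully qualified spelling, while PowerShell also resolves type literals with the leading `System.` omitted (`[Security.Cryptography.AesCryptoServiceProvider]` is accepted), so such a command line satisfies `selection_cmdlet_classes` but not `selection_cmdlet_namespace` and the `all of selection_*` condition drops it; shortening the pattern to `CommandLine|contains: 'Security.Cryptography.'` covers both forms, and the same narrowing applies to `selection_value_namespace` in the registry_set rule of the second file. The class list is limited to the `*CryptoServiceProvider` classes and `Rijndael`; `AesManaged`, `AesCng` and the `Aes` factory class live in the same namespace and are not matched, so they should either be added or the description should state that only the CSP wrappers are in scope. The title ends with a full stop, which as far as I recall the repository's rule tests reject, and `modified:` equal to `date:` on a newly added rule is normally left out until the rule is actually changed.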
+++ b/rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -0,0 +1,46 @@
+title: Registry creation with Crypto-classes From The "Cryptography" PowerShell namespace.
+id: 1c2a3268-3881-414a-80af-a5b313b14c0e
+status: experimental
+description: |
+ The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
+ This analytic detects creation of registry runkeys with said classes that can be used for e.g. decrypting malicious payload for defense evasion.
+references:
+ - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
+ - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
+author: Andreas Braathen (mnemonic.io)
+date: 2023/12/01
+modified: 2023/12/01
+tags:
+ - attack.defense_evasion
+ - attack.t1059.001
+ - attack.t1027.010
+ - attack.t1547.001
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection_key:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Shell\Open\Command'
+ selection_value_img:
+ Details|contains:
+ - 'powershell'
+ - 'pwsh'
+ selection_value_namespace:
+ Details|contains:
+ - 'System.Security.Cryptography.'
+ selection_value_classes:
+ Details|contains:
+ - '.AesCryptoServiceProvider'
+ - '.RSACryptoServiceProvider'
+ - '.TripleDESCryptoServiceProvider'
+ - '.RC2CryptoServiceProvider'
+ - '.DSACryptoServiceProvider'
+ - '.DESCryptoServiceProvider'
+ - '.Rijndael'
+ condition: all of selection_*
+falsepositives:
+ - Classes are legitimately used, but less so when e.g. parent with low prevalence or decryption of content in temporary folders.
+level: medium
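Review bot: The description says the rule detects "creation of registry runkeys", but `selection_key` matches `TargetObject|contains: '\Shell\Open\Command'`, i.e. a `shell\open\command` handler value, not a `CurrentVersion\Run` key, and the `attack.t1547.001` tag (Registry Run Keys / Startup Folder) carries the same mismatch, whereas T1546.001 (Change Default File Association) is what a handler-value change maps to. Either the description and tag should follow the selection, e.g. `This analytic detects a shell\open\command handler being set to a PowerShell command line that uses said classes, which can be used for e.g. decrypting malicious payload for defense evasion.`, or the selection should be widened to the Run keys the text promises. The title's "Registry creation" also does not describe `EventType: SetValue`; "Registry value set with ..." would match the log source. The `falsepositives` entry refers to a parent process and to decryption of content in temporary folders, neither of which a registry_set event exposes, so it appears to have been carried over from the process_creation rule and should describe the registry case instead.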