-
Notifications
You must be signed in to change notification settings - Fork 499
/
defense_evasion_powershell_clear_logs_script.toml
112 lines (97 loc) · 3.45 KB
/
defense_evasion_powershell_clear_logs_script.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
[metadata]
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/28"
[rule]
author = ["Elastic"]
description = """
Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by
attackers in an attempt to evade detection or destroy forensic evidence on a system.
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Log Clear Capabilities"
references = [
"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear",
"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"
]
risk_score = 21
rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Clear-EventLog" or
"Remove-EventLog" or
("Eventing.Reader.EventLogSession" and ".ClearLog") or
("Diagnostics.EventLog" and ".Clear")
) and
not powershell.file.script_block_text : (
"CmdletsToExport=@(\"Add-Content\""
) and
not file.directory : "C:\Program Files\WindowsAdminCenter\PowerShellModules\Microsoft.WindowsAdminCenter.Configuration"
'''
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1"
[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
"case_insensitive" = true
"value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.001"
name = "Clear Windows Event Logs"
reference = "https://attack.mitre.org/techniques/T1070/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"