Merge pull request SigmaHQ#3189 from redsand/fp_encoded_powershell_minor_indicator_due_to_devops

reducing level due to low indicator, per devops processes

Author: Neo23x0

rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml

@@ -0,0 +1,25 @@
+title: Encoded PowerShell Command Line Usage of ConvertTo-SecureString
+id: 74403157-20f5-415d-89a7-c505779585cf
+status: test
+description: Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+references:
+  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+date: 2020/10/11
+modified: 2022/06/30
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith: '\powershell.exe'
+    CommandLine|contains: 'ConvertTo-SecureString'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1027
+  - attack.execution
+  - attack.t1059.001

rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml

@@ -1,22 +1,20 @@
 title: Encoded PowerShell Command Line
 id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
 status: test
+related:
+  - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
+    type: similar
 description: Detects specific combinations of encoding methods in the PowerShell command lines
-author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
 references:
   - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 date: 2020/10/11
-modified: 2021/11/27
+modified: 2022/07/06
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection1:
-    Image|endswith: '\powershell.exe'
-    CommandLine|contains|all:
-      - 'char'
-      - 'join'
-  selection2:
+  selection_to_1:
     Image|endswith: '\powershell.exe'
     CommandLine|contains:
       - 'ToInt'
@@ -25,29 +23,25 @@ detection:
       - 'ToUint'
       - 'ToSingle'
       - 'ToSByte'
-  selection3:
-    Image|endswith: '\powershell.exe'
+  selection_to_2:
     CommandLine|contains:
       - 'ToChar'
       - 'ToString'
       - 'String'
-  selection4:
+  selection_gen_1:
     Image|endswith: '\powershell.exe'
     CommandLine|contains|all:
-      - 'split'
+      - 'char'
       - 'join'
-  selection5:
+  selection_gen_2:
     Image|endswith: '\powershell.exe'
     CommandLine|contains|all:
-      - 'ForEach'
-      - 'Xor'
-  selection6:
-    Image|endswith: '\powershell.exe'
-    CommandLine|contains: 'cOnvErTTO-SECUreStRIng'
-  condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6
+      - 'split'
+      - 'join'
+  condition: all of selection_to_* or 1 of selection_gen_*
 falsepositives:
   - Unlikely
-level: medium
+level: low
 tags:
   - attack.defense_evasion
   - attack.t1027

rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml

@@ -0,0 +1,29 @@
+title: Suspicious Encoded PowerShell Command Line
+id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
+status: test
+related:
+  - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+    type: similar
+description: Detects specific combinations of encoding methods in the PowerShell command lines
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
+references:
+  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+date: 2022/07/06
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith: '\powershell.exe'
+    CommandLine|contains|all:
+      - 'ForEach'
+      - 'Xor'
+  condition: selection
+falsepositives:
+  - Unlikely
+level: medium
+tags:
+  - attack.defense_evasion
+  - attack.t1027
+  - attack.execution
+  - attack.t1059.001