
Security Software Discovery Via Powershell Script

Status
test
Severity
medium
Log source
product windows, category ps_script
Author
frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.

Rule body (yaml)

title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
    Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'get-process | \?'
            - 'get-process | where'
            - 'gps | \?'
            - 'gps | where'
    selection_field:
        ScriptBlockText|contains:
            - 'Company -like'
            - 'Description -like'
            - 'Name -like'
            - 'Path -like'
            - 'Product -like'
    selection_keywords:
        ScriptBlockText|contains:
            # Note: These strings use wildcards, assuming the search is using the "-like" operator.
            #       You can add specific variants with the actual process names to increase coverage.
            - '\*avira\*'
            - '\*carbonblack\*'
            - '\*cylance\*'
            - '\*defender\*'
            - '\*kaspersky\*'
            - '\*malware\*'
            - '\*sentinel\*'
            - '\*symantec\*'
            - '\*virus\*'
    condition: all of selection_*
falsepositives:
    - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
    - As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced
level: medium
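To see how the three selections combine under "all of selection_*", here is an added example (not part of the SigmaHQ rule or its tooling) that applies the rule's logic to constructed Event ID 4104 ScriptBlockText values. It assumes Sigma's default case-insensitive "contains" semantics and treats the rule's escaped `\*` and `\?` as literal characters; the sample script blocks are constructed, not real telemetry.

```python
# Added example: evaluate the rule's selections against constructed
# Script Block Logging events. Sigma "contains" is case-insensitive, and the
# rule's '\*' / '\?' escapes mean literal '*' and '?', so they are unescaped here.

SELECTION_CMDLET = ["get-process | ?", "get-process | where", "gps | ?", "gps | where"]
SELECTION_FIELD = ["Company -like", "Description -like", "Name -like",
                   "Path -like", "Product -like"]
SELECTION_KEYWORDS = ["*avira*", "*carbonblack*", "*cylance*", "*defender*",
                      "*kaspersky*", "*malware*", "*sentinel*", "*symantec*", "*virus*"]


def contains_any(text: str, needles) -> bool:
    """Sigma 'contains' list semantics: any value is a case-insensitive substring."""
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def matched_selections(script_block_text: str) -> dict:
    """Per-selection result; handy when tuning the false positives the rule warns about."""
    return {
        "selection_cmdlet": contains_any(script_block_text, SELECTION_CMDLET),
        "selection_field": contains_any(script_block_text, SELECTION_FIELD),
        "selection_keywords": contains_any(script_block_text, SELECTION_KEYWORDS),
    }


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection_* -- every selection must hit."""
    return all(matched_selections(script_block_text).values())


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = {
    "discovery": 'Get-Process | Where-Object { $_.Description -like "*defender*" }',
    "discovery_alias": 'gps | ? { $_.Company -like "*Symantec*" }',
    "benign_filter": 'Get-Process | Where-Object { $_.Name -like "notepad*" }',
    "benign_string": 'Write-Host "antivirus signatures updated"',
}


def evaluate(events: dict) -> dict:
    """Map each event name to whether the rule fires on it."""
    return {name: matches_rule(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:16} -> {'ALERT' if hit else 'no match'}")
```

The "benign_filter" event shows why the rule needs all three selections: it satisfies selection_cmdlet and selection_field but not selection_keywords, so it does not fire.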

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_cmdlet

selection_cmdlet:
    ScriptBlockText|contains:
        - 'get-process | \?'
        - 'get-process | where'
        - 'gps | \?'
        - 'gps | where'

Stage 2: selection_field

selection_field:
    ScriptBlockText|contains:
        - 'Company -like'
        - 'Description -like'
        - 'Name -like'
        - 'Path -like'
        - 'Product -like'

Stage 3: selection_keywords

selection_keywords:
    ScriptBlockText|contains:
        - '\*avira\*'
        - '\*carbonblack\*'
        - '\*cylance\*'
        - '\*defender\*'
        - '\*kaspersky\*'
        - '\*malware\*'
        - '\*sentinel\*'
        - '\*symantec\*'
        - '\*virus\*'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
ScriptBlockText | match | (listed below)
  • Company -like
  • Description -like
  • Name -like
  • Path -like
  • Product -like
  • \*avira\*
  • \*carbonblack\*
  • \*cylance\*
  • \*defender\*
  • \*kaspersky\*
  • \*malware\*
  • \*sentinel\*
  • \*symantec\*
  • \*virus\*
  • get-process | \?
  • get-process | where
  • gps | \?
  • gps | where