Threat Huntmediumtest

WinAPI Library Calls Via PowerShell Scripts

Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)Created Fri Jul 2119d65a1c-8540-4140-8062-8eb00db0bba5windows

Hunting Hypothesis

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains:
            - 'Advapi32.dll'
            - 'kernel32.dll'
            - 'KernelBase.dll'
            - 'ntdll.dll'
            - 'secur32.dll'
            - 'user32.dll'
    condition: selection

False Positives

Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)

Chocolatey scripts

References

Resolving title…

speakerdeck.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1106 · Native API

Sub-techniques

T1059.001 · PowerShell

Other

detection.threat-hunting

Related Rules

SimilarDetectionhigh

Potential WinAPI Calls Via CommandLine

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

WinAPI Function Calls Via PowerShell Scripts

Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

19d65a1c-8540-4140-8062-8eb00db0bba5

Status

test

Level

medium

Type

Threat Hunt

Created

Fri Jul 21

Author

Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)

Path

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml

Raw Tags

attack.executionattack.t1059.001attack.t1106detection.threat-hunting

View on GitHub