Threat Huntmediumtest

WinAPI Function Calls Via PowerShell Scripts

Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)Created Fri Jul 219f22ccd5-a435-453b-af96-bf99cbb594d4windows

Hunting Hypothesis

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains:
            - 'AddSecurityPackage'
            - 'AdjustTokenPrivileges'
            - 'CloseHandle'
            - 'CreateProcessWithToken'
            - 'CreateRemoteThread'
            - 'CreateThread'
            - 'CreateUserThread'
            - 'DangerousGetHandle'
            - 'DuplicateTokenEx'
            - 'EnumerateSecurityPackages'
            - 'FreeLibrary'
            - 'GetDelegateForFunctionPointer'
            - 'GetLogonSessionData'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'GetProcessHandle'
            - 'GetTokenInformation'
            - 'ImpersonateLoggedOnUser'
            - 'LoadLibrary'
            - 'memcpy'
            - 'MiniDumpWriteDump'
            - 'OpenDesktop'
            - 'OpenProcess'
            - 'OpenProcessToken'
            - 'OpenThreadToken'
            - 'OpenWindowStation'
            - 'QueueUserApc'
            - 'ReadProcessMemory'
            - 'RevertToSelf'
            - 'RtlCreateUserThread'
            - 'SetThreadToken'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'VirtualProtect'
            - 'WaitForSingleObject'
            - 'WriteInt32'
            - 'WriteProcessMemory'
            - 'ZeroFreeGlobalAllocUnicode'
    condition: selection

False Positives

This rule is mainly used for hunting and will generate quite a lot of false positives when applied in production. It's best combined with other fields such as the path of execution, the parent process, etc.

References

Resolving title…

speakerdeck.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1106 · Native API

Sub-techniques

T1059.001 · PowerShell

Other

detection.threat-hunting

Related Rules

SimilarDetectionhigh

Potential WinAPI Calls Via CommandLine

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

Detects similar activity. Both rules may fire on overlapping events.

SimilarThreat Huntmedium

WinAPI Library Calls Via PowerShell Scripts

Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9f22ccd5-a435-453b-af96-bf99cbb594d4

Status

test

Level

medium

Type

Threat Hunt

Created

Fri Jul 21

Author

Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)

Path

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml

Raw Tags

attack.executionattack.t1059.001attack.t1106detection.threat-hunting

View on GitHub