Проблема со скриптом для определения, установлено программное обеспечение в локальных данных приложения

от

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Sigma rule (View on GitHub)

PowerShell Script Run in AppDataDetects a suspicious command line execution that invokes PowerShell with reference to an AppData folderFlorian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community- all of selection*
 $registryPath = "HKU:\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"
    
    
    $outputFile = "\\FileShare\NewFolder\Chrome.txt"
    
    if (Test-Path $registryPath) {
        $InstallLocation = (Get-ItemProperty -Path $registryPath -Name InstallLocation).InstallLocation
        $displayVersion = (Get-ItemProperty -Path $registryPath -Name DisplayVersion).DisplayVersion
        
    
        $output = "$($env:COMPUTERNAME), $InstallLocation, $displayVersion, $(Get-Date -Format ""dd-MM-yyyy HH:mm:ss"")"
        $output | Out-File -Append -FilePath $outputFile
    
        Write-Host "Checking ready."
    } else {
        #Registry key not found
        Write-Error "Can't find the registry"
    }

Thank you in advance.

Newbie to powershell, so be gentle 🙂

I’m creating a firewall rule script that allows an app that is installed into the localappdata folder to be allowed.

New-NetFirewallRule -Program "$env:LOCALAPPDATA\SurpassViewer\Surpass Viewer.exe" -Action Allow -Profile Domain, Private, Public -DisplayName “Surpass Viewer Inbound” -Description “Surpass Viewer Inbound” -Direction Inbound

The error I get:

New-NetFirewallRule : A positional parameter cannot be found that accepts argument 'Viewer'.
At line:1 char:1
+ New-NetFirewallRule -Program ${env:LOCALAPPDATA\SurpassViewer\Surpass ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-NetFirewallRule], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,New-NetFirewallRule

I’ve read through stack overflow, spiceworks. All point to it should work, but it doesn’t.

Any help greatly appreciated!

Description

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder. This rule is adapted from https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml

MITRE ATT&CK® Techniques

Command and Scripting Interpreter: PowerShell

Adversaries may abuse PowerShell commands and scripts for execution. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

Remediation Guidance

No remediation guidance specified

:/>  Как открыть редактор локальной групповой политики Windows 10, 8.1 и Windows 7

Trigger Conditions

Filter

MITRE ATT&CK® Tactics

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Data Source

Windows Sysmon via FortiSIEM Agent

Incident Attribute Mapping

This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.

The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern

command = Filter.command,
hostName = Filter.hostName

Time Window

300 seconds

SubPattern Definitions

SubPattern Name: Filter

This is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.

SubPattern Query

This is the query logic that matches incoming events

eventType="Win-Sysmon-1-Create-Process" AND command REGEXP ".*\\powershell.*|.*\\pwsh.*|.*powershell\.exe.*|.*pwsh\.exe.*" AND command REGEXP ".*/c .*" AND command REGEXP ".*\\AppData\\.*" AND command REGEXP ".*Local\\.*|.*Roaming\\.*"

Group by Attributes

This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID

command,hostName

Aggregate Constraint

This is most typically a numerical constraint that defines when the rule should trigger an incident

COUNT(*) >= 1

Похожее:

«Изменение размера шрифта для устройств Nokia по сравнению с изменением общего масштаба шрифта приложения на Android с использованием Configuration.fontScale»?«Изменение размера шрифта для устройств Nokia по сравнению с изменением общего масштаба шрифта приложения на Android с использованием Configuration.fontScale»? Что такое файл hosts, зачем он нужен и как его исправить?Что такое файл hosts, зачем он нужен и как его исправить? Политики аудита изменений в Active DirectoryПолитики аудита изменений в Active Directory Default ThumbnailИспользование get ad user для получения разной информации о пользователях домена ad

Оставьте комментарий