Home
  •  

Secuity Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use

Security.Monitoring.ForwardedEvents.FindAVSignature (Rule)

Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can be redesigned to avoid detection.

Element properties:

TargetWindowsEventCollectorDiscovery.EventLogCollectorServer
CategoryAlert
EnabledTrue
Event_ID800
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Secuity Monitoring Forwarded Events: PowerSploit FindAV Signature Tool is in Use

Find-AVSignature is used to split a file into smaller chunks to detect which piece is being identified by AV. That part can be redesigned to avoid detection. See https://nathangau.wordpress.com/2017/05/24/security-monitoring-mp-powershell-exploit-toolkit-rules/ for links to the tools and additional details.

Logging Computer: {0}

User Name: {1}

Event Description: {2}
Event LogForwardedEvents

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Security.Monitoring.ForwardedEvents.FindAVSignature" Target="WindowsEventCollectorDiscovery!WindowsEventCollectorDiscovery.EventLogCollectorServer" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>ForwardedEvents</LogName>

      <AllowProxying>true</AllowProxying>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">800</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery Type="String">EventDescription</XPathQuery>

              </ValueExpression>

              <Operator>ContainsSubstring</Operator>

              <Pattern>Find-AVSignature</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Security.Monitoring.ForwardedEvents.FindAVSignature.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/LoggingComputer$</AlertParameter1>

        <AlertParameter2>$Data/UserName$</AlertParameter2>

        <AlertParameter3>$Data/EventDescription$</AlertParameter3>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

      <Custom1/>

      <Custom2/>

      <Custom3/>

      <Custom4/>

      <Custom5/>

      <Custom6/>

      <Custom7/>

      <Custom8/>

      <Custom9/>

      <Custom10>Security Monitoring Forwarded Events</Custom10>

    </WriteAction>

  </WriteActions>

</Rule>