Selective Exclusion

DeviceProcessEvents
| where TimeGenerated > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
| where ProcessCommandLine matches regex @"(?i)(\.(dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com).*){3,}"
    or ProcessCommandLine matches regex @"(?i)(exclu|skip|avoid|ignore|bypass).{0,60}\.(dll|exe|lnk|sys|msi)"
    or ProcessCommandLine matches regex @"(?i)(-notmatch|-notlike|-notcontains|-notin|-ne).{0,80}\.(dll|exe|lnk|sys)"
| extend ExtensionCount = array_length(extract_all(@"(?i)\.(dll|exe|lnk|sys|msi|bat|cmd|ini|url|drv|ocx|pif|com)", ProcessCommandLine))
| where ExtensionCount >= 3
| extend ExclusionIndicatorType = case(
    ProcessCommandLine matches regex @"(?i)(exclu|skip|avoid|ignore|bypass)", "ExplicitExclusionKeyword",
    ProcessCommandLine matches regex @"(?i)(-notmatch|-notlike|-notcontains|-notin)", "PowerShellExclusionOperator",
    ProcessCommandLine matches regex @"(?i)(\.(dll|exe|lnk|sys|msi).*){4,}", "MultipleSystemExtensions",
    "Other"
  )
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExtensionCount, ExclusionIndicatorType
| order by ExtensionCount desc

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe")
| eval cmd_lower=lower(CommandLine)
| eval has_exclusion_keyword=if(match(cmd_lower, "exclu|skip|avoid|ignore|bypass|-notmatch|-notlike|-notcontains"), 1, 0)
| eval dll_refs=mvcount(split(cmd_lower, ".dll")) - 1
| eval exe_refs=mvcount(split(cmd_lower, ".exe")) - 1
| eval sys_refs=mvcount(split(cmd_lower, ".sys")) - 1
| eval lnk_refs=mvcount(split(cmd_lower, ".lnk")) - 1
| eval msi_refs=mvcount(split(cmd_lower, ".msi")) - 1
| eval bat_refs=mvcount(split(cmd_lower, ".bat")) - 1
| eval drv_refs=mvcount(split(cmd_lower, ".drv")) - 1
| eval total_ext_refs=dll_refs + exe_refs + sys_refs + lnk_refs + msi_refs + bat_refs + drv_refs
| where total_ext_refs >= 3 OR has_exclusion_keyword=1
| eval risk_score=case(
    has_exclusion_keyword=1 AND total_ext_refs >= 4, "HIGH",
    has_exclusion_keyword=1 AND total_ext_refs >= 2, "MEDIUM",
    total_ext_refs >= 6, "MEDIUM",
    1=1, "LOW"
  )
| table _time, ComputerName, User, Image, CommandLine, ParentImage, ParentCommandLine, total_ext_refs, has_exclusion_keyword, risk_score
| sort - total_ext_refs

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1679*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

rule detection_t1679 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Selective Exclusion - T1679"
    severity = "HIGH"
    mitre_attack = "T1679"
    reference = "https://attack.mitre.org/techniques/T1679/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)