Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1059 - Generic Malicious Powershell Strings + Lookup #3276

Merged
merged 26 commits into from
Feb 18, 2025
Merged

Nterl0k - T1059 - Generic Malicious Powershell Strings + Lookup #3276

Changes from 1 commit
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
47d4505
Add files via upload
nterl0k Jan 13, 2025
f51363b
Add files via upload
nterl0k Jan 13, 2025
35ec736
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Jan 13, 2025
c16c96c
Update windows_powershell_process_with_malicious_string.yml
nterl0k Jan 13, 2025
a56ed86
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Jan 13, 2025
81e2d0c
Update lookups/malicious_powershell_strings.yml
nterl0k Jan 31, 2025
500d3f0
Update malicious_powershell_strings_20250113.csv
nterl0k Jan 31, 2025
9448d2e
Update malicious_powershell_strings_20250113.csv
nterl0k Jan 31, 2025
c9000cc
Update malicious_powershell_strings_20250113.csv
nterl0k Jan 31, 2025
ea6f900
Update malicious_powershell_strings.yml
nterl0k Jan 31, 2025
423f2f3
Update malicious_powershell_strings.yml
nterl0k Jan 31, 2025
3f442ad
Update and rename malicious_powershell_strings_20250113.csv to malici…
nterl0k Jan 31, 2025
7712f51
Update malicious_powershell_strings.yml
nterl0k Jan 31, 2025
c612c9a
Update windows_powershell_process_with_malicious_string.yml
nterl0k Jan 31, 2025
9d1b5b0
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Jan 31, 2025
1b5b3ac
Update windows_powershell_process_with_malicious_string.yml
nterl0k Jan 31, 2025
a96137f
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Jan 31, 2025
7381c9d
Update windows_powershell_process_with_malicious_string.yml
nterl0k Feb 2, 2025
b0f6697
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Feb 2, 2025
d831e26
Merge branch 'splunk:develop' into nterl0k-t1059-malicious-powershell…
nterl0k Feb 2, 2025
f1c82c2
Merge branch 'develop' into nterl0k-t1059-malicious-powershell-strings
patel-bhavin Feb 5, 2025
5000d5a
Merge branch 'splunk:develop' into nterl0k-t1059-malicious-powershell…
nterl0k Feb 6, 2025
b1ab004
Update windows_powershell_process_with_malicious_string.yml
nterl0k Feb 14, 2025
30eba31
Update windows_powershell_script_block_with_malicious_string.yml
nterl0k Feb 14, 2025
0c0167e
Merge branch 'splunk:develop' into nterl0k-t1059-malicious-powershell…
nterl0k Feb 14, 2025
f0d6c48
Merge branch 'develop' into nterl0k-t1059-malicious-powershell-strings
patel-bhavin Feb 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add files via upload
  • Loading branch information
@nterl0k
nterl0k authored Jan 13, 2025
commit 47d4505e509164fb885bd4513564440e45ff8aa4
76 changes: 76 additions & 0 deletions detections/endpoint/windows_powershell_process_with_malicious_string.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
name: Windows PowerShell Process With Malicious String
id: 5df35d50-e1a3-4a52-a337-92e69d9b1b8a
version: 1
date: '2024-12-19'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects the execution of multiple offensive toolkits and commands through the process execution datamodel. This method captures commands given directly to powershell.exe, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
data_source:
- Windows Security Event ID 4688
- Sysmon Event ID 1
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count values(Processes.original_file_name) as original_file_name values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user Processes.dest Processes.process_name Processes.parent_process_name Processes.process
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup malicious_powershell_strings command as process
| where isnotnull(toolkit)
| `windows_powershell_process_with_malicious_string_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Unknown, possible usage by internal red team or powershell commands with overlap.
references:
- https://attack.mitre.org/techniques/T1059/001/
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/PowerShellEmpire/
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
drilldown_searches:
- name: View the detection results for - "$dest$" and "$user$"
search: '%original_detection_search% | search dest = "$dest$" AND user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: Investigate PowerShell on $dest$
search: '| from datamodel:Endpoint.Processes | search dest=$dest|s$ process_name=$process_name$ "*$match$*"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- Malicious PowerShell
asset_type: Endpoint
confidence: 90
impact: 80
message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
mitre_attack_id:
- T1059
- T1059.001
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- Processes.user
- Processes.dest
- Processes.process_name
- Processes.process
- Processes.parent_process_name
risk_score: 72
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
74 changes: 74 additions & 0 deletions detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: Windows PowerShell Script Block With Malicious String
id: 0f09cedd-10f1-4b9f-bdea-7a8b06ea575d
version: 1
date: '2024-12-19'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` ScriptBlockText EventCode=4104
| stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(User) as user by ActivityID, Computer, EventCode
| eval command = mvjoin(command,"\n"), dest = Computer, signature = EventCode, signature_id = ActivityID
| lookup malicious_powershell_strings command
| where isnotnull(toolkit)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_block_with_malicious_string_filter`'
how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Unknown, possible usage by internal red team or powershell commands with overlap.
references:
- https://attack.mitre.org/techniques/T1059/001/
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/PowerShellEmpire/
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: Investigate PowerShell on $dest$
search: '`powershell` ScriptBlockText EventCode=4104 Computer=$dest|s$ "*$match$*"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- Malicious PowerShell
asset_type: Endpoint
confidence: 90
impact: 80
message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
mitre_attack_id:
- T1059
- T1059.001
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- ActivityID
- Computer
- EventCode
- ScriptBlockText
risk_score: 72
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog