PowerShell Invoke CIMMethod CIMSession

Try in Splunk Security Cloud

Description

The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-05-31
• Author: Michael Haag, Splunk
• ID: 651ee958-a433-471c-b264-39725b788b83

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1047	Windows Management Instrumentation	Execution

Kill Chain Phase

• Installation

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_invoke_cimmethod_cimsession_filter`

Macros

The SPL above uses the following Macros:

• powershell
• security_content_ctime

powershell_invoke_cimmethod_cimsession_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• EventCode
• ScriptBlockText
• Computer

How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

False positives may be present based on third-party applications or administrators using CIM. It is recommended to apply appropriate filters as needed to minimize the number of false positives.

Associated Analytic Story

• Malicious PowerShell
• Active Directory Lateral Movement

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $Computer$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://learn.microsoft.com/en-us/powershell/module/cimcmdlets/invoke-cimmethod?view=powershell-7.3

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2