Description

Stolen credentials are put to use through techniques such as user impersonation, credential injection, spoofing of authentication processes, or taking control of critical accounts. This detection flags such activity when it is carried out through the PowerSploit exploit-kit APIs.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel: Endpoint_Processes
  • Last Updated: 2020-11-03
  • Author: Stanislav Miskovic, Splunk
  • ID: 270b482d-2af2-448f-9923-9cf005f61be4

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1055 | Process Injection | Defense Evasion, Privilege Escalation |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
| T1098 | Account Manipulation | Persistence |
| T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
| T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion |
| T1554 | Compromise Client Software Binary | Persistence |
| T1555 | Credentials from Password Stores | Credential Access |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |

```spl
| from read_ssa_enriched_events()
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null)
| where cmd_line != null AND ( match_regex(cmd_line, /(?i)Invoke-CredentialInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-TokenManipulation/)=true OR match_regex(cmd_line, /(?i)Invoke-UserImpersonation/)=true OR match_regex(cmd_line, /(?i)Get-System/)=true OR match_regex(cmd_line, /(?i)Invoke-RevertToSelf/)=true )
| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line])
| into write_ssa_detected_events();
```
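To make the matching semantics of the search above concrete, here is an added Python equivalent (example code, not part of the Splunk content or the SSA runtime) run over constructed 4688-style events: it applies the same five case-insensitive, unanchored regexes to the `process` field, drops null command lines, and builds the same `entities`/`body` record. The event field names follow the required-field list; everything else is assumed.

```python
import re
from typing import Iterable, Optional

# The five PowerSploit function names the SPL regexes look for, matched
# case-insensitively as an unanchored substring, like match_regex(/(?i).../).
POWERSPLOIT_CRED_APIS = (
    "Invoke-CredentialInjection",
    "Invoke-TokenManipulation",
    "Invoke-UserImpersonation",
    "Get-System",
    "Invoke-RevertToSelf",
)
_PATTERN = re.compile("|".join(re.escape(n) for n in POWERSPLOIT_CRED_APIS), re.IGNORECASE)


def detect(event: dict) -> Optional[dict]:
    """Apply the detection to one enriched event; return the detected-event record or None."""
    cmd_line = event.get("process")            # 'where cmd_line != null'
    if cmd_line is None or not _PATTERN.search(cmd_line):
        return None
    timestamp = int(event["_time"])            # parse_long(_time)
    return {
        "start_time": timestamp,
        "end_time": timestamp,
        "entities": [event.get("dest_user_id"), event.get("dest_device_id")],
        "body": {"event_id": str(event.get("event_id")), "cmd_line": cmd_line},
    }


def run(events: Iterable[dict]) -> list:
    """Pipe every event through the search and keep only the hits."""
    return [hit for hit in map(detect, events) if hit is not None]


# Constructed sample events in the shape the required fields imply (not real telemetry).
SAMPLE_EVENTS = [
    # 1: mixed case still fires because of (?i)
    {"_time": 1604400000, "event_id": 4688, "dest_user_id": "CORP\\alice",
     "dest_device_id": "WS01", "process": 'powershell.exe -Command "invoke-tokenmanipulation"'},
    # 2: ordinary admin activity, no match
    {"_time": 1604400001, "event_id": 4688, "dest_user_id": "CORP\\bob",
     "dest_device_id": "WS02", "process": 'powershell.exe -Command "Get-ChildItem C:\\Users"'},
    # 3: command-line logging disabled -> process is null, dropped by the where clause
    {"_time": 1604400002, "event_id": 4688, "dest_user_id": "CORP\\carol",
     "dest_device_id": "WS03", "process": None},
    # 4: caveat for triage: Get-System is an unanchored substring, so a hypothetical
    #    script named Get-SystemReport.ps1 also fires
    {"_time": 1604400003, "event_id": 4688, "dest_user_id": "CORP\\dave",
     "dest_device_id": "WS04", "process": "powershell.exe -File Get-SystemReport.ps1"},
]
```

Sample 4 is the one to remember when tuning: the `Get-System` pattern will match any command line containing that string, so enabling command-line logging without some allow-listing of known scripts may produce noise the page does not list under known false positives.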

How To Implement

You must be ingesting Windows Security logs from the devices of interest, including event ID 4688 with command-line logging enabled (without the command line in the event, the `process` field is null and the search drops the event).

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.

RBA

| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 90.0 | 90 | 100 | PowerSploit malware is violating authentication by injecting stolen credentials, manipulating authentication tokens or impersonating system or user accounts. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$ |

Test Dataset

Replay any dataset into Splunk Enterprise using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1