Detection: Possible Lateral Movement PowerShell Spawn

Updated Date: 2024-10-17 ID: cb909b3e-512b-11ec-aa31-3e22fbd008af Author: Mauricio Velazco, Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprsve.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
3| `drop_dm_object_name(Processes)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `possible_lateral_movement_powershell_spawn_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
possible_lateral_movement_powershell_spawn_filter	`search *`

possible_lateral_movement_powershell_spawn_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1021	Remote Services	Lateral Movement
T1021.003	Distributed Component Object Model	Lateral Movement
T1021.006	Windows Remote Management	Lateral Movement
T1047	Windows Management Instrumentation	Execution
T1053.005	Scheduled Task	Execution
T1543.003	Windows Service	Persistence
T1059.001	PowerShell	Privilege Escalation
T1218.014	MMC	Persistence

KillChainPhase.EXPLOITAITON

KillChainPhase.INSTALLATION

NistCategory.DE_CM

Cis18Value.CIS_10

Aquatic Panda

Ember Bear

Wizard Spider

Chimera

FIN13

Threat Group-3390

Wizard Spider

APT29

APT32

APT41

Aquatic Panda

Blue Mockingbird

Chimera

Cinnamon Tempest

Deep Panda

Earth Lusca

Ember Bear

FIN13

FIN6

FIN7

FIN8

GALLIUM

Gamaredon Group

INC Ransom

Indrik Spider

Lazarus Group

Leviathan

Magic Hound

MuddyWater

Mustang Panda

Naikon

OilRig

Sandworm Team

Stealth Falcon

TA2541

Threat Group-3390

ToddyCat

Volt Typhoon

Windshift

Wizard Spider

menuPass

APT-C-36

APT29

APT3

APT32

APT33

APT37

APT38

APT39

APT41

BITTER

BRONZE BUTLER

Blue Mockingbird

Chimera

Cobalt Group

Confucius

Daggerfly

Dragonfly

Ember Bear

FIN10

FIN13

FIN6

FIN7

FIN8

Fox Kitten

GALLIUM

Gamaredon Group

HEXANE

Higaisa

Kimsuky

Lazarus Group

LuminousMoth

Machete

Magic Hound

Molerats

Moonstone Sleet

MuddyWater

Mustang Panda

Naikon

OilRig

Patchwork

Rancor

RedCurl

Sandworm Team

Silence

Stealth Falcon

TA2541

ToddyCat

Winter Vivern

Wizard Spider

menuPass

APT19

APT3

APT32

APT38

APT41

Agrius

Aquatic Panda

Blue Mockingbird

Carbanak

Cinnamon Tempest

Cobalt Group

DarkVishnya

Earth Lusca

FIN7

Ke3chang

Kimsuky

Lazarus Group

PROMETHIUM

TeamTNT

Threat Group-3390

Tropic Trooper

Wizard Spider

APT19

APT28

APT29

APT3

APT32

APT33

APT38

APT39

APT41

APT5

Aquatic Panda

BRONZE BUTLER

Blue Mockingbird

CURIUM

Chimera

Cinnamon Tempest

Cobalt Group

Confucius

CopyKittens

Daggerfly

DarkHydrus

DarkVishnya

Deep Panda

Dragonfly

Earth Lusca

Ember Bear

FIN10

FIN13

FIN6

FIN7

FIN8

Fox Kitten

GALLIUM

GOLD SOUTHFIELD

Gallmaker

Gamaredon Group

Gorgon Group

HAFNIUM

HEXANE

Inception

Indrik Spider

Kimsuky

Lazarus Group

LazyScripter

Leviathan

Magic Hound

Molerats

MoustachedBouncer

MuddyWater

Mustang Panda

Nomadic Octopus

OilRig

Patchwork

Play

Poseidon Group

RedCurl

Saint Bear

Sandworm Team

Sidewinder

Silence

Stealth Falcon

TA2541

TA459

TA505

TeamTNT

Threat Group-3390

Thrip

ToddyCat

Tonto Team

Turla

Volt Typhoon

WIRTE

Winter Vivern

Wizard Spider

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
A PowerShell process was spawned as a child process of typically abused processes on $dest$	45	90	50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 7