Try in Splunk Security Cloud

Description

Attackers are finding stealthy ways “live off the land,” leveraging utilities and tools that come standard on the endpoint–such as PowerShell–to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2017-08-23
  • Author: David Dorsey, Splunk
  • ID: 2c8ff66e-0b57-42af-8ad7-912438a403fc

Narrative

The searches in this Analytic Story monitor for parameters often used for malicious purposes. It is helpful to understand how often the notable events generated by this story occur, as well as the commonalities between some of these events. These factors may provide clues about whether this is a common occurrence of minimal concern or a rare event that may require more extensive investigation. Likewise, it is important to determine whether the issue is restricted to a single user/system or is broader in scope.
The following factors may assist you in determining whether the event is malicious: \

  1. Country of origin \
  2. Responsible party \
  3. Fully qualified domain names associated with the external IP address \
  4. Registration of fully qualified domain names associated with external IP address
    Determining whether it is a dynamic domain frequently visited by others and/or how third parties categorize it can also help you answer some questions surrounding the attacker and details related to the external system. In addition, there are various sources–such as VirusTotal— that can provide some reputation information on the IP address or domain name, which can assist in determining whether the event is malicious. Finally, determining whether there are other events associated with the IP address may help connect data points or show other events that should be brought into scope.
    Gathering data on the system of interest can sometimes help you quickly determine whether something suspicious is happening. Some of these items include finding out who else may have recently logged into the system, whether any unusual scheduled tasks exist, whether the system is communicating on suspicious ports, whether there are modifications to sensitive registry keys, and whether there are any known vulnerabilities on the system. This information can often highlight other activity commonly seen in attack scenarios or give more information about how the system may have been targeted.
    Often, a simple inspection of the process name and path can tell you if the system has been compromised. For example, if svchost.exe is found running from a location other than C:\Windows\System32, it is likely something malicious designed to hide in plain sight when cursorily reviewing process names. Similarly, if the process itself seems legitimate, but the parent process is running from the temporary browser cache, that could be indicative of activity initiated via a compromised website a user visited.
    It can also be very helpful to examine various behaviors of the process of interest or the parent of the process of interest. For example, if it turns out the process of interest is malicious, it would be good to see if the parent to that process spawned other processes that might be worth further scrutiny. If a process is suspect, a review of the network connections made in and around the time of the event and/or whether the process spawned any child processes could be helpful, as well.
    In the event a system is suspected of having been compromised via a malicious website, we suggest reviewing the browsing activity from that system around the time of the event. If categories are given for the URLs visited, that can help you zero in on possible malicious sites.
    Most recently we have added new content related to PowerShell Script Block logging, Windows EventCode 4104. Script block logging presents the deobfuscated and raw script executed on an endpoint. The analytics produced were tested against commonly used attack frameworks - PowerShell-Empire, Cobalt Strike and Covenant. In addition, we sampled publicly available samples that utilize PowerShell and validated coverage. The analytics are here to identify suspicious usage, cmdlets, or script values. 4104 events are enabled via the Windows registry and may generate a large volume of data if enabled globally. Enabling on critical systems or a limited set may be best. During triage of 4104 events, review parallel processes for other processes and command executed. Identify any file modifications and network communication and review accordingly. Fortunately, we get the full script to determine the level of threat identified.

Detections

Name Technique Type
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell TTP
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell TTP
Credential Extraction indicative of use of DSInternals credential conversion modules OS Credential Dumping TTP
Credential Extraction indicative of use of DSInternals modules OS Credential Dumping TTP
Credential Extraction indicative of use of PowerSploit modules OS Credential Dumping TTP
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals OS Credential Dumping TTP
Detect Empire with PowerShell Script Block Logging Command and Scripting Interpreter, PowerShell TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping TTP
Illegal Access To User Content via PowerSploit modules Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking TTP
Illegal Privilege Elevation and Persistence via PowerSploit modules Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism TTP
Illegal Service and Process Control via PowerSploit modules Process Injection, Native API, System Services TTP
Malicious PowerShell Process - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
PowerShell Loading DotNET into Memory via System Reflection Assembly Command and Scripting Interpreter, PowerShell TTP
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Using memory As Backing Store Deobfuscate/Decode Files or Information TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Unloading AMSI via Reflection Impair Defenses TTP
WMI Recon Running Process Or Services Gather Victim Host Information TTP

Reference

source | version: 5