Try in Splunk Security Cloud

Description

This detection identifies access to PowerSploit modules that enable illegal control of services and processes, such as installing or spoofing of malicious services, injecting malicious code in DLLs and EXEs, invoking shell code and WMI commands, modifying access to service objects, etc.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2020-11-09
  • Author: Stanislav Miskovic, Splunk
  • ID: 0e910e5b-309d-4bc3-8af2-0030c02aa353

ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1106 Native API Execution
T1569 System Services Execution

| from read_ssa_enriched_events()

| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line != null AND ( match_regex(cmd_line, /(?i)Install-SSP/)=true OR match_regex(cmd_line, /(?i)Set-CriticalProcess/)=true OR match_regex(cmd_line, /(?i)Install-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Restore-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Write-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Set-ServiceBinaryPath/)=true OR match_regex(cmd_line, /(?i)Invoke-ReflectivePEInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-DllInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-ServiceAbuse/)=true OR match_regex(cmd_line, /(?i)Invoke-Shellcode/)=true OR match_regex(cmd_line, /(?i)Invoke-WScriptUACBypass/)=true OR match_regex(cmd_line, /(?i)Invoke-WmiCommand/)=true OR match_regex(cmd_line, /(?i)Write-HijackDll/)=true OR match_regex(cmd_line, /(?i)Add-ServiceDacl/)=true )


| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id,  "cmd_line", cmd_line]) 
| into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.

RBA

Risk Score Impact Confidence Message
90.0 90 100 PowerSploit malware is controlling computer's processess and services. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1