malicious_powershell.yml
name: Malicious PowerShell
id: 2c8ff66e-0b57-42af-8ad7-912438a403fc
version: 5
date: '2017-08-23'
author: David Dorsey, Splunk
status: production
description: Attackers are finding stealthy ways to "live off the land," leveraging utilities
  and tools that come standard on the endpoint--such as PowerShell--to achieve their
  goals without downloading binary files. These searches can help you detect and investigate
  PowerShell command-line options that may be indicative of malicious intent.
narrative: 'The searches in this Analytic Story monitor for parameters often used
  for malicious purposes. It is helpful to understand how often the notable events
  generated by this story occur, as well as the commonalities between some of these
  events. These factors may provide clues about whether this is a common occurrence
  of minimal concern or a rare event that may require more extensive investigation.
  Likewise, it is important to determine whether the issue is restricted to a single
  user/system or is broader in scope.
  The following factors may assist you in determining whether the event is malicious:
  1. Country of origin
  2. Responsible party
  3. Fully qualified domain names associated with the external IP address
  4. Registration of fully qualified domain names associated with the external IP address
  Determining whether the domain is a dynamic domain frequently visited by others and/or how
  third parties categorize it can also help you answer some questions surrounding
  the attacker and details related to the external system. In addition, there are
  various sources--such as VirusTotal--that can provide some reputation information
  on the IP address or domain name, which can assist in determining whether the event
  is malicious. Finally, determining whether there are other events associated with
  the IP address may help connect data points or show other events that should be
  brought into scope.
  Gathering data on the system of interest can sometimes help you quickly determine
  whether something suspicious is happening. Some of these items include finding out
  who else may have recently logged into the system, whether any unusual scheduled
  tasks exist, whether the system is communicating on suspicious ports, whether there
  are modifications to sensitive registry keys, and whether there are any known vulnerabilities
  on the system. This information can often highlight other activity commonly seen
  in attack scenarios or give more information about how the system may have been
  targeted.
  Often, a simple inspection of the process name and path can tell you if the system
  has been compromised. For example, if `svchost.exe` is found running from a location
  other than `C:\Windows\System32` (or `C:\Windows\SysWOW64` for the 32-bit copy), it is
  likely something malicious designed to hide in plain sight when cursorily reviewing
  process names. Similarly, if the process itself seems legitimate, but the parent process
  is running from the temporary browser cache, that could be indicative of activity
  initiated via a compromised website a user visited.
  It can also be very helpful to examine various behaviors of the process of interest
  or the parent of the process of interest. For example, if it turns out the process
  of interest is malicious, it would be good to see if the parent to that process
  spawned other processes that might be worth further scrutiny. If a process is suspect,
  a review of the network connections made in and around the time of the event and/or
  whether the process spawned any child processes could be helpful, as well.
  In the event a system is suspected of having been compromised via a malicious website,
  we suggest reviewing the browsing activity from that system around the time of the
  event. If categories are given for the URLs visited, that can help you zero in on
  possible malicious sites.
  Most recently, we have added new content related to PowerShell Script Block logging,
  Windows EventCode 4104 in the Microsoft-Windows-PowerShell/Operational log. Script
  block logging records the deobfuscated script as PowerShell actually executed it on
  the endpoint, so encoded or obfuscated command lines are visible in the clear. The
  analytics produced were tested against commonly used attack frameworks - PowerShell-Empire,
  Cobalt Strike and Covenant. In addition, we sampled publicly available samples that
  utilize PowerShell and validated coverage. The analytics are here to identify suspicious
  usage, cmdlets, or script values.
  4104 events are enabled via Group Policy or the registry value EnableScriptBlockLogging
  under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, and may
  generate a large volume of data if enabled globally. Enabling on critical systems or a
  limited set may be best. During triage of 4104 events, review parallel processes for
  other processes and the commands executed. Identify any file modifications and network
  communication and review accordingly. Fortunately, we get the full script to determine
  the level of threat identified.'
references:
- https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
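The endpoint-side triage the narrative describes (enabling EventCode 4104 on a limited set of systems, reviewing the reassembled script block text for suspicious cmdlets, then checking the parallel process, the image path of it and its parent, and any siblings the parent spawned), as an added PowerShell example. It is not part of the Splunk Analytic Story or its searches. It assumes an elevated Windows PowerShell 5.1 or later session on the host being investigated; the keyword list, the one-hour lookback and the temp/browser-cache path patterns are illustrative assumptions to be tuned per environment.

```powershell
# Added triage example for this Analytic Story; not part of the Splunk content itself.
# Run in an elevated Windows PowerShell 5.1+ session on the endpoint under review.
# Assumptions (not from the page): the keyword list, the one-hour lookback and the
# temp/browser-cache path patterns are illustrative and should be tuned locally.

# 1. Enable script block logging (EventCode 4104) through the policy registry key.
#    Enabling it fleet-wide is noisy; prefer a GPO scoped to critical systems.
#    Invocation logging (4105/4106) is far noisier again, so it stays off here.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty -Path $sbl -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

# 2. Collect recent 4104 events and reassemble script blocks that PowerShell split
#    across several events (fragments share a ScriptBlockId; MessageNumber/MessageTotal
#    give their order and count).
$filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
             Id        = 4104
             StartTime = (Get-Date).AddHours(-1) }
$blocks = @{}
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $id = $d['ScriptBlockId']
    if (-not $blocks.ContainsKey($id)) {
        $blocks[$id] = [pscustomobject]@{
            Time  = $e.TimeCreated
            Pid   = [int]$x.Event.System.Execution.ProcessID
            Path  = $d['Path']            # empty for interactive or -Command input
            Level = $e.LevelDisplayName   # 'Warning' = PowerShell's own suspicious-block tag
            Total = [int]$d['MessageTotal']
            Parts = @{}
        }
    }
    $blocks[$id].Parts[[int]$d['MessageNumber']] = $d['ScriptBlockText']
}

# 3. Tokens commonly seen in PowerShell-Empire, Cobalt Strike and Covenant stagers
#    (illustrative list). [regex]::Matches is case-sensitive unless told otherwise.
$suspicious = 'Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|DownloadFile|' +
              'Net\.WebClient|Reflection\.Assembly|VirtualAlloc|Invoke-Mimikatz|' +
              'Add-Type|GzipStream|-bxor|Start-BitsTransfer'

function Get-PathFlag {
    # Image-path checks from the triage notes: svchost.exe outside System32/SysWOW64,
    # or any image under a temp or browser-cache directory, deserves a closer look.
    param([string]$Path)
    if (-not $Path) { return $null }
    $system = "$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe"
    if ($Path -match '\\svchost\.exe$' -and $Path -notin $system) { return 'svchost.exe outside System32' }
    if ($Path -match '\\(Temp|INetCache|Temporary Internet Files)\\') { return 'image in temp/browser cache' }
    return $null
}

# 4. Snapshot live processes once, so each finding can be tied to its host process,
#    the parent, and any siblings the parent spawned (the "parallel processes").
$procs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$findings = foreach ($b in $blocks.Values) {
    # Join fragments in MessageNumber order; a partial capture is still worth reviewing.
    $text = ($b.Parts.GetEnumerator() | Sort-Object Key | ForEach-Object { $_.Value }) -join ''
    $hits = [regex]::Matches($text, $suspicious, 'IgnoreCase') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
    if (-not $hits -and $b.Level -ne 'Warning') { continue }

    $proc = $procs[$b.Pid]; $parent = $null; $siblings = @()
    if ($proc) {
        $parent   = $procs[[int]$proc.ParentProcessId]
        $siblings = $procs.Values | Where-Object {
            $_.ParentProcessId -eq $proc.ParentProcessId -and $_.ProcessId -ne $proc.ProcessId }
    }
    $procPath   = if ($proc)   { $proc.ExecutablePath }   else { '<exited>' }
    $parentPath = if ($parent) { $parent.ExecutablePath } else { $null }

    [pscustomobject]@{
        Time        = $b.Time
        Pid         = $b.Pid
        Keywords    = ($hits -join ',')
        Complete    = ($b.Parts.Count -eq $b.Total)   # false = fragments missing or not yet logged
        ScriptPath  = $b.Path
        Process     = $procPath
        ProcessFlag = Get-PathFlag $procPath
        Parent      = $parentPath
        ParentFlag  = Get-PathFlag $parentPath
        Siblings    = (($siblings | ForEach-Object { $_.Name }) -join ',')
        Preview     = $text.Substring(0, [Math]::Min(200, $text.Length))
    }
}
$findings | Sort-Object Time | Format-List
```

Step 1 writes machine policy and should normally be done through Group Policy rather than ad hoc on each host; it is shown inline only so the example is complete. Blocks that PowerShell itself rated as Warning are kept even with no keyword hit, since that rating is applied to known-suspicious patterns regardless of whether script block logging is switched on. A finding whose process shows as `<exited>` still carries the script text and path; correlate it with the 4688 process-creation events from the same window to recover the parent.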