-
Notifications
You must be signed in to change notification settings - Fork 333
/
malicious_powershell_process___encoded_command.yml
58 lines (58 loc) · 2.13 KB
/
malicious_powershell_process___encoded_command.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
name: Malicious PowerShell Process - Encoded Command
id: c4db14d9-7909-48b4-a054-aa14d89dbb19
version: 4
date: '2020-07-21'
author: David Dorsey, Splunk
type: batch
datamodel:
- Endpoint
description: This search looks for PowerShell processes that have encoded the script
within the command-line. Malware has been seen using this parameter, as it obfuscates
the code and makes it relatively easy to pass a script on the command-line.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = powershell.exe
(Processes.process=*-EncodedCommand* OR Processes.process=*-enc*) by Processes.user
Processes.process_name Processes.process Processes.parent_process_name Processes.dest
Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|
`security_content_ctime(lastTime)` | `malicious_powershell_process___encoded_command_filter`'
how_to_implement: You must be ingesting data that records process activity from your
hosts to populate the Endpoint data model in the Processes node. You must also be
ingesting logs with both the process name and command line from your endpoints.
The command-line arguments are mapped to the "process" field in the Endpoint data
model.
known_false_positives: System administrators may use this option, but it's not common.
references: []
tags:
analytic_story:
- Malicious PowerShell
- NOBELIUM Group
asset_type: Endpoint
automated_detection_testing: passed
cis20:
- CIS 3
- CIS 7
- CIS 8
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log
kill_chain_phases:
- Command and Control
- Actions on Objectives
mitre_attack_id:
- T1027
nist:
- PR.PT
- DE.CM
- PR.IP
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.process_name
- Processes.process
- Processes.user
- Processes.parent_process_name
- Processes.dest
- Processes.process_id
security_domain: endpoint