detect_mimikatz_with_powershell_script_block_logging.yml
name: Detect Mimikatz With PowerShell Script Block Logging
id: 8148c29c-c952-11eb-9255-acde48001122
version: 2
date: '2023-12-27'
author: Michael Haag, Splunk
status: production
type: TTP
description: 'The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
  to identify suspicious PowerShell execution. Script Block Logging captures the command
  sent to PowerShell, i.e. the full command to be executed. Once enabled, the logs are
  written to the Windows event log. Depending on volume, enable it on critical endpoints or on all.
  This analytic identifies common Mimikatz functions that may appear in the
  script block, including `mimikatz`. This will catch the most basic use cases for
  Pass the Ticket, Pass the Hash and `-DumpCreds`.
  During triage, review parallel processes using an EDR product or 4688 events. It
  will be important to understand the timeline of events around this activity. Review
  the entire logged PowerShell script block.'
data_source:
- Powershell 4104
search: '`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*,
  *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time)
  as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`'
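To make the matching and grouping behaviour of the search above checkable offline, here is an added Python replay of it. This is example code written for this page, not part of the Splunk security_content project: it applies the same five `ScriptBlockText` wildcard patterns (case-insensitive, as Splunk's `IN()` with wildcards behaves) to XmlWinEventLog-shaped 4104 events and then reproduces the `stats count min(_time) max(_time) by Opcode Computer UserID EventCode ScriptBlockText` aggregation. The events, hostname, SID and timestamps are constructed samples; the 4103 event is included only to show that the analytic ignores anything other than EventCode 4104.

```python
"""Added example (not Splunk's code): replay the 4104 script-block search in Python.

Case-insensitive wildcard match on ScriptBlockText for the search's five patterns,
then a stats-style grouping by Opcode, Computer, UserID, EventCode, ScriptBlockText
with count, firstTime and lastTime. Sample events below are constructed, not real logs.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

# The same patterns as the `ScriptBlockText IN (...)` clause of the search.
PATTERNS = ["*mimikatz*", "*-dumpcr*", "*sekurlsa::pth*", "*kerberos::ptt*", "*kerberos::golden*"]


def wildcard_to_regex(pattern):
    """Turn a Splunk-style `*` wildcard into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [wildcard_to_regex(p) for p in PATTERNS]
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def matches(script_block_text):
    """True when any search pattern matches the script block (Splunk IN() semantics)."""
    return any(rx.match(script_block_text) for rx in COMPILED)


def parse_event(xml_text):
    """Pull the fields the search uses out of one Microsoft-Windows-PowerShell XML event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {
        "_time": datetime.fromisoformat(stamp),
        "EventCode": int(system.find("e:EventID", NS).text),
        "Opcode": system.find("e:Opcode", NS).text,
        "Computer": system.find("e:Computer", NS).text,
        "UserID": system.find("e:Security", NS).get("UserID"),
        "ScriptBlockText": data.get("ScriptBlockText", ""),
    }


def detect(events):
    """Filter to EventCode 4104 with a pattern hit, then `stats count min max by ...`."""
    groups = {}
    for ev in events:
        if ev["EventCode"] != 4104 or not matches(ev["ScriptBlockText"]):
            continue
        key = (ev["Opcode"], ev["Computer"], ev["UserID"], ev["EventCode"], ev["ScriptBlockText"])
        row = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    fields = ("Opcode", "Computer", "UserID", "EventCode", "ScriptBlockText")
    return [dict(zip(fields, key), **row) for key, row in groups.items()]


def sample_event(stamp, computer, user_id, text, event_id=4104):
    """Build a constructed event in XmlWinEventLog shape; all values are placeholders."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>{event_id}</EventID>'
        f'<Opcode>15</Opcode><TimeCreated SystemTime="{stamp}"/><Computer>{computer}</Computer>'
        f'<Security UserID="{user_id}"/></System>'
        f'<EventData><Data Name="ScriptBlockText">{escape(text)}</Data></EventData></Event>'
    )


# Constructed sample: two matching 4104 events, one benign 4104 event, and one 4103
# event that the search ignores because it only looks at EventCode 4104.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID, not a real account
SAMPLE_EVENTS = [
    sample_event("2023-12-27T10:00:00Z", "WS01.example.local", SID, "Invoke-Mimikatz -DumpCreds"),
    sample_event("2023-12-27T10:05:00Z", "WS01.example.local", SID, "Invoke-Mimikatz -DumpCreds"),
    sample_event("2023-12-27T10:06:00Z", "WS01.example.local", SID, "Get-Process | Where-Object CPU -gt 100"),
    sample_event("2023-12-27T10:07:00Z", "WS01.example.local", SID, "Invoke-Mimikatz -DumpCreds", event_id=4103),
]


def run_sample():
    """Parse the constructed events and return the detection rows (here: one row, count 2)."""
    return detect(parse_event(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(row["Computer"], row["UserID"], row["count"], row["firstTime"], row["lastTime"])
        print("   ", row["ScriptBlockText"])
```

The `stats ... by ScriptBlockText` grouping means a script block that is logged more than once (for example the same command run twice, as in the sample) collapses to a single row with `count`, `firstTime` and `lastTime`, which is what makes the timeline review mentioned in the description practical; note also that large scripts are split by Windows across several 4104 events, so a pattern can land in a fragment that does not show the whole command.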
how_to_implement: To successfully implement this analytic, you will need to enable
  PowerShell Script Block Logging on some or all endpoints. Additional setup here
  https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: False positives should be limited as the commands being identified
  are quite specific to EventCode 4104 and Mimikatz. Filter as needed.
references:
- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
tags:
  analytic_story:
  - Malicious PowerShell
  - Hermetic Wiper
  - Sandworm Tools
  - CISA AA22-264A
  - CISA AA22-320A
  - CISA AA23-347A
  - Data Destruction
  asset_type: Endpoint
  confidence: 100
  impact: 90
  message: The following behavior was identified and typically related to MimiKatz
    being loaded within the context of PowerShell on $Computer$ by $UserID$.
  mitre_attack_id:
  - T1003
  - T1059.001
  observable:
  - name: UserID
    type: User
    role:
    - Victim
  - name: Computer
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - ScriptBlockText
  - Opcode
  - Computer
  - UserID
  - EventCode
  risk_score: 90
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: xmlwineventlog