-
Notifications
You must be signed in to change notification settings - Fork 333
/
get_wmiobject_group_discovery_with_script_block_logging.yml
69 lines (69 loc) · 3.1 KB
/
get_wmiobject_group_discovery_with_script_block_logging.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: Get WMIObject Group Discovery with Script Block Logging
id: 69df7f7c-155d-11ec-a055-acde48001122
version: 3
date: '2024-05-23'
author: Michael Haag, Splunk
status: production
type: Hunting
description: 'The following analytic detects the execution of the `Get-WMIObject Win32_Group`
command using PowerShell Script Block Logging (EventCode=4104). This method captures
the full command sent to PowerShell, allowing for detailed analysis. Identifying
group information on an endpoint is not inherently malicious but can be suspicious
based on context such as time, endpoint, and user. This activity is significant
as it may indicate reconnaissance efforts by an attacker. If confirmed malicious,
it could lead to further enumeration and potential lateral movement within the network.'
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-WMIObject*" AND ScriptBlockText
= "*Win32_Group*" | stats count min(_time) as firstTime max(_time) as lastTime by
EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_wmiobject_group_discovery_with_script_block_logging_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: False positives may be present. Tune as needed.
references:
- https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
confidence: 50
impact: 30
message: System group discovery enumeration on $dest$ by $user$.
mitre_attack_id:
- T1069
- T1069.001
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Message
- ComputerName
- User
risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.001/atomic_red_team/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog