/
interactive_session_on_remote_endpoint_with_powershell.yml
60 lines (60 loc) · 2.54 KB
/
interactive_session_on_remote_endpoint_with_powershell.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Interactive Session on Remote Endpoint with PowerShell
id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af
version: 4
date: '2023-11-07'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
to identify the usage of the `Enter-PSSession`. This commandlet can be used to open
an interactive session on a remote endpoint leveraging the WinRM protocol. Red Teams
and adversaries alike may abuse WinRM and `Enter-PSSession` for lateral movement
and remote code execution.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `interactive_session_on_remote_endpoint_with_powershell_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup instructions
can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators may leverage WinRM and `Enter-PSSession` for
administrative and troubleshooting tasks. This activity is usually limited to a
small set of hosts or users. In certain environments, tuning may not be possible.
references:
- https://attack.mitre.org/techniques/T1021/006/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2
tags:
analytic_story:
- Active Directory Lateral Movement
asset_type: Endpoint
confidence: 50
impact: 90
message: An interactive session was opened on a remote endpoint from $dest$
mitre_attack_id:
- T1021
- T1021.006
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Message
- ComputerName
- User
risk_score: 45
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_pssession/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog