/
recon_avproduct_through_pwh_or_wmi.yml
74 lines (74 loc) · 3.14 KB
/
recon_avproduct_through_pwh_or_wmi.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Recon AVProduct Through Pwh or WMI
id: 28077620-c9f6-11eb-8785-acde48001122
version: 2
date: '2023-04-14'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic identifies suspicious PowerShell script execution
via EventCode 4104 performing checks to identify anti-virus products installed on
the endpoint. This technique is commonly found in malware and APT events where the
adversary will map all running security applications or services. During triage,
review parallel processes within the same timeframe. Review the full script block
to identify other related artifacts.
data_source:
- Powershell 4104
search: '`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText
= "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `recon_avproduct_through_pwh_or_wmi_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: network administrator may used this command for checking purposes
references:
- https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
tags:
analytic_story:
- Qakbot
- Windows Post-Exploitation
- Hermetic Wiper
- Ransomware
- Prestige Ransomware
- Malicious PowerShell
- Data Destruction
asset_type: Endpoint
confidence: 80
impact: 70
message: A suspicious powershell script contains AV recon command in $ScriptBlockText$
with EventCode $EventCode$ in host $dest$
mitre_attack_id:
- T1592
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- ScriptBlockText
- Computer
- UserID
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog