/
remote_process_instantiation_via_dcom_and_powershell_script_block.yml
60 lines (60 loc) · 2.5 KB
/
remote_process_instantiation_via_dcom_and_powershell_script_block.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Remote Process Instantiation via DCOM and PowerShell Script Block
id: fa1c3040-4680-11ec-a618-3e22fbd008af
version: 2
date: '2022-03-22'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
to identify the execution of PowerShell with arguments utilized to start a process
on a remote endpoint by abusing the DCOM protocol. Specifically, this search looks
for the abuse of ShellExecute and ExecuteShellCommand. Red Teams and adversaries
alike may abuse DCOM for lateral movement and remote code execution.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 (ScriptBlockText="*Document.Application.ShellExecute*"
OR ScriptBlockText="*Document.ActiveView.ExecuteShellCommand*") | stats count min(_time)
as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_process_instantiation_via_dcom_and_powershell_script_block_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup instructions
can be found https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators may leverage DCOM to start a process on remote
systems, but this activity is usually limited to a small set of hosts or users.
references:
- https://attack.mitre.org/techniques/T1021/003/
- https://www.cybereason.com/blog/dcom-lateral-movement-techniques
tags:
analytic_story:
- Active Directory Lateral Movement
asset_type: Endpoint
confidence: 70
impact: 90
message: A process was started on a remote endpoint from $Computer$ by abusing
WMI using PowerShell.exe
mitre_attack_id:
- T1021
- T1021.003
observable:
- name: Computer
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- ScriptBlockText
- Computer
- user_id
risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.006/lateral_movement_psh/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog