/
windows_archive_collected_data_via_powershell.yml
59 lines (59 loc) · 2.3 KB
/
windows_archive_collected_data_via_powershell.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
name: Windows Archive Collected Data via Powershell
id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5
version: 1
date: '2023-12-19'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
data_source:
- Powershell Script Block Logging 4104
description: The following analytic identifies suspicious PowerShell script that archive files to a temp folder.
This anomaly detection serves as a valuable indicator to uncover threats from adversaries utilizing PowerShell scripts
for data archiving purposes. Identifying this method becomes pivotal in flagging and investigating potential threats,
enabling proactive measures threat actors leveraging similar PowerShell-based data collection and archiving techniques.
search: '`powershell` EventCode=4104 ScriptBlockText = "*Compress-Archive*" ScriptBlockText = "*\\Temp\\*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_archive_collected_data_via_powershell_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: powershell may used this function to archive data.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
tags:
analytic_story:
- CISA AA23-347A
asset_type: Endpoint
confidence: 70
impact: 70
message: Windows Archive Collected Data via Powershell on $dest$.
mitre_attack_id:
- T1560
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 49
required_fields:
- _time
- EventCode
- ScriptBlockText
- dest
- user
- Score
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560/powershell_archive/powershell_archive.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog