forked from splunk/security_content
malicious_powershell_process_multiple_suspicious_arguments.yml
asset_type: Endpoint
confidence: medium
creation_date: '2016-09-18'
data_metadata:
  data_models:
  - Endpoint
  data_source:
  - Endpoint Intel
  providing_technologies:
  - Carbon Black Response
  - CrowdStrike Falcon
  - Sysmon
  - Tanium
  - Ziften
description: This search looks for PowerShell processes started with a base64-encoded
  command line passed to them, with parameters to modify the execution policy for the
  process, and those that prevent the display of an interactive prompt to the user.
  This combination of command-line options is suspicious because it overrides the
  default PowerShell execution policy, attempts to hide itself from the user, and
  passes an encoded script to be run on the command line.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, process, process_name
        rule_description: The system $dest$ executed a PowerShell process that had an encoded
          command on the command line, attempted to bypass local execution policy,
          and prevented the display of an interactive prompt to the user.
        rule_title: PowerShell process with multiple suspicious command-line arguments
          detected on $dest$
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 60
      schedule:
        cron_schedule: 50 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.process) as process
        values(Processes.parent_process) as parent_process min(_time) as firstTime
        max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe
        by Processes.user Processes.process_name Processes.parent_process_name Processes.dest |
        `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
        search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* AND process=*-NonI*'
      suppress:
        suppress_fields: dest, process_name
        suppress_period: 14400s
eli5: This search looks for PowerShell processes that have a number of suspicious
  flags on the command line. It is looking for flags that pass encoded commands
  on the command line. The flags `-EncodedCommand` and `-enc` are two different possible
  flags that can be used to pass base64-encoded commands to PowerShell. The `*-Exec*`
  flag looks to see if the default execution policy of PowerShell is being overridden,
  while the `*-NonI*` flag tells the PowerShell process that this will be a noninteractive
  process, so the user doesn't know about the process. This search will return the
  host, the user the process ran under, the process and its command-line arguments,
  the number of times it's seen this process, and the first and last times it saw
  this process.
entities:
- dest
- process_name
- user
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
id: 2cdb91d2-542c-497f-b252-be495e71f38c
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
  name: Get Authentication Logs For Endpoint
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
  name: Get Risk Modifiers For User
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
  name: Get Process Info
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
  name: Get User Information from Identity Table
  type: splunk
known_false_positives: Legitimate processes can have this combination of command-line
  options, but it's not common.
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
mappings:
  cis20:
  - CIS 3
  - CIS 7
  - CIS 8
  kill_chain_phases:
  - Command and Control
  - Actions on Objectives
  mitre_attack:
  - Execution
  - PowerShell
  - Scripting
  nist:
  - PR.PT
  - DE.CM
  - PR.IP
modification_date: '2018-12-03'
name: Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '3.0'
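The rule's search logic as a stand-alone Python check, added here as an illustration and not code from the splunk/security_content project: it applies the where clause and the three flag terms (case-insensitive substring matches, as Splunk wildcards are) to constructed Sysmon-style events, groups hits by user, process name, parent and dest the way the tstats does, and decodes the base64/UTF-16LE script behind `-EncodedCommand`/`-enc` so an analyst can see what was queued to run. The sample events, helper names and timestamps are constructed for the demo.

```python
import base64
import re

FIELDS = ("_time", "dest", "user", "process_name", "parent_process_name", "process")
def _ev(*values):  # one Endpoint.Processes-style record from constructed values
    return dict(zip(FIELDS, values))
def _enc(script):  # -EncodedCommand expects base64 of the UTF-16LE script text
    return base64.b64encode(script.encode("utf-16le")).decode()
# Constructed sample telemetry, not real data: two hits on host-a, two non-hits.
SAMPLE_EVENTS = [
    _ev("2018-12-03T10:01:00", "host-a", "alice", "powershell.exe", "winword.exe",
        "powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand " + _enc("Get-Process")),
    _ev("2018-12-03T10:05:00", "host-a", "alice", "powershell.exe", "winword.exe",
        "powershell.exe -noni -exec bypass -enc " + _enc("whoami")),
    _ev("2018-12-03T10:07:00", "host-b", "bob", "powershell.exe", "explorer.exe",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"),
    _ev("2018-12-03T10:09:00", "host-b", "svc", "cmd.exe", "services.exe",
        "cmd.exe /c echo -enc -exec -noni"),
]
def has_flag(cmdline, needle):
    # Equivalent of a Splunk term such as process=*-NonI*: case-insensitive substring.
    return needle.lower() in cmdline.lower()
def matches_rule(event):
    # The rule's where clause (process_name) plus its search filter, for one event.
    p = event["process"]
    return (event["process_name"].lower() == "powershell.exe"
            and (has_flag(p, "-EncodedCommand") or has_flag(p, "-enc"))
            and has_flag(p, "-Exec") and has_flag(p, "-NonI"))
def decode_encoded_command(cmdline):
    # Recover the script behind -EncodedCommand/-enc for analyst triage, or None.
    m = re.search(r"-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
def run_detection(events):
    # Group hits by (user, process_name, parent_process_name, dest) like the tstats.
    groups = {}
    for ev in filter(matches_rule, events):
        key = (ev["user"], ev["process_name"], ev["parent_process_name"], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "process": set(), "times": []})
        g["count"] += 1
        g["process"].add(ev["process"])
        g["times"].append(ev["_time"])
    for g in groups.values():  # ISO-8601 timestamps order correctly as text
        g["firstTime"], g["lastTime"] = min(g["times"]), max(g["times"])
    return groups
```

Running `run_detection(SAMPLE_EVENTS)` yields one notable-style row for alice on host-a with count 2, while the `-File` backup script and the cmd.exe event are left out, matching what the Splunk search would surface.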