forked from splunk/security_content
malicious_powershell_process_obfuscation_techniques.yml
117 lines (117 loc) · 4.12 KB
asset_type: Endpoint
confidence: medium
creation_date: '2017-04-25'
data_metadata:
  data_models:
  - Endpoint
  data_source:
  - Endpoint Intel
  providing_technologies:
  - Carbon Black Response
  - CrowdStrike Falcon
  - Sysmon
  - Tanium
  - Ziften
description: This search looks for PowerShell processes launched with arguments that
  have characters indicative of obfuscation on the command-line.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, process_name, process
        rule_description: The system $dest$ executed a PowerShell process that has
          evidence of obfuscation on the command-line
        rule_title: PowerShell process with an obfuscation techniques detected on
          $dest$
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 60
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
    search: '| tstats `security_content_summariesonly` count values(Processes.process) as process
      values(Processes.parent_process) as parent_process min(_time) as firstTime
      max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe
      by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process |
      `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
      eval num_obfuscation = (mvcount(split(process, "`"))-1) + (mvcount(split(process,
      "^"))-1) | `malicious_powershell_process_obfuscation_techniques_output_filter` | search num_obfuscation > 0'
    suppress:
      suppress_fields: dest,process_name,process
      suppress_period: 14400s
eli5: This search looks for PowerShell processes that are passing command-line arguments
  with unusual characters (backticks and carets) that are PowerShell specific escape
  characters. Attackers use this obfuscation technique since it does not affect the
  functionality of PowerShell and it will bypass standard security controls that look
  for straight up malicious strings and commands. The search counts the occurrence
  of these obfuscation characters and lists out destination IPs running these PowerShell
  commands.
entities:
- dest
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
  name: Get Authentication Logs For Endpoint
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
  name: Get Risk Modifiers For User
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
  name: Get Process Info
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
  name: Get User Information from Identity Table
  type: splunk
known_false_positives: These characters might be legitimately on the command-line,
  but it is not common.
maintainers:
- company: Splunk
  email: jbrewer@splunk.com
  name: Jason Brewer
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
mappings:
  cis20:
  - CIS 3
  - CIS 7
  - CIS 8
  kill_chain_phases:
  - Command and Control
  - Actions on Objectives
  mitre_attack:
  - Execution
  - PowerShell
  - Scripting
  nist:
  - PR.PT
  - DE.CM
  - PR.IP
modification_date: '2020-01-17'
name: Malicious PowerShell Process With Obfuscation Techniques
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'
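The `search` and `eli5` fields above describe the detection as: take `powershell.exe` process events from the Endpoint data model, group them by user, process name, parent, host and command line, count backtick and caret characters in the command line with `(mvcount(split(process, "`"))-1) + (mvcount(split(process, "^"))-1)`, and keep groups where that count is above zero. The following is an added Python re-implementation of that counting and grouping logic, written for this page and not part of the splunk/security_content project; it runs offline over a handful of constructed process records (hypothetical hosts `WS01`..`WS04`, users and command lines are made up) so the behaviour, including the legitimate-backtick false positive noted in `known_false_positives`, can be seen directly. The `security_content_summariesonly` and output-filter macros from the SPL are not modelled.

```python
"""
Plain-Python equivalent of the SPL in `detect.splunk.search`, for illustration.

All records below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """One row of the Endpoint.Processes data model (field names as in the SPL)."""
    time: int                 # _time as an epoch integer
    dest: str                 # host the process ran on
    user: str
    process_name: str
    parent_process_name: str
    process: str              # full command line ("process" field in the data model)


def obfuscation_score(cmdline: str) -> int:
    """Mirror of the SPL eval: number of backticks plus number of carets.

    split() yields N+1 pieces for N separators, so len(split) - 1 == N,
    exactly as mvcount(split(...)) - 1 does in Splunk. An empty command line
    scores 0.
    """
    return (len(cmdline.split("`")) - 1) + (len(cmdline.split("^")) - 1)


def detect(events: Iterable[ProcessEvent]) -> list[dict]:
    """Group powershell.exe events like the tstats `by` clause, score each
    command line, and return only groups with num_obfuscation > 0.

    Result rows carry the same fields the notable would show: count,
    firstTime, lastTime, user, process_name, parent_process_name, dest,
    process and num_obfuscation. Sorted by score (desc) then dest so the
    noisiest command lines surface first.
    """
    groups: dict[tuple, list[int]] = defaultdict(list)
    for ev in events:
        # where Processes.process_name=powershell.exe (compared case-insensitively here)
        if ev.process_name.lower() != "powershell.exe":
            continue
        key = (ev.user, ev.process_name, ev.parent_process_name, ev.dest, ev.process)
        groups[key].append(ev.time)

    rows = []
    for (user, pname, parent, dest, process), times in groups.items():
        score = obfuscation_score(process)
        if score > 0:                       # | search num_obfuscation > 0
            rows.append({
                "count": len(times),
                "firstTime": min(times),
                "lastTime": max(times),
                "user": user,
                "process_name": pname,
                "parent_process_name": parent,
                "dest": dest,
                "process": process,
                "num_obfuscation": score,
            })
    return sorted(rows, key=lambda r: (-r["num_obfuscation"], r["dest"]))


# Constructed sample events (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    # Same command line seen twice on WS01: two backticks split a cmdlet name.
    ProcessEvent(1000, "WS01", "alice", "powershell.exe", "cmd.exe",
                 'powershell.exe -c "Wri`te-Hos`t hello"'),
    ProcessEvent(1300, "WS01", "alice", "powershell.exe", "cmd.exe",
                 'powershell.exe -c "Wri`te-Hos`t hello"'),
    # Clean scheduled script: no escape characters, must not fire.
    ProcessEvent(1100, "WS02", "bob", "powershell.exe", "explorer.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # One caret (cmd.exe escape character) on the PowerShell command line.
    ProcessEvent(1200, "WS03", "svc_build", "powershell.exe", "cmd.exe",
                 "powershell.exe ^-NoProfile -Command Get-Date"),
    # Carets in a cmd.exe command line are out of scope: process_name filter drops it.
    ProcessEvent(1250, "WS01", "alice", "cmd.exe", "explorer.exe",
                 "cmd.exe /c echo ^| more"),
    # Legitimate use of a backtick to escape "$": fires anyway (known false positive).
    ProcessEvent(1400, "WS04", "carol", "powershell.exe", "code.exe",
                 'powershell.exe -c "Get-ChildItem `$env:TEMP"'),
]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["dest"]:5} {row["user"]:10} n={row["num_obfuscation"]} '
              f'count={row["count"]} first={row["firstTime"]} last={row["lastTime"]}')
        print(f'      {row["process"]}')
```

Running the block prints three groups: WS01 (score 2, count 2 with firstTime 1000 and lastTime 1300), WS03 (score 1) and WS04 (score 1). The WS04 row is the case the `known_false_positives` field warns about: a single backtick used to stop `$env:TEMP` from being expanded is perfectly ordinary PowerShell, yet it scores above zero, so the 14400s suppression on `dest,process_name,process` and the `_output_filter` macro are where an analyst would tune such command lines out rather than by raising the threshold for everyone.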