forked from splunk/security_content
malicious_powershell.yml
category:
- Adversary Tactics
channel: ESCU
creation_date: '2016-09-18'
description: Attackers are finding stealthy ways to "live off the land," leveraging utilities
  and tools that come standard on the endpoint--such as PowerShell--to achieve their
  goals without downloading binary files. These searches can help you detect and investigate
  PowerShell command-line options that may be indicative of malicious intent.
detections:
- detection_id: ee18ed37-0802-4268-9435-b3b91aaa18db
  name: Malicious PowerShell Process - Connect To Internet With Hidden Window
  type: splunk
- detection_id: c4db14d9-7909-48b4-a054-aa14d89dbb19
  name: Malicious PowerShell Process - Encoded Command
  type: splunk
- detection_id: 2cdb91d2-542c-497f-b252-be495e71f38c
  name: Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments
  type: splunk
- detection_id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
  name: Malicious PowerShell Process With Obfuscation Techniques
  type: splunk
- detection_id: c2590137-0b08-4985-9ec5-6ae23d92f63d
  name: Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
  type: splunk
id: 2c8ff66e-0b57-42af-8ad7-912438a403fc
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
modification_date: '2017-08-23'
name: Malicious PowerShell
narrative: 'The searches in this Analytic Story monitor for parameters often used
  for malicious purposes. It is helpful to understand how often the notable events
  generated by this story occur, as well as the commonalities between some of these
  events. These factors may provide clues about whether this is a common occurrence
  of minimal concern or a rare event that may require more extensive investigation.
  Likewise, it is important to determine whether the issue is restricted to a single
  user/system or is broader in scope.\
  The following factors may assist you in determining whether the event is malicious:
  \
  1. Country of origin\
  1. Responsible party\
  1. Fully qualified domain names associated with the external IP address\
  1. Registration of fully qualified domain names associated with external IP address\
  Determining whether it is a dynamic domain frequently visited by others and/or how
  third parties categorize it can also help you answer some questions surrounding the
  attacker and details related to the external system. In addition, there are various
  sources--such as VirusTotal--that can provide some reputation information on the IP
  address or domain name, which can assist in determining whether the event is malicious.
  Finally, determining whether there are other events associated with the IP address
  may help connect data points or show other events that should be brought into scope.\
  Gathering data on the system of interest can sometimes help you quickly determine
  whether something suspicious is happening. Some of these items include finding out
  who else may have recently logged into the system, whether any unusual scheduled
  tasks exist, whether the system is communicating on suspicious ports, whether there
  are modifications to sensitive registry keys, and whether there are any known vulnerabilities
  on the system. This information can often highlight other activity commonly seen
  in attack scenarios or give more information about how the system may have been
  targeted.\
  Often, a simple inspection of the process name and path can tell you if the system
  has been compromised. For example, if `svchost.exe` is found running from a location
  other than `C:\Windows\System32`, it is likely something malicious designed to hide
  in plain sight when cursorily reviewing process names. Similarly, if the process
  itself seems legitimate, but the parent process is running from the temporary browser
  cache, that could be indicative of activity initiated via a compromised website
  a user visited.\
  It can also be very helpful to examine various behaviors of the process of interest
  or the parent of the process of interest. For example, if it turns out the process
  of interest is malicious, it would be good to see if the parent to that process
  spawned other processes that might be worth further scrutiny. If a process is suspect,
  a review of the network connections made in and around the time of the event and/or
  whether the process spawned any child processes could be helpful, as well.\
  In the event a system is suspected of having been compromised via a malicious website,
  we suggest reviewing the browsing activity from that system around the time of the
  event. If categories are given for the URLs visited, that can help you zero in on
  possible malicious sites.'
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references:
- https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
spec_version: 2
usecase: Advanced Threat Detection
version: '4.0'
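The five detections listed in this story and the triage heuristics in its narrative (svchost.exe running outside System32, a legitimate-looking child whose parent was launched from the browser cache, suspicious PowerShell switches, decoding an encoded command) are the kind of checks an analyst reproduces locally when working a notable event. The script below is an added Python example, not code from the Splunk security_content project, and it does not reproduce the project's SPL searches. The event field names, the browser-cache path patterns, the three-indicator threshold used for "multiple suspicious command-line arguments", the minimum base64 length, and all sample telemetry are constructed assumptions:

```python
"""Triage helper for the indicators this Analytic Story describes.

Added example; it is not code from the Splunk security_content project and
does not reproduce its SPL searches. Event fields, thresholds and sample
values are constructed for illustration.
"""
import base64
import re
from typing import Dict, List, Optional


def _prefixes(word: str, min_len: int) -> str:
    """powershell.exe accepts any unambiguous prefix of a parameter name
    (-w, -enc, -nop, ...), so match every prefix, longest first."""
    alts = (re.escape(word[:n]) for n in range(len(word), min_len - 1, -1))
    return "(?:" + "|".join(alts) + ")"


# One regex per indicator, named after the story detection it approximates.
# Minimum prefix lengths and the 20-char base64 floor are assumptions.
FLAG_PATTERNS = {
    "hidden_window": re.compile(
        r"-" + _prefixes("windowstyle", 1) + r"\s+" + _prefixes("hidden", 3) + r"\b", re.I),
    "encoded_command": re.compile(
        r"-" + _prefixes("encodedcommand", 1) + r"\s+([A-Za-z0-9+/=]{20,})", re.I),
    "no_profile": re.compile(r"-" + _prefixes("noprofile", 3) + r"\b", re.I),
    "non_interactive": re.compile(r"-" + _prefixes("noninteractive", 4) + r"\b", re.I),
    # "-ep" is a special-cased alias, not a prefix of ExecutionPolicy.
    "exec_policy_bypass": re.compile(
        r"-(?:ep|" + _prefixes("executionpolicy", 2) + r")\s+(?:bypass|unrestricted)\b", re.I),
    "network_download": re.compile(
        r"Net\.WebClient|Download(?:String|File)|Invoke-WebRequest|Invoke-RestMethod"
        r"|\biwr\b|\birm\b", re.I),
    "obfuscation": re.compile(
        r"\w`\w|\[char\]|-join\b|-replace\b|\biex\b|Invoke-Expression", re.I),
    "set_execution_policy": re.compile(
        r"Set-ExecutionPolicy\s+(?:Unrestricted|Bypass)\b", re.I),
}
# Browser-cache locations from the narrative (the path patterns are assumptions).
BROWSER_CACHE_RE = re.compile(r"\\(?:inetcache|temporary internet files)\\", re.I)
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
MULTI_ARG_THRESHOLD = 3  # assumed cut-off for "Multiple Suspicious Command-Line Arguments"


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    m = FLAG_PATTERNS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding or encoding; the flag itself still fired


def triage(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one process-creation event."""
    findings = []
    image = event["image"].lower()
    # Narrative check: svchost.exe running from anywhere but System32.
    if image.endswith("\\svchost.exe") and not image.startswith("c:\\windows\\system32\\"):
        findings.append("svchost_outside_system32")
    # Narrative check: parent process launched from the browser cache.
    if BROWSER_CACHE_RE.search(event["parent_image"]):
        findings.append("parent_in_browser_cache")
    if image.endswith(POWERSHELL_IMAGES):
        flags = [name for name, rx in FLAG_PATTERNS.items() if rx.search(event["cmdline"])]
        findings.extend(flags)
        if len(flags) >= MULTI_ARG_THRESHOLD:
            findings.append("multiple_suspicious_args")
    return findings


def triage_all(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings by host so scope (one system or many) is visible at a glance."""
    return {e["host"]: triage(e) for e in events}


# Constructed sample telemetry (not real data); the encoded payload is a harmless Write-Host.
ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode("ascii")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "WS02", "image": PS_IMAGE,
     "parent_image": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\X1Y2Z3\invoice.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"},
    {"host": "WS03", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS04", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, findings in triage_all(SAMPLE_EVENTS).items():
        print(host, findings or "-")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["cmdline"]))
```

Two design points matter when adapting this. The prefix matching exists because powershell.exe accepts abbreviated switches, so a detection keyed on the literal string `-EncodedCommand` misses `-enc` and `-e`; the regexes therefore try every prefix, longest first. The svchost rule follows the narrative literally (System32 only); on 64-bit hosts a 32-bit svchost.exe under SysWOW64 is also legitimate, so tune that path list before treating the finding as conclusive, and treat a single `-NoProfile` hit (host WS01) as the ordinary admin use the narrative warns you to baseline first.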