-
Notifications
You must be signed in to change notification settings - Fork 377
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2017 from splunk/Log4ForgeLog4ShellLog4RCE
Log4Forge Log4Shell LogForceShell
- Loading branch information
Showing
6 changed files
with
434 additions
and
0 deletions.
There are no files selected for viewing
97 changes: 97 additions & 0 deletions
97
detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| name: Windows Powershell Connect to Internet With Hidden Window | ||
| id: 477e068e-8b6d-11ec-b6c1-81af21670352 | ||
| version: 1 | ||
| date: '2022-02-11' | ||
| author: Jose Hernandez, David Dorsey, Michael Haag Splunk | ||
| type: Anomaly | ||
| datamodel: | ||
| - Endpoint_Processes | ||
| description: The following hunting analytic identifies PowerShell commands utilizing | ||
| the WindowStyle parameter to hide the window on the compromised endpoint. This combination | ||
| of command-line options is suspicious because it is overriding the default PowerShell | ||
| execution policy, attempts to hide its activity from the user, and connects to the | ||
| Internet. Removed in this version of the query is New-Object. The analytic identifies | ||
| all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. | ||
| For example w, win, windowsty and so forth. In addition, through our research it | ||
| was identified that PowerShell will interpret different command switch types beyond | ||
| the hyphen. We have added endash, emdash, horizontal bar, and forward slash. | ||
| search: '| from read_ssa_enriched_events() | ||
| | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), | ||
| "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), | ||
| "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", | ||
| null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", | ||
| null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | ||
| | where cmd_line IS NOT NULL AND process_name IS NOT NULL | ||
| | where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | ||
| | where match_regex(cmd_line, /(?i)[\\-|\\/|\u2013\|\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]/)=true | ||
| | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | ||
| | into write_ssa_detected_events();' | ||
| how_to_implement: You must be ingesting data that records process activity from your | ||
| hosts to populate the Endpoint data model in the Processes node. You must also be | ||
| ingesting logs with both the process name and command line from your endpoints. | ||
| The command-line arguments are mapped to the "process" field in the Endpoint data | ||
| model. | ||
| known_false_positives: Legitimate process can have this combination of command-line | ||
| options, but it's not common. | ||
| references: | ||
| - https://regexr.com/663rr | ||
| - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 | ||
| - https://ss64.com/ps/powershell.html | ||
| - https://twitter.com/M_haggis/status/1440758396534214658?s=20 | ||
| - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ | ||
| tags: | ||
| analytic_story: | ||
| - Malicious PowerShell | ||
| - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | ||
| - HAFNIUM Group | ||
| - Log4Shell CVE-2021-44228 | ||
| automated_detection_testing: passed | ||
| cis20: | ||
| - CIS 8 | ||
| confidence: 70 | ||
| context: | ||
| - Source:Endpoint | ||
| - Stage:Exfiltration | ||
| dataset: | ||
| - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log | ||
| impact: 50 | ||
| kill_chain_phases: | ||
| - Exfiltration | ||
| message: PowerShell processes $process$ started with parameters to modify the execution | ||
| policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$. | ||
| mitre_attack_id: | ||
| - T1020 | ||
| nist: | ||
| - PR.PT | ||
| - DE.CM | ||
| observable: | ||
| - name: dest_user_id | ||
| type: User | ||
| role: | ||
| - Victim | ||
| - name: dest_device_id | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: parent_process_name | ||
| type: Parent Process | ||
| role: | ||
| - Parent Process | ||
| - name: process_name | ||
| type: Process | ||
| role: | ||
| - Child Process | ||
| product: | ||
| - Splunk Behavioral Analytics | ||
| required_fields: | ||
| - _time | ||
| - dest_device_id | ||
| - process_name | ||
| - parent_process_name | ||
| - process_path | ||
| - dest_user_id | ||
| - process | ||
| - cmd_line | ||
| risk_score: 35 | ||
| risk_severity: low | ||
| security_domain: endpoint |
89 changes: 89 additions & 0 deletions
89
detections/endpoint/ssa___windows_powershell_downloadfile.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| name: Windows Powershell DownloadFile | ||
| id: 46440222-81d5-44b1-a376-19dcd70d1b08 | ||
| version: 1 | ||
| date: '2022-02-11' | ||
| author: Jose Hernandez, Michael Haag, Splunk | ||
| type: Anomaly | ||
| datamodel: | ||
| - Endpoint_Processes | ||
| description: The following analytic identifies the use of PowerShell downloading a | ||
| file using `DownloadFile` method. This particular method is utilized in many different | ||
| PowerShell frameworks to download files and output to disk. Identify the source | ||
| (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell | ||
| transaction logs are available, review for further details of the implant. | ||
| search: '| from read_ssa_enriched_events() | ||
| | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), | ||
| "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), | ||
| "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", | ||
| null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", | ||
| null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | ||
| | where cmd_line IS NOT NULL AND process_name IS NOT NULL | ||
| | where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | ||
| | where (like (cmd_line, "%downloadfile%")) | ||
| | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | ||
| | into write_ssa_detected_events();' | ||
| how_to_implement: To successfully implement this search you need to be ingesting information | ||
| on process that include the name of the process responsible for the changes from | ||
| your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, | ||
| confirm the latest CIM App 4.20 or higher is installed and the latest TA for the | ||
| endpoint product. | ||
| known_false_positives: False positives may be present and filtering will need to occur | ||
| by parent process or command line argument. It may be required to modify this query | ||
| to an EDR product for more granular coverage. | ||
| references: | ||
| - https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 | ||
| - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ | ||
| - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md | ||
| tags: | ||
| analytic_story: | ||
| - Malicious PowerShell | ||
| - Ingress Tool Transfer | ||
| - Log4Shell CVE-2021-44228 | ||
| cis20: | ||
| - CIS 8 | ||
| confidence: 70 | ||
| context: | ||
| - Source:Endpoint | ||
| - Stage:LateralMovement | ||
| dataset: | ||
| - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log | ||
| impact: 50 | ||
| kill_chain_phases: | ||
| - Lateral Movement | ||
| message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. | ||
| mitre_attack_id: | ||
| - T1020 | ||
| nist: | ||
| - PR.PT | ||
| - DE.CM | ||
| observable: | ||
| - name: dest_user_id | ||
| type: User | ||
| role: | ||
| - Victim | ||
| - name: dest_device_id | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: parent_process_name | ||
| type: Parent Process | ||
| role: | ||
| - Parent Process | ||
| - name: process_name | ||
| type: Process | ||
| role: | ||
| - Child Process | ||
| product: | ||
| - Splunk Behavioral Analytics | ||
| required_fields: | ||
| - _time | ||
| - dest_device_id | ||
| - process_name | ||
| - parent_process_name | ||
| - process_path | ||
| - dest_user_id | ||
| - process | ||
| - cmd_line | ||
| risk_score: 35 | ||
| risk_severity: low | ||
| security_domain: endpoint |
118 changes: 118 additions & 0 deletions
118
dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,118 @@ | ||
| author: Jose Hernandez, David Dorsey, Michael Haag Splunk | ||
| datamodel: | ||
| - Endpoint | ||
| date: '2022-02-11' | ||
| description: The following hunting analytic identifies PowerShell commands utilizing | ||
| the WindowStyle parameter to hide the window on the compromised endpoint. This combination | ||
| of command-line options is suspicious because it is overriding the default PowerShell | ||
| execution policy, attempts to hide its activity from the user, and connects to the | ||
| Internet. Removed in this version of the query is New-Object. The analytic identifies | ||
| all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. | ||
| For example w, win, windowsty and so forth. In addition, through our research it | ||
| was identified that PowerShell will interpret different command switch types beyond | ||
| the hyphen. We have added endash, emdash, horizontal bar, and forward slash. | ||
| how_to_implement: You must be ingesting data that records process activity from your | ||
| hosts to populate the Endpoint data model in the Processes node. You must also be | ||
| ingesting logs with both the process name and command line from your endpoints. | ||
| The command-line arguments are mapped to the "process" field in the Endpoint data | ||
| model. | ||
| id: 477e068e-8b6d-11ec-b6c1-81af21670352 | ||
| known_false_positives: Legitimate process can have this combination of command-line | ||
| options, but it's not common. | ||
| name: Windows Powershell Connect to Internet With Hidden Window | ||
| product: | ||
| - Splunk Behavioral Analytics | ||
| references: | ||
| - https://regexr.com/663rr | ||
| - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 | ||
| - https://ss64.com/ps/powershell.html | ||
| - https://twitter.com/M_haggis/status/1440758396534214658?s=20 | ||
| - https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ | ||
| risk_message: PowerShell processes $process$ started with parameters to modify the | ||
| execution policy of the run, run in a hidden window, and connect to the Internet | ||
| on host $dest$ executed by user $user$. | ||
| search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, | ||
| "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), | ||
| "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), | ||
| "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", | ||
| null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", | ||
| null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where | ||
| cmd_line IS NOT NULL AND process_name IS NOT NULL | where process_name="pwsh.exe" | ||
| OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" | ||
| OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | where match_regex(cmd_line, | ||
| /(?i)[\\-|\\/|\u2013\|\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]/)=true | eval | ||
| start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, | ||
| "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), | ||
| "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", | ||
| process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | ||
| | into write_ssa_detected_events();' | ||
| tags: | ||
| analytic_story: | ||
| - Malicious PowerShell | ||
| - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | ||
| - HAFNIUM Group | ||
| - Log4Shell CVE-2021-44228 | ||
| automated_detection_testing: passed | ||
| cis20: | ||
| - CIS 8 | ||
| confidence: 70 | ||
| context: | ||
| - Source:Endpoint | ||
| - Stage:Exfiltration | ||
| dataset: | ||
| - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log | ||
| impact: 50 | ||
| kill_chain_phases: | ||
| - Exfiltration | ||
| message: PowerShell processes $process$ started with parameters to modify the execution | ||
| policy of the run, run in a hidden window, and connect to the Internet on host | ||
| $dest$ executed by user $user$. | ||
| mitre_attack_id: | ||
| - T1020 | ||
| nist: | ||
| - PR.PT | ||
| - DE.CM | ||
| observable: | ||
| - name: dest_user_id | ||
| role: | ||
| - Victim | ||
| type: User | ||
| - name: dest_device_id | ||
| role: | ||
| - Victim | ||
| type: Hostname | ||
| - name: parent_process_name | ||
| role: | ||
| - Parent Process | ||
| type: Parent Process | ||
| - name: process_name | ||
| role: | ||
| - Child Process | ||
| type: Process | ||
| product: | ||
| - Splunk Behavioral Analytics | ||
| required_fields: | ||
| - _time | ||
| - dest_device_id | ||
| - process_name | ||
| - parent_process_name | ||
| - process_path | ||
| - dest_user_id | ||
| - process | ||
| - cmd_line | ||
| risk_score: 35 | ||
| risk_severity: low | ||
| security_domain: endpoint | ||
| test: | ||
| name: Windows Powershell Connect to Internet With Hidden Window Unit Test | ||
| tests: | ||
| - attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log | ||
| file_name: hidden_windows-security.log | ||
| source: WinEventLog:Security | ||
| description: Test Windows Powershell Connect to Internet With Hidden Window detections | ||
| file: endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml | ||
| name: Windows Powershell Connect to Internet With Hidden Window | ||
| pass_condition: '@count_gt(0)' | ||
| type: Anomaly | ||
| version: 1 |
Oops, something went wrong.