From a1d127126af102591ffa0d095d99a9a5840c90f5 Mon Sep 17 00:00:00 2001 From: d1vious Date: Mon, 14 Feb 2022 11:11:47 -0500 Subject: [PATCH 1/8] adding template detection --- ...connect_to_internet_with_hidden_window.yml | 47 +++++++++++++++++++ ...ct_to_internet_with_hidden_window.test.yml | 12 +++++ 2 files changed, 59 insertions(+) create mode 100644 detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml create mode 100644 tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml diff --git a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml new file mode 100644 index 0000000000..45bd27c042 --- /dev/null +++ b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml @@ -0,0 +1,47 @@ +name: Windows Powershell Connect to Internet With Hidden Window +id: 477e068e-8b6d-11ec-b6c1-81af21670352 +version: 1 +date: '2022-02-11' +author: Jose Hernandez +type: Anomaly +datamodel: +- Endpoint +description: + UPDATE_DESCRIPTION + WHAT IS THIS? + WHAT DOES IT LOOK LIKE? + HOW DO YOU TRIAGE IT? +search: '| UPDATE_SPL | `windows_powershell_connect_to_internet_with_hidden_window_filter`' +how_to_implement: UPDATE_HOW_TO_IMPLEMENT +known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +references: +- +tags: + analytic_story: + - UPDATE_STORY_NAME + dataset: + - UPDATE_DATASET_URL + kill_chain_phases: + - Exploitation + - Lateral Movement + mitre_attack_id: + - T1059.001 + - T1059 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + security_domain: endpoint + impact: + confidence: + # (impact * confidence)/100 + risk_score: + context: + message: + observable: + nist: + - + cis20: + - \ No newline at end of file 
diff --git a/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml b/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml new file mode 100644 index 0000000000..40e7685175 --- /dev/null +++ b/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml @@ -0,0 +1,12 @@ +name: Windows Powershell Connect to Internet With Hidden Window Unit Test +tests: +- name: Windows Powershell Connect to Internet With Hidden Window + file: endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: UPDATE_FILE_NAME + data: UPDATE_DATASET_URL + source: UPDATE_SPLUNK_SOURCE + sourcetype: UPDATE_SPLUNK_SOURCETYPE \ No newline at end of file From 0a2618f68655fdd3e3e97010dde800d163a1fbfe Mon Sep 17 00:00:00 2001 From: d1vious Date: Mon, 14 Feb 2022 13:40:24 -0500 Subject: [PATCH 2/8] adding 1 detection --- ...connect_to_internet_with_hidden_window.yml | 115 +++++++++++++----- ...ct_to_internet_with_hidden_window.test.yml | 12 +- 2 files changed, 89 insertions(+), 38 deletions(-) diff --git a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index 45bd27c042..c39f728f26 100644 --- a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml 
@@ -2,46 +2,99 @@ name: Windows Powershell Connect to Internet With Hidden Window id: 477e068e-8b6d-11ec-b6c1-81af21670352 version: 1 date: '2022-02-11' -author: Jose Hernandez +author: Jose Hernandez, David Dorsey, Michael Haag Splunk type: Anomaly datamodel: - Endpoint -description: - UPDATE_DESCRIPTION - WHAT IS THIS? - WHAT DOES IT LOOK LIKE? - HOW DO YOU TRIAGE IT? -search: '| UPDATE_SPL | `windows_powershell_connect_to_internet_with_hidden_window_filter`' -how_to_implement: UPDATE_HOW_TO_IMPLEMENT -known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES +description: The following hunting analytic identifies PowerShell commands utilizing + the WindowStyle parameter to hide the window on the compromised endpoint. This combination + of command-line options is suspicious because it is overriding the default PowerShell + execution policy, attempts to hide its activity from the user, and connects to the + Internet. Removed in this version of the query is New-Object. The analytic identifies + all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. + For example w, win, windowsty and so forth. In addition, through our research it + was identified that PowerShell will interpret different command switch types beyond + the hyphen. We have added endash, emdash, horizontal bar, and forward slash. 
+search: '| from pulsar("d156ed3a-1254-469a-bffc-9dd6eda97ac6", "persistent://ssa/egress/decorated-events-research") +| eval input_event=deserialize_json_object(value) +| select input_event +| eval _datamodels=ucast(map_get(input_event, "_datamodels"), "collection", []), body={} +| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), + "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), + "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", + null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", + null), event_id=ucast(map_get(input_event, "event_id"), "string", null) +| where cmd_line IS NOT NULL AND process_name IS NOT NULL +| where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" +| where match_regex(cmd_line, /(?i)[\\-|\\/|\u2013\|\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]/)=true +| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) +| into write_ssa_detected_events();' +how_to_implement: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also be + ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. +known_false_positives: Legitimate process can have this combination of command-line + options, but it's not common. 
references: -- +- https://regexr.com/663rr +- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 +- https://ss64.com/ps/powershell.html +- https://twitter.com/M_haggis/status/1440758396534214658?s=20 +- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ tags: analytic_story: - - UPDATE_STORY_NAME + - Malicious PowerShell + - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns + - HAFNIUM Group + - Log4Shell CVE-2021-44228 + automated_detection_testing: passed + cis20: + - CIS 8 + confidence: 70 + context: + - Source:Endpoint + - Stage:Exfiltration dataset: - - UPDATE_DATASET_URL + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log + impact: 50 kill_chain_phases: - - Exploitation - - Lateral Movement + - Exfiltration + message: PowerShell processes $process$ started with parameters to modify the execution + policy of the run, run in a hidden window, and connect to the Internet on host $dest$ executed by user $user$. 
mitre_attack_id: - - T1059.001 - - T1059 + - T1020 + nist: + - PR.PT + - DE.CM + observable: + - name: dest_user_id + type: User + role: + - Victim + - name: dest_device_id + type: Hostname + role: + - Victim + - name: parent_process_name + type: Parent Process + role: + - Parent Process + - name: process_name + type: Process + role: + - Child Process product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud + - Splunk Behavioral Analytics required_fields: - _time - security_domain: endpoint - impact: - confidence: - # (impact * confidence)/100 - risk_score: - context: - message: - observable: - nist: - - - cis20: - - \ No newline at end of file + - dest_device_id + - process_name + - parent_process_name + - process_path + - dest_user_id + - process + - cmd_line + risk_score: 35 + risk_severity: low + security_domain: endpoint \ No newline at end of file diff --git a/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml b/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml index 40e7685175..63b94e6806 100644 --- a/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml +++ b/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml 
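Review bot: The `message` and description promise more than the added `search` checks: once New-Object is removed the only content predicate is the WindowStyle regex, so the claims that the process overrode the execution policy and connected to the Internet are not tested by the query, and the placeholders `$process$`, `$dest$`, `$user$` match none of the keys the search writes into `body` (event_id, cmd_line, process_name, parent_process_name, process_path) or the `dest_user_id`/`dest_device_id` entities — confirm they resolve in SSA, or reword to what is actually matched, e.g. `message: PowerShell process $process_name$ was started with a hidden window (WindowStyle) on $dest_device_id$ by $dest_user_id$.` The regex `[\\-|\\/|\u2013\|\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]` sits in a single-quoted YAML scalar, so the doubled backslashes reach SPL2 unchanged; if the engine reads `\\` as an escaped backslash then `\\-|` becomes a range from `\` to `|` (which spans every lowercase letter) and `\\s+` demands a literal backslash, while the `|` separators are merely extra members of the class — I cannot tell from here which reading applies, so the test dataset should include an en-dash/em-dash sample before the switch-variant claim in the description is relied on. `process_name="pwsh.exe"` is listed twice in the process filter; drop one here and likewise in the dist copy (L10) and the DownloadFile searches (L14, L18). `mitre_attack_id` moves from T1059.001/T1059 to T1020 (Automated Exfiltration) and `kill_chain_phases` to Exfiltration, while every reference and the dataset path are T1059.001 — presumably carried over from another analytic; worth confirming before merge.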
@@ -2,11 +2,9 @@ name: Windows Powershell Connect to Internet With Hidden Window Unit Test tests: - name: Windows Powershell Connect to Internet With Hidden Window file: endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml - pass_condition: '| stats count | where count > 0' - earliest_time: '-24h' - latest_time: 'now' + pass_condition: '@count_gt(0)' + description: Test Windows Powershell Connect to Internet With Hidden Window detections attack_data: - - file_name: UPDATE_FILE_NAME - data: UPDATE_DATASET_URL - source: UPDATE_SPLUNK_SOURCE - sourcetype: UPDATE_SPLUNK_SOURCETYPE \ No newline at end of file + - file_name: hidden_windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log + source: WinEventLog:Security From 1cdd6386f3b95c8c8fe65fdffe7e4660bfcdb8b6 Mon Sep 17 00:00:00 2001 From: d1vious Date: Mon, 14 Feb 2022 13:47:06 -0500 Subject: [PATCH 3/8] updating the detection --- ...connect_to_internet_with_hidden_window.yml | 5 +- ...connect_to_internet_with_hidden_window.yml | 107 ++++++++++++++++++ 2 files changed, 108 insertions(+), 4 deletions(-) create mode 100644 dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml diff --git a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index c39f728f26..ea4db54aa5 100644 --- a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml 
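Review bot: The rewritten `attack_data` entry drops the `sourcetype` key the template carried (`sourcetype: UPDATE_SPLUNK_SOURCETYPE`) and keeps only `source: WinEventLog:Security`; if the replay harness does not derive a sourcetype from `source`, the events will not be parsed and `@count_gt(0)` will fail for a reason unrelated to the detection. I cannot see the harness from here, so either add `sourcetype: <SOURCETYPE_PLACEHOLDER>` for the Windows Security log or confirm the default is applied; the DownloadFile test (L19) has the same shape.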
@@ -15,10 +15,7 @@ description: The following hunting analytic identifies PowerShell commands utili For example w, win, windowsty and so forth. In addition, through our research it was identified that PowerShell will interpret different command switch types beyond the hyphen. We have added endash, emdash, horizontal bar, and forward slash. -search: '| from pulsar("d156ed3a-1254-469a-bffc-9dd6eda97ac6", "persistent://ssa/egress/decorated-events-research") -| eval input_event=deserialize_json_object(value) -| select input_event -| eval _datamodels=ucast(map_get(input_event, "_datamodels"), "collection", []), body={} +search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", diff --git a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml new file mode 100644 index 0000000000..d036ed1ec6 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml 
@@ -0,0 +1,107 @@ +author: Jose Hernandez, David Dorsey, Michael Haag Splunk +datamodel: +- Endpoint +date: '2022-02-11' +description: The following hunting analytic identifies PowerShell commands utilizing + the WindowStyle parameter to hide the window on the compromised endpoint. This combination + of command-line options is suspicious because it is overriding the default PowerShell + execution policy, attempts to hide its activity from the user, and connects to the + Internet. Removed in this version of the query is New-Object. The analytic identifies + all variations of WindowStyle, as PowerShell allows the ability to shorten the parameter. + For example w, win, windowsty and so forth. In addition, through our research it + was identified that PowerShell will interpret different command switch types beyond + the hyphen. We have added endash, emdash, horizontal bar, and forward slash. +how_to_implement: You must be ingesting data that records process activity from your + hosts to populate the Endpoint data model in the Processes node. You must also be + ingesting logs with both the process name and command line from your endpoints. + The command-line arguments are mapped to the "process" field in the Endpoint data + model. +id: 477e068e-8b6d-11ec-b6c1-81af21670352 +known_false_positives: Legitimate process can have this combination of command-line + options, but it's not common. 
+name: Windows Powershell Connect to Internet With Hidden Window +product: +- Splunk Behavioral Analytics +references: +- https://regexr.com/663rr +- https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1059.001_PowerShell/OutPowerShellCommandLineParameter.ps1 +- https://ss64.com/ps/powershell.html +- https://twitter.com/M_haggis/status/1440758396534214658?s=20 +- https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/ +risk_message: PowerShell processes $process$ started with parameters to modify the + execution policy of the run, run in a hidden window, and connect to the Internet + on host $dest$ executed by user $user$. +search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, + "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), + "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), + "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", + null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", + null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where + cmd_line IS NOT NULL AND process_name IS NOT NULL | where process_name="pwsh.exe" + OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" + OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | where match_regex(cmd_line, + /(?i)[\\-|\\/|\u2013\|\u2014|\u2015]w(in*d*o*w*s*t*y*l*e*)*\\s+[^-]/)=true | eval + start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, + "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), + "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", + process_name, "parent_process_name", parent_process_name, "process_path", process_path]) + | into write_ssa_detected_events();' 
+tags: + analytic_story: + - Malicious PowerShell + - Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns + - HAFNIUM Group + - Log4Shell CVE-2021-44228 + automated_detection_testing: passed + cis20: + - CIS 8 + confidence: 70 + context: + - Source:Endpoint + - Stage:Exfiltration + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log + impact: 50 + kill_chain_phases: + - Exfiltration + message: PowerShell processes $process$ started with parameters to modify the execution + policy of the run, run in a hidden window, and connect to the Internet on host + $dest$ executed by user $user$. + mitre_attack_id: + - T1020 + nist: + - PR.PT + - DE.CM + observable: + - name: dest_user_id + role: + - Victim + type: User + - name: dest_device_id + role: + - Victim + type: Hostname + - name: parent_process_name + role: + - Parent Process + type: Parent Process + - name: process_name + role: + - Child Process + type: Process + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - dest_device_id + - process_name + - parent_process_name + - process_path + - dest_user_id + - process + - cmd_line + risk_score: 35 + risk_severity: low + security_domain: endpoint +type: Anomaly +version: 1 From 73cb36c6267cfd1b3476251987e336057c220aae Mon Sep 17 00:00:00 2001 From: d1vious Date: Mon, 14 Feb 2022 15:54:12 -0500 Subject: [PATCH 4/8] adding working detection --- ...ershell_connect_to_internet_with_hidden_window.yml | 11 +++++++++++ ...l_connect_to_internet_with_hidden_window.test.yml} | 0 2 files changed, 11 insertions(+) rename tests/endpoint/{windows_powershell_connect_to_internet_with_hidden_window.test.yml => ssa___windows_powershell_connect_to_internet_with_hidden_window.test.yml} (100%) 
diff --git a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index d036ed1ec6..8f641c57c3 100644 --- a/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/dist/ssa/srs/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml @@ -103,5 +103,16 @@ tags: risk_score: 35 risk_severity: low security_domain: endpoint +test: + name: Windows Powershell Connect to Internet With Hidden Window Unit Test + tests: + - attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/hidden_powershell/hidden_windows-security.log + file_name: hidden_windows-security.log + source: WinEventLog:Security + description: Test Windows Powershell Connect to Internet With Hidden Window detections + file: endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml + name: Windows Powershell Connect to Internet With Hidden Window + pass_condition: '@count_gt(0)' type: Anomaly version: 1 diff --git a/tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml b/tests/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.test.yml similarity index 100% rename from tests/endpoint/windows_powershell_connect_to_internet_with_hidden_window.test.yml rename to tests/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.test.yml From 3a3d0a99226737786ac9de69beb5a44a8e88b57b Mon Sep 17 00:00:00 2001 
From: d1vious Date: Mon, 14 Feb 2022 21:28:57 -0500 Subject: [PATCH 5/8] adding powershell downloadfile but not passing --- .../ssa___windows_powershell_downloadfile.yml | 89 ++++++++++++++ .../ssa___windows_powershell_downloadfile.yml | 110 ++++++++++++++++++ ...__windows_powershell_downloadfile.test.yml | 10 ++ 3 files changed, 209 insertions(+) create mode 100644 detections/endpoint/ssa___windows_powershell_downloadfile.yml create mode 100644 dist/ssa/srs/ssa___windows_powershell_downloadfile.yml create mode 100644 tests/endpoint/ssa___windows_powershell_downloadfile.test.yml diff --git a/detections/endpoint/ssa___windows_powershell_downloadfile.yml b/detections/endpoint/ssa___windows_powershell_downloadfile.yml new file mode 100644 index 0000000000..dcc0421a12 --- /dev/null +++ b/detections/endpoint/ssa___windows_powershell_downloadfile.yml 
@@ -0,0 +1,89 @@ +name: Windows Powershell DownloadFile +id: 46440222-81d5-44b1-a376-19dcd70d1b08 +version: 1 +date: '2022-02-11' +author: Jose Hernandez, Michael Haag, Splunk +type: Anomaly +datamodel: +- Endpoint +description: The following analytic identifies the use of PowerShell downloading a + file using `DownloadFile` method. This particular method is utilized in many different + PowerShell frameworks to download files and output to disk. Identify the source + (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell + transaction logs are available, review for further details of the implant. +search: '| from read_ssa_enriched_events() +| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), + "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), + "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", + null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", + null), event_id=ucast(map_get(input_event, "event_id"), "string", null) +| where cmd_line IS NOT NULL AND process_name IS NOT NULL +| where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" +| where (like (cmd_line, "%DownloadFile%")) +| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) +| into write_ssa_detected_events();' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process 
responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +known_false_positives: False positives may be present and filtering will need to occur + by parent process or command line argument. It may be required to modify this query + to an EDR product for more granular coverage. +references: +- https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 +- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md +tags: + analytic_story: + - Malicious PowerShell + - Ingress Tool Transfer + - Log4Shell CVE-2021-44228 + cis20: + - CIS 8 + confidence: 70 + context: + - Source:Endpoint + - Stage:LateralMovement + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log + impact: 50 + kill_chain_phases: + - Lateral Movement + message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell. + mitre_attack_id: + - T1020 + nist: + - PR.PT + - DE.CM + observable: + - name: dest_user_id + type: User + role: + - Victim + - name: dest_device_id + type: Hostname + role: + - Victim + - name: parent_process_name + type: Parent Process + role: + - Parent Process + - name: process_name + type: Process + role: + - Child Process + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - dest_device_id + - process_name + - parent_process_name + - process_path + - dest_user_id + - process + - cmd_line + risk_score: 35 + risk_severity: low + security_domain: endpoint \ No newline at end of file 
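Review bot: The DownloadFile analytic's metadata disagrees with itself: `analytic_story` says Ingress Tool Transfer and the references are T1059.001, yet `mitre_attack_id` is T1020 and `kill_chain_phases`/`context` say Lateral Movement — this looks copied from the hidden-window file, so confirm the intended technique (T1105 Ingress Tool Transfer and/or T1059.001) and align the phase with it. `how_to_implement` asks for CIM App 4.20 and the `Endpoint` datamodel `Processes` node, but `product` is Splunk Behavioral Analytics and the search reads `read_ssa_enriched_events()`, so that paragraph presumably belongs to the ES version of this detection and should describe the SSA ingestion requirement instead. The description should also say that the match is a plain substring (`like(cmd_line, "%DownloadFile%")`), so it fires on any command line containing the word, including DownloadFileAsync-style variants — useful context for whoever triages it.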
diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml new file mode 100644 index 0000000000..b4ee206748 --- /dev/null +++ b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml 
@@ -0,0 +1,110 @@ +author: Jose Hernandez, Michael Haag, Splunk +datamodel: +- Endpoint +date: '2022-02-11' +description: The following analytic identifies the use of PowerShell downloading a + file using `DownloadFile` method. This particular method is utilized in many different + PowerShell frameworks to download files and output to disk. Identify the source + (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell + transaction logs are available, review for further details of the implant. +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, + confirm the latest CIM App 4.20 or higher is installed and the latest TA for the + endpoint product. +id: 46440222-81d5-44b1-a376-19dcd70d1b08 +known_false_positives: False positives may be present and filtering will need to occur + by parent process or command line argument. It may be required to modify this query + to an EDR product for more granular coverage. +name: Windows Powershell DownloadFile +product: +- Splunk Behavioral Analytics +references: +- https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-5.0 +- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md +risk_message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile + within PowerShell. 
+search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, + "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), + "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), + "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", + null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", + null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where + cmd_line IS NOT NULL AND process_name IS NOT NULL | where process_name="pwsh.exe" + OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" + OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | where (like + (cmd_line, "%DownloadFile%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, + "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), + "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", + process_name, "parent_process_name", parent_process_name, "process_path", process_path]) + | into write_ssa_detected_events();' +tags: + analytic_story: + - Malicious PowerShell + - Ingress Tool Transfer + - Log4Shell CVE-2021-44228 + cis20: + - CIS 8 + confidence: 70 + context: + - Source:Endpoint + - Stage:LateralMovement + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log + impact: 50 + kill_chain_phases: + - Lateral Movement + message: An instance of $parent_process_name$ spawning $process_name$ was identified + on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile + within PowerShell. 
+ mitre_attack_id: + - T1020 + nist: + - PR.PT + - DE.CM + observable: + - name: dest_user_id + role: + - Victim + type: User + - name: dest_device_id + role: + - Victim + type: Hostname + - name: parent_process_name + role: + - Parent Process + type: Parent Process + - name: process_name + role: + - Child Process + type: Process + product: + - Splunk Behavioral Analytics + required_fields: + - _time + - dest_device_id + - process_name + - parent_process_name + - process_path + - dest_user_id + - process + - cmd_line + risk_score: 35 + risk_severity: low + security_domain: endpoint +test: + name: Windows Powershell DownloadFile Unit Test + tests: + - attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log + file_name: downloadfile_windows-security.log + source: WinEventLog:Security + description: Test Windows Powershell DownloadFile detections + file: endpoint/ssa___windows_powershell_downloadfile.yml + name: Windows Powershell DownloadFile + pass_condition: '@count_gt(0)' +type: Anomaly +version: 1 diff --git a/tests/endpoint/ssa___windows_powershell_downloadfile.test.yml b/tests/endpoint/ssa___windows_powershell_downloadfile.test.yml new file mode 100644 index 0000000000..b8276b1001 --- /dev/null +++ b/tests/endpoint/ssa___windows_powershell_downloadfile.test.yml @@ -0,0 +1,10 @@ +name: Windows Powershell DownloadFile Unit Test +tests: +- name: Windows Powershell DownloadFile + file: endpoint/ssa___windows_powershell_downloadfile.yml + pass_condition: '@count_gt(0)' + description: Test Windows Powershell DownloadFile detections + attack_data: + - file_name: downloadfile_windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/atomic_red_team/downloadfile_windows-security.log + source: WinEventLog:Security 
From 6ef8187b2f6d7c2a8e0bbe38ea55b2183f91e8fb Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 15 Feb 2022 12:37:57 -0800 Subject: [PATCH 6/8] Update ssa___windows_powershell_connect_to_internet_with_hidden_window.yml --- ...dows_powershell_connect_to_internet_with_hidden_window.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml index ea4db54aa5..b07c391fab 100644 --- a/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml +++ b/detections/endpoint/ssa___windows_powershell_connect_to_internet_with_hidden_window.yml @@ -5,7 +5,7 @@ date: '2022-02-11' author: Jose Hernandez, David Dorsey, Michael Haag Splunk type: Anomaly datamodel: -- Endpoint +- Endpoint_Processes description: The following hunting analytic identifies PowerShell commands utilizing the WindowStyle parameter to hide the window on the compromised endpoint. This combination of command-line options is suspicious because it is overriding the default PowerShell @@ -94,4 +94,4 @@ tags: - cmd_line risk_score: 35 risk_severity: low - security_domain: endpoint \ No newline at end of file + security_domain: endpoint From 990694e9e60af7ac1a333885d0f55f9c951c8bd9 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 15 Feb 2022 12:38:12 -0800 Subject: [PATCH 7/8] Update ssa___windows_powershell_downloadfile.yml --- detections/endpoint/ssa___windows_powershell_downloadfile.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/ssa___windows_powershell_downloadfile.yml b/detections/endpoint/ssa___windows_powershell_downloadfile.yml index dcc0421a12..a6391b3bc8 100644 --- a/detections/endpoint/ssa___windows_powershell_downloadfile.yml +++ b/detections/endpoint/ssa___windows_powershell_downloadfile.yml 
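Review bot: The `datamodel` change to `Endpoint_Processes` is applied only to detections/endpoint/…; the copy of the same file created under dist/ssa/srs/ in 3/8 still reads `- Endpoint`, and the DownloadFile pair in 7/8 (L21) diverges the same way. If dist/ is a generated artefact, regenerate it after this change so the two copies stay in sync; if it is hand-maintained, patch both, as 8/8 does for the `like()` pattern.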
@@ -5,7 +5,7 @@ date: '2022-02-11' author: Jose Hernandez, Michael Haag, Splunk type: Anomaly datamodel: -- Endpoint +- Endpoint_Processes description: The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source @@ -86,4 +86,4 @@ tags: - cmd_line risk_score: 35 risk_severity: low - security_domain: endpoint \ No newline at end of file + security_domain: endpoint From b767a93e5b86c25072c0f8199d53a215622f7893 Mon Sep 17 00:00:00 2001 From: d1vious Date: Tue, 15 Feb 2022 17:40:51 -0500 Subject: [PATCH 8/8] fixing base on feedback --- detections/endpoint/ssa___windows_powershell_downloadfile.yml | 2 +- dist/ssa/srs/ssa___windows_powershell_downloadfile.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/ssa___windows_powershell_downloadfile.yml b/detections/endpoint/ssa___windows_powershell_downloadfile.yml index dcc0421a12..295399d429 100644 --- a/detections/endpoint/ssa___windows_powershell_downloadfile.yml +++ b/detections/endpoint/ssa___windows_powershell_downloadfile.yml 
@@ -19,7 +19,7 @@ search: '| from read_ssa_enriched_events() null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where cmd_line IS NOT NULL AND process_name IS NOT NULL | where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" -| where (like (cmd_line, "%DownloadFile%")) +| where (like (cmd_line, "%downloadfile%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | into write_ssa_detected_events();' how_to_implement: To successfully implement this search you need to be ingesting information diff --git a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml index b4ee206748..1799870fc0 100644 --- a/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml +++ b/dist/ssa/srs/ssa___windows_powershell_downloadfile.yml 
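Review bot: `%downloadfile%` now agrees with the `lower()` applied to `cmd_line` earlier in the search (that eval line is outside this hunk), which is presumably why `%DownloadFile%` never matched, given the 5/8 subject; nothing in the file records that the pattern must stay lowercase, and the single-quoted scalar cannot carry an inline comment. Making the case-insensitivity explicit in the predicate, as the hidden-window analytic does with `(?i)`, removes the trap: `| where match_regex(cmd_line, /(?i)downloadfile/)=true`. The dist copy at L23 carries the same change and would want the same treatment.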
@@ -35,7 +35,7 @@ search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map cmd_line IS NOT NULL AND process_name IS NOT NULL | where process_name="pwsh.exe" OR process_name="pwsh.exe" OR process_name="sqlps.exe" OR process_name="sqltoolsps.exe" OR process_name="powershell.exe" OR process_name="powershell_ise.exe" | where (like - (cmd_line, "%DownloadFile%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, + (cmd_line, "%downloadfile%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path])