LoFP LoFP / false positives should be limited. filter as needed.

Sample rules

Windows Exfiltration Over C2 Via Powershell UploadString

Description

The following analytic identifies potential data exfiltration using the PowerShell net.webclient command. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Net.webclient*" AND ScriptBlockText = "*.UploadString*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_exfiltration_over_c2_via_powershell_uploadstring_filter`

Powershell Fileless Script Contains Base64 Encoded Content

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all.

This analytic identifies FromBase64String within the script block. A typical malicious instance will include additional code. Command example - [Byte[]]$var_code = [System.Convert]::FromBase64String(38uqIyMjQ6rG....

During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
|rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_fileless_script_contains_base64_encoded_content_filter`

Windows Exfiltration Over C2 Via Invoke RestMethod

Description

The following analytic identifies the potential exfiltration of data using PowerShell’s Invoke-RestMethod. This technique was observed in the Winter-Vivern malware, which uploads desktop screenshots and files from compromised or targeted hosts. Detecting this TTP can serve as a valuable indicator that a process is attempting to upload files to an external or internal URI link. We recommend examining the process, the files it is trying to upload, and the URL link or C2 destination where the data is being uploaded.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Invoke-RestMethod *" AND ScriptBlockText = "* -Uri *" AND ScriptBlockText = "* -Method *" AND ScriptBlockText = "* Post *" AND ScriptBlockText = "* -InFile *" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_exfiltration_over_c2_via_invoke_restmethod_filter`

Esentutl SAM Copy

Description

The following analytic identifies the process - esentutl.exe - being used to capture credentials stored in ntds.dit or the SAM file on disk. During triage, review parallel processes and determine if legitimate activity. Upon determination of illegitimate activity, take further action to isolate and contain the threat.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_esentutl` Processes.process IN ("*ntds*", "*SAM*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `esentutl_sam_copy_filter`

Windows Powershell Cryptography Namespace

Description

The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_cryptography_namespace_filter`

Windows System Binary Proxy Execution Compiled HTML File Decompile

Description

The following analytic identifies the decompile parameter with the HTML Help application, HH.exe. This is a uncommon command to see ran and behavior. Most recently this was seen in a APT41 campaign where a CHM file was delivered and a script inside used a technique for running an arbitrary command in a CHM file via an ActiveX object. This unpacks an HTML help file to a specified path for launching the next stage.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*-decompile* by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_system_binary_proxy_execution_compiled_html_file_decompile_filter`