LoFP / it is possible administrators or scripts may run these commands, filtering may be required.

Techniques

• T1059
• T1059.001
• T1505
• T1505.004
• T1552
• T1552.004
• T1562
• T1562.002
• T1649

Sample rules

Windows PowerShell IIS Components WebGlobalModule Usage

• source: splunk
• technicques:
  • T1505
  • T1505.004

Description

The following analytic detects the usage of PowerShell Cmdlets - New-WebGlobalModule, Enable-WebGlobalModule, and Set-WebGlobalModule, which are used to create, enable, or modify IIS Modules. This detection leverages PowerShell Script Block Logging, specifically monitoring EventCode 4104 for these cmdlets. This activity is significant as adversaries may use these lesser-known cmdlets to manipulate IIS configurations, similar to AppCmd.exe, potentially bypassing traditional defenses. If confirmed malicious, this could allow attackers to persist in the environment, manipulate web server behavior, or escalate privileges.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `windows_powershell_iis_components_webglobalmodule_usage_filter`

Windows PowerShell Disable HTTP Logging

• source: splunk
• technicques:
  • T1562
  • T1562.002
  • T1505
  • T1505.004

Description

The following analytic detects the use of get-WebConfigurationProperty and Set-ItemProperty commands in PowerShell to disable HTTP logging on Windows systems. This detection leverages PowerShell Script Block Logging, specifically looking for script blocks that reference HTTP logging properties and attempt to set them to “false” or “dontLog”. Disabling HTTP logging is significant as it can be used by adversaries to cover their tracks and delete logs, hindering forensic investigations. If confirmed malicious, this activity could allow attackers to evade detection and persist in the environment undetected.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText IN ("*dontLog*", "*false*")   
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_disable_http_logging_filter`

Windows PowerShell Export Certificate

• source: splunk
• technicques:
  • T1552.004
  • T1552
  • T1649

Description

The following analytic detects the use of the PowerShell Cmdlet export-certificate by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the local Certificate Store on a Windows endpoint. Monitoring this behavior is crucial because stolen certificates can be used to impersonate users, decrypt sensitive data, or facilitate further attacks. If confirmed malicious, this activity could lead to unauthorized access to encrypted communications and sensitive information, posing a severe security risk.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*") 
| rename Computer as dest  
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_export_certificate_filter`

Windows Powershell RemoteSigned File

• source: splunk
• technicques:
  • T1059.001
  • T1059

Description

The following analytic identifies the use of the “remotesigned” execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing “remotesigned” and “-File”. This activity is significant because the “remotesigned” policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.

Detection logic

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_remotesigned_file_filter`

Windows PowerShell Export PfxCertificate

• source: splunk
• technicques:
  • T1552.004
  • T1552
  • T1649

Description

The following analytic detects the use of the PowerShell cmdlet export-pfxcertificate by leveraging Script Block Logging. This activity is significant as it may indicate an adversary attempting to exfiltrate certificates from the Windows Certificate Store. Monitoring this behavior is crucial for identifying potential certificate theft, which can lead to unauthorized access and impersonation attacks. If confirmed malicious, this activity could allow attackers to compromise secure communications, authenticate as legitimate users, and escalate their privileges within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") 
| rename Computer as dest  
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_export_pfxcertificate_filter`