LoFP / It is possible administrators or scripts may run these commands; filtering may be required.

Techniques

Sample rules

Windows PowerShell Export PfxCertificate

Description

The following analytic identifies the PowerShell Cmdlet export-pfxcertificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*") 
| rename Computer as dest  
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_export_pfxcertificate_filter`

Windows PowerShell IIS Components WebGlobalModule Usage

Description

The following analytic identifies the usage of the PowerShell Cmdlets New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule being utilized to create (new), enable (start) or modify an existing IIS module. These commands are equivalent to AppCmd.exe parameters. Adversaries may utilize these cmdlets as they are less well known and perform the same activity as AppCmd.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`  
| `windows_powershell_iis_components_webglobalmodule_usage_filter`

Windows PowerShell Export Certificate

Description

The following analytic identifies the PowerShell Cmdlet export-certificate utilizing Script Block Logging. This particular behavior is related to an adversary attempting to steal certificates local to the Windows endpoint within the Certificate Store.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*") 
| rename Computer as dest  
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_export_certificate_filter`

Windows PowerShell Disable HTTP Logging

Description

The following analytic identifies the use of get-WebConfigurationProperty and Set-ItemProperty attempting to disable HTTP logging on Windows via PowerShell. Adversaries may perform this action to disable HTTP logging to cover tracks and delete logs on disk.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText IN ("*dontLog*", "*false*")   
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_disable_http_logging_filter`
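The four Script Block Logging searches above (Export PfxCertificate, Export Certificate, IIS WebGlobalModule Usage, Disable HTTP Logging) share one shape: restrict to EventCode 4104, match case-insensitive wildcards against ScriptBlockText (each `IN(...)` clause is one group, and the groups are ANDed), drop anything matched by the rule's `*_filter` macro, then aggregate count/firstTime/lastTime by EventCode, ScriptBlockText, host and user. The following Python is an added example of that logic run over constructed sample events; it is not Splunk's or LoFP's code. The `FILTERS` allowlist of (host, user) pairs is an assumed stand-in for the `*_filter` macros, which is where the administrator and scheduled-script false positives this page describes would be tuned out.

```python
"""Script Block Logging (EventCode 4104) rule matching with a false-positive filter,
modelled on the SPL searches on this page. All sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample 4104 events shaped like the fields the searches key on.
# The last record is EventCode 4103 and must be ignored by every rule.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:00:00", "EventCode": 4104, "Computer": "ws01.corp.example",
     "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My | Export-PfxCertificate "
                        "-FilePath C:\\Users\\jdoe\\all.pfx -Password $pw"},
    {"_time": "2024-03-01T09:05:00", "EventCode": 4104, "Computer": "ws01.corp.example",
     "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My | Export-PfxCertificate "
                        "-FilePath C:\\Users\\jdoe\\all.pfx -Password $pw"},
    # Scheduled renewal job on the PKI host: the classic false positive for Export-Certificate.
    {"_time": "2024-03-01T02:00:00", "EventCode": 4104, "Computer": "pki01.corp.example",
     "user_id": "CORP\\svc-certrenew",
     "ScriptBlockText": "Export-Certificate -Cert $c -FilePath D:\\backup\\root.cer"},
    {"_time": "2024-03-01T11:20:00", "EventCode": 4104, "Computer": "web01.corp.example",
     "user_id": "CORP\\webadmin",
     "ScriptBlockText": "New-WebGlobalModule -Name \"Module1\" -Image C:\\inetpub\\module.dll"},
    {"_time": "2024-03-01T11:21:00", "EventCode": 4104, "Computer": "web01.corp.example",
     "user_id": "CORP\\webadmin",
     "ScriptBlockText": "Set-ItemProperty 'IIS:\\Sites\\Default Web Site' -Name logfile.enabled -Value false"},
    # Read-only query of the logging setting: touches httpLogging but never sets dontLog/false.
    {"_time": "2024-03-01T12:00:00", "EventCode": 4104, "Computer": "ws02.corp.example",
     "user_id": "CORP\\asmith",
     "ScriptBlockText": "Get-WebConfigurationProperty -Filter system.webServer/httpLogging -Name enabled"},
    {"_time": "2024-03-01T12:01:00", "EventCode": 4103, "Computer": "ws02.corp.example",
     "user_id": "CORP\\asmith",
     "ScriptBlockText": "Export-PfxCertificate -Cert $c -FilePath x.pfx"},
]

# Each rule is a list of groups; a group is one SPL IN("*a*","*b*") clause (any substring
# matches), and all groups must match, mirroring the AND between clauses.
RULES = {
    "Windows PowerShell Export PfxCertificate": [["export-pfxcertificate"]],
    "Windows PowerShell Export Certificate": [["export-certificate"]],
    "Windows PowerShell IIS Components WebGlobalModule Usage":
        [["new-webglobalmodule", "enable-webglobalmodule", "set-webglobalmodule"]],
    "Windows PowerShell Disable HTTP Logging":
        [["get-webconfigurationproperty", "set-itemproperty"],
         ["httplogging", "logfile.enabled"],
         ["dontlog", "false"]],
}

# Assumed stand-in for the per-rule `*_filter` macros: (host, user) pairs known to run
# the cmdlet legitimately. Tune per environment; keep it narrow (host AND account).
FILTERS = {
    "Windows PowerShell Export Certificate": {("pki01.corp.example", "CORP\\svc-certrenew")},
}


def matches(rule_groups, text):
    """Case-insensitive wildcard semantics of ScriptBlockText IN("*x*", ...)."""
    t = text.lower()
    return all(any(s in t for s in group) for group in rule_groups)


def run_rule(name, events, filters=FILTERS):
    """Return {(EventCode, ScriptBlockText, dest, user_id): {count, firstTime, lastTime}}."""
    groups, allow = RULES[name], filters.get(name, set())
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if ev["EventCode"] != 4104 or not matches(groups, ev["ScriptBlockText"]):
            continue
        dest, user = ev["Computer"], ev["user_id"]  # rename Computer as dest
        if (dest, user) in allow:                   # the `*_filter` macro step
            continue
        row = rows[(ev["EventCode"], ev["ScriptBlockText"], dest, user)]
        t = datetime.fromisoformat(ev["_time"])
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return {k: dict(v) for k, v in rows.items()}


def run_all(events=SAMPLE_EVENTS, filters=FILTERS):
    return {name: run_rule(name, events, filters) for name in RULES}


if __name__ == "__main__":
    for name, rows in run_all().items():
        print(f"== {name}: {len(rows)} row(s)")
        for (code, text, dest, user), row in rows.items():
            print(f"  {row['count']:>3}  {row['firstTime']}  {row['lastTime']}  {dest}  {user}  {text[:60]}")
```

On the constructed data the two identical Export-PfxCertificate blocks from the same user and host collapse into one row with count 2, the PKI renewal job disappears under the Export Certificate filter (run the same rule with an empty filter dict to see it surface), and the read-only Get-WebConfigurationProperty query does not fire Disable HTTP Logging because no group-three term (dontLog/false) is present. That third group is what keeps the rule from paging on every administrator who merely inspects the logging setting.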

Windows Powershell RemoteSigned File

Description

This analytic identifies the use of “remotesigned” execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to “remotesigned,” it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher.

Detection logic

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_remotesigned_file_filter`