Techniques
Sample rules
Windows PowerShell Export PfxCertificate
- source: splunk
- techniques:
  - T1552.004
  - T1552
  - T1649
Description
The following analytic identifies use of the PowerShell cmdlet export-pfxcertificate via Script Block Logging (EventCode 4104). This behavior is associated with an adversary attempting to steal certificates held in the Windows endpoint's local Certificate Store.
Detection logic
`powershell` EventCode=4104 ScriptBlockText IN ("*export-pfxcertificate*")
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_export_pfxcertificate_filter`
Windows PowerShell IIS Components WebGlobalModule Usage
- source: splunk
- techniques:
  - T1505
  - T1505.004
Description
The following analytic identifies use of the PowerShell cmdlets New-WebGlobalModule, Enable-WebGlobalModule and Set-WebGlobalModule to create (new), enable (start) or modify an existing IIS module. These cmdlets are equivalent to AppCmd.exe parameters; adversaries may prefer them because they are less well known while performing the same activity as AppCmd.
Detection logic
`powershell` EventCode=4104 ScriptBlockText IN("*New-WebGlobalModule*","*Enable-WebGlobalModule*","*Set-WebGlobalModule*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_iis_components_webglobalmodule_usage_filter`
Windows PowerShell Export Certificate
- source: splunk
- techniques:
  - T1552.004
  - T1552
  - T1649
Description
The following analytic identifies use of the PowerShell cmdlet export-certificate via Script Block Logging (EventCode 4104). This behavior is associated with an adversary attempting to steal certificates held in the Windows endpoint's local Certificate Store.
Detection logic
`powershell` EventCode=4104 ScriptBlockText IN ("*export-certificate*")
| rename Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_export_certificate_filter`
Windows PowerShell Disable HTTP Logging
- source: splunk
- techniques:
  - T1562
  - T1562.002
  - T1505
  - T1505.004
Description
The following analytic identifies the use of get-WebConfigurationProperty and Set-ItemProperty to disable HTTP logging on Windows via PowerShell. Adversaries may perform this action to cover their tracks, disabling HTTP logging and deleting the logs already on disk.
Detection logic
`powershell` EventCode=4104 ScriptBlockText IN("*get-WebConfigurationProperty*","*Set-ItemProperty*") AND ScriptBlockText IN ("*httpLogging*","*Logfile.enabled*") AND ScriptBlockText IN ("*dontLog*", "*false*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_disable_http_logging_filter`
Windows Powershell RemoteSigned File
- source: splunk
- techniques:
  - T1059.001
  - T1059
Description
This analytic identifies the use of the “remotesigned” execution policy when PowerShell is launched with a script file. The execution policy is a security setting that determines whether PowerShell scripts can run on a computer. When it is set to “remotesigned,” locally created scripts run without restriction, but scripts downloaded from the internet must carry a digital signature from a trusted publisher.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_remotesigned_file_filter`
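The SPL searches above all follow the same shape: wildcard matches on a text field (ScriptBlockText for the EventCode 4104 rules, Processes.process for the tstats rule), ANDed together where a rule uses several IN clauses, then a stats aggregation by host, user and script text. The Python below is an added example, not Splunk's own code or part of these rules, that re-implements the matching and aggregation so the logic can be exercised offline against constructed 4104 and process events. It assumes that SPL wildcard comparisons are case-insensitive and that the `process_powershell` macro resolves to the PowerShell image names listed in POWERSHELL_IMAGES; the sample events and hostnames are constructed.

```python
"""Offline re-implementation of the Splunk detections listed above (added example)."""
import fnmatch

# Rule name -> list of OR-groups of SPL-style wildcard patterns over ScriptBlockText.
# A rule fires when every group matches at least one of its patterns, mirroring
#   ScriptBlockText IN (...) AND ScriptBlockText IN (...)
SCRIPTBLOCK_RULES = {
    "Windows PowerShell Export PfxCertificate": [["*export-pfxcertificate*"]],
    "Windows PowerShell Export Certificate": [["*export-certificate*"]],
    "Windows PowerShell IIS Components WebGlobalModule Usage": [
        ["*New-WebGlobalModule*", "*Enable-WebGlobalModule*", "*Set-WebGlobalModule*"],
    ],
    "Windows PowerShell Disable HTTP Logging": [
        ["*get-WebConfigurationProperty*", "*Set-ItemProperty*"],
        ["*httpLogging*", "*Logfile.enabled*"],
        ["*dontLog*", "*false*"],
    ],
}

# Both patterns must match the command line (Processes.process) for the tstats rule.
REMOTESIGNED_FILE_PATTERNS = ["* remotesigned *", "* -File *"]
# Assumption: the `process_powershell` macro selects these image names.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def wildcard_match(text, pattern):
    """Case-insensitive SPL-style wildcard match; '*' is the only metacharacter used."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def rule_matches(groups, text):
    """True when each OR-group has at least one matching pattern (AND of INs)."""
    return all(any(wildcard_match(text, p) for p in group) for group in groups)


def detect_scriptblocks(events):
    """Emulate the 4104 searches plus `stats count min(_time) max(_time) by ...`.

    Returns {(rule, dest, user_id, ScriptBlockText): {"count", "firstTime", "lastTime"}}.
    _time values are ISO-8601 UTC strings, so min/max compare correctly as strings.
    """
    hits = {}
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev["ScriptBlockText"]
        for rule, groups in SCRIPTBLOCK_RULES.items():
            if not rule_matches(groups, text):
                continue
            key = (rule, ev["Computer"], ev["user_id"], text)  # Computer is renamed to dest
            agg = hits.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
            agg["count"] += 1
            agg["firstTime"] = min(agg["firstTime"], ev["_time"])
            agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return hits


def rules_hit(hits):
    """Sorted, de-duplicated rule names present in a detect_scriptblocks() result."""
    return sorted({key[0] for key in hits})


def detect_remotesigned_file(process_events):
    """Emulate the tstats rule: PowerShell image AND both command-line patterns."""
    return [ev for ev in process_events
            if ev["process_name"].lower() in POWERSHELL_IMAGES
            and all(wildcard_match(ev["process"], p) for p in REMOTESIGNED_FILE_PATTERNS)]


# Constructed sample events (not real telemetry). Field names follow the SPL above.
SCRIPTBLOCK_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 4104, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockText": "Export-PfxCertificate -Cert $cert -FilePath C:\\Temp\\out.pfx -Password $pw"},
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 4104, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockText": "Export-PfxCertificate -Cert $cert -FilePath C:\\Temp\\out.pfx -Password $pw"},
    {"_time": "2024-05-01T10:07:00Z", "EventCode": 4104, "Computer": "ws01.corp.example", "user_id": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My"},  # benign: no rule matches
    {"_time": "2024-05-01T11:00:00Z", "EventCode": 4104, "Computer": "web01.corp.example", "user_id": "CORP\\svc_iis",
     "ScriptBlockText": "Set-ItemProperty 'IIS:\\Sites\\Default Web Site' -Name logFile.enabled -Value $false"},
    {"_time": "2024-05-01T11:01:00Z", "EventCode": 4104, "Computer": "web01.corp.example", "user_id": "CORP\\svc_iis",
     "ScriptBlockText": "Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Spooler -Name Start -Value 2"},  # benign
    {"_time": "2024-05-01T11:02:00Z", "EventCode": 4104, "Computer": "web01.corp.example", "user_id": "CORP\\svc_iis",
     "ScriptBlockText": "New-WebGlobalModule -Name ExampleModule -Image C:\\inetpub\\example.dll"},
    {"_time": "2024-05-01T12:00:00Z", "EventCode": 4104, "Computer": "ws02.corp.example", "user_id": "CORP\\bob",
     "ScriptBlockText": "Export-Certificate -Cert $cert -FilePath C:\\Temp\\out.cer"},
]

PROCESS_EVENTS = [
    {"dest": "ws01.corp.example", "user": "CORP\\alice", "process_name": "powershell.exe",
     "process": "powershell.exe -ExecutionPolicy remotesigned -File C:\\scripts\\inventory.ps1"},
    {"dest": "ws01.corp.example", "user": "CORP\\alice", "process_name": "powershell.exe",
     "process": "powershell.exe -File C:\\scripts\\inventory.ps1"},  # no execution policy: no hit
    {"dest": "ws03.corp.example", "user": "CORP\\carol", "process_name": "cmd.exe",
     "process": "cmd.exe /c echo remotesigned -File notes.txt"},  # not a PowerShell image: no hit
]

if __name__ == "__main__":
    for key, agg in detect_scriptblocks(SCRIPTBLOCK_EVENTS).items():
        print(key[0], "|", key[1], "|", key[2], "|", agg)
    for ev in detect_remotesigned_file(PROCESS_EVENTS):
        print("Windows Powershell RemoteSigned File |", ev["dest"], "|", ev["process"])
```

Two details are worth noting when translating the SPL this way: the Disable HTTP Logging rule needs all three IN clauses to hold, so a Set-ItemProperty call against an unrelated registry key (the constructed benign event) does not fire, and the pattern "*export-certificate*" does not match export-pfxcertificate, which is why the page carries two separate rules. For the tstats rule, the spaces inside "* remotesigned *" and "* -File *" are literal, so the tokens must appear as separate command-line arguments.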