LoFP

False positives: no false positives have been identified at this time; commands with overlap.

Techniques

Sample rules

Windows PowerShell Script Block With Malicious String

Description

The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.

Detection logic

`powershell` ScriptBlockText=* EventCode=4104 
| stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Guid) as Guid values(Opcode) as Opcode values(Name) as Name values(Path) as Path values(ProcessID) as ProcessID values(ScriptBlockId) as ScriptBlockId values(ScriptBlockText) as ScriptBlockText by dest signature signature_id user_id vendor_product 
| eval command = mvjoin(command,"\n") 
| lookup malicious_powershell_strings command 
| where isnotnull(match) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_script_block_with_malicious_string_filter`

Windows PowerShell Process With Malicious String

Description

The following analytic detects the execution of multiple offensive toolkits and commands through the process execution datamodel. This method captures commands given directly to powershell.exe, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` 
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash 
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path 
Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup malicious_powershell_strings command as process 
| where isnotnull(match) 
| `windows_powershell_process_with_malicious_string_filter`
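To make the matching logic of both rules above concrete outside Splunk, here is an added Python re-implementation that is not part of the Splunk security content or of this page. It runs the script-block rule (group 4104 events per host and user, join the blocks with newlines as `mvjoin` does, then look the joined text up) and the process rule (look each powershell.exe command line up) over constructed sample events. The `MALICIOUS_POWERSHELL_STRINGS` table is a constructed stand-in for the real `malicious_powershell_strings` lookup, whose contents are not on the page; the assumption that the lookup uses case-insensitive wildcard patterns and that `process_powershell` filters on the PowerShell process name are both mine, and the grouping keys are reduced to `dest` and `user_id` for readability.

```python
"""Added illustration (not Splunk's security content): a stand-alone
re-implementation of the two detections over constructed sample events."""
import fnmatch
from collections import defaultdict

# Constructed stand-in for the malicious_powershell_strings lookup.
# Assumed shape: a wildcard "command" pattern and a "match" label,
# evaluated case-insensitively (mirrors a Splunk WILDCARD lookup).
MALICIOUS_POWERSHELL_STRINGS = [
    {"command": "*Invoke-Mimikatz*", "match": "credential theft tool"},
    {"command": "*Invoke-ConstructedSampleTool*", "match": "placeholder entry"},
]

# Constructed EventCode=4104 script block events (one host runs a benign
# block followed by a flagged one; a second host runs only benign blocks).
SAMPLE_4104 = [
    {"_time": 1700000000, "EventCode": 4104, "dest": "ws01", "user_id": "alice",
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 50"},
    {"_time": 1700000060, "EventCode": 4104, "dest": "ws01", "user_id": "alice",
     "ScriptBlockText": "Import-Module .\\tool.ps1; Invoke-Mimikatz"},
    {"_time": 1700000120, "EventCode": 4104, "dest": "ws02", "user_id": "bob",
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
]

# Constructed Endpoint.Processes rows (command line sits in "process").
SAMPLE_PROCESSES = [
    {"dest": "ws03", "user": "carol", "process_name": "powershell.exe",
     "process": 'powershell.exe -NoProfile -Command "Invoke-Mimikatz"'},
    {"dest": "ws03", "user": "carol", "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami"},
    {"dest": "ws04", "user": "dave", "process_name": "powershell.exe",
     "process": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def lookup_match(text):
    """Return the 'match' label of the first lookup row whose wildcard pattern
    matches text, or None. This is `| lookup ... | where isnotnull(match)`.
    fnmatch's '*' spans newlines, so a joined multi-block string is fine."""
    lowered = text.lower()
    for row in MALICIOUS_POWERSHELL_STRINGS:
        if fnmatch.fnmatchcase(lowered, row["command"].lower()):
            return row["match"]
    return None


def detect_script_block(events):
    """Rule 1 (script block). Group 4104 events by dest/user_id (the real query
    also splits by signature, signature_id and vendor_product), join every block
    in the group with '\\n' like mvjoin, and run the lookup over the joined text.
    Note that count/firstTime/lastTime cover all blocks in the group, not only
    the one that matched, which is what the SPL's stats produce."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104 or not ev.get("ScriptBlockText"):
            continue  # ScriptBlockText=* EventCode=4104
        groups[(ev["dest"], ev["user_id"])].append(ev)

    alerts = []
    for (dest, user_id), evs in groups.items():
        command = "\n".join(ev["ScriptBlockText"] for ev in evs)
        match = lookup_match(command)
        if match is None:
            continue
        times = [ev["_time"] for ev in evs]
        alerts.append({"dest": dest, "user_id": user_id, "count": len(evs),
                       "firstTime": min(times), "lastTime": max(times),
                       "command": command, "match": match})
    return alerts


def detect_process(rows):
    """Rule 2 (process). Assumed `process_powershell` stand-in: keep rows whose
    process name is powershell.exe or pwsh.exe, then look up the full command
    line (`lookup ... command as process`)."""
    alerts = []
    for row in rows:
        if row["process_name"].lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        match = lookup_match(row["process"])
        if match is not None:
            alerts.append({**row, "match": match})
    return alerts


if __name__ == "__main__":
    for alert in detect_script_block(SAMPLE_4104):
        print("script block:", alert["dest"], alert["user_id"], alert["match"])
    for alert in detect_process(SAMPLE_PROCESSES):
        print("process:", alert["dest"], alert["user"], alert["match"])
```

Two properties of the rules become visible here. The script-block rule aggregates every block a user ran on a host inside the search window before matching, so a single flagged block surfaces the whole group, which is helpful for triage but means the alert's count and time range are not those of the matching block alone. The process rule only ever sees what is on the powershell.exe command line, so script content delivered through a file or an encoded argument reaches the lookup only through the script-block rule, which is why the two are deployed side by side.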