Microsoft's PowerShell is a very powerful tool, and it is also usable as a LOLBin (living-off-the-land binary). To detect suspicious PowerShell commands or scripts, a SIEM use case for finding encoded PowerShell commands can look like this:
Logging / Data Source
Activate PowerShell Script Block Logging (Event ID 4104), or use your Advanced Endpoint Protection (AEP) or Endpoint Detection and Response (EDR) tool, such as VMware Carbon Black, Microsoft Defender ATP, CrowdStrike or similar products, as the data source.
SIEM use case / find suspicious PowerShell
1. process = powershell.exe
&&
2. cmd contains ToBase64String OR FromBase64String OR -e OR -en OR -enc OR -enco OR -encod OR -encode OR -encoded OR -encodedc OR -encodedco OR -encodedcom OR -encodedcomm OR -encodedcomma OR -encodedcomman OR -encodedcommand OR -ec
(every abbreviation of -EncodedCommand that PowerShell accepts, plus the .NET Base64 conversion methods)
&&
3. not cmd contains Windows\CCM\* (the Configuration Manager client directory, a common source of legitimate encoded commands; extend this exclusion with your own known-good software)
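The three conditions above, implemented as a small detection function run over constructed sample events. This is an added example, not code from the original post; it assumes events have already been normalised into a `process` field and a `cmd` (command line) field, and it adds a helper that decodes the Base64 argument of an encoded command for triage, using the UTF-16LE encoding that -EncodedCommand expects. The event records, the flag list generation and the function names are assumptions of this example.

```python
import base64
import re
from typing import Optional

# Every prefix of "encodedcommand" from "e" upward, plus "ec": the same flag list as
# the use case above, generated instead of typed out by hand.
ENCODED_FLAGS = ["encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)] + ["ec"]

# Match the flag only as a whole token (preceded and followed by whitespace or line ends),
# so that e.g. "-ExecutionPolicy" does not match "-e".
FLAG_RE = re.compile(
    r"(?<!\S)-(?:" + "|".join(re.escape(f) for f in sorted(ENCODED_FLAGS, key=len, reverse=True)) + r")(?!\S)",
    re.IGNORECASE,
)

# The .NET conversion methods named in the use case.
API_RE = re.compile(r"(?:To|From)Base64String", re.IGNORECASE)

# Exclusion for the Configuration Manager client directory (condition 3).
CCM_EXCLUSION = "windows\\ccm\\"


def is_suspicious(event: dict) -> bool:
    """Apply the three conditions of the use case to one normalised event."""
    process = event.get("process", "").lower()
    cmd = event.get("cmd", "")
    if not process.endswith("powershell.exe"):           # condition 1
        return False
    if CCM_EXCLUSION in cmd.lower():                      # condition 3 (exclusion)
        return False
    return bool(FLAG_RE.search(cmd) or API_RE.search(cmd))  # condition 2


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded text of a -EncodedCommand argument, or None if there is none.

    PowerShell expects the argument to be Base64 over UTF-16LE text, so that is how
    it is decoded here; anything that is not valid Base64/UTF-16LE yields None.
    """
    match = FLAG_RE.search(cmd)
    if not match:
        return None
    rest = cmd[match.end():].strip()
    token = rest.split()[0] if rest else ""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return None


def run_rule(events: list) -> list:
    """Return (index, decoded_command_or_None) for every event the rule fires on."""
    return [(i, decode_encoded_command(e.get("cmd", ""))) for i, e in enumerate(events) if is_suspicious(e)]


# Constructed sample events (not real telemetry). The encoded payload is built here
# so the example stays self-contained and readable.
ENCODED = base64.b64encode("Write-Output 'hello from example'".encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -enc " + ENCODED},                    # fires: -enc
    {"process": "powershell.exe",
     "cmd": "powershell.exe -Command \"[Convert]::FromBase64String('aGVsbG8=')\""},  # fires: API name
    {"process": "powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\Windows\CCM\SystemTemp\inventory.ps1 -EncodedCommand " + ENCODED},  # excluded: CCM
    {"process": "cmd.exe", "cmd": "cmd.exe /c echo -enc"},                  # not powershell.exe
    {"process": "powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},  # no encoded flag
]

if __name__ == "__main__":
    for index, decoded in run_rule(SAMPLE_EVENTS):
        print(f"event {index}: suspicious; decoded command = {decoded!r}")
```

The decoded text is what an analyst wants next to the alert: a hit on `-enc` with a plain `Write-Output` inside is closed quickly, while one that decodes to a download-and-execute stub is escalated. Note that the whole-token regex is deliberately stricter than a bare substring match on `-e`, which would otherwise fire on every `-ExecutionPolicy` and `-ErrorAction` seen on the host.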
More useful information
- https://attack.mitre.org/techniques/T1059/001/
- https://www.splunk.com/en_us/blog/security/hellsbells-lets-hunt-powershells.html
- https://www.carbonblack.com/blog/decoding-malicious-powershell-streams/
- https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
- https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
- https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- https://github.com/redcanaryco/atomic-red-team