[New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543)

w0rk3r · github-actions[bot] · commit 5cb0cd7e2d20 · 2024-03-28T10:14:31.000Z
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script * Update credential_access_posh_relay_tools.toml * Update execution_posh_hacktool_functions.toml * Update credential_access_posh_relay_tools.toml * Update credential_access_posh_relay_tools.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 218c3be)
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2024/03/27"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry
+out other man-in-the-middle (MitM) attacks.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.powershell*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential PowerShell Pass-the-Hash/Relay Script"
+references = [
+    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
+    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
+    "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
+    "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
+    "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
+]
+risk_score = 47
+rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
+setup = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and host.os.type:windows and
+  powershell.file.script_block_text : (
+    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
+    "4E544C4D53535000" or
+    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
+    "0x4e,0x54,0x20,0x4c,0x4d" or
+    "0x53,0x4d,0x42,0x20,0x32" or
+    "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
@@ -159,7 +159,7 @@ event.category:process and host.os.type:windows and
     "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or
     "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or
     "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
-    "Get-DelegateType" or
+    "Get-DelegateType" or "New-RelayEnumObject" or
     "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or
     "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or
     "Get-DomainDNSZone" or "Get-DomainFileServer" or
@@ -183,7 +183,7 @@ event.category:process and host.os.type:windows and
     "Get-GPPInnerFields" or "Get-GPPPassword" or
     "Get-GptTmpl" or "Get-GroupsXML" or
     "Get-HttpStatus" or "Get-ImageNtHeaders" or
-    "Get-Keystrokes" or
+    "Get-Keystrokes" or "New-SOASerialNumberArray" or 
     "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or
     "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or
     "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
