[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543

w0rk3r · 2024-03-27T17:00:13Z

Summary

Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.

Some related tooling:

Samirbous

nice!

w0rk3r · 2024-03-27T17:07:12Z

rules/windows/credential_access_posh_relay_tools.toml

+event.category:process and host.os.type:windows and
+  powershell.file.script_block_text : (
+    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
+    "4E544C4D53535000" or


NTLMSSP in hex

w0rk3r · 2024-03-27T17:07:33Z

rules/windows/credential_access_posh_relay_tools.toml

+  powershell.file.script_block_text : (
+    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
+    "4E544C4D53535000" or
+    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50"


NTLMSSP in hex

w0rk3r · 2024-03-27T17:09:00Z

rules/windows/credential_access_posh_relay_tools.toml

+    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
+    "4E544C4D53535000" or
+    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50"
+    "0x4e,0x54,0x20,0x4c,0x4d" or


NT LM 0.12 in hex

w0rk3r · 2024-03-27T17:09:21Z

rules/windows/credential_access_posh_relay_tools.toml

+    "4E544C4D53535000" or
+    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50"
+    "0x4e,0x54,0x20,0x4c,0x4d" or
+    "0x53,0x4d,0x42,0x20,0x32" or


SMB 2.002 in hex

w0rk3r · 2024-03-27T17:09:58Z

rules/windows/credential_access_posh_relay_tools.toml

+    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50"
+    "0x4e,0x54,0x20,0x4c,0x4d" or
+    "0x53,0x4d,0x42,0x20,0x32" or
+    "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"


SMB named pipe UUID

Aegrah · 2024-03-28T08:22:40Z

rules/windows/credential_access_posh_relay_tools.toml

+type = "query"
+
+query = '''
+event.category:process and host.os.type:windows and


There is no event.type == "start" or something in these events?

Hmmm there is event.type == "info", maybe makes sense to push this in a separated PR, as none of the other PowerShell rules include it

Think that would be good; especially giving the broad search of powershell text fields. For now - feel free to merge!

Actually, I think we may not need to do that, as we specifically use the logs-windows.powershell* index

Aegrah

Good stuff!

* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script * Update credential_access_posh_relay_tools.toml * Update execution_posh_hacktool_functions.toml * Update credential_access_posh_relay_tools.toml * Update credential_access_posh_relay_tools.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 218c3be)

w0rk3r added 2 commits March 27, 2024 13:57

[New Rules] Potential PowerShell Pass-the-Hash/Relay Script

0629eba

Update credential_access_posh_relay_tools.toml

9be404a

w0rk3r added Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Mar 27, 2024

w0rk3r requested review from brokensound77, DefSecSentinel, Samirbous, Aegrah and terrancedejesus March 27, 2024 17:00

w0rk3r self-assigned this Mar 27, 2024

Samirbous approved these changes Mar 27, 2024

View reviewed changes

Update execution_posh_hacktool_functions.toml

db55528

w0rk3r commented Mar 27, 2024

View reviewed changes

w0rk3r added 2 commits March 27, 2024 14:16

Update credential_access_posh_relay_tools.toml

a9dd301

Update credential_access_posh_relay_tools.toml

fab7227

w0rk3r mentioned this pull request Mar 28, 2024

[Meta] Explore Detection Opportunities on Active Directory Relay, Spoofing and Coercion Attacks - Part 1 #3544

Closed

Aegrah reviewed Mar 28, 2024

View reviewed changes

Aegrah approved these changes Mar 28, 2024

View reviewed changes

Merge branch 'main' into posh_ntlm

efc80e8

w0rk3r merged commit 218c3be into main Mar 28, 2024

w0rk3r deleted the posh_ntlm branch March 28, 2024 10:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543

[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543

Uh oh!

w0rk3r commented Mar 27, 2024

Uh oh!

Samirbous left a comment

Uh oh!

w0rk3r Mar 27, 2024

Uh oh!

w0rk3r Mar 27, 2024

Uh oh!

w0rk3r Mar 27, 2024

Uh oh!

w0rk3r Mar 27, 2024

Uh oh!

w0rk3r Mar 27, 2024

Uh oh!

Aegrah Mar 28, 2024

Uh oh!

w0rk3r Mar 28, 2024

Uh oh!

Aegrah Mar 28, 2024 •

edited

Loading

Uh oh!

w0rk3r Mar 28, 2024

Uh oh!

Aegrah left a comment •

edited

Loading

Uh oh!

Uh oh!

[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543

[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543

Uh oh!

Conversation

w0rk3r commented Mar 27, 2024

Summary

Uh oh!

Samirbous left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Aegrah Mar 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Aegrah left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Aegrah Mar 28, 2024 •

edited

Loading

Aegrah left a comment •

edited

Loading