[New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543
Merged: 6 commits, Mar 28, 2024
114 changes: 114 additions & 0 deletions rules/windows/credential_access_posh_relay_tools.toml
@@ -0,0 +1,114 @@
[metadata]
creation_date = "2024/03/27"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/27"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry
out other man-in-the-middle (MitM) attacks.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential PowerShell Pass-the-Hash/Relay Script"
references = [
"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
"https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
"https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
"https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
]
risk_score = 47
rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and

Contributor:
There is no event.type == "start" or something in these events?

Contributor Author:
Hmmm, there is event.type == "info"; maybe it makes sense to push this in a separate PR, as none of the other PowerShell rules include it

Contributor (@Aegrah, Mar 28, 2024):
Think that would be good, especially given the broad search of PowerShell text fields. For now, feel free to merge!

Contributor Author:
Actually, I think we may not need to do that, as we specifically use the logs-windows.powershell* index

powershell.file.script_block_text : (
("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
"4E544C4D53535000" or

Contributor Author:
NTLMSSP in hex

"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
"0x4e,0x54,0x20,0x4c,0x4d" or

Contributor Author:
NT LM 0.12 in hex

"0x53,0x4d,0x42,0x20,0x32" or

Contributor Author:
SMB 2.002 in hex

"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"

Contributor Author:
SMB named pipe UUID

)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.002"
name = "Pass the Hash"
reference = "https://attack.mitre.org/techniques/T1550/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
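Review bot: the `query` is gated only by `event.category:process and host.os.type:windows` while the `index = [...]` line still lists `winlogbeat-*` next to `logs-windows.powershell*`, so the reply that the data-stream choice makes an `event.type`/`event.code` filter unnecessary does not hold for Winlogbeat-sourced events; pinning the search to script block events (for example `event.code:"4104"`, the script block logging event ID) would keep the broad `powershell.file.script_block_text` match from being evaluated against other PowerShell event payloads. Two smaller points: the `tags` line carries `"Resources: Investigation Guide"` but no `note = """..."""` investigation guide appears anywhere in this file, so either add the guide or drop the tag; and the `setup` text calls the Group Policy path "Advanced Audit Configuration" when the path it shows (`Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging`) is an administrative template setting, not an Advanced Audit Policy one.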

4 changes: 2 additions & 2 deletions rules/windows/execution_posh_hacktool_functions.toml
@@ -159,7 +159,7 @@ event.category:process and host.os.type:windows and
"Find-ProcessDLLHijack" or "Find-RDPClientConnection" or
"Get-AllAttributesForClass" or "Get-CachedGPPPassword" or
"Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
"Get-DelegateType" or
"Get-DelegateType" or "New-RelayEnumObject" or
"Get-DomainDFSShare" or "Get-DomainDFSShareV1" or
"Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or
"Get-DomainDNSZone" or "Get-DomainFileServer" or
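Review bot: `"New-RelayEnumObject"` is spliced into the `Get-*` run (between `"Get-DelegateType"` and `"Get-DomainDFSShare"`), which breaks the alphabetical order the surrounding list keeps and makes duplicate or near-duplicate names harder to spot in review; move it to the `New-*` block of the list. If it stays on this line, at least keep it on its own line so the `Get-DelegateType` entry is not the one shown as changed in blame.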
@@ -183,7 +183,7 @@ event.category:process and host.os.type:windows and
"Get-GPPInnerFields" or "Get-GPPPassword" or
"Get-GptTmpl" or "Get-GroupsXML" or
"Get-HttpStatus" or "Get-ImageNtHeaders" or
"Get-Keystrokes" or
"Get-Keystrokes" or "New-SOASerialNumberArray" or
"Get-MemoryProcAddress" or "Get-MicrophoneAudio" or
"Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or
"Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
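Review bot: same ordering issue as the previous hunk: `"New-SOASerialNumberArray"` lands between `"Get-Keystrokes"` and `"Get-MemoryProcAddress"` inside the `Get-*` run rather than in the `New-*` block the list's alphabetical layout calls for. Since both additions are function names from the relay tooling referenced by the new rule in this PR, a one-line mention in the commit message of which tool they come from would help whoever later has to decide whether they belong in this generic hacktool-function list or only in the relay rule.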