From 1f8813d02f5273c20184ea27fddef791286c2b4b Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Wed, 25 May 2022 17:02:21 -0300
Subject: [PATCH] [Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993)

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...ial_access_mimikatz_powershell_module.toml | 78 +++++++++++++------
 1 file changed, 54 insertions(+), 24 deletions(-)

diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 446327abf..3455df446 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,20 +1,20 @@
 [metadata]
 creation_date = "2020/12/07"
-maturity = "development"
-updated_date = "2022/05/09"
+maturity = "production"
+updated_date = "2022/05/24"
 
 [rule]
 author = ["Elastic"]
 description = """
 Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many
-other features that make it useful for testing the security of networks. This rule detects the Invoke-Mimikatz
-PowerShell command.
+other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell
+script and alike.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
-language = "eql"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
 license = "Elastic License v2"
-name = "Mimikatz Powershell Module Activity"
+name = "Potential Invoke-Mimikatz PowerShell Script"
 note = """## Triage and analysis
 
 ### Investigating Mimikatz PowerShell Activity
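Review bot: The rewritten description ends in `+script and alike.`, which is ungrammatical and still does not tell the analyst what the rule keys on; suggest `This rule detects the Invoke-Mimikatz PowerShell script and similar in-memory Mimikatz loaders via PowerShell Script Block Logging.` (re-wrapped to the file's 120-column width). The same hunk drops `logs-endpoint.events.*` from `index`, presumably because the new KQL query later in this patch keys on `powershell.file.script_block_text`, which appears to be carried only by the Windows/winlogbeat PowerShell data; that is a coverage change worth stating in the PR description, since hosts that only ship Elastic Endpoint process events would no longer be evaluated by this rule. The `note` multi-line string opened at the end of this hunk continues outside it.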
@@ -24,21 +24,23 @@ credentials. This tool is commonly abused by adversaries during the post-comprom an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network. -This specific rule is based on Mimikatz command-line parameters used to dump credentials from the Local Security -Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it -typically represents an active adversary. +This rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump +credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be +treated with high priority as it typically represents an active adversary. More information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821). #### Possible investigation steps -- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files -for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. -- Contact the account owner and confirm whether they are aware of this activity. -- Examine PowerShell (script block logging), Windows and endpoint detection and response (EDR) logs to understand what -was executed in the host. +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration +capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for +prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. - Investigate other alerts associated with the user/host during the past 48 hours. -- Use process name, command line, and file hash to search for occurrences on other hosts. + - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the + "Related Rules" section. +- Evaluate whether the user needs to use PowerShell to complete tasks. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host. - Examine network and security events in the environment to identify potential lateral movement using compromised credentials. @@ -49,8 +51,11 @@ target host. ### Related rules +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d - Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6 -- Creation or Modification of Domain Backup DPAPI private key - b83a7e96-2eb3-4edf-8346-427b6858d3bd - Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5 ### Response and remediation 
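Review bot: The new investigation text misspells the tool name twice, `Invoke-Mimikataz` in the summary paragraph and `Invoke-Mimitakz` in the indented sub-bullet; both should be `Invoke-Mimikatz`, and `alike scripts` should read `similar scripts`, otherwise an analyst searching the note or the alert for the real script name gets no hit. The step `- Examine file or network events from the involved PowerShell process for suspicious behavior.` leaves out the signal the summary itself attributes to this tooling, reading LSASS memory, so suggest `- Examine file, network, and process-access events (in particular handles opened to lsass.exe) from the involved PowerShell process for suspicious behavior.` The `note` string this hunk edits starts and ends outside the hunk.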
@@ -60,6 +65,7 @@ target host. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. - Validate that cleartext passwords are disabled in memory for use with `WDigest`. - Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability. 
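Review bot: The added remediation `+- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.` is framed as blocking the interpreter for non-IT users, which is a blunt control and an incomplete one, because the PowerShell engine can be hosted by a process other than powershell.exe and the new query in this patch keys on script block text rather than on the host process. Suggest extending the line to `- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software, and enforce Constrained Language Mode plus Script Block Logging for the users who keep it, so in-memory loaders like Invoke-Mimikatz are blocked or at least logged.` The surrounding Response and remediation list continues outside this hunk.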
@@ -71,19 +77,43 @@ mean time to respond (MTTR).
 
 ## Config
 
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+The 'PowerShell Script Block Logging' logging policy must be configured (Enable).
+
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
 """
-references = ["https://attack.mitre.org/software/S0002/"]
-risk_score = 99
+references = [
+ "https://attack.mitre.org/software/S0002/",
+ "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1",
+]
+risk_score = 73
 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
-severity = "critical"
+severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "query"
 query = '''
-process where event.type in ("start", "process_started") and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe")
-and process.args : ("*DumpCreds", "*Mimikatz*")
+event.category:process and
+powershell.file.script_block_text:(
+ (DumpCreds and
+ DumpCerts) or
+ "sekurlsa::logonpasswords" or
+ ("crypto::certificates" and
+ "CERT_SYSTEM_STORE_LOCAL_MACHINE")
+)
 '''