From 5a7d7cf4a0bf15aef5b06d9092dcd316b2a98208 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 28 Mar 2024 07:05:35 -0300
Subject: [PATCH] [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543)
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 218c3bead6da1463b7a037f7a0ccf8d4df9b669a)
---
 .../credential_access_posh_relay_tools.toml | 114 ++++++++++++++++++
 .../execution_posh_hacktool_functions.toml | 4 +-
 2 files changed, 116 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/credential_access_posh_relay_tools.toml
diff --git a/rules/windows/credential_access_posh_relay_tools.toml b/rules/windows/credential_access_posh_relay_tools.toml
new file mode 100644
index 000000000..f3bf6ee05
--- /dev/null
+++ b/rules/windows/credential_access_posh_relay_tools.toml
@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2024/03/27"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/27"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry
+out other man-in-the-middle (MitM) attacks.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.powershell*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential PowerShell Pass-the-Hash/Relay Script"
+references = [
+ "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
+ "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
+ "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
+ "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
+]
+risk_score = 47
+rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
+setup = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and host.os.type:windows and
+ powershell.file.script_block_text : (
+ ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
+ "4E544C4D53535000" or
+ "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
+ "0x4e,0x54,0x20,0x4c,0x4d" or
+ "0x53,0x4d,0x42,0x20,0x32" or
+ "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.002"
+name = "Pass the Hash"
+reference = "https://attack.mitre.org/techniques/T1550/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index 7ad5a737a..f0d1a9fe4 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -159,7 +159,7 @@ event.category:process and host.os.type:windows and
 "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or
- "Get-DelegateType" or
+ "Get-DelegateType" or "New-RelayEnumObject" or
 "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or "Get-DomainDNSZone" or "Get-DomainFileServer" or
@@ -183,7 +183,7 @@ event.category:process and host.os.type:windows and
 "Get-GPPInnerFields" or "Get-GPPPassword" or "Get-GptTmpl" or "Get-GroupsXML" or "Get-HttpStatus" or "Get-ImageNtHeaders" or
- "Get-Keystrokes" or
+ "Get-Keystrokes" or "New-SOASerialNumberArray" or
 "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or
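Review bot: `tags` in the new rule carries "Resources: Investigation Guide", but the hunk defines no `note` field, so as far as this file shows the tag advertises a guide that does not exist; either drop the tag or add a `note` investigation guide. That guide should at minimum spell out what the literals in `query` encode, since they are opaque to an analyst triaging a hit: `4E544C4D53535000` and `0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50` are the ASCII bytes of the `NTLMSSP` signature, `0x4e,0x54,0x20,0x4c,0x4d` is `NT LM`, and `0x53,0x4d,0x42,0x20,0x32` is `SMB 2`, while the 13-byte sequence beginning `0x81,0xbb,0x7a,0x36` is explained nowhere in the rule and deserves the same treatment. The rule also has no `false_positives` entry, although any in-house script that builds SMB/NTLM messages at the byte level (protocol test tooling, for example) would match the same literals; a one-line `false_positives` note would save the first responder from rediscovering that.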
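Review bot: `"New-RelayEnumObject"` is appended to the `"Get-DelegateType"` line here, and `"New-SOASerialNumberArray"` to the `"Get-Keystrokes"` line in the second hunk (`@@ -183,7 +183,7 @@`), which breaks the alphabetical ordering the surrounding entries visibly follow (`Get-Decrypted…`, `Get-DelegateType`, `Get-DomainDFSShare…`). Out-of-order entries make duplicates harder to spot and make diffing the list against the upstream tool sources harder, so both new names should be moved among the other `New-*` entries, which presumably sit later in the list outside these hunks. Both hunks fall inside the `query = '''` multi-line string, whose start and end are outside the hunks, so no inline comment can record where the two names come from; naming their source (presumably the Inveigh / Invoke-TheHash scripts referenced by the sibling rule in this same commit) in the rule's `note` or the commit message would help the next maintainer.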