| id | WIN-190410151110 |
| author | Roberto Rodriguez @Cyb3rWard0g |
| creation date | 2019/04/10 |
| platform | Windows |
| playbook link |
In [ ]:
from openhunt.mordorutils import *
spark = get_spark()
In [ ]:
mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/scripting_T1064/empire_launcher_vbs.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
| FP Rate | Log Channel | Description |
|---|---|---|
| Medium | ['Microsoft-Windows-PowerShell/Operational', 'PowerShell'] | Within the classic PowerShell log, event ID 400 indicates when a new PowerShell host process has started. You can filter on powershell.exe as a host application if you want to or leave it without a filter to captuer every single PowerShell host |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, channel
FROM mordorTable
WHERE (channel = "Microsoft-Windows-PowerShell/Operational" OR channel = "Windows PowerShell")
AND (event_id = 400 OR event_id = 4103)
'''
)
df.show(1,False)
| FP Rate | Log Channel | Description |
|---|---|---|
| High | ['Security'] | Looking for non-interactive powershell session might be a sign of PowerShell being executed by another application in the background |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, NewProcessName, ParentProcessName
FROM mordorTable
WHERE channel = "Security"
AND event_id = 4688
AND NewProcessName LIKE "%powershell.exe"
AND NOT ParentProcessName LIKE "%explorer.exe"
'''
)
df.show(1,False)
| FP Rate | Log Channel | Description |
|---|---|---|
| High | ['Microsoft-Windows-Sysmon/Operational'] | Looking for non-interactive powershell session might be a sign of PowerShell being executed by another application in the background |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, Image, ParentImage
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
AND event_id = 1
AND Image LIKE "%powershell.exe"
AND NOT ParentImage LIKE "%explorer.exe"
'''
)
df.show(1,False)
| FP Rate | Log Channel | Description |
|---|---|---|
| Medium | ['Microsoft-Windows-Sysmon/Operational'] | Monitor for processes loading PowerShell DLL system.management.automation |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, Image, ImageLoaded
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
AND event_id = 7
AND (lower(Description) = "system.management.automation" OR lower(ImageLoaded) LIKE "%system.management.automation%")
'''
)
df.show(1,False)
| FP Rate | Log Channel | Description |
|---|---|---|
| Medium | ['Microsoft-Windows-Sysmon/Operational'] | Monitoring for PSHost* pipes is another interesting way to find PowerShell execution |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, Image, PipeName
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
AND event_id = 17
AND lower(PipeName) LIKE "\\\\pshost%"
'''
)
df.show(1,False)
| FP Rate | Log Channel | Description |
|---|---|---|
| Medium | ['Microsoft-Windows-Sysmon/Operational'] | The “PowerShell Named Pipe IPC” event will indicate the name of the PowerShell AppDomain that started. Sign of PowerShell execution |
In [ ]:
df = spark.sql(
'''
SELECT `@timestamp`, computer_name, message
FROM mordorTable
WHERE channel = "Microsoft-Windows-PowerShell/Operational"
AND event_id = 53504
'''
)
df.show(1,False)
| Category | Type | Name |
|---|---|---|
| signature | SIGMA | sysmon_powershell_execution_moduleload |
| signature | SIGMA | sysmon_powershell_execution_pipe |
| signature | SIGMA | sysmon_non_interactive_powershell_execution |
| signature | SIGMA | win_non_interactive_powershell |