Field | Value |
---|---|
id | WIN-190511223310 |
author | Roberto Rodriguez @Cyb3rWard0g |
creation date | 2019/05/11 |
platform | Windows |
playbook link | WIN-190410151110 |
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. In addition, it can be used to execute code remotely via Windows Remote Management (WinRM) services. Therefore, it is important to understand the basic artifacts left behind when PowerShell is used to execute code remotely through a remote PowerShell session.
In [ ]:
from openhunt.mordorutils import *
spark = get_spark()
In [ ]:
mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/small_datasets/windows/execution/powershell_T1086/empire_invoke_psremoting.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
FP Rate | Log Channel | Description |
---|---|---|
Medium | ['PowerShell', 'Microsoft-Windows-PowerShell/Operational'] | The process wsmprovhost hosts the active remote session on the target. Therefore, it is important to monitor for any initialization of the PowerShell host application wsmprovhost |
In [ ]:
df = spark.sql(
'''
-- PowerShell engine start (400) or module logging (4103) events whose
-- host application is wsmprovhost.exe, i.e. a remote session on this host
SELECT `@timestamp`, computer_name, channel
FROM mordorTable
WHERE (channel = "Microsoft-Windows-PowerShell/Operational" OR channel = "Windows PowerShell")
AND (event_id = 400 OR event_id = 4103)
AND message LIKE "%Host Application%wsmprovhost%"
'''
)
df.show(1,False)
FP Rate | Log Channel | Description |
---|---|---|
Low | ['Security'] | Monitor for any incoming network connection where the destination port is either 5985 or 5986. That connection will most likely be hosted by the System process. Layer ID: 44 |
In [ ]:
df = spark.sql(
'''
-- Windows Filtering Platform "connection permitted" events (5156) to the
-- WinRM ports, at the inbound transport layer (LayerRTID 44)
SELECT `@timestamp`, computer_name, Application, SourceAddress, DestAddress, LayerName, LayerRTID
FROM mordorTable
WHERE channel = "Security"
AND event_id = 5156
AND (DestPort = 5985 OR DestPort = 5986)
AND LayerRTID = 44
'''
)
df.show(1,False)
FP Rate | Log Channel | Description |
---|---|---|
Low | ['Security'] | The process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is important to document any instances of wsmprovhost being spawned or spawning other processes |
In [ ]:
df = spark.sql(
'''
-- Security process creation events (4688) where wsmprovhost.exe is either
-- the parent or the newly created process
SELECT `@timestamp`, computer_name, ParentProcessName, NewProcessName
FROM mordorTable
WHERE channel = "Security"
AND event_id = 4688
AND (ParentProcessName LIKE "%wsmprovhost.exe" OR NewProcessName LIKE "%wsmprovhost.exe")
'''
)
df.show(1,False)
FP Rate | Log Channel | Description |
---|---|---|
Low | ['Microsoft-Windows-Sysmon/Operational'] | The process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is important to document any instances of wsmprovhost being spawned or spawning other processes |
In [ ]:
df = spark.sql(
'''
-- Sysmon process creation events (1) where wsmprovhost.exe is either
-- the parent image or the created image
SELECT `@timestamp`, computer_name, ParentImage, Image
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
AND event_id = 1
AND (ParentImage LIKE "%wsmprovhost.exe" OR Image LIKE "%wsmprovhost.exe")
'''
)
df.show(1,False)
FP Rate | Log Channel | Description |
---|---|---|
Low | ['Microsoft-Windows-Sysmon/Operational'] | Monitor for outbound network connections where the destination port is either 5985 or 5986 and the user is not NT AUTHORITY\NETWORK SERVICE |
In [ ]:
df = spark.sql(
'''
-- Sysmon network connection events (3) to the WinRM ports, excluding the
-- NETWORK SERVICE account that the WinRM service itself runs under.
-- The four backslashes become two after Python string processing and one
-- after Spark SQL string-literal processing, so the literal matches a single "\".
SELECT `@timestamp`, computer_name, User, Initiated, Image, SourceIp, DestinationIp
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
AND event_id = 3
AND (DestinationPort = 5985 OR DestinationPort = 5986)
AND NOT User = "NT AUTHORITY\\\\NETWORK SERVICE"
'''
)
df.show(1,False)
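The five analytics above (PowerShell host initialization, inbound WinRM connections, wsmprovhost process creation in both Security and Sysmon, and outbound WinRM connections by non-service users) re-implemented as plain-Python filters so they can be exercised offline without Spark or the Mordor dataset. This is an added example, not code from the original playbook; the field names follow the Mordor columns used in the queries above, and the sample events, host names, user names and IP addresses are constructed. Unlike Spark's case-sensitive `LIKE`, the process-name match here lowercases paths before comparing.

```python
# Added example (not part of the original playbook): the playbook's analytics
# as plain-Python filters over a constructed list of events. Field names mirror
# the Mordor columns used in the Spark SQL cells above.
import re

# In Python source a single backslash is written "\\"; the value below is the
# one-backslash account name that appears in Sysmon's User field.
NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"
WINRM_PORTS = {5985, 5986}
SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Mirrors the LIKE "%Host Application%wsmprovhost%" pattern; DOTALL because
# the PowerShell message body spans several lines.
HOST_APP_PATTERN = re.compile(r"Host Application.*wsmprovhost", re.DOTALL)

# Constructed sample events (not real telemetry), one or two per analytic.
SAMPLE_EVENTS = [
    # 4103 whose host application is wsmprovhost: a remote session on the target
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4103,
     "computer_name": "WKS01.example.local",
     "message": "CommandInvocation(Get-Process): \"Get-Process\"\r\n\tContext:\r\n"
                "\t\tHost Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding"},
    # 4103 from a local powershell.exe host: must not match
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4103,
     "computer_name": "WKS01.example.local",
     "message": "CommandInvocation(Get-Process): \"Get-Process\"\r\n\tContext:\r\n"
                "\t\tHost Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # 5156: inbound connection to 5985 accepted by the System process at layer 44
    {"channel": "Security", "event_id": 5156, "computer_name": "WKS01.example.local",
     "Application": "System", "SourceAddress": "10.0.0.5", "DestAddress": "10.0.0.20",
     "DestPort": 5985, "LayerName": "%%14610", "LayerRTID": 44},
    # 4688: wsmprovhost.exe spawning cmd.exe
    {"channel": "Security", "event_id": 4688, "computer_name": "WKS01.example.local",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    # Sysmon 1: svchost.exe spawning wsmprovhost.exe
    {"channel": SYSMON, "event_id": 1, "computer_name": "WKS01.example.local",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # Sysmon 3: outbound WinRM from powershell.exe under an interactive user
    {"channel": SYSMON, "event_id": 3, "computer_name": "WKS02.example.local",
     "User": "EXAMPLE\\analyst", "Initiated": "true",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "SourceIp": "10.0.0.5", "DestinationIp": "10.0.0.20", "DestinationPort": 5985},
    # Sysmon 3: same ports but under NETWORK SERVICE, excluded by the analytic
    {"channel": SYSMON, "event_id": 3, "computer_name": "WKS01.example.local",
     "User": NETWORK_SERVICE, "Initiated": "true",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "SourceIp": "10.0.0.20", "DestinationIp": "10.0.0.5", "DestinationPort": 5986},
]


def remote_powershell_host(events):
    """PowerShell 400/4103 events whose host application is wsmprovhost."""
    return [e for e in events
            if e["channel"] in ("Microsoft-Windows-PowerShell/Operational", "Windows PowerShell")
            and e["event_id"] in (400, 4103)
            and HOST_APP_PATTERN.search(e.get("message", ""))]


def inbound_winrm_connections(events):
    """Security 5156 events to the WinRM ports at the inbound transport layer (44)."""
    return [e for e in events
            if e["channel"] == "Security" and e["event_id"] == 5156
            and e.get("DestPort") in WINRM_PORTS and e.get("LayerRTID") == 44]


def wsmprovhost_process_creation(events):
    """Security 4688 and Sysmon 1 events where wsmprovhost.exe is parent or child."""
    hits = []
    for e in events:
        if e["channel"] == "Security" and e["event_id"] == 4688:
            parent, child = e.get("ParentProcessName", ""), e.get("NewProcessName", "")
        elif e["channel"] == SYSMON and e["event_id"] == 1:
            parent, child = e.get("ParentImage", ""), e.get("Image", "")
        else:
            continue
        if parent.lower().endswith("wsmprovhost.exe") or child.lower().endswith("wsmprovhost.exe"):
            hits.append(e)
    return hits


def outbound_winrm_not_network_service(events):
    """Sysmon 3 events to the WinRM ports from any account other than NETWORK SERVICE."""
    return [e for e in events
            if e["channel"] == SYSMON and e["event_id"] == 3
            and e.get("DestinationPort") in WINRM_PORTS
            and e.get("User") != NETWORK_SERVICE]


def run_analytics(events):
    """Hit count per analytic, keyed by a short name."""
    return {
        "remote_powershell_host": len(remote_powershell_host(events)),
        "inbound_winrm": len(inbound_winrm_connections(events)),
        "wsmprovhost_process": len(wsmprovhost_process_creation(events)),
        "outbound_winrm_user": len(outbound_winrm_not_network_service(events)),
    }


if __name__ == "__main__":
    for name, count in run_analytics(SAMPLE_EVENTS).items():
        print(f"{name}: {count} hit(s)")
```

Running the block prints one hit for each analytic except the process-creation one, which reports two (the 4688 and the Sysmon 1 event); the local powershell.exe host and the NETWORK SERVICE connection are the negative cases that keep the filters from firing on ordinary WinRM service activity.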
Category | Type | Name |
---|---|---|
signature | SIGMA | powershell_remote_powershell_session |
signature | SIGMA | sysmon_remote_powershell_session_network |
signature | SIGMA | sysmon_remote_powershell_session_process |
signature | SIGMA | win_remote_powershell_session |