ELK Lab 1 - PowerShell Threat Hunting
ELK-based threat hunting lab covering detection of PowerShell offensive frameworks, suspicious parent processes, renamed executables, base64-encoded commands, GZIP compression, XOR obfuscation, and download techniques.
Select the logstash-2020.02.02 index in Kibana.
Task 1. Hunt for well-known PowerShell Offensive Frameworks and commands
The information we are interested in is contained in the ScriptBlockText field of event ID 4104. We set a filter for event ID 4104 and construct the following query:
winlog.event_data.ScriptBlockText:(PowerUp OR Mimikatz OR NinjaCopy OR Get-ModifiablePath OR AllChecks OR AmsiBypass OR PsUACme OR Invoke-DLLInjection OR Invoke-ReflectivePEInjection OR Invoke-Shellcode OR Get-GPPPassword OR Get-Keystrokes OR Get-TimedScreenshot OR PowerView)
Task 2. Hunt for suspicious parent process spawning PowerShell
For this task, we look into Sysmon’s process creation events (event ID 1). We construct the following query with a list of known suspicious parent processes:
winlog.event_data.ParentImage:(*mshta.exe OR *rundll32.exe OR *regsvr32.exe OR *services.exe OR *winword.exe OR *wmiprvse.exe OR *powerpnt.exe OR *excel.exe OR *msaccess.exe OR *mpub.exe OR *visio.exe OR *outlook.exe OR *chrome.exe OR *iexplorer.exe OR *sqlserver.exe) AND winlog.event_data.Image : *powershell.exe
If you expand the first match and look at the parent process’s command line, you’ll notice regsvr32.exe using a well-known command-execution technique to spawn PowerShell.
Task 3. Hunt for renamed PowerShell.exe
Detection is based on the fact that the PowerShell executable keeps “PowerShell” in its file description regardless of the file name. Look into Sysmon for any created process (event ID 1) whose description contains “PowerShell” but whose image is not powershell.exe or powershell_ise.exe:
winlog.event_data.Description:*PowerShell AND NOT (winlog.event_data.Image:*powershell.exe OR winlog.event_data.Image:*powershell_ise.exe)
This reveals that the program executed is “C:\ProgramData\Windows.exe”.
Another approach: look for event ID 400 where HostName is ConsoleHost but HostApplication is not powershell.exe.
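The Task 2 and Task 3 queries as offline checks over Sysmon event ID 1 records, added here as an example and not part of the lab. The field names follow the winlog.event_data.* fields used in the queries, the parent-process list is copied from the Task 2 query, and the sample events are constructed for the demonstration (the second one mirrors the C:\ProgramData\Windows.exe finding above).

```python
# Added example (not part of the original lab): Task 2 and Task 3 as Python
# checks over Sysmon event ID 1 records. Keys mirror the winlog.event_data.*
# fields; the sample events at the bottom are constructed, not real log data.
import ntpath

# Parent processes from the Task 2 query (copied as written there).
SUSPICIOUS_PARENTS = {
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "services.exe", "winword.exe",
    "wmiprvse.exe", "powerpnt.exe", "excel.exe", "msaccess.exe", "mpub.exe",
    "visio.exe", "outlook.exe", "chrome.exe", "iexplorer.exe", "sqlserver.exe",
}
# Image names that are allowed to carry a "PowerShell" file description.
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (what the *name.exe wildcard keys on)."""
    return ntpath.basename(path).lower()


def suspicious_parent(event: dict) -> bool:
    """Task 2: powershell.exe spawned by a parent on the watch list."""
    return (basename(event.get("Image", "")) == "powershell.exe"
            and basename(event.get("ParentImage", "")) in SUSPICIOUS_PARENTS)


def renamed_powershell(event: dict) -> bool:
    """Task 3: description says PowerShell but the image name does not."""
    return ("PowerShell" in event.get("Description", "")
            and basename(event.get("Image", "")) not in POWERSHELL_IMAGES)


def hunt_process_events(events):
    """Return (rule, Image) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if suspicious_parent(ev):
            hits.append(("suspicious_parent", ev["Image"]))
        if renamed_powershell(ev):
            hits.append(("renamed_powershell", ev["Image"]))
    return hits


# Constructed sample events (not data from the lab index).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe",
     "Description": "Windows PowerShell"},
    {"Image": r"C:\ProgramData\Windows.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "Windows PowerShell"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "Windows PowerShell ISE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Description": "Notepad"},
]

if __name__ == "__main__":
    for rule, image in hunt_process_events(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The description check is a plain substring test; in Kibana the *PowerShell wildcard behaves the same way only if the field is analysed, so check the mapping of winlog.event_data.Description before relying on it.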
Task 4. Hunt for base64-encoded PowerShell commands
Using Sysmon event ID 1, look for command line arguments carrying an encoded command. The full parameter is “-encodedcommand”, but the bare minimum PowerShell needs is “-e”:
(winlog.event_data.Description:*PowerShell OR winlog.event_data.Image:*powershell.exe) AND winlog.event_data.CommandLine:*-e*
Decoding the passed command reveals “whoami”.
Task 5. Hunt for PowerShell attacks utilizing GZIP compression
Look at ScriptBlockText of event ID 4104. A base64-encoded GZIP stream always starts with “H4sI”, the base64 encoding of the GZIP magic number:
winlog.event_data.ScriptBlockText:*H4sI*
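What an analyst does with a hit from Task 4 or Task 5, as an added example that is not part of the lab: pull the base64 following an -EncodedCommand-style flag and decode it as UTF-16LE, and inflate any base64 GZIP blob recognised by the “H4sI” prefix. The sample command line and script block are constructed inside the code. The flag check accepts -e and every longer prefix of -EncodedCommand, which is this example's assumption about the intent of the lab's *-e* wildcard (that wildcard alone also hits other flags starting with -e, such as -ExecutionPolicy).

```python
# Added example (not part of the original lab): turn a Task 4 / Task 5 hit into
# plaintext. Flag matching accepts -e and every longer prefix of -EncodedCommand
# (this example's assumption about the intent of the lab's "*-e*" wildcard).
import base64
import gzip
import re
import zlib

# A base64-encoded GZIP stream always starts with "H4sI" (base64 of the magic bytes).
B64_GZIP_RE = re.compile(r"H4sI[A-Za-z0-9+/]+=*")


def encoded_command_flag(token: str) -> bool:
    """True for -e, -ec, -enc, ..., -EncodedCommand (case-insensitive, '/' allowed)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def decode_encoded_command(command_line: str):
    """Return the script passed via -EncodedCommand, or None if there is none."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        if encoded_command_flag(flag):
            try:
                # PowerShell encodes the script as UTF-16LE before base64.
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except ValueError:  # not base64 or not UTF-16LE: treat as no hit
                return None
    return None


def inflate_gzip_blobs(script_block: str):
    """Decompress every base64 GZIP blob ("H4sI...") embedded in a script block."""
    found = []
    for match in B64_GZIP_RE.finditer(script_block):
        try:
            found.append(gzip.decompress(base64.b64decode(match.group(0))).decode("utf-8"))
        except (ValueError, OSError, EOFError, zlib.error):  # truncated or not GZIP
            continue
    return found


# Constructed samples (not data from the lab index).
WHOAMI_B64 = base64.b64encode("whoami".encode("utf-16le")).decode("ascii")  # dwBoAG8AYQBtAGkA
SAMPLE_COMMAND_LINE = f"powershell.exe -NoProfile -e {WHOAMI_B64}"
GZ_B64 = base64.b64encode(gzip.compress(b"Get-Process | Select-Object Name")).decode("ascii")
SAMPLE_SCRIPT_BLOCK = f"$raw = [Convert]::FromBase64String('{GZ_B64}')"

if __name__ == "__main__":
    print("encoded command ->", decode_encoded_command(SAMPLE_COMMAND_LINE))
    print("gzip blobs      ->", inflate_gzip_blobs(SAMPLE_SCRIPT_BLOCK))
```

Decoding as UTF-16LE is what makes the encoded string look the way it does in logs (the recurring “A” characters are the zero high bytes of ASCII text), which is also why a UTF-8 decode of the same blob yields garbage.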
Task 6. Hunt for obfuscated PowerShell code using XOR
Look at ScriptBlockText of event ID 4104. XOR-based decoding typically uses “char”, “bxor” and “join”:
winlog.event_data.ScriptBlockText:(*bxor* AND *join*)
Task 7. Hunt for execution of an assembly from file by PowerShell
Look at ScriptBlockText of event ID 4104. To execute an assembly from a file, a “Load” call is combined with either “ReadAllBytes” or “LoadFile”:
winlog.event_data.ScriptBlockText:((*Load*) AND (*ReadAllBytes* OR *LoadFile*))
Task 8. Hunt for PowerShell commands downloading content
Look at ScriptBlockText of event ID 4104. PowerShell can download content in many ways; the query covers the common ones:
winlog.event_data.ScriptBlockText:(*WebClient* OR *DownloadData* OR *DownloadFile* OR *DownloadString* OR *OpenRead* OR *WebRequest* OR *curl* OR *wget* OR *RestMethod* OR *WinHTTP* OR *InternetExplorer.Application* OR *Excel.Application* OR *Word.Application* OR *Msxml2.XMLHTTP* OR *MsXML2.ServerXML* OR *System.XML.XMLDocument* OR *BitsTransfer*)
The search detected downloads through:
- Start-BitsTransfer
- Curl
- Invoke-RestMethod
COM objects can also be used to download files. CLSIDs of interest, with the ProgID each one maps to:
"0002DF01-0000-0000-C000-000000000046" | InternetExplorer.Application
"F6D90F16-9C73-11D3-B32E-00C04F990BB4" | Msxml2.XMLHTTP
"F5078F35-C551-11D3-89B9-0000F81FE221" | Msxml2.XMLHTTP.3.0
"88D9D96A-F192-11D4-A65F-0040963251E5" | Msxml2.XMLHTTP.6.0
"AFBA6B42-5692-48EA-8141-DC517DCF0EF1" | Msxml2.ServerXmlHttp
"AFB40FFD-B609-40A3-9828-F88BBE11E4E3" | Msxml2.ServerXmlHttp.3.0
"88D96A0B-F192-11D4-A65F-0040963251E5" | Msxml2.ServerXmlHttp.6.0
"2087C2F4-2CEF-4953-A8AB-66779B670495" | WinHttp.WinHttpRequest.5.1
"000209FF-0000-0000-C000-000000000046" | Word.Application
"00023500-0000-0000-C000-000000000046" | Excel.Application
Task 9. Hunt for obfuscated PowerShell commands
Look at ScriptBlockText of event ID 4104 for characteristic obfuscation patterns:
winlog.event_data.ScriptBlockText:((*char* AND *join*) OR ((*ToInt* OR *ToInt16* OR *ToDecimal* OR *ToByte* OR *ToUnit* OR *ToSingle*) AND (*ToChar* OR *ToString* OR *String*)) OR (*ForEach* AND *Xor*))
Four of the five matching logs are associated with the same command; the fifth is a false positive.
To detect reverse-obfuscated commands (keywords spelled backwards):
winlog.event_data.ScriptBlockText:(*hctac* OR *kearb* OR *dnammoc* OR *ekovn* OR *elifd* OR *rahc* OR *etirw* OR *eddih* OR *tpircs* OR *ssecorp* OR *llehsrewop* OR *esnopser* OR *daolnwod* OR *tneilcbew* OR *tneilc* OR *ptth* OR *elifotevas* OR *46esab* OR *tcejbo* OR *maerts* OR *hcaerof* OR *retupmoc*)
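The Task 6 and Task 9 queries and the Task 8 CLSID table replayed offline, as an added example that is not part of the lab. Every Kibana wildcard term *x* becomes a case-insensitive substring test (an assumption: that the lab's ScriptBlockText field is analysed, lower-cased text), the rule trees and reversed-word list are copied from the queries above, and GUIDs found in a script block are looked up in the CLSID table. The sample script blocks are constructed; the last-but-one of them reproduces the kind of false positive mentioned under Task 9 (a plain ToInt32/ToString pair).

```python
# Added example (not part of the original lab): Task 6, Task 8 (CLSID table)
# and Task 9 as offline rules over ScriptBlockText. Wildcard terms become
# case-insensitive substring tests (assumes an analysed, lower-cased field).
import re
from typing import Any

# A rule is either a substring or ("and" | "or", [sub-rules]).
XOR_RULE = ("and", ["bxor", "join"])                                    # Task 6
OBFUSCATION_RULE = ("or", [                                             # Task 9
    ("and", ["char", "join"]),
    ("and", [("or", ["ToInt", "ToInt16", "ToDecimal", "ToByte", "ToUnit", "ToSingle"]),
             ("or", ["ToChar", "ToString", "String"])]),
    ("and", ["ForEach", "Xor"]),
])
REVERSED_RULE = ("or", [                                                # Task 9, reversed words
    "hctac", "kearb", "dnammoc", "ekovn", "elifd", "rahc", "etirw", "eddih",
    "tpircs", "ssecorp", "llehsrewop", "esnopser", "daolnwod", "tneilcbew",
    "tneilc", "ptth", "elifotevas", "46esab", "tcejbo", "maerts", "hcaerof", "retupmoc",
])
DOWNLOAD_CLSIDS = {                                                     # Task 8 table
    "0002DF01-0000-0000-C000-000000000046": "InternetExplorer.Application",
    "F6D90F16-9C73-11D3-B32E-00C04F990BB4": "Msxml2.XMLHTTP",
    "F5078F35-C551-11D3-89B9-0000F81FE221": "Msxml2.XMLHTTP.3.0",
    "88D9D96A-F192-11D4-A65F-0040963251E5": "Msxml2.XMLHTTP.6.0",
    "AFBA6B42-5692-48EA-8141-DC517DCF0EF1": "Msxml2.ServerXmlHttp",
    "AFB40FFD-B609-40A3-9828-F88BBE11E4E3": "Msxml2.ServerXmlHttp.3.0",
    "88D96A0B-F192-11D4-A65F-0040963251E5": "Msxml2.ServerXmlHttp.6.0",
    "2087C2F4-2CEF-4953-A8AB-66779B670495": "WinHttp.WinHttpRequest.5.1",
    "000209FF-0000-0000-C000-000000000046": "Word.Application",
    "00023500-0000-0000-C000-000000000046": "Excel.Application",
}
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")


def matches(rule: Any, text: str) -> bool:
    """Evaluate a rule tree against a script block; a bare term is a substring test."""
    if isinstance(rule, str):
        return rule.lower() in text.lower()
    op, parts = rule
    results = (matches(p, text) for p in parts)
    return all(results) if op == "and" else any(results)


def com_downloaders(text: str):
    """ProgIDs of every known download-capable CLSID referenced in the text."""
    return [DOWNLOAD_CLSIDS[g.upper()] for g in GUID_RE.findall(text)
            if g.upper() in DOWNLOAD_CLSIDS]


def hunt_script_blocks(script_blocks):
    """Map block index -> names of the rules it trips; silent blocks are omitted."""
    rules = {"xor": XOR_RULE, "obfuscation": OBFUSCATION_RULE, "reversed": REVERSED_RULE}
    report = {}
    for i, block in enumerate(script_blocks):
        hits = [name for name, rule in rules.items() if matches(rule, block)]
        hits += ["com:" + progid for progid in com_downloaders(block)]
        if hits:
            report[i] = hits
    return report


# Constructed sample script blocks (not data from the lab index).
SAMPLE_BLOCKS = [
    # XOR decoding loop: trips Task 6 and the char/join and ForEach/Xor clauses of Task 9
    "$plain = -join ($bytes | ForEach-Object { [char]($_ -bxor 0x41) })",
    # reversed keyword inside a string literal: trips the reversed-word rule
    "$name = 'tneilCbeW.teN'",
    # benign pipeline: ForEach without Xor, no char/join
    "Get-Process | ForEach-Object { $_.Name }",
    # benign conversion: trips the ToInt/ToString clause (a false positive)
    "[string]$v = [Convert]::ToInt32('42'); $v.ToString()",
    # COM object created by CLSID: named through the Task 8 table
    "$o = [Activator]::CreateInstance([Type]::GetTypeFromCLSID('F6D90F16-9C73-11D3-B32E-00C04F990BB4'))",
]

if __name__ == "__main__":
    for index, hits in hunt_script_blocks(SAMPLE_BLOCKS).items():
        print(index, hits)
```

Because each clause is a substring test, any term that is a substring of everyday cmdlet output (“String” in particular) will fire on benign blocks, which is the mechanism behind the false positive counted under Task 9; tightening such terms to word boundaries is the usual next step.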
Key Takeaways
- PowerShell offers a number of techniques that attackers can use to evade detection and analysts.