Detect Mimikatz With PowerShell Script Block Logging

Name:Detect Mimikatz With PowerShell Script Block Logging
id:8148c29c-c952-11eb-9255-acde48001122
version:7
date:2024-11-13
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mimikatz_with_powershell_script_block_logging_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed.
References:
  -https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
  -https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
  -https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
  -https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
  -https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
drilldown_searches:
 name:'View the detection results for - "$user$" and "$Computer$"'
 search:'%original_detection_search% | search user = "$user$" Computer = "$Computer$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$" and "$Computer$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Malicious PowerShell'
    - 'Hermetic Wiper'
    - 'Sandworm Tools'
    - 'CISA AA22-264A'
    - 'CISA AA22-320A'
    - 'CISA AA23-347A'
    - 'Data Destruction'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1003'
    - 'T1059.001'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/credaccess-powershell.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None