Name:Detect Mimikatz With PowerShell Script Block Logging id:8148c29c-c952-11eb-9255-acde48001122 version:4 date:2024-09-30 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities such as Pass the Ticket, Pass the Hash, and credential dumping. This activity is significant as Mimikatz is a well-known tool used for credential theft and lateral movement. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:False positives should be limited as the commands being identifies are quite specific to EventCode 4104 and Mimikatz. Filter as needed. References: -https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 -https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf -https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ -https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html drilldown_searches: name:'View the detection results for - "$UserID$" and "$Computer$"' search:'%original_detection_search% | search UserID = "$UserID$" Computer = "$Computer$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$UserID$" and "$Computer$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$UserID$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Malicious PowerShell' - 'Hermetic Wiper' - 'Sandworm Tools' - 'CISA AA22-264A' - 'CISA AA22-320A' - 'CISA AA23-347A' - 'Data Destruction' asset_type:Endpoint confidence:100 impact:90 message:The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $Computer$ by $UserID$. mitre_attack_id: - 'T1003' - 'T1059.001' observable: name:'UserID' type:'User' - role: - 'Victim' name:'Computer' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'ScriptBlockText' - 'Opcode' - 'Computer' - 'UserID' - 'EventCode' risk_score:90 security_domain:endpoint
