Name:Powershell Remote Services Add TrustedHost id:bef21d24-297e-45e3-9b9a-c6ac45450474 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:TTP Description:The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") | rename Computer as dest, UserID as user | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:user and network administrator may used this function to add trusted host. References: -https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'DarkGate Malware' asset_type:Endpoint confidence:80 impact:80 message:a powershell script adding a remote trustedhost on $dest$ . mitre_attack_id: - 'T1021.006' - 'T1021' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:64 required_fields: - '_time' - 'EventCode' - 'ScriptBlockText' - 'Computer' - 'UserID' - 'Score' security_domain:endpoint
