Recon AVProduct Through Pwh or WMI

Original Source: [splunk source]
Name:Recon AVProduct Through Pwh or WMI
id:28077620-c9f6-11eb-8785-acde48001122
version:4
date:2024-09-30
author:Teoderick Contreras, Splunk
status:production
type:TTP
Description:The following analytic detects suspicious PowerShell script execution via EventCode 4104, specifically targeting checks for installed anti-virus products using WMI or PowerShell commands. This detection leverages PowerShell Script Block Logging to identify scripts containing keywords like "SELECT," "WMIC," "AntiVirusProduct," or "AntiSpywareProduct." This activity is significant as it is commonly used by malware and APT actors to map running security applications or services, potentially aiding in evasion techniques. If confirmed malicious, this could allow attackers to disable or bypass security measures, leading to further compromise of the endpoint.
Data_source:
  • -Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText = "*SELECT*" OR ScriptBlockText = "*WMIC*") AND (ScriptBlockText = "*AntiVirusProduct*" OR ScriptBlockText = "*AntiSpywareProduct*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `recon_avproduct_through_pwh_or_wmi_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:network administrator may used this command for checking purposes
References:
  -https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/
   -https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
   -https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
   -https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
   -https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
   -https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
 drilldown_searches:
name:'View the detection results for - "$dest$" and "$user$"'
search:'%original_detection_search% | search dest = "$dest$" user = "$user$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$dest$" and "$user$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Qakbot'
    - 'Windows Post-Exploitation'
    - 'Hermetic Wiper'
    - 'Ransomware'
    - 'Prestige Ransomware'
    - 'Malicious PowerShell'
    - 'Data Destruction'
    - 'MoonPeak'
  asset_type:Endpoint
  confidence:80
  impact:70
  message:A suspicious powershell script contains AV recon command on host $dest$
  mitre_attack_id:
    - 'T1592'
  observable:
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'ScriptBlockText'
    - 'Computer'
    - 'UserID'
  risk_score:56
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/t1592/pwh_av_recon/windows-powershell-xml.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None

Related Analytic Stories


Qakbot

Malicious PowerShell

Data Destruction

Prestige Ransomware

Windows Post-Exploitation

MoonPeak

Hermetic Wiper

Ransomware

© 2024 DetectionCode Website. All Rights Reserved.