Name:Windows Powershell Cryptography Namespace id:f8b482f4-6d62-49fa-a905-dfa15698317b version:4 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:False positives should be limited. Filter as needed. References: -https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'AsyncRAT' asset_type:Endpoint confidence:50 impact:50 message:A suspicious powershell script contains cryptography command detected on host $dest$ mitre_attack_id: - 'T1059.001' - 'T1059' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'ScriptBlockText' - 'Opcode' - 'Computer' - 'UserID' - 'EventCodes' risk_score:25 security_domain:endpoint
