
Hunting malicious behaviour abusing PowerShell with Sysmon and Splunk

Category: Systems (Windows) | Posted by 店小二05 | 2017 | Author: 红领巾

Sysmon is a monitoring tool which, combined with Splunk, makes an excellent tandem for threat hunting. A good example was presented by Tom Ueltschi at Botconf 2016.


Windows PowerShell is a command shell that is very useful for administrative purposes, but at the same time it can be abused across different phases of an intrusion and it is being actively used by malware developers. For these reasons, I'm interested in hunting, using Sysmon and Splunk, for cases where PowerShell is used for bad purposes. The setup is very simple: Windows machine(s) with the Splunk Forwarder and Sysmon. The two files that need to be configured are inputs.conf and config.xml.

A simple inputs.conf file in the forwarder is the following:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\default\inputs.conf

# Version 6.4.5
# these here just override and disable stuff that in system/default.

################################
# Data thru parsingQueue always
################################
[splunktcp]
route=has_key:tautology:parsingQueue;absent_key:tautology:parsingQueue

################################
# Make sure these get forwarded
################################
[monitor://$SPLUNK_HOME\var\log\splunk\splunkd.log]
_TCP_ROUTING = *
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\metrics.log]
_TCP_ROUTING = *
index = _internal

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
Regarding the config.xml file for Sysmon, it is key to customise the file for each specific environment in order to reduce the noise and catch all the interesting events. In my case, I have used a very simple one which works for my test environment and doesn't create much noise. A more advanced template to use is the one created by @SwiftOnSecurity.

<Sysmon schemaversion="3.2">
  <HashAlgorithms>MD5</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <!-- Exclude certain processes that cause high event volumes -->
    <ProcessCreate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">python</Image>
    </ProcessCreate>
    <ProcessTerminate onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </ProcessTerminate>
    <FileCreateTime onmatch="exclude">
      <Image condition="contains">splunk</Image>
      <Image condition="contains">streamfwd</Image>
      <Image condition="contains">splunkd</Image>
      <Image condition="contains">splunkD</Image>
      <Image condition="contains">splunk</Image>
      <Image condition="contains">splunk-optimize</Image>
      <Image condition="contains">splunk-MonitorNoHandle</Image>
      <Image condition="contains">splunk-admon</Image>
      <Image condition="contains">splunk-netmon</Image>
      <Image condition="contains">splunk-regmon</Image>
      <Image condition="contains">splunk-winprintmon</Image>
      <Image condition="contains">btool</Image>
      <Image condition="contains">PYTHON</Image>
    </FileCreateTime>
  </EventFiltering>
</Sysmon>
As I said, I'm interested in any PowerShell command spawned and the parent process associated with it. With a simple SPL query I get straight away all the PowerShell commands executed, as shown below.

[Screenshot: Splunk search results listing the executed PowerShell command lines]

Let's analyse each of the executed PowerShell commands from the screenshot above.


"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c SafetyTest.rar

This command is using the 'ExecutionPolicy bypass' option. According to some documentation, the PowerShell Execution Policy was not designed as a security control, but as a control to limit mistakes made by sysadmins: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

In any case, any PowerShell command using that option should be considered suspicious.


It also runs with the option 'windowstyle hidden' to hide the prompt. Although this is not a bad indicator per se, and some legitimate scripts run in the background with this option, this indicator together with any other indicator should raise an alert.

In the command above there is another suspicious thing: the 'rar' extension of the file executed by PowerShell. Looking at any process launched by that command (i.e. with it as ParentCommandLine), I get the following:


[Screenshot: Splunk search results showing the processes whose ParentCommandLine is the PowerShell command above]
So basically, I see that the PowerShell command invokes
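To turn the three indicators discussed above (ExecutionPolicy bypass, hidden window, a non-script file extension) and the ParentCommandLine pivot into a repeatable check, here is an added Python example that is not part of the original post: it parses Sysmon Event ID 1 records in the XML form Splunk stores with renderXml = true, scores each PowerShell launch and attaches the processes it spawned. The sample events, the SCRIPT_EXTS allow-list and the two-indicator threshold are my assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed Sysmon Event ID 1 records in the XML shape Splunk stores when
# renderXml = true (event namespace omitted). Values are made up for this example.
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PS_CMD = (f'"{PS_PATH}" -ExecutionPolicy bypass -noprofile -windowstyle hidden '
          "cmd /c SafetyTest.rar")

def _event(image, cmdline, parent_cmdline):
    return ("<Event><System><EventID>1</EventID></System><EventData>"
            f'<Data Name="Image">{image}</Data><Data Name="CommandLine">{cmdline}</Data>'
            f'<Data Name="ParentCommandLine">{parent_cmdline}</Data></EventData></Event>')

SAMPLE_EVENTS = [
    _event(PS_PATH, PS_CMD, "explorer.exe"),                                   # suspicious
    _event("C:\\Windows\\System32\\cmd.exe", "cmd /c SafetyTest.rar", PS_CMD),  # its child
    _event(PS_PATH, f'"{PS_PATH}" -File C:\\scripts\\inventory.ps1', "taskeng.exe"),  # benign
]

SCRIPT_EXTS = {"ps1", "psm1", "psd1", "bat", "cmd", "exe", "dll"}  # assumed normal in a command line

def parse_event(xml_text):
    """Collapse the <Data Name=...> elements of one Sysmon event into a dict."""
    return {d.get("Name"): d.text or "" for d in ET.fromstring(xml_text).iter()
            if d.tag.split("}")[-1] == "Data" and d.get("Name")}

def indicators(cmdline):
    """Return the suspicious traits from the post that appear in a PowerShell command line."""
    low, found = cmdline.lower(), []
    if re.search(r"-executionpolicy\s+bypass", low):
        found.append("executionpolicy_bypass")
    if re.search(r"-windowstyle\s+hidden", low):
        found.append("windowstyle_hidden")
    # any file extension that is not a script or binary, e.g. the .rar seen above
    odd = {m.group(1) for m in re.finditer(r"[\w-]+\.([a-z0-9]{2,4})\b", low)} - SCRIPT_EXTS
    if odd:
        found.append("non_script_extension:" + ",".join(sorted(odd)))
    return found

def triage(events, min_indicators=2):
    """Alert on PowerShell launches with enough traits; attach children via ParentCommandLine."""
    parsed = [parse_event(e) for e in events]
    alerts = []
    for ev in parsed:
        hits = indicators(ev.get("CommandLine", ""))
        if ev.get("Image", "").lower().endswith("powershell.exe") and len(hits) >= min_indicators:
            children = [c["CommandLine"] for c in parsed if c.get("ParentCommandLine") == ev["CommandLine"]]
            alerts.append({"cmdline": ev["CommandLine"], "indicators": hits, "children": children})
    return alerts
```

Running triage(SAMPLE_EVENTS) raises one alert, for the command analysed above, with the cmd.exe launch attached as its child; the scheduled inventory script is left alone.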

Source: http://www.codesec.net/view/534986.html (please credit the source when reposting)