PowerShell Invoke-NinjaCopy script

  1[metadata]
  2creation_date = "2023/01/23"
  3integration = ["windows"]
  4maturity = "production"
  5updated_date = "2024/10/28"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use
 13Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.
 14"""
 15from = "now-9m"
 16index = ["winlogbeat-*", "logs-windows.powershell*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "PowerShell Invoke-NinjaCopy script"
 20note = """## Triage and analysis
 21
 22### Investigating PowerShell Invoke-NinjaCopy script
 23
 24PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.
 25
 26Invoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.
 27
 28#### Possible investigation steps
 29
 30- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
 31- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 32- Examine file or network events from the involved PowerShell process for suspicious behavior.
 33- Investigate other alerts associated with the user/host during the past 48 hours.
 34- Evaluate whether the user needs to use PowerShell to complete tasks.
 35- Determine whether the script stores the captured data locally.
 36- Check if the imported function was executed and which file it targeted.
 37
 38### False positive analysis
 39
 40- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.
 41
 42### Response and remediation
 43
 44- Initiate the incident response process based on the outcome of the triage.
 45- Isolate the involved hosts to prevent further post-compromise behavior.
 46- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
 47- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
 48- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 49- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 50- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 51"""
 52references = [
 53    "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1",
 54]
 55risk_score = 73
 56rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
 57severity = "high"
 58tags = [
 59    "Domain: Endpoint",
 60    "OS: Windows",
 61    "Use Case: Threat Detection",
 62    "Tactic: Credential Access",
 63    "Data Source: PowerShell Logs",
 64    "Resources: Investigation Guide",
 65]
 66timestamp_override = "event.ingested"
 67type = "query"
 68
 69query = '''
 70event.category:process and host.os.type:windows and
 71  powershell.file.script_block_text : (
 72    "StealthReadFile" or
 73    "StealthReadFileAddr" or
 74    "StealthCloseFileDelegate" or
 75    "StealthOpenFile" or
 76    "StealthCloseFile" or
 77    "StealthReadFile" or
 78    "Invoke-NinjaCopy"
 79   )
 80  and not user.id : "S-1-5-18"
 81  and not powershell.file.script_block_text : (
 82    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
 83  )
 84'''
 85
 86
 87[[rule.threat]]
 88framework = "MITRE ATT&CK"
 89[[rule.threat.technique]]
 90id = "T1003"
 91name = "OS Credential Dumping"
 92reference = "https://attack.mitre.org/techniques/T1003/"
 93[[rule.threat.technique.subtechnique]]
 94id = "T1003.002"
 95name = "Security Account Manager"
 96reference = "https://attack.mitre.org/techniques/T1003/002/"
 97
 98[[rule.threat.technique.subtechnique]]
 99id = "T1003.003"
100name = "NTDS"
101reference = "https://attack.mitre.org/techniques/T1003/003/"
102
103
104
105[rule.threat.tactic]
106id = "TA0006"
107name = "Credential Access"
108reference = "https://attack.mitre.org/tactics/TA0006/"
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1059"
113name = "Command and Scripting Interpreter"
114reference = "https://attack.mitre.org/techniques/T1059/"
115[[rule.threat.technique.subtechnique]]
116id = "T1059.001"
117name = "PowerShell"
118reference = "https://attack.mitre.org/techniques/T1059/001/"
119
120
121
122[rule.threat.tactic]
123id = "TA0002"
124name = "Execution"
125reference = "https://attack.mitre.org/tactics/TA0002/"
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128[[rule.threat.technique]]
129id = "T1006"
130name = "Direct Volume Access"
131reference = "https://attack.mitre.org/techniques/T1006/"
132
133
134[rule.threat.tactic]
135id = "TA0005"
136name = "Defense Evasion"
137reference = "https://attack.mitre.org/tactics/TA0005/"