Potential PowerShell Pass-the-Hash/Relay Script

Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/03/27"
 3integration = ["windows"]
 4maturity = "production"
 5updated_date = "2024/10/28"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry
13out other man-in-the-middle (MitM) attacks.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.powershell*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Potential PowerShell Pass-the-Hash/Relay Script"
20references = [
21    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
22    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
23    "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
24    "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
25    "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1",
26]
27risk_score = 73
28rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
29setup = """## Setup
30
31The 'PowerShell Script Block Logging' logging policy must be enabled.
32Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

1
2Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

 1"""
 2severity = "high"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Credential Access",
 8    "Resources: Investigation Guide",
 9    "Data Source: PowerShell Logs",
10]
11timestamp_override = "event.ingested"
12type = "query"
13
14query = '''
15event.category:process and host.os.type:windows and
16  powershell.file.script_block_text : (
17    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
18    "4E544C4D53535000" or
19    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
20    "0x4e,0x54,0x20,0x4c,0x4d" or
21    "0x53,0x4d,0x42,0x20,0x32" or
22    "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
23  ) and
24  not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads"
25'''
26
27
28[[rule.threat]]
29framework = "MITRE ATT&CK"
30[[rule.threat.technique]]
31id = "T1557"
32name = "Adversary-in-the-Middle"
33reference = "https://attack.mitre.org/techniques/T1557/"
34
35
36[rule.threat.tactic]
37id = "TA0006"
38name = "Credential Access"
39reference = "https://attack.mitre.org/tactics/TA0006/"
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1059"
44name = "Command and Scripting Interpreter"
45reference = "https://attack.mitre.org/techniques/T1059/"
46[[rule.threat.technique.subtechnique]]
47id = "T1059.001"
48name = "PowerShell"
49reference = "https://attack.mitre.org/techniques/T1059/001/"
50
51
52
53[rule.threat.tactic]
54id = "TA0002"
55name = "Execution"
56reference = "https://attack.mitre.org/tactics/TA0002/"
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1550"
61name = "Use Alternate Authentication Material"
62reference = "https://attack.mitre.org/techniques/T1550/"
63[[rule.threat.technique.subtechnique]]
64id = "T1550.002"
65name = "Pass the Hash"
66reference = "https://attack.mitre.org/techniques/T1550/002/"
67
68
69
70[rule.threat.tactic]
71id = "TA0008"
72name = "Lateral Movement"
73reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top