Potential PowerShell Pass-the-Hash/Relay Script

Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.


 1[metadata]
 2creation_date = "2024/03/27"
 3integration = ["windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/27"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry
13out other man-in-the-middle (MitM) attacks.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.powershell*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Potential PowerShell Pass-the-Hash/Relay Script"
20references = [
21    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1",
22    "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1",
23    "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1",
24    "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1",
25    "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"
26]
27risk_score = 47
28rule_id = "951779c2-82ad-4a6c-82b8-296c1f691449"
29setup = """## Setup
30
31The 'PowerShell Script Block Logging' logging policy must be enabled.
32Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

1
2Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

 1"""
 2severity = "medium"
 3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 4timestamp_override = "event.ingested"
 5type = "query"
 6
 7query = '''
 8event.category:process and host.os.type:windows and
 9  powershell.file.script_block_text : (
10    ("NTLMSSPNegotiate" and ("NegotiateSMB" or "NegotiateSMB2")) or
11    "4E544C4D53535000" or
12    "0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50" or
13    "0x4e,0x54,0x20,0x4c,0x4d" or
14    "0x53,0x4d,0x42,0x20,0x32" or
15    "0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38"
16  )
17'''
18
19
20[[rule.threat]]
21framework = "MITRE ATT&CK"
22[[rule.threat.technique]]
23id = "T1557"
24name = "Adversary-in-the-Middle"
25reference = "https://attack.mitre.org/techniques/T1557/"
26
27
28
29[rule.threat.tactic]
30id = "TA0006"
31name = "Credential Access"
32reference = "https://attack.mitre.org/tactics/TA0006/"
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1059"
38name = "Command and Scripting Interpreter"
39reference = "https://attack.mitre.org/techniques/T1059/"
40[[rule.threat.technique.subtechnique]]
41id = "T1059.001"
42name = "PowerShell"
43reference = "https://attack.mitre.org/techniques/T1059/001/"
44
45
46
47[rule.threat.tactic]
48id = "TA0002"
49name = "Execution"
50reference = "https://attack.mitre.org/tactics/TA0002/"
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1550"
56name = "Use Alternate Authentication Material"
57reference = "https://attack.mitre.org/techniques/T1550/"
58[[rule.threat.technique.subtechnique]]
59id = "T1550.002"
60name = "Pass the Hash"
61reference = "https://attack.mitre.org/techniques/T1550/002/"
62
63
64
65[rule.threat.tactic]
66id = "TA0008"
67name = "Lateral Movement"
68reference = "https://attack.mitre.org/tactics/TA0008/"
