Update PowerShell parameter aliases #3591
base: develop
Adds parameter aliases to detections with logic that matches parameters for Get-WmiObject. Alias reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1#parameters
Add the full parameter '-ComputerName' to the detection logic, which was previously matching only the parameter alias '-CN'. This aligns the detection with others in the ESCU that look for suspicious Invoke-WmiMethod activity.
Adds '-ComputerName' parameter alias '-Cn' to logic for detections that look for Invoke-Command activity.
Adds '-Cn' alias of parameter '-ComputerName' to logic for interactive_session_on_remote_endpoint_with_powershell detection. Alias reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.5#parameters
@@ -16,7 +16,7 @@ description: The following analytic detects the execution of the `Get-WmiObject` | |||
data_source: | |||
- Powershell Script Block Logging 4104 | |||
search: '`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText | |||
= "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" | |||
= "*ds_user*" (ScriptBlockText = "*-namespace*" OR ScriptBlockText = "*-ns*") ScriptBlockText = "*root\\directory\\ldap*" |
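Review bot: the added `ScriptBlockText = "*-ns*"` term on the `+` line is a three-character atom, and Splunk's wildcard comparison is substring-based and case-insensitive, so it also fires on any script block that contains `-ns` inside a longer token (a hyphenated path or variable name, for instance), which widens this rule beyond the `-Namespace` alias it is meant to cover. Suggest `ScriptBlockText = "*-ns *"` (trailing space) so the alias is matched as a standalone parameter followed by its value, and mention the alias in the `description:` shown in the hunk header so an analyst knows why a short `-ns` token triggers this detection.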
This one is too short of an atom to be used in a ScriptBlock on its own. Hence I don't recommend using it.
@@ -17,7 +17,7 @@ description: | |||
data_source: | |||
- Powershell Script Block Logging 4104 | |||
search: | |||
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | |||
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*")) |
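Review bot: `ScriptBlockText="*-Cn*"` on the `+` line matches any `-cn` substring, not only the `-ComputerName` alias, so `Enter-PSSession` blocks that carry an unrelated hyphenated token beginning with `cn` will also fire; the existing `*-ComputerName*` branch is long enough to be specific, so the new OR branch is the only place where precision drops. Suggest `ScriptBlockText="*-Cn *"` (trailing space), or a single pattern that ties the alias to the cmdlet it belongs to (for example `ScriptBlockText="*Enter-PSSession*-Cn *"`), which keeps the rule focused on the remote session the description is about.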
While the logic could see some improvements, adding -Cn is similar to my comment above.
It's a short atom that could match other things in the script. I would not recommend adding it directly as it is.
If you would like to add it, I would suggest you enhance the logic of the rule overall by focusing on the -ComputerName flag and its alias as arguments in the same line.
While this might introduce some bypass edge case, it would be far more accurate to the intent of the rule (which is remote endpoint) and less FP prone.
@@ -19,7 +19,7 @@ data_source: | |||
- CrowdStrike ProcessRollup2 | |||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | |||
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" | |||
AND Processes.process="*-ComputerName*") by Processes.action Processes.dest Processes.original_file_name | |||
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn*")) by Processes.action Processes.dest Processes.original_file_name |
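Review bot: `Processes.process="*-Cn*"` on the `+` line matches `-Cn` anywhere in the command line, including inside a longer argument such as a file name containing `-cn`; because `Processes.process` is the raw command line rather than a parsed parameter list, the short atom is more exposed here than in script-block logging. Suggest `Processes.process="*-Cn *"` so the alias must be followed by a separator before its value, and leave the `*-ComputerName*` branch as it is.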
Adding a space to avoid any rare edge cases.
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn*")) by Processes.action Processes.dest Processes.original_file_name | |
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn *")) by Processes.action Processes.dest Processes.original_file_name |
@@ -16,7 +16,7 @@ description: | |||
data_source: | |||
- Powershell Script Block Logging 4104 | |||
search: | |||
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") | |||
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*")) |
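Review bot: the `description:` referenced in the hunk header is not updated in this hunk, so the rule text will still describe the match in terms of `-ComputerName` only while the search now also fires on `-Cn`; the description and the false-positive notes should say that the alias is matched, otherwise an analyst looking at a `-Cn` hit has no reference for why it triggered. The same short-atom caveat as for the `Enter-PSSession` hunk applies to `ScriptBlockText="*-Cn*"` on the `+` line: prefer `ScriptBlockText="*-Cn *"`.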
See my comments above.
@@ -18,7 +18,7 @@ data_source: | |||
- CrowdStrike ProcessRollup2 | |||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | |||
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*" | |||
AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name | |||
AND (Processes.process="*-CN*" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name |
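Review bot: Splunk search-time field matching is case-insensitive, so `"*-CN*"` and `"*-Cn*"` on the `+` line are equivalent and the uppercase spelling buys nothing; what matters is the missing separator, since `*-CN*` also matches `-CN` embedded in a longer argument. Adding `*-ComputerName*` is correct and necessary (the substring `-cn` does not occur in `-ComputerName`, so the original rule missed the full parameter entirely), but suggest `"*-CN *"` for the alias branch so it only matches the standalone switch.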
AND (Processes.process="*-CN*" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name | |
AND (Processes.process="*-Cn *" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name |
Details
This PR consists of some batch updates to PowerShell activity-based detections that include parameters in the detection logic for which a parameter alias exists.
The commands, and parameter aliases for said commands, that were looked at for this PR are as follows (links to relevant docs for aliases):
The purpose of these updates is to ensure the desired activity is captured by the detection, regardless of whether a parameter name or alias is used, for any parameters which have an alias.
The changes were made with minimum # LOC modified in mind, but happy to adjust formatting to whatever best practice is for the repo. Opted not to reflow any search blocks with long lines as a result of the added logic, but it'd be easy to adjust if that's the desired process. I additionally attempted to maintain consistent style with whichever individual detection was being modified, with minimum modification/potential disruption in mind, but would again be happy to refactor into more repeatable logic (e.g., a macro or two to replace components that are repeated across detections).
I'm unsure if this PR covers the exhaustive list of PowerShell activity-based detections with potential parameter alias visibility gaps, but I plan to keep searching/parsing some more in an attempt to surface any others.
Detections updated:
endpoint/getwmiobject_ds_computer_with_powershell
endpoint/getwmiobject_ds_computer_with_powershell_script_block
endpoint/getwmiobject_ds_group_with_powershell
endpoint/getwmiobject_ds_group_with_powershell_script_block
endpoint/getwmiobject_ds_user_with_powershell
endpoint/getwmiobject_ds_user_with_powershell_script_block
endpoint/interactive_session_on_remote_endpoint_with_powershell
endpoint/remote_process_instantiation_via_winrm_and_powershell
endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block
endpoint/remote_process_instantiation_via_wmi_and_powershell
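To see how the three spellings of the alias term discussed in this review behave on concrete command lines, here is an added Python check that is not part of this PR or of the security_content repository; it approximates Splunk's case-insensitive wildcard comparison with a regex (an assumption about Splunk semantics, not Splunk itself) and runs the original, the PR's `*-Cn*`, and the trailing-space `*-Cn *` variant of the Invoke-Command process predicate over constructed sample command lines.

```python
import re


def spl_like(value: str, pattern: str) -> bool:
    """Approximate a Splunk field wildcard comparison: '*' matches any run of
    characters and the comparison is case-insensitive (assumption, see lead-in)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE | re.DOTALL) is not None


# The three versions of the Invoke-Command predicate from this review:
# the pre-PR rule, the PR's alias branch, and the trailing-space suggestion.
PREDICATES = {
    "original": lambda p: spl_like(p, "*Invoke-Command*")
    and spl_like(p, "*-ComputerName*"),
    "pr_alias": lambda p: spl_like(p, "*Invoke-Command*")
    and (spl_like(p, "*-ComputerName*") or spl_like(p, "*-Cn*")),
    "reviewer": lambda p: spl_like(p, "*Invoke-Command*")
    and (spl_like(p, "*-ComputerName*") or spl_like(p, "*-Cn *")),
}

# Constructed sample Processes.process values (not taken from real telemetry).
SAMPLES = {
    "full_param": "powershell.exe Invoke-Command -ComputerName srv01 -ScriptBlock { hostname }",
    "alias": "powershell.exe invoke-command -cn srv01 -ScriptBlock { hostname }",
    "local_only": "powershell.exe Invoke-Command -ScriptBlock { hostname }",
    # Local run whose argument merely contains the substring "-cn" (app-cnt.log).
    "alias_like": "powershell.exe Invoke-Command -ScriptBlock { Get-Content C:\\logs\\app-cnt.log }",
}


def evaluate(samples=SAMPLES, predicates=PREDICATES):
    """Return {sample_name: {predicate_name: matched}} for every combination."""
    return {
        name: {pname: pred(cmd) for pname, pred in predicates.items()}
        for name, cmd in samples.items()
    }


if __name__ == "__main__":
    for name, row in evaluate().items():
        flags = "  ".join(f"{k}={'HIT' if v else '-'}" for k, v in row.items())
        print(f"{name:<11} {flags}")
```

The `alias_like` row is the false positive the reviewer is pointing at: only the PR's `*-Cn*` form fires on it, while `*-Cn *` still catches the genuine `-cn srv01` alias usage.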