
Update PowerShell parameter aliases #3591

@@ -1,7 +1,7 @@
name: GetWmiObject Ds Computer with PowerShell
id: 7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3
version: 6
date: '2025-05-02'
version: 7
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -20,8 +20,8 @@ data_source:
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*"
AND Processes.process="*class ds_computer*") by Processes.action Processes.dest
(Processes.process=*Get-WmiObject* AND (Processes.process="*namespace root\\directory\\ldap*" OR Processes.process="*ns root\\directory\\ldap*")
AND (Processes.process="*class ds_computer*" OR Processes.process="*classname ds_computer*")) by Processes.action Processes.dest
Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
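Review bot: the only functional change in this hunk is the two new `OR` branches for `-ns` and `-ClassName`, but nothing else in the diff exercises them: no test or attack-data sample using the aliases is added, and the description still names only the canonical parameters. Add at least one sample command line using `-ns root\directory\ldap` and `-ClassName ds_computer` to the detection's tests so the alias branches are actually validated, and mention the aliases in the description alongside the version bump.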
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Computer with PowerShell Script Block
id: 29b99201-723c-4118-847a-db2b3d3fb8ea
version: 8
date: '2025-06-24'
version: 9
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -16,8 +16,8 @@ description:
data_source:
- Powershell Script Block Logging 4104
search:
'`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace
root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | fillnull |
'`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND (ScriptBlockText="*namespace
root\\directory\\ldap*" OR ScriptBlockText="*ns root\\directory\\ldap*") AND (ScriptBlockText="*class ds_computer*" OR ScriptBlockText="*classname ds_computer*")) | fillnull |
stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id
user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`'
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Group with PowerShell
id: df275a44-4527-443b-b884-7600e066e3eb
version: 7
date: '2025-05-02'
version: 8
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -19,8 +19,8 @@ data_source:
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe")
(Processes.process=*Get-WmiObject* AND Processes.process="*namespace root\\directory\\ldap*"
AND Processes.process="*class ds_group*") by Processes.action Processes.dest Processes.original_file_name
(Processes.process=*Get-WmiObject* AND (Processes.process="*namespace root\\directory\\ldap*" OR Processes.process="*ns root\\directory\\ldap*")
AND (Processes.process="*class ds_group*" OR Processes.process="*classname ds_group*")) by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
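Review bot: same gap as in the ds_computer process search: the `-ns` and `-classname` branches arrive without a test sample or a description update anywhere in this diff. Cover both detections with the same alias-using sample data so the new branches are verified rather than assumed.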
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Group with PowerShell Script Block
id: 67740bd3-1506-469c-b91d-effc322cc6e5
version: 9
date: '2025-06-24'
version: 10
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -16,8 +16,8 @@ description:
data_source:
- Powershell Script Block Logging 4104
search:
'`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace
root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") | fillnull | stats
'`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND (ScriptBlockText="*namespace
root\\directory\\ldap*" OR ScriptBlockText="*ns root\\directory\\ldap*") AND (ScriptBlockText="*class ds_group*" OR ScriptBlockText="*classname ds_group*")) | fillnull | stats
count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id
user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`getwmiobject_ds_group_with_powershell_script_block_filter`'
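Review bot: style, last line of the hunk: `|`getwmiobject_ds_group_with_powershell_script_block_filter`` is missing the space after the pipe that every other search in this PR has before its `_filter` macro. It is pre-existing and SPL tolerates it, but since the file is being re-versioned anyway, normalise it to `| `getwmiobject_ds_group_with_powershell_script_block_filter``.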
@@ -1,7 +1,7 @@
name: GetWmiObject DS User with PowerShell
id: 22d3b118-04df-11ec-8fa3-acde48001122
version: 8
date: '2025-05-02'
version: 9
date: '2025-07-03'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="cmd.exe"
OR Processes.process_name="powershell*") AND Processes.process = "*get-wmiobject*"
AND Processes.process = "*ds_user*" AND Processes.process = "*root\\directory\\ldap*"
AND Processes.process = "*-namespace*" by Processes.action Processes.dest Processes.original_file_name
AND (Processes.process = "*-namespace*" OR Processes.process = "*-ns*") by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
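Review bot: `Processes.process = "*-ns*"` on the changed line is an unanchored three-character substring of the whole command line, the same short-atom concern raised on the script-block variant, and it differs from the approach the ds_computer and ds_group searches in this PR take, where the alias is bound to its value (`*ns root\\directory\\ldap*`). Prefer `"*-ns *"` or, better, `"*-ns root\\directory\\ldap*"` so the alias branch is as tight as the existing `-namespace` branch.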
@@ -1,7 +1,7 @@
name: GetWmiObject DS User with PowerShell Script Block
id: fabd364e-04f3-11ec-b34b-acde48001122
version: 9
date: '2025-05-02'
version: 10
date: '2025-07-03'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -16,7 +16,7 @@ description: The following analytic detects the execution of the `Get-WmiObject`
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText
= "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*"
= "*ds_user*" (ScriptBlockText = "*-namespace*" OR ScriptBlockText = "*-ns*") ScriptBlockText = "*root\\directory\\ldap*"
Contributor
This one is too short of an atom to be used in a ScriptBlock on its own. Hence I don't recommend using it.

| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest
signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID
ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
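Review bot: agree with the inline comment on the bare `"*-ns*"` term. If the alias is kept, bind it to the value the rule already requires, i.e. `ScriptBlockText = "*-ns root\\directory\\ldap*"`, which is how the ds_computer and ds_group script-block searches elsewhere in this PR handle the same alias; that keeps the branch specific without adding a second unanchored atom to a search that already matches across the whole script block.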
@@ -1,7 +1,7 @@
name: Interactive Session on Remote Endpoint with PowerShell
id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af
version: 11
date: '2025-06-24'
version: 12
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -17,7 +17,7 @@ description:
data_source:
- Powershell Script Block Logging 4104
search:
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*")
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*"))
Contributor
While the logic could see some improvements, adding -Cn is similar to my comment above.
It's a short atom that could match other things in the script. I would not recommend adding it directly as it is.

If you would like to add it, I would suggest you enhance the logic of the rule overall by focusing on the -ComputerName flag and its alias as arguments in the same line.

While this might introduce some bypass edge cases, it would be far more accurate to the intent of the rule (which is remote endpoint) and less FP-prone.

| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest
signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID
ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
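Review bot: the `-Cn` branch on the changed line has the short-atom problem the inline comment describes, and because a 4104 event carries the whole script block, `*Enter-PSSession*` and `*-Cn*` can be satisfied by unrelated statements. One way to implement the same-line suggestion is to keep the broad wildcard filter for speed and append `| regex ScriptBlockText="(?i)Enter-PSSession[^\r\n;|]*\s-(ComputerName|Cn)(\s|:)"` before `fillnull`, so the cmdlet and its parameter must occur in the same statement. Add a `-Cn` sample to the detection's tests so both branches are exercised.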
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and PowerShell
id: ba24cda8-4716-11ec-8009-3e22fbd008af
version: 8
date: '2025-05-02'
version: 9
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -19,7 +19,7 @@ data_source:
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*"
AND Processes.process="*-ComputerName*") by Processes.action Processes.dest Processes.original_file_name
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn*")) by Processes.action Processes.dest Processes.original_file_name
Contributor
Adding a space to avoid any rare edge cases.

Suggested change
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn*")) by Processes.action Processes.dest Processes.original_file_name
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn *")) by Processes.action Processes.dest Processes.original_file_name

Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
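Review bot: the inline `-Cn *` suggestion is the right direction; apply the same trailing space to the canonical branch (`*-ComputerName *`) so the two are symmetric, and record the trade-off the reviewer mentions in known_false_positives or the description so the next maintainer knows it was deliberate. As with the other alias branches in this PR, add a test sample that uses `-Cn` with `Invoke-Command`.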
Expand All @@ -41,6 +41,7 @@ known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to
references:
- https://attack.mitre.org/techniques/T1021/006/
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and PowerShell Script Block
id: 7d4c618e-4716-11ec-951c-3e22fbd008af
version: 9
date: '2025-06-24'
version: 10
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -16,7 +16,7 @@ description:
data_source:
- Powershell Script Block Logging 4104
search:
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*")
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*"))
Contributor
See my comments above.

| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest
signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID
ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
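Review bot: as written the `-Cn` branch on the changed line is a bare three-character atom evaluated against the entire script block, so `*Invoke-Command*` and `*-Cn*` can match unrelated statements. To require them in the same statement, keep the wildcard filter and add `| regex ScriptBlockText="(?i)Invoke-Command[^\r\n;|]*\s-(ComputerName|Cn)(\s|:)"` before `fillnull`, and add a `-Cn` sample to the tests.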
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WMI and PowerShell
id: 112638b4-4634-11ec-b9ab-3e22fbd008af
version: 16
date: '2025-05-02'
version: 17
date: '2025-07-03'
author: Mauricio Velazco, Splunk
status: production
type: TTP
Expand All @@ -18,7 +18,7 @@ data_source:
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*"
AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name
AND (Processes.process="*-CN*" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name
Contributor
Suggested change
AND (Processes.process="*-CN*" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name
AND (Processes.process="*-Cn *" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name

create*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
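Review bot: this hunk goes the opposite way from the others (the rule already matched only the alias `-CN`, and the canonical `-ComputerName` is being added), so version 16 was already relying on a short atom; the inline `-Cn *` suggestion fixes that, and the new `-ComputerName` branch should get the same trailing space for symmetry. The alias is also spelled `-CN` here and `-Cn` in the WinRM rules; pick one spelling across the PR for readability.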
Expand All @@ -35,7 +35,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Administrators may leverage WWMI and powershell.exe to start
known_false_positives: Administrators may leverage WMI and powershell.exe to start
a process on remote systems, but this activity is usually limited to a small set
of hosts or users.
references: