Update PowerShell parameter aliases #3591
base: develop
@@ -1,7 +1,7 @@ | ||
name: Interactive Session on Remote Endpoint with PowerShell | ||
id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af | ||
version: 11 | ||
date: '2025-06-24' | ||
version: 12 | ||
date: '2025-07-03' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
@@ -17,7 +17,7 @@ description: | |
data_source: | ||
- Powershell Script Block Logging 4104 | ||
search: | ||
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*") | ||
'`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*")) | ||
While the logic could see some improvements. Adding If you would like to add it, I would suggest you enhance the logic of the rule overall. By focusing on the While this might introduce some bypass edge case. It would be far more accurate to the intent of the rule (which is remote endpoint) and less FP prone.
| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest | ||
signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID | ||
ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
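Review bot: the new `ScriptBlockText="*-Cn*"` term on the `+` line is an unanchored, case-insensitive substring match, so it also fires on any script block in which `-cn` is merely part of a longer token, string literal or path, which widens the rule beyond its remote-endpoint intent and raises false positives. If the alias is kept, tighten the match to a whole parameter token after the base search, for example `| regex ScriptBlockText="(?i)-(Cn|ComputerName)\b"`, and mention the short alias in `known_false_positives`, since it will pull in more benign administrator activity than `-ComputerName` alone.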
@@ -1,7 +1,7 @@ | ||||||
name: Remote Process Instantiation via WinRM and PowerShell | ||||||
id: ba24cda8-4716-11ec-8009-3e22fbd008af | ||||||
version: 8 | ||||||
date: '2025-05-02' | ||||||
version: 9 | ||||||
date: '2025-07-03' | ||||||
author: Mauricio Velazco, Splunk | ||||||
status: production | ||||||
type: TTP | ||||||
@@ -19,7 +19,7 @@ data_source: | |||||
- CrowdStrike ProcessRollup2 | ||||||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | ||||||
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-Command*" | ||||||
AND Processes.process="*-ComputerName*") by Processes.action Processes.dest Processes.original_file_name | ||||||
AND (Processes.process="*-ComputerName*" OR Processes.process="*-Cn*")) by Processes.action Processes.dest Processes.original_file_name | ||||||
Adding a space to avoid any rare edge cases.
Suggested change
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid | ||||||
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path | ||||||
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash | ||||||
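Review bot: the `Processes.process="*-Cn*"` term on the `+` line has the same weakness as in the script-block rule: inside a `tstats ... where` clause it is a substring match over the whole command line, so any `-cn` fragment qualifies. The space-padded variant suggested in the comment above narrows it but assumes whitespace between the parameter and its value; a whole-token filter applied after the `tstats`, for example `| regex Processes.process="(?i)\s-(Cn|ComputerName)(\s|:)"`, is the more robust form. The parenthesisation on the `+` line is correct: `*Invoke-Command*` stays ANDed with either alias.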
@@ -41,6 +41,7 @@ known_false_positives: Administrators may leverage WinRM and `Invoke-Command` to | |||||
references: | ||||||
- https://attack.mitre.org/techniques/T1021/006/ | ||||||
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ | ||||||
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4 | ||||||
drilldown_searches: | ||||||
- name: View the detection results for - "$dest$" | ||||||
search: '%original_detection_search% | search dest = "$dest$"' | ||||||
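Review bot: the added Microsoft reference is the `Invoke-Command` page that lists `Cn` as the alias for `-ComputerName`, so it justifies the new search term; the two 4104 script-block rules changed in this PR received no matching reference update, and the `Enter-PSSession` cmdlet page would serve the same purpose there. The `?view=powershell-7.4` pin will go stale as versions move; the unversioned URL is preferable.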
@@ -1,7 +1,7 @@ | ||
name: Remote Process Instantiation via WinRM and PowerShell Script Block | ||
id: 7d4c618e-4716-11ec-951c-3e22fbd008af | ||
version: 9 | ||
date: '2025-06-24' | ||
version: 10 | ||
date: '2025-07-03' | ||
author: Mauricio Velazco, Splunk | ||
status: production | ||
type: TTP | ||
@@ -16,7 +16,7 @@ description: | |
data_source: | ||
- Powershell Script Block Logging 4104 | ||
search: | ||
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND ScriptBlockText="*-ComputerName*") | ||
'`powershell` EventCode=4104 (ScriptBlockText="*Invoke-Command*" AND (ScriptBlockText="*-ComputerName*" OR ScriptBlockText="*-Cn*")) | ||
See my comments above.
| fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest | ||
signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID | ||
ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
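Review bot: same point as for the `Enter-PSSession` rule: `ScriptBlockText="*-Cn*"` on the `+` line is a substring match, not a parameter-token match, so the same `| regex ScriptBlockText="(?i)-(Cn|ComputerName)\b"` tightening and a `known_false_positives` note apply. Since both 4104 rules now carry an identical alias list, putting it in a shared macro would keep future alias additions in sync across the two searches.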
@@ -1,7 +1,7 @@ | ||||||
name: Remote Process Instantiation via WMI and PowerShell | ||||||
id: 112638b4-4634-11ec-b9ab-3e22fbd008af | ||||||
version: 16 | ||||||
date: '2025-05-02' | ||||||
version: 17 | ||||||
date: '2025-07-03' | ||||||
author: Mauricio Velazco, Splunk | ||||||
status: production | ||||||
type: TTP | ||||||
@@ -18,7 +18,7 @@ data_source: | |||||
- CrowdStrike ProcessRollup2 | ||||||
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) | ||||||
as lastTime from datamodel=Endpoint.Processes where `process_powershell` (Processes.process="*Invoke-WmiMethod*" | ||||||
AND Processes.process="*-CN*" AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name | ||||||
AND (Processes.process="*-CN*" OR Processes.process="*-ComputerName*") AND Processes.process="*-Class Win32_Process*" AND Processes.process="*-Name | ||||||
Suggested change
create*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process | ||||||
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id | ||||||
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec | ||||||
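Review bot: here the `+` line only adds the long form `-ComputerName` beside the pre-existing `-CN` term, so the widening concern raised on the other files does not apply; the new term is strictly more specific than what the rule already matched. One consistency point: the other three rules spell the alias `-Cn` while this one keeps `-CN`; a single spelling across the four rules would make them easier to review together and removes any doubt about case handling in the `tstats where` clause.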
@@ -35,7 +35,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D | |||||
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` | ||||||
data model. Use the Splunk Common Information Model (CIM) to normalize the field | ||||||
names and speed up the data modeling process. | ||||||
known_false_positives: Administrators may leverage WWMI and powershell.exe to start | ||||||
known_false_positives: Administrators may leverage WMI and powershell.exe to start | ||||||
a process on remote systems, but this activity is usually limited to a small set | ||||||
of hosts or users. | ||||||
references: | ||||||
This one is too short of an atom to be used in a ScriptBlock on its own. Hence I don't recommend using it.