Use Case With elk

ELK is an open source stack that consists of three applications (Elasticsearch, Logstash and Kibana)

ELK is an open source stack that consists of three applications (Elasticsearch, Logstash and Kibana) working in synergy to provide users with end-to-end search and visualization capabilities to analyze and investigate log file sources in real time.

ندخل ف الموضوع ع طول

1- Perform a hunt for well-known PowerShell Offensive Frameworks and commands

(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND (process.command_line:(*Empire* OR *PowerSploit* OR *Mimikatz* OR *PowershellEmpire* OR *Inveigh* OR *BloodHound* OR *PowerUp* OR *nishang* OR *Seatbelt* OR *SharpHound*) OR process.command_line:(*Invoke-Mimikatz* OR *Invoke-SharpHound* OR *Invoke-Inveigh* OR *Invoke-BloodHound* OR *Invoke-Phant0m* OR *Invoke-StealthUser* OR *Invoke-PortScan* OR *Invoke-TokenManipulation* OR *PowerView.ps1* OR *PowerUp.ps1*))

This query searches for two types of events:

Windows process creation events with event code 4688, indicating a new process was created.
File creation events with event code 1, indicating a new file was created.

The query filters for events where the process name is "powershell.exe" and the process command line includes any of the well-known PowerShell offensive frameworks and commands, such as Empire, PowerSploit, Mimikatz, BloodHound, and others. The query uses the OR operator to match any of the keywords within the command line.

2- Perform a hunt for suspicious parent process spawning PowerShell

event.code:4688 AND event.action:created AND process.parent.name:"explorer.exe" AND process.name:"powershell.exe"

This query searches for Windows process creation events with event code 4688, indicating a new process was created. It further filters for events where the process action is "created" and the parent process name is "explorer.exe". Additionally, the query looks for events where the new process is named "powershell.exe", indicating a potential instance of PowerShell being spawned by a suspicious parent process.

We can also expand the query to include additional fields or filters, such as the user who executed the process or the path of the executable.

3- Perform a hunt for renamed PowerShell.exe

(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND process.executable:(*rename* OR *renamed*) AND NOT process.executable:"powershell.exe"

This query searches for two types of events:

Windows process creation events with event code 4688, indicating a new process was created
File creation events with event code 1, indicating a new file was created

The query filters for events where the process name is "powershell.exe", but the process executable includes the words "rename" or "renamed", indicating a potential instance of PowerShell being renamed by an attacker. The NOT operator is used to exclude events where the process executable is "powershell.exe" to avoid including legitimate instances of PowerShell.

4- Perform a hunt for base64-encoded PowerShell commands

(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND (process.command_line:(*'-encodedcommand'* OR '*-encodedcommand'*) OR process.command_line:(*'-enc'* OR '*-enc'*) OR process.command_line:(*'-encoded'* OR '*-encoded'*)) AND process.command_line:(*base64*)

This query searches for two types of events:

Windows process creation events with event code 4688, indicating a new process was created.
File creation events with event code 1, indicating a new file was created.

The query filters for events where the process name is "powershell.exe" and the process command line includes any of the following parameters: "-encodedcommand", "-enc", or "-encoded". Additionally, the query looks for events where the process command line includes the word "base64", indicating a potential instance of base64-encoded PowerShell commands.

5- Perform a hunt for PowerShell attacks utilizing GZIP compression

event.code: 4103 and event.provider: "Microsoft-Windows-PowerShell" and event.opcode: 5 and "Content-Encoding: gzip" IN event.original

This query searches for events with the code 4103 from the Microsoft-Windows-PowerShell provider with opcode 5 (which indicates the use of a PowerShell script block). It then checks if the string "Content-Encoding: gzip" is present in the original field of the event, which includes the full raw message.

6- Perform a hunt for obfuscated PowerShell code using XOR

event.code: 4104 and event.provider: "Microsoft-Windows-PowerShell" and event.opcode: 3 and "XOR" IN event.original

This query searches for events with the code 4104 from the Microsoft-Windows-PowerShell provider with opcode 3 (which indicates the use of the PowerShell XOR operator). It then checks if the string "XOR" is present in the original field of the event, which includes the full raw message.

7- Perform a hunt for execution of an assembly from file by PowerShell

event.code: 800 and event.provider: "Microsoft-Windows-PowerShell" and "Assembly" IN event.original and "LoadFrom" IN event.original

This query searches for events with the code 800 from the Microsoft-Windows-PowerShell provider. Code 800 indicates that an external module or assembly was loaded by PowerShell. The query checks if the strings "Assembly" and "LoadFrom" are present in the original field of the event, which includes the full raw message.

8- Perform a hunt for PowerShell commands downloading content

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and ("Invoke-WebRequest" IN event.original or "Invoke-RestMethod" IN event.original or "Net.WebClient" IN event.original)

This query searches for events with the code 4103 or 4104 from the Microsoft-Windows-PowerShell provider, and checks if the string "Invoke-WebRequest", "Invoke-RestMethod", or "Net.WebClient" is present in the original field of the event. These are common PowerShell commands used for downloading content from the internet.

9- Perform a hunt for obfuscated PowerShell commands

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and "EncodedCommand" IN event.original

This query searches for events with the code 4103 or 4104 from the Microsoft-Windows-PowerShell provider. Code 4103 indicates that a PowerShell script block was executed, while code 4104 indicates that a PowerShell command was executed. The query checks if the string "EncodedCommand" is present in the original field of the event, which indicates that the PowerShell command was obfuscated.

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and ("Out-String -Stream | %{$_ -replace" IN event.original)

This query searches for events with the code 4103 or 4104 from the Microsoft-Windows-PowerShell provider, and checks if the original field of the event contains the string "Out-String -Stream | %{$_ -replace". This string is commonly used to obfuscate PowerShell commands by converting them to a string, replacing certain characters, and then invoking them using the "&" operator.

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and ("--NoP -sta -NonI -Win" IN event.original)

This query searches for events with the code 4103 or 4104 from the Microsoft-Windows-PowerShell provider, and checks if the original field of the event contains the string "--NoP -sta -NonI -Win". This string is often used to obfuscate PowerShell commands by disabling PowerShell's default execution policy, running in a STA (Single-Threaded Apartment) mode, disabling interactive prompts, and running in a non-interactive session.

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and ("iex (new-object net.webclient)" IN event.original)

This query searches for events with the code 4103 or 4104 from the Microsoft-Windows-PowerShell provider, and checks if the original field of the event contains the string "$([Text.Encoding]::ASCII.GetString". This string is often used to obfuscate PowerShell commands by converting them to ASCII-encoded strings and then decoding them at runtime using the Text.Encoding class.

okay okay PowerShell has a number of techniques that can be utilized to circumvent detection and analysts.
If any query returns any events, they may indicate obfuscated PowerShell commands. You can then investigate these events further using other features of the ELK SIEM solution, such as visualization, timeline analysis, or threat intelligence lookups, to determine if they are indeed malicious.

------------------------------------------------------

PreviousRDP Cache Forensics NextHunting with elk

Last updated 3 months ago

(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND (process.command_line:(*Empire* OR *PowerSploit* OR *Mimikatz* OR *PowershellEmpire* OR *Inveigh* OR *BloodHound* OR *PowerUp* OR *nishang* OR *Seatbelt* OR *SharpHound*) OR process.command_line:(*Invoke-Mimikatz* OR *Invoke-SharpHound* OR *Invoke-Inveigh* OR *Invoke-BloodHound* OR *Invoke-Phant0m* OR *Invoke-StealthUser* OR *Invoke-PortScan* OR *Invoke-TokenManipulation* OR *PowerView.ps1* OR *PowerUp.ps1*))

(event.code:4688 OR event.code:1) AND process.name:"powershell.exe" AND (process.command_line:(*'-encodedcommand'* OR '*-encodedcommand'*) OR process.command_line:(*'-enc'* OR '*-enc'*) OR process.command_line:(*'-encoded'* OR '*-encoded'*)) AND process.command_line:(*base64*)

(event.code: 4103 or event.code: 4104) and event.provider: "Microsoft-Windows-PowerShell" and ("Invoke-WebRequest" IN event.original or "Invoke-RestMethod" IN event.original or "Net.WebClient" IN event.original)