mattifestation revised this gist
Jan 11, 2016 . 1 changed file with 4 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -138,7 +138,7 @@ $ObjectInstanceEnum = { $ClassName = $Event.ClassName Write-Warning @" SIGNATURE: Process listing detected Date/Time: $EventTime Class Name: $ClassName @@ -194,9 +194,9 @@ $ClassCreationArgs = @{ Namespace = 'root/cimv2' } #Trigger upon process enumeration $ObjectInstanceEnumArgs = @{ Query = 'SELECT * FROM MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre WHERE ClassName="Win32_Process"' Action = $ObjectInstanceEnum SourceIdentifier = 'ObjectEnumeration' Namespace = 'root/cimv2' @@ -212,4 +212,4 @@ Register-WmiEvent @RegistryOperationArgs Register-WmiEvent @WMIPersistenceArgs Register-WmiEvent @ClassCreationArgs Register-WmiEvent @ObjectInstanceEnumArgs #endregion -
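Review bot: The reworked "Process listing detected" alert in the hunk at line 138 still reports only `$ClassName`, while every other alert in this script also prints who performed the operation; the sibling `MSFT_WmiProvider_ExecMethodAsyncEvent_Pre` handlers read `$Event.User` and `$Event.Namespace`, and since `MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre` is the same provider-operation event family those fields should be available here too (worth confirming on a live event). I would add `$User = $Event.User` next to the `$ClassName` assignment and a `User: $User` line to the here-string, because a process listing by an unexpected principal is the actual signal an analyst needs. Separately, the new query `WHERE ClassName="Win32_Process"` may be tripped by this script's own `Get-WmiObject ... FROM Win32_Process` lookup in `$PSHostProcessStarted`, depending on whether that query is serviced as an enumeration; if so each PowerShell-host alert would be followed by a self-inflicted enumeration alert, and a short comment noting that expected noise would help. The enclosing `$ObjectInstanceEnum` scriptblock begins outside this hunk.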
mattifestation created this gist
Jan 11, 2016 .There are no files selected for viewing
@@ -0,0 +1,215 @@ #region Scriptblocks that will execute upon alert trigger $LateralMovementDetected = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $MethodName = $Event.MethodName $Namespace = $Event.Namespace $Object = $Event.ObjectPath $User = $Event.User $CommandLine = $Event.InputParameters.CommandLine Write-Warning @" SIGNATURE: Lateral movement attempt Date/Time: $EventTime User: $User Namespace: $Namespace Object: $Object Method Executed: $MethodName Command Executed: $CommandLine "@ } $RemoteRegistryOperation = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $MethodName = $Event.MethodName $Namespace = $Event.Namespace $Object = $Event.ObjectPath $User = $Event.User Write-Warning @" SIGNATURE: WMI registry operation attempt Date/Time: $EventTime User: $User Namespace: $Namespace Object: $Object Method Executed: $MethodName Keys/values modified/deleted/created/enumerated: TODO... "@ } $StandardPersistenceOperation = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $Name = $Event.TargetInstance.Name $Location = $Event.TargetInstance.Location $Command = $Event.TargetInstance.Command Write-Warning @" SIGNATURE: Standard persistence Date/Time: $EventTime Persistence Location: $Location Name: $Name Command: $Command "@ } $PSHostProcessStarted = { $Event = $EventArgs.NewEvent $LoadTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $PID = $Event.ProcessID # Note: The host process may already have exited by now. # This is a better method for catching any PowerShell host process though. 
$ProcInfo = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE ProcessId=$PID" -ErrorAction SilentlyContinue $CommandLine = $ProcInfo.CommandLine $ProcessName = $ProcInfo.Name Write-Warning @" SIGNATURE: Host PowerShell process started Date/Time: $LoadTime Process ID: $PID Process Name: $ProcessName Command Line: $CommandLine "@ } $WMIPersistence = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $Binding = $Event.TargetInstance $Consumer = Get-WmiObject -Namespace root/subscription -Query "ASSOCIATORS OF {$($Binding.Filter)}" $Filter = Get-WmiObject -Namespace root/subscription -Query "ASSOCIATORS OF {$($Binding.Consumer)}" $FilterName = $Filter.Name $FilterQuery = $Filter.Query $ConsumerName = $Consumer.Name $ConsumerCommand = $Consumer.CommandLineTemplate Write-Warning @" SIGNATURE: WMI persistence detected Date/Time: $EventTime Filter Name: $FilterName Filter Query: $FilterQuery Consumer Name: $ConsumerName Consumer Command Line: $ConsumerCommand "@ } $ClassCreated = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $ClassName = $Event.TargetClass.__CLASS Write-Warning @" SIGNATURE: WMI class created Date/Time: $EventTime Class Name: $ClassName "@ } $ObjectInstanceEnum = { $Event = $EventArgs.NewEvent $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED) $Global:Foo = $Event $ClassName = $Event.ClassName Write-Warning @" SIGNATURE: WMI object enumeration detected Date/Time: $EventTime Class Name: $ClassName "@ } #endregion #region Alert definitions # Trigger on executing code via the Win32_Process Create method $LateralMovementArgs = @{ Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"' Action = $LateralMovementDetected SourceIdentifier = 'LateralMovementDetection' } # Trigger on any method invocation on the StdRegProv class # Note: the following extrinsic classes are great for detecting registry 
modification but they only detect changes to the HKLM hive: # RegistryKeyChangeEvent, RegistryTreeChangeEvent, RegistryValueChangeEvent $RegistryOperationArgs = @{ Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="StdRegProv"' Action = $RemoteRegistryOperation SourceIdentifier = 'RegistryOperationDetection' } # Trigger on any additions to the startup folder or run keys $StandardPersistenceArgs = @{ Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA "Win32_StartupCommand"' Action = $StandardPersistenceOperation SourceIdentifier = 'StandardPersistenceOperation' } # Trigger on any process that loads the PowerShell DLL - System.Management.Automation[.ni].dll $PSHostProcArgs = @{ Query = 'SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"' Action = $PSHostProcessStarted SourceIdentifier = 'PowerShellHostProcessStarted' } # Trigger upon creation of a permanent WMI event subscription - i.e. 
WMI persistence $WMIPersistenceArgs = @{ Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA "__FilterToConsumerBinding"' Action = $WMIPersistence SourceIdentifier = 'WMIPersistenceDetection' Namespace = 'root/subscription' } # Trigger upon creation of a WMI class - TTP of APT28 $ClassCreationArgs = @{ Query = 'SELECT * FROM __ClassCreationEvent' Action = $ClassCreated SourceIdentifier = 'ClassCreated' Namespace = 'root/cimv2' } #Trigger upon class instance enumeration $ObjectInstanceEnumArgs = @{ Class = 'MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre' Action = $ObjectInstanceEnum SourceIdentifier = 'ObjectEnumeration' Namespace = 'root/cimv2' } #endregion #region Alert registration Register-WmiEvent @LateralMovementArgs Register-WmiEvent @PSHostProcArgs Register-WmiEvent @StandardPersistenceArgs Register-WmiEvent @RegistryOperationArgs Register-WmiEvent @WMIPersistenceArgs Register-WmiEvent @ClassCreationArgs Register-WmiEvent @ObjectInstanceEnumArgs #endregion
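Review bot: In `$PSHostProcessStarted`, `$PID = $Event.ProcessID` assigns to PowerShell's read-only automatic variable `$PID`, so the assignment fails with a cannot-overwrite error and the following `SELECT * FROM Win32_Process WHERE ProcessId=$PID` resolves to the monitoring host's own process rather than the one that loaded System.Management.Automation; the alert then reports the wrong name and command line. Rename it throughout that block, e.g. `$TargetPid = $Event.ProcessID`, `"... WHERE ProcessId=$TargetPid"` and `Process ID: $TargetPid`. `$Global:Foo = $Event` in `$ObjectInstanceEnum` looks like a debugging leftover that leaks every event object into the global scope and should be removed. The `Keys/values ... TODO` line in `$RemoteRegistryOperation` could be filled in the same way `$LateralMovementDetected` already reads `$Event.InputParameters.CommandLine`, since StdRegProv method arguments such as `hDefKey` and `sSubKeyName` arrive through `$Event.InputParameters`.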