July 21, 2021
A major risk for a SIEM or SOAR is not effectively using the key PowerShell logs it collects.
In the earlier parts we discussed the risk of incorrect or empty logs, and of missing the logging that advanced detection requires; once you do have those logs, we cannot assume machine learning and behavior modeling will detect everything.
In part three of our PowerShell tutorial series, we look at augmenting Exabeam's out-of-the-box rules with some custom rules derived from SANS discussions on what to monitor.
One of our friends, Andrew Travis, was kind enough to collaborate and create the rules we use to detect things that might not be addressed by your current SIEM or considered by the ML.
We have been collecting and reviewing PowerShell logs, a critical component of detection within the Windows OS. The rules we are sharing here cover the behaviors SANS points out as worth detecting when attackers try to evade detection:
- Encrypted argument in a PowerShell command detected
- ExecutionPolicy Bypass argument in a PowerShell command detected
- Hidden argument in a PowerShell command detected
- Hide Powershell History in PSReadLine
- Invoke-Expression argument in a PowerShell command detected
- NoProfile argument in a PowerShell command detected
- Non-Interactive argument in a PowerShell command detected
In the first article, we forced transcription logging so we can revisit previously issued commands in detail. In the second article, we reviewed all the extra channels in which PowerShell logs reside.
Exabeam has amazing ML and plenty of rules, so our goal is to augment existing rules by contributing risk to sessions (user/account/asset) around scenarios that are much less likely to occur in day-to-day business.
Without further ado, let's look at the rules. Note that these are all FACT-based rules, or “finding the needle in the haystack”, which is why writing the correct logs and collecting them really matters.
Feel free to adjust the scores as well, but remember that 90 is where a session becomes notable, so any one of these can create an incident on its own if you skew its score from 30 up to 90.
Any ExecutionPolicy Bypass argument will trigger that rule; minor false positives have occurred, but all were worth reviewing.
We really hope to never see this one. This is one of the reasons for mandatory transcription!
We would be interested in hearing from you if you have scenarios where this would be considered a false positive.
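To show how the seven rules above contribute risk to a session, here is an added example that is not Castra's or Exabeam's rule syntax: each rule becomes a case-insensitive regex over the PowerShell process command line, scored 30 per hit against the notable level of 90. The switch spellings and abbreviations each rule matches are my assumptions, including reading the “Encrypted argument” rule as the `-EncodedCommand` switch, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Added example, not Castra's or Exabeam's rule syntax. 30 per hit and 90 as
# the notable level are the values the post quotes; the switch spellings and
# abbreviations matched below are my assumptions about each rule's intent.
RULE_SCORE = 30
NOTABLE = 90

RULES = {
    "Encrypted argument in a PowerShell command detected":
        r"(?<!\S)-e(?:c|nc[a-z]*)?\s+[A-Za-z0-9+/=]{8,}",
    "ExecutionPolicy Bypass argument in a PowerShell command detected":
        r"(?<!\S)-e(?:p|x[a-z]*)\s+bypass\b",
    "Hidden argument in a PowerShell command detected":
        r"(?<!\S)-w[a-z]*\s+hidden\b",
    "Hide Powershell History in PSReadLine":
        r"set-psreadlineoption\b.*-historysavestyle\s+savenothing\b|remove-module\s+psreadline\b",
    "Invoke-Expression argument in a PowerShell command detected":
        r"\b(?:invoke-expression|iex)\b",
    "NoProfile argument in a PowerShell command detected":
        r"(?<!\S)-nop[a-z]*\b",
    "Non-Interactive argument in a PowerShell command detected":
        r"(?<!\S)-noni[a-z]*\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def triggered_rules(cmdline):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def score_sessions(events):
    """Sum per-rule scores by user session; a session is notable at >= NOTABLE."""
    sessions = defaultdict(lambda: {"score": 0, "rules": [], "notable": False})
    for user, cmdline in events:
        hits = triggered_rules(cmdline)
        s = sessions[user]
        s["score"] += RULE_SCORE * len(hits)
        s["rules"].extend(hits)
        s["notable"] = s["score"] >= NOTABLE
    return dict(sessions)

# Constructed sample events (user, process command line), not real telemetry.
SAMPLE_EVENTS = [
    ("alice", 'powershell.exe -NoProfile -Command "Get-Service"'),
    ("bob", "powershell.exe -nop -w hidden -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ("carol", 'powershell.exe -Command "Set-PSReadLineOption -HistorySaveStyle SaveNothing"'),
]
```

Running `score_sessions(SAMPLE_EVENTS)` gives alice and carol 30 each and bob 120, so only bob's session crosses the notable level from these rules alone.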
We hope this helps.
If you have any questions about these instructions, please reach out to Castra so that we can help walk you through these concepts. We are constantly attempting to improve our repository of best practice rules, dashboards, and visualizations used in Exabeam.