-
Notifications
You must be signed in to change notification settings - Fork 11
Analysis Modules
Scott Sutherland edited this page Mar 29, 2022
·
15 revisions
Analysis modules are used to filter collected data in a way that makes it easier to find known threats, suspicious behavior, and environmental anomalies. Additionally, the .csv files generated from the filtering can be consumed by another tool like Jupyter notebooks.
All analysis modules are automatically loaded from the windows\modules\analysis folder and ran offline against collected data sources based on matching module names. For example, all analysis modules that start with "analysis-tasks" will be ran against the "collect-tasks" data source. It's not very elegant, but it's functional and seems to make adding new modules easy as long as you name them correctly. :)
Analysis modules are broken into two types:
| Analysis Type | Description | Path |
|---|---|---|
| Search | These are analysis modules that perform detection of artifacts associated with known bad behavior. | windows\modules\analysis\search |
| Stack | These are analysis modules that perform anomaly detection via stacking or frequency analysis | windows\modules\analysis\stack |
By default, all analysis modules will be run. To run a subset of the analysis modules simply remove the modules you dont want to run.
Module Template
Below is a basic module template.
# Script : Invoke-PowerHunt
# Module : analyze-tasks-outlier-owner
# Version: 1.0
# Author : Scott Sutherland
# Summary: This is script is part of the PowerHunt framework. This looks for unusual ownership of the executables run out of tasks.
# License: 3-clause BSD
# Filter out common owners
$AnalysisResult = $CollectedData | where {($_.fileowner -notlike 'NT SERVICE\TrustedInstaller' -and $_.fileowner -notlike 'NT AUTHORITY\SYSTEM' -and $_.fileowner -notlike "BUILTIN\Administrators" -and $_.fileowner -notlike "")}
# Save result details
$AnalysisModuleFileName = $_.name -replace(".ps1",".csv")
$Time = Get-Date -UFormat "%m/%d/%Y %R"
$AnalysisResult | Export-Csv -NoTypeInformation "$OutputDirectory\analysis\$AnalysisSubDir\Hunt-$AnalysisModuleFileName"
# Save result summary
$AnalysisModuleFileName = $_.name -replace(".ps1","-counts.csv")
$FinalOutput = $AnalysisResult | group FileOwner | Sort-Object count -Descending | select count,name
$FinalOutput | Export-Csv -NoTypeInformation "$OutputDirectory\analysis\$AnalysisSubDir\Hunt-$AnalysisModuleFileName"
# Count instances
$InstanceCount = $FinalOutput | measure | select count -expandproperty count
# Save summary metrics
$null = $ModuleOutputSummary.Rows.Add("$AnalysisModuleName","$ModuleType","$AnalysisType","$InstanceCount")
Standardized Variables
- $CollectedData is handed to the analysis module by PowerHunt and contains all the data from the associated collection script. Analysis operations are performed against this data set.
- $FinalOutput usually contains a list of all final analysis results. It is then used to write the csv/html files and count instances.
- $ModuleOutputSummary is an object used to store summary data from all modules run.
Below is a summary of the currently supported analysis modules.
| Module Name |
Data Source | Mitre ATT&CK ID |
|---|---|---|
| analyze-events-4732-add-user-by-remotecomputer | collect-events-4732 | T1053.002 |
| analyze-events-4732-add-user-by-workgroup | collect-events-4732 | T1053.002 |
| analyze-events-4732-add-user-computeraccount | collect-events-4732 | T1053.002 |
| analyze-events-4732-add-user | collect-events-4732 | T1053.002 |
| analyze-installed-software-mgmt | collect-installed-software | T1219 |
| analyze-installed-software-offsec | collect-installed-software | T1505 |
| analyze-named-pipes-known-bad | collect-named-pipes | T1570 |
| analyze-services-badpath | collect-services | T1569.002 |
| analyze-services-dotnet | collect-services | T1569.002 |
| analyze-services-lolbas | collect-services | T1569.002 |
| analyze-services-mgmt-software | collect-services | T1219 |
| analyze-services-offsec-software | collect-services | T1569.002 |
| analyze-services-outlier-file-owner | collect-services | T1569.002 |
| analyze-services-unsigned | collect-services | T1569.002 |
| analyze-startup-files-allusers-dotnet | collect-startup-files-allusers | T1547.001 |
| analyze-startup-files-allusers-lolbas | collect-startup-files-allusers | T1547.001 |
| analyze-startup-files-allusers-mgmt-software | collect-startup-files-allusers | T1219 |
| analyze-startup-files-allusers-offsec-software | collect-startup-files-allusers | T1547.001 |
| analyze-startup-files-allusers-outlier-file-owner | collect-startup-files-allusers | T1547.001 |
| analyze-startup-files-allusers-unsigned | collect-startup-files-allusers | T1547.001 |
| analyze-startup-registry-run-badpath | collect-startup-registry-run | T1547.001 |
| analyze-startup-registry-run-dotnet | collect-startup-registry-run | T1547.001 |
| analyze-startup-registry-run-lolbas | collect-startup-registry-run | T1547.001 |
| analyze-startup-registry-run-mgmt-software | collect-startup-registry-run | T1219 |
| analyze-startup-registry-run-offsec-software | collect-startup-registry-run | T1547.001 |
| analyze-startup-registry-run-outlier-file-owner | collect-startup-registry-run | T1547.001 |
| analyze-startup-registry-run-unsigned | collect-startup-registry-run | T1547.001 |
| analyze-tasks-dotnet | collect-tasks | T1053.002 |
| analyze-tasks-lolbas | collect-tasks | T1053.002 |
| analyze-tasks-mgmt-software | collect-tasks | T1219 |
| analyze-tasks-offsec-software | collect-tasks | T1053.002 |
| analyze-tasks-outlier-file-owner | collect-tasks | T1053.002 |
| analyze-tasks-unsigned | collect-tasks | T1053.002 |
| analyze-wmi-bindings | collect-wmi-bindings | T1546.003 |
| analyze-wmi-bindings-creatorsid | collect-wmi-bindings | T1546.003 |