Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Observable-Submission]: PowerShell 4104: ScriptBlockText #55

Open
michael5486 opened this issue Aug 9, 2023 · 0 comments
Open

[Observable-Submission]: PowerShell 4104: ScriptBlockText #55

michael5486 opened this issue Aug 9, 2023 · 0 comments
Assignees
@marvel90120

Comments

@michael5486
Copy link
Contributor

Observable

PowerShell EventID 4104 ScriptBlockText

Observable Placement

Level 2, Column A

Research

When detecting for specific values in ScriptBlockText, we're basically looking for a string representation of another observable. For example, this could be a registry key, config file, file, or process name. However, it is easy for an adversary to alter values in ScriptBlockText...they can mangle strings, split into multiple values, permutate or do operations like XOR so that the output value is as desired, but the actual text in the script is obfuscated.

Additional Notes

See https://github.com/center-for-threat-informed-defense/summiting-the-pyramid/blob/main/docs/analytics/service_registry_permissions_weakness_check.rst for additional information

Contributed By

michael5486, RobertSchull
@michael5486 michael5486 changed the title [Observable-Submission]: [Observable-Submission]: PowerShell 4104: ScriptBlockText Aug 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marvel90120 marvel90120

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michael5486 @marvel90120