-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-11-005.yaml
46 lines (46 loc) · 2.76 KB
/
CAR-2020-11-005.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
title: Clear Powershell Console Command History
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-005
description: |-
Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console, or turning off history saving to begin with. This analytic looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may very a bit if the history file is not saved in the default path on a particular system.
coverage:
- technique: T1070
tactics:
- TA0005
subtechniques:
- T1070.003
coverage: Low
implementations:
- name: Pseudocode - clear or disable Powershell console history via commandline
description: This is a pseudocode representation of the below splunk search.
code: |-
processes = search Process:Create
clear_commands = filter processes where (
command_line ="*rm (Get-PSReadlineOption).HistorySavePath*" OR command_line="*del (Get-PSReadlineOption).HistorySavePath*" OR command_line="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command_line="*Remove-Item (Get-PSReadlineOption).HistorySavePath*") OR command_linee="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt")
output clear_commands
data_model: CAR native
type: Pseudocode
- name: Splunk Search - clear command history via Powershell
description: Look for powershell commands that would clear command history
code: |-
(index=__your_sysmon_index__ EventCode=1) (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="del*Microsoft\\Windows\\Powershell\\PSReadline\\ConsoleHost_history.txt")
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - clear command history via Powershell
description: Look for powershell commands that would clear command history
code: |-
norm_id=WindowsSysmon event_id=1 (command="*rm (Get-PSReadlineOption).HistorySavePath*" OR command="*del (Get-PSReadlineOption).HistorySavePath*" OR command="*Set-PSReadlineOption –HistorySaveStyle SaveNothing*" OR command="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR command="del*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt")
data_model: LogPoint native
type: LogPoint
data_model_references:
- process/create/exe
- process/create/command_line