Detection rules › Splunk
PowerHuntShares Commands (PowerShell)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts). Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. This use case detects PowerHuntShares' commands used for network share/account/remote system discovery.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1018 Remote System Discovery, T1087 Account Discovery, T1135 Network Share Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
Rule body yaml
id: '31298.56019'
title: PowerHuntShares Commands
description: Adversaries may look for folders and drives shared on remote systems
as a means of identifying sources of information to gather as a precursor for Collection
and to identify potential systems of interest for Lateral Movement. Networks often
contain shared network drives and folders that enable users to access file directories
on various systems across a network. Adversaries may attempt to get a listing of
valid accounts, usernames, or email addresses on a system or within a compromised
environment. This information can help adversaries determine which accounts exist,
which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks,
or account takeovers (e.g., Valid Accounts). Adversaries may attempt to get a listing
of other systems by IP address, hostname, or other logical identifier on a network
that may be used for Lateral Movement from the current system. This use case detects
PowerHuntShares' commands used for network share/account/remote system discovery.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR
"<EventID>4103<" TERM(EventCode=4103) OR "<EventID>4103<") (TERM(Invoke-HuntSMBShares)
OR TERM(Get-CardCreationTime) OR TERM(Get-CardLastAccess) OR TERM(Get-CardLastModified)
OR TERM(Get-PercentDisplay) OR TERM(Get-ExPrivSumData) OR TERM(Get-GroupOwnerBar)
OR TERM(Get-GroupNameBar) OR TERM(Get-GroupFileBar) OR TERM(Get-UserAceCounts) OR
TERM(Convert-DataTableToHtmlTable) OR TERM(Convert-DataTableToHtmlReport) OR TERM(Get-FolderGroupMd5)
OR TERM(Get-LdapQuery) OR TERM(Get-DomainSubnet) OR TERM(Invoke-Parallel) OR TERM(checkSubnet))
| table _time, host, user, process | bin span=1s | stats values(*) as * by _time,
host '
techniques:
- discovery:network share discovery
- discovery:account discovery
- discovery:remote system discovery
technique_id:
- T1135
- T1087
- T1018
data_category:
- PowerShell logs
references:
- https://attack.mitre.org/techniques/T1135/
- https://attack.mitre.org/techniques/T1087/
- https://attack.mitre.org/techniques/T1018/
- https://github.com/NetSPI/PowerHuntShares/tree/main
- https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR "<EventID>4103<" TERM(EventCode=4103) OR "<EventID>4103<") (TERM(Invoke-HuntSMBShares) OR TERM(Get-CardCreationTime) OR TERM(Get-CardLastAccess) OR TERM(Get-CardLastModified) OR TERM(Get-PercentDisplay) OR TERM(Get-ExPrivSumData) OR TERM(Get-GroupOwnerBar) OR TERM(Get-GroupNameBar) OR TERM(Get-GroupFileBar) OR TERM(Get-UserAceCounts) OR TERM(Convert-DataTableToHtmlTable) OR TERM(Convert-DataTableToHtmlReport) OR TERM(Get-FolderGroupMd5) OR TERM(Get-LdapQuery) OR TERM(Get-DomainSubnet) OR TERM(Invoke-Parallel) OR TERM(checkSubnet))
Stage 2: table
| table _time, host, user, process
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | TERM |
| 1 | "<EventID>4103<" |
| 1 | "Invoke-HuntSMBShares" |
| 1 | "Get-CardCreationTime" |
| 1 | "Get-CardLastAccess" |
| 1 | "Get-CardLastModified" |
| 1 | "Get-PercentDisplay" |
| 1 | "Get-ExPrivSumData" |
| 1 | "Get-GroupOwnerBar" |
| 1 | "Get-GroupNameBar" |
| 1 | "Get-GroupFileBar" |
| 1 | "Get-UserAceCounts" |
| 1 | "Convert-DataTableToHtmlTable" |
| 1 | "Convert-DataTableToHtmlReport" |
| 1 | "Get-FolderGroupMd5" |
| 1 | "Get-LdapQuery" |
| 1 | "Get-DomainSubnet" |
| 1 | "Invoke-Parallel" |
| 1 | TERM |
| 1 | checkSubnet |