| ID | Technique | Tactic |
|---|---|---|
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1027.005 | Indicator Removal from Tools | Defense Evasion |
| T1059.001 | PowerShell | Execution |
Detection: Powershell Creating Thread Mutex
Description
The following analytic detects the execution of PowerShell scripts using the mutex function via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create thread mutexes, a technique often used in obfuscated scripts to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.
Search
1`powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*"
2| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
3| rename Computer as dest
4|rename UserID as user
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `powershell_creating_thread_mutex_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Powershell Script Block Logging 4104 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational' |
Macros Used
| Name | Value |
|---|---|
| powershell | (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational") |
| powershell_creating_thread_mutex_filter | search * |
powershell_creating_thread_mutex_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
powershell developer may used this function in their script for instance checking too.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A suspicious powershell script contains Thread Mutex on host $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 40 | No Threat Objects |
| dest | system | 40 | No Threat Objects |
References
-
https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/
-
https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 6