ID | Technique | Tactic |
---|---|---|
T1082 | System Information Discovery | Discovery |
T1016 | System Network Configuration Discovery | Discovery |
T1059.001 | PowerShell | Execution |
Detection: Windows PowerShell Invoke-RestMethod IP Information Collection
Description
The following analytic detects the use of PowerShell's Invoke-RestMethod cmdlet to collect geolocation data from ipinfo.io or IP address information from api.ipify.org. This behavior leverages PowerShell Script Block Logging to identify scripts that gather external IP information and potential geolocation data. This activity is significant as it may indicate reconnaissance efforts, where threat actors are attempting to determine the geographical location or network details of a compromised system. While some legitimate software may use these services, this pattern is commonly observed in malware and post-exploitation toolkits like those used by Water Gamayun threat actors.
Search
1`powershell` EventCode=4104 (ScriptBlockText="*Invoke-RestMethod*" AND (ScriptBlockText="*ipinfo.io*" OR ScriptBlockText="*api.ipify.org*"))
2| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| `windows_powershell_invoke_restmethod_ip_information_collection_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Powershell Script Block Logging 4104 | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational' |
Macros Used
Name | Value |
---|---|
powershell | (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" OR source=WinEventLog:PowerShellCore/Operational OR source="XmlWinEventLog:PowerShellCore/Operational") |
windows_powershell_invoke_restmethod_ip_information_collection_filter | search * |
windows_powershell_invoke_restmethod_ip_information_collection_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
Some legitimate applications or administrative scripts may use these services for IP validation or geolocation. Filter as needed for approved administrative tools.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A PowerShell script on $dest$ is collecting external IP or geolocation information using Invoke-RestMethod.
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest | system | 45 | No Threat Objects |
References
-
https://securityintelligence.com/posts/new-threat-actor-water-gamayun-targets-telecom-finance/
-
https://www.ncsc.gov.uk/report/weekly-threat-report-12th-april-2024
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1