This artifact by itself only indicates that the PowerPick tool may have been invoked on the client. To capture additional context, ensure that Powershell script block and module logging are enabled on the clients and deploy the Windows.ETW.Powershell artifact from the Exchange.
This artifact is based on on PowerPick research by Crowdstrike in https://www.crowdstrike [.]com/blog/getting-the-bacon-from-cobalt-strike-beacon/
As noted in the blog post, when PowerPick tool is run, the PowerShell logs on the target system may contain an EID 400 event where the HostVersion and EngineVersion fields in the message have different values.
In recent puprle team exercises, we observed that the mismatched HostVersion value was always “1.0”, providing a simple way to monitor for this activity as a backup to other PowerShell or CobaltStrike rules.
If this artifact generates an event on a client, check the PowerShell Operational logs for suspicious 410x events (especially 4104). If the Windows.ETW.Powershell artifact is also enabled on the client and did not fire an event, update that artifact’s IOC list with the new information and redeploy it.
name: Alert.Windows.EVTX.PowerPickHostVersion
author: sbattaglia-r7
description: |
This artifact by itself only indicates that the PowerPick tool may have
been invoked on the client. To capture additional context, ensure that
Powershell script block and module logging are enabled on the clients and
deploy the Windows.ETW.Powershell artifact from the Exchange.
-----
This artifact is based on on PowerPick research by Crowdstrike in
https://www.crowdstrike[.]com/blog/getting-the-bacon-from-cobalt-strike-beacon/
As noted in the blog post, when PowerPick tool is run, the PowerShell logs
on the target system may contain an EID 400 event where the
HostVersion and EngineVersion fields in the message have different values.
In recent puprle team exercises, we observed that the mismatched HostVersion
value was always "1.0", providing a simple way to monitor for this activity
as a backup to other PowerShell or CobaltStrike rules.
If this artifact generates an event on a client, check the PowerShell Operational
logs for suspicious 410x events (especially 4104). If the Windows.ETW.Powershell
artifact is also enabled on the client and did not fire an event, update that
artifact's IOC list with the new information and redeploy it.
# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT_EVENT
parameters:
- name: pseventLog
default: 'C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx'
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT
timestamp(epoch=int(int=System.TimeCreated.SystemTime)) AS EventTime,
System.Computer as Computer,
System.Channel as Channel,
System.Provider.Name as Provider,
System.EventID.Value as EventID,
System.EventRecordID as EventRecordID,
get(field="Message") as Message
FROM watch_evtx(filename=pseventLog)
WHERE EventID = 400 AND Message =~ 'HostVersion=1.0'