DSC (Desired State Configuration) lateral movement using PowerShell

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

Attacker's Goals

Execute malicious content on and move laterally across machine in the network.

Investigative actions

  • Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102.
  • Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

Variations

DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

An attacker may use the DSC feature with PowerShell to execute script remotely on a machine.

Attacker's Goals

Execute malicious content on and move laterally across machine in the network.

Investigative actions

  • Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102.
  • Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.
  • The executed script is logged under Event ID 4104.


DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An attacker may use the DSC feature with PowerShell to create and execute a service on the host.

Attacker's Goals

Execute malicious content on and move laterally across machine in the network.

Investigative actions

  • Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102.
  • Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.


DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values.

Attacker's Goals

Execute malicious content on and move laterally across machine in the network.

Investigative actions

  • Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102.
  • Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.