How to monitor and detect malicious PowerShell scripts?

In today’s threat landscape more and more threats like fileless malware and ransomware leverage PowerShell during the exploitation stage. In this post I have written some of the best ways to monitor and detect malicious PowerShell scripts.

Let’s begin with some of the best practices for using PowerShell in your environment

  • Limit PowerShell to only authorized users like developers and administrators.
  • Configure your device control security products to block PowerShell execution from unknown parent process like Excel, Word.
  • Restrict PowerShell execution to signed scripts and trusted scripts used for administration.
  • Do not store passwords in plaintext in your powershell scripts.

Monitoring PowerShell Execution

  • Enable PowerShell logging.
  • Monitor PowerShell process execution from unknown process like browsers, word, excel etc.
Events of Interests to monitor.
Event IDDescription
400Engine state is changed from None to Available
600Provider WSMan Is Started
403Engine state is changed from Available to Stopped
7040The start type of the Windows Remote Management (WS-Management) service was changed from [disabled / demand start] to auto start.
10148The WinRM service is listening for WS-Management requests
169User [DOMAIN\Account] authenticated successfully using [authentication_protocol
4688(“A new process has been created”) – includes account name, domain, and executable name in the event message.  
8006“[script_path] was allowed to run but would have been prevented from running if the AppLocker policy were enforced”)  
8005(“[script_path] was allowed to run”).

From the above list, event ID 4688 is an important Windows Security Event, where you can capture the full code executed in PowerShell scripts.

Monitor the following PowerShell commands.

These commands are used by malwares. To avoid noise exclude known application using these commands regularly.

  • Set-ExecutionPolicy, Set-MasterBootRecord
  • Get-WMIObject, Get-GPPPassword, Get-Keystrokes, Get-TimedScreenshot, Get-VaultCredential, Get-ServiceUnquoted, Get-ServiceEXEPerms, Get-ServicePerms, Get-RegAlwaysInstallElevated, Get-RegAutoLogon,Get-UnattendedInstallFiles, Get-Webconfig, Get-ApplicationHost, Get-PassHashes, Get-LsaSecret, Get-Information, Get-PSADForestInfo, Get-KerberosPolicy, Get-PSADForestKRBTGTInfo, Get-PSADForestInfo, Get-KerberosPolicy
  • Invoke-Command, Invoke-Expression, iex, Invoke-Shellcode, Invoke--Shellcode, Invoke-ShellcodeMSIL, Invoke-MimikatzWDigestDowngrade, Invoke-NinjaCopy, Invoke-CredentialInjection, Invoke-TokenManipulation, Invoke-CallbackIEX, Invoke-PSInject, Invoke-DllEncode, Invoke-ServiceUserAdd, Invoke-ServiceCMD, Invoke-ServiceStart,
    Invoke-ServiceStop, Invoke-ServiceEnable, Invoke-ServiceDisable, Invoke-FindDLLHijack, Invoke-FindPathHijack, Invoke-AllChecks, Invoke-MassCommand, Invoke-MassMimikatz, Invoke-MassSearch, Invoke-MassTemplate, Invoke-MassTokens, Invoke-ADSBackdoor, Invoke-CredentialsPhish, Invoke-BruteForce, Invoke-PowerShellIcmp, Invoke-PowerShellUdp, Invoke-PsGcatAgent, Invoke-PoshRatHttps, Invoke-PowerShellTcp, Invoke-PoshRatHttp, Invoke-PowerShellWmi, Invoke-PSGcat, Invoke-Encode, Invoke-Decode, Invoke-CreateCertificate, Invoke-
    NetworkRelay,
  • EncodedCommand, New-ElevatedPersistenceOption, wsman, Enter-PSSession, DownloadString, DownloadFile
  • Out-Word, Out-Excel, Out-Java, Out-Shortcut, Out-CHM, Out-HTA, Out-Minidump, HTTP-Backdoor, Find-AVSignature, DllInjection, ReflectivePEInjection, Base64, System.Reflection, System.Management
  • Restore-ServiceEXE, Add-ScrnSaveBackdoor, Gupt-Backdoor, Execute-OnTime, DNS_TXT_Pwnage, Write- UserAddServiceBinary, Write-CMDServiceBinary, Write-UserAddMSI, Write-ServiceEXE, Write-ServiceEXECMD,
  • Enable-DuplicateToken , Remove-Update, Execute-DNSTXT-Code, Download-Execute-PS, Execute-Command-MSSQL, Download_Execute, Copy-VSS, Check-VM, Create-MultipleSessions, Run-EXEonRemote, Port-Scan, Remove-PoshRat, TexttoEXE, Base64ToString, StringtoBase64, Do-Exfiltration, Parse_Keys, Add-Exfiltration, Add-Persistence, Remove-Persistence, Find-PSServiceAccounts, Discover-PSMSSQLServers, Discover-PSMSExchangeServers, Discover-PSInterestingServices, Discover-PSMSExchangeServers, Discover-PSInterestingServices
  • Mimikatz, powercat, powersploit, PowershellEmpire, Payload, GetProcAddress

Detection Techniques

2 Comments »

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s