How to monitor and detect malicious PowerShell scripts?
In today’s threat landscape more and more threats like fileless malware and ransomware leverage PowerShell during the exploitation stage. In this post I have written some of the best ways to monitor and detect malicious PowerShell scripts.
Let’s begin with some of the best practices for using PowerShell in your environment
- Limit PowerShell to only authorized users like developers and administrators.
- Configure your device control security products to block PowerShell execution from unknown parent process like Excel, Word.
- Restrict PowerShell execution to signed scripts and trusted scripts used for administration.
- Do not store passwords in plaintext in your powershell scripts.
Monitoring PowerShell Execution
- Enable PowerShell logging.
- Monitor PowerShell process execution from unknown process like browsers, word, excel etc.
Events of Interests to monitor.
| Event ID | Description |
| 400 | Engine state is changed from None to Available |
| 600 | Provider WSMan Is Started |
| 403 | Engine state is changed from Available to Stopped |
| 7040 | The start type of the Windows Remote Management (WS-Management) service was changed from [disabled / demand start] to auto start. |
| 10148 | The WinRM service is listening for WS-Management requests |
| 169 | User [DOMAIN\Account] authenticated successfully using [authentication_protocol |
| 4688 | (“A new process has been created”) – includes account name, domain, and executable name in the event message. |
| 8006 | “[script_path] was allowed to run but would have been prevented from running if the AppLocker policy were enforced”) |
| 8005 | (“[script_path] was allowed to run”). |
From the above list, event ID 4688 is an important Windows Security Event, where you can capture the full code executed in PowerShell scripts.
Monitor the following PowerShell commands.
These commands are used by malwares. To avoid noise exclude known application using these commands regularly.
Set-ExecutionPolicy, Set-MasterBootRecordGet-WMIObject, Get-GPPPassword, Get-Keystrokes, Get-TimedScreenshot, Get-VaultCredential, Get-ServiceUnquoted, Get-ServiceEXEPerms, Get-ServicePerms, Get-RegAlwaysInstallElevated, Get-RegAutoLogon,Get-UnattendedInstallFiles, Get-Webconfig, Get-ApplicationHost, Get-PassHashes, Get-LsaSecret, Get-Information, Get-PSADForestInfo, Get-KerberosPolicy, Get-PSADForestKRBTGTInfo, Get-PSADForestInfo, Get-KerberosPolicyInvoke-Command, Invoke-Expression, iex, Invoke-Shellcode, Invoke--Shellcode, Invoke-ShellcodeMSIL, Invoke-MimikatzWDigestDowngrade, Invoke-NinjaCopy, Invoke-CredentialInjection, Invoke-TokenManipulation, Invoke-CallbackIEX, Invoke-PSInject, Invoke-DllEncode, Invoke-ServiceUserAdd, Invoke-ServiceCMD, Invoke-ServiceStart,
Invoke-ServiceStop, Invoke-ServiceEnable, Invoke-ServiceDisable, Invoke-FindDLLHijack, Invoke-FindPathHijack, Invoke-AllChecks, Invoke-MassCommand, Invoke-MassMimikatz, Invoke-MassSearch, Invoke-MassTemplate, Invoke-MassTokens, Invoke-ADSBackdoor, Invoke-CredentialsPhish, Invoke-BruteForce, Invoke-PowerShellIcmp, Invoke-PowerShellUdp, Invoke-PsGcatAgent, Invoke-PoshRatHttps, Invoke-PowerShellTcp, Invoke-PoshRatHttp, Invoke-PowerShellWmi, Invoke-PSGcat, Invoke-Encode, Invoke-Decode, Invoke-CreateCertificate, Invoke-
NetworkRelay,EncodedCommand, New-ElevatedPersistenceOption, wsman, Enter-PSSession, DownloadString, DownloadFileOut-Word, Out-Excel, Out-Java, Out-Shortcut, Out-CHM, Out-HTA, Out-Minidump, HTTP-Backdoor, Find-AVSignature, DllInjection, ReflectivePEInjection, Base64, System.Reflection, System.ManagementRestore-ServiceEXE, Add-ScrnSaveBackdoor, Gupt-Backdoor, Execute-OnTime, DNS_TXT_Pwnage, Write- UserAddServiceBinary, Write-CMDServiceBinary, Write-UserAddMSI, Write-ServiceEXE, Write-ServiceEXECMD,Enable-DuplicateToken , Remove-Update, Execute-DNSTXT-Code, Download-Execute-PS, Execute-Command-MSSQL, Download_Execute, Copy-VSS, Check-VM, Create-MultipleSessions, Run-EXEonRemote, Port-Scan, Remove-PoshRat, TexttoEXE, Base64ToString, StringtoBase64, Do-Exfiltration, Parse_Keys, Add-Exfiltration, Add-Persistence, Remove-Persistence, Find-PSServiceAccounts, Discover-PSMSSQLServers, Discover-PSMSExchangeServers, Discover-PSInterestingServices, Discover-PSMSExchangeServers, Discover-PSInterestingServicesMimikatz, powercat, powersploit, PowershellEmpire, Payload, GetProcAddress
Detection Techniques
- Here is an excellent list of Atomic PowerShell commands to execute and test your security controls provided by redcanary https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md These techniques are mapped in MITRE ATT&CK Framework.
- One of my favorite free tools Uncoder provides lot of PowerShell detection rules. Just search with the keyword PowerShell and you will find number of detection rules. Best part, you can get the rule in most of the leading SIEMs and EDR tools query language.
- Open source tools for hunting and validating PowerShell security.
Injection Hunter – https://devblogs.microsoft.com/powershell/powershell-injection-hunter-security-auditing-for-powershell-scripts/
Powersploit – https://github.com/PowerShellMafia/PowerSploit
Nishang – https://github.com/samratashok/nishang
CyberSec Talk 
very informative
Thank you
LikeLiked by 1 person
Thanks Asif 🙂
LikeLike