PowerShell scripts have clearly become one of the weapons of choice for attackers who want to stay extremely stealthy. Like other scripts, they are easily obfuscated, downloaded, tucked away in the registry and among other benign-looking content, and launched using a legitimate process—the scripting engine. As the de facto scripting standard for administrative tasks on Windows, PowerShell trumps other scripting languages because it can easily invoke system APIs and access a variety of .Net classes and objects. PowerShell is loved by system administrators and defenders, but unfortunately it is just as appealing to attackers.
In this post, I’d like to share a few queries that can make it much easier for you to find suspicious PowerShell activity in your network…
Explaining PowerShellCommand events
This event type reports the names of commands executed by the PowerShell engine, including PowerShell cmdlets and scripts, as well as other executables.
It does not matter whether that command appears in the command line or not – the command is reported nonetheless.
Similarly, it is reported whether it was executed by powershell.exe, by wsmprovhost.exe (used for remote PowerShell) or by some other process that loads the PowerShell engine.
This event is part of the MiscEvents table, and its ActionType is "PowerShellCommand".
The columns starting with InitiatingProcess contain the details of the process that executed the command.
The AdditionalFields column contains the Command name in a JSON structure, for example:
This column is where we keep the long tail of fields – the uncommon ones that are unique to just a few event types.
You can parse it by calling parse_json or extractjson, or you could simply run a “contains” where filter on it.
If your organization is a large one, we suggest you speed up your queries by applying more filters before you parse the JSON column.
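To make the three parsing options concrete, here is an added Kusto example (not a query from the original post) that applies the cheap filters first and only then extracts the command name. The JSON shape `{"Command":"..."}` and the column names EventTime, ComputerName, InitiatingProcessFileName and InitiatingProcessCommandLine are assumptions; the post itself only gives the table name, ActionType, AdditionalFields, the Command field and the InitiatingProcess prefix.

```kusto
// Added example, not the post's own query. Assumed: AdditionalFields looks like
// {"Command":"Invoke-WebRequest"}; MiscEvents has EventTime, ComputerName,
// InitiatingProcessFileName and InitiatingProcessCommandLine columns.
MiscEvents
// Cheap filters first: time window, event type, then a substring test on the
// raw JSON string. Only the rows that survive pay for JSON parsing.
| where EventTime > ago(7d)
| where ActionType == "PowerShellCommand"
| where AdditionalFields contains "Invoke-WebRequest"
// Option 1: parse_json returns a dynamic object; read the field with dot notation.
| extend Command = tostring(parse_json(AdditionalFields).Command)
// Option 2: extractjson pulls a single field by JSONPath without materializing
// the whole object; equivalent here, handy when you need exactly one value.
| extend CommandViaPath = extractjson("$.Command", AdditionalFields, typeof(string))
// "contains" is case-insensitive and matches substrings, so after parsing
// re-check for the exact command name to drop longer names that merely
// contain it.
| where Command =~ "Invoke-WebRequest"
| project EventTime, ComputerName, Command, CommandViaPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

The order matters: `contains` on the raw string is the cheapest test, so in a large tenant it should run before any `parse_json` or `extractjson` call, and the exact match afterwards removes the false positives that a substring filter lets through.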
Query #1: Find all executions of a specific command
Have you found a suspicious or malicious command in your network, and want to find other instances of it? Or perhaps you have read a new blog post about some attacker or attack framework using some PowerShell cmdlet?
You can now easily find out if it was executed in your organization and on which machines.
So, next time you investigate an alert and see PowerShell running, you could easily check which uncommon PowerShell commands ran on that machine – and if malicious, check on which other machines these commands were executed.
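The following Kusto block is an added illustration of both ideas in this section, Query #1 (all executions of one command, by machine) and the follow-up in the previous paragraph (uncommon commands on the machine from an alert, and where else they ran). It is not the post's own query. Assumed: the columns EventTime, ComputerName, InitiatingProcessFileName and InitiatingProcessCommandLine exist in MiscEvents, AdditionalFields has the shape `{"Command":"..."}`, and the command name and hostname are placeholders to be replaced with the values from your investigation.

```kusto
// Added example, not the post's own query. Assumed columns: EventTime,
// ComputerName, InitiatingProcessFileName, InitiatingProcessCommandLine.
// Assumed JSON shape in AdditionalFields: {"Command":"<cmdlet-or-script-name>"}.
// Two independent queries follow; run them one at a time.

// ---- Query 1: every execution of one command, grouped by machine ----
let lookback = 30d;
let suspectCommand = "Invoke-Expression";   // placeholder: the command you are investigating
MiscEvents
| where EventTime > ago(lookback)
| where ActionType == "PowerShellCommand"
| where AdditionalFields contains suspectCommand          // cheap pre-filter on the raw string
| extend Command = extractjson("$.Command", AdditionalFields, typeof(string))
| where Command =~ suspectCommand                          // exact, case-insensitive match
| summarize Executions = count(),
            FirstSeen = min(EventTime),
            LastSeen = max(EventTime),
            HostProcesses = make_set(InitiatingProcessFileName),   // powershell.exe, wsmprovhost.exe, ...
            SampleCommandLine = any(InitiatingProcessCommandLine)
          by ComputerName
| order by Executions desc

// ---- Query 2: uncommon commands on one machine, and where else they ran ----
// Rarity is measured as the number of distinct machines that executed the same
// command in the lookback window; a low count is worth a closer look.
let lookback = 30d;
let machineOfInterest = "WORKSTATION-01";   // placeholder hostname taken from the alert
let rareThreshold = 3;
let psCommands =
    MiscEvents
    | where EventTime > ago(lookback)
    | where ActionType == "PowerShellCommand"
    | extend Command = extractjson("$.Command", AdditionalFields, typeof(string));
let orgWide =
    psCommands
    | summarize MachinesSeenOn = dcount(ComputerName),
                OtherMachines = make_set(ComputerName) by Command;
psCommands
| where ComputerName =~ machineOfInterest
| summarize LocalExecutions = count(), LastSeenLocally = max(EventTime) by Command
| join kind=inner orgWide on Command
| where MachinesSeenOn <= rareThreshold
| project Command, LocalExecutions, LastSeenLocally, MachinesSeenOn, OtherMachines
| order by MachinesSeenOn asc, LocalExecutions desc
```

Query 2 is the pivot described above: the commands the alerted machine ran that almost no other machine ran, with the set of those other machines in the last column, so a command that turns out to be malicious can be chased to every host that executed it without a second round-trip.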
Don’t forget to bookmark our GitHub repository of Advanced hunting queries. It’s a great place to get guidance on how to hunt for specific threats as well as explore beautifully crafted queries that return insight into possible breach activities in your network.
Thanks for reading; we await your feedback and suggestions for the next posts.