Have you ever seen a shell game being played? Nobody but the swindler knows which cup holds the ball. Detecting a cyberattack launched using PowerShell is a lot like playing a shell game, except, in this case, it is possible to outwit the swindler. All you need is keen observational skills and the right tools.

The key to detecting any PowerShell attack is to try to catch it early.

In the final part of this three-part series, we will see how a SIEM solution with Active Directory auditing capabilities can help you detect a PowerShell attack by watching out for some telltale signs. We will take the examples of two common attack techniques used by malicious actors to try to infiltrate the Active Directory environment of an organization. They are:

  • AD enumeration using situational awareness modules.
  • The pass-the-hash exploit using Mimikatz.

Attackers use AD enumeration for reconnaissance and the pass-the-hash exploit to obtain credentials and elevate privileges.

We will be simulating these executions in the Active Directory of a virtual test environment using a popular pen testing tool called PowerShell Empire. We recommend that you read the first and second part of this series to get a better understanding of the tool, the test environment, and how to execute the attack.

Executions to look out for

We will first list the various executions that will occur on the victim server and then see how a SIEM solution can help detect them.

1. Disabling Windows Defender

Before we deploy the agent from the Kali Linux machine to execute malicious PowerShell commands on the target Windows server, we need to disable certain features of Windows Defender. Windows Defender is the built-in antivirus and security tool that comes with all Windows machines. We will be doing this using PowerShell commands to avoid easy detection.

The features we will disable and the commands we will use to disable them are as follows:

Disabled feature Function Command used to disable it
Real-time monitoring Disabling real-time monitoring stops Windows Defender from continuously tracking all the file and process scanning in real time. Set-MpPreference -DisableRealtimemonitoring $true
Archive scanning Archive scanning allows users to set up scans to detect malicious software in archive folders (files with the ZIP extension, for example). Set-MpPreference -DisableArchiveScanning $true

How a SIEM solution can help detect this

When organizations enable PowerShell logging, a SIEM tool with Windows change auditing capabilities can pick these logs up, parse them, and display them in the form of easily comprehensible dashboards, graphs, and reports. ManageEngine Log360, for example, displays three different reports: Process Tracking, Script Block Logging, and Module Logging. Both of the commands listed above are picked up by Log360 and displayed in Script Block Logging reports. They can be viewed under the Script Data column as shown in Figure 1 and 2.

disable real-time monitoring in Windows Figure 1. The PowerShell command to disable real-time monitoring in Windows Defender shown in Log360 under the Script Data column.

disable real-time monitoring in Windows Figure 2. The PowerShell command to disable archive scanning in Windows Defender shown in Log360 under the Script Data column.

2. Launching the stager

After disabling the above features of Windows Defender, we can deploy the agent. This requires generating a script through PowerShell Empire and launching it on the server. This is a malicious PowerShell script that must be executed through administrator access. The agent helps execute the rest of the scripts on the server.

How a SIEM solution can help detect this

When Script Block Logging is enabled through PowerShell auditing, the entire script executed to connect the victim server with the attacker's machine is captured in the Script Block Logging report, as shown in Figure 3.

launcher script captured Figure 3. The launcher script captured by Log360's PowerShell auditing reports.

Analysts can engineer an alert or custom report profile to detect, record, and respond to the executed script. Log360 provides a built-in report based on the parameters used to execute a PowerShell Empire launcher. The report is called Empire PowerShell Launch Parameters and is displayed in Figure 4.

Empire PowerShell Launch Parameters Figure 4. The Empire PowerShell Launch Parameters report in Log360.

3. PowerShell situational awareness modules for AD enumeration

Once the agent has been deployed, we can execute various modules present in PowerShell Empire. For AD enumeration, we will be using situational awareness modules by executing the following scripts:

  • usemodule_powershell_situational_awareness_network_powerview_get_user
  • usemodule_powershell_situational_awareness_network_powerview_get_ou
  • usemodule_powershell_situational_awareness_network_powerview_get_computer

How a SIEM solution can help detect this

When the agent executes these PowerShell scripts on the victim server, it does so in the form of obfuscated code. In this case, most of the scripts use a Get command or module. This is obfuscated in the form of Get-Random commands, which can be captured by module logs.

Using a SIEM solution, analysts can set up alerts to be notified whenever a suspicious number of Get-Random commands has been executed within a particular time frame. By scanning through the other module logs and the script data in those log entries, analysts can identify whether the executions are malicious or not. Figure 5 shows an obfuscated command captured by PowerShell audit reports in a SIEM solution.

command captured by the Module Logging reports Figure 5. An obfuscated Get command captured by the Module Logging reports of Log360.

PowerShell can also be used to encrypt scripts in Rivest-Shamir-Adleman (RSA) encryption format. The execution of the code to create the agent is given in RSA format, which has been captured by the Module Logging reports of Log360 (Fig. 6).

Module Logging reports capture encrypted code Figure 6. Module Logging reports capture encrypted code.

4. PowerShell Mimikatz modules for obtaining credentials

Once we have obtained information about the users, groups, and other AD objects and their access, we will choose a target user who has the privileges we need or who can be the right next step to obtaining them.

We must now obtain that user's credentials. We can do this using Mimikatz under the credentials module. The scripts used for this are as follows:

  • usemodule_powershell_credentials_mimikatz_cache
  • usemodule_powershell_credentials_mimikatz_logonpasswords

How a SIEM solution can help detect this

Mimikatz modules are executed in the form of obfuscated code. Log360 captures the obfuscated code in the script data of its Script Block Logging reports. Often, Mimikatz uses the same commandlets. Analysts can recognize these and create custom alerts to get notified when they are executed.

For example, Mimikatz often uses scripts that include the $TypeBuilder set of commands. Figure 7 shows this being captured by the Script Block Logging reports in a SIEM solution.

Mimikatz to extract the passwords Figure 7. Log360 captures the obfuscated code used by Mimikatz to extract the passwords.

Log360's Module Logging reports capture which application is executing these commands. In this case, it is the agent deployed by the attacker's machine on the target server. Figure 8 displays this.

captures the host application Figure 8. Log360 captures the host application (agent) that executed the code.

Detecting these executions using a SIEM solution

Apart from offering the reports mentioned above, a SIEM solution can also help you:

  • Create a custom report profile to track malicious PowerShell executions.
  • Create an alert for this profile, which will immediately notify admins of suspicious executions.
  • Monitor and discover suspicious user activities like malicious file downloads.

A comprehensive SIEM solution like Log360 comes equipped with MITRE ATT&CK® reports (Fig. 9) that help track specific techniques and sub-techniques, including malicious PowerShell scripts as well as commands—both successful and failed executions. An advantage of using PowerShell Empire for pen testing is it lists all the ATT&CK techniques associated with a module before running it. Defense teams can use this to set up alerts and track specific PowerShell activities to which they are most susceptible.

ATTACK reports in Log360 Figure 9. ATT&CK reports in Log360.

PowerShell attacks are being increasingly used since most organizations do not log PowerShell activity. These organizations find the number of logs generated to be too high to manage and analyze. Investing in the right security tool can help you track, monitor, analyze, and archive PowerShell logs to easily detect suspicious executions that could lead to a cyberattack.

To learn more about Log360, our comprehensive SIEM solution with built-in AD and PowerShell auditing capabilities, do check out our free, 30-day trial or reach out to our product experts for a personalized demo.

  • Please enter a business email id
  • By clicking 'Read the ebook', you agree to processing of personal data according to the Privacy Policy

Get the latest content delivered
right to your inbox!

Thank you for subscribing.

You will receive regular updates on the latest news on cybersecurity.

  • Please enter a business email id
    By clicking on Keep me Updated you agree to processing of personal data according to the Privacy Policy.

Expert Talks


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.