We just released a new three-minute video that shows how you can monitor, detect and mitigate attacks that use PowerShell commands.
PowerShell has recently become very popular among penetration testers and attackers. How do I know this? Because it features in the latest FBI report on a recent attack on US infrastructure networks by a state-sponsored hacking group. Here is what they strongly recommend in order to detect such attacks:
- Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires Windows PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)
- Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
FBI and DHS tell us that the attackers were using CrackMapExec, and we can see in that toolkit's source that it invokes Mimikatz through PowerShell:
command = "Invoke-Mimikatz -Command '{}'".format(self.command)
along with other PowerShell scripts from popular red-team toolkits such as PowerSploit. In the video below (or at https://www.quest.com/video/defend-against-powershell-attacks-with-automated-response-actions8131372/) you can see how InTrust can log, detect and mitigate such dangerous PowerShell commands. See our previous post for an explanation of what must be enabled in the environment for this to work.
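To make the two recommendations above concrete, here is an added example of what "enhanced logging" and the search for IOC script names and Invoke-Mimikatz look like when done by hand from an elevated Windows PowerShell 5 prompt. This is not code from the original post, from the FBI/DHS report or from InTrust; it sets the same registry values that the Group Policy settings write, then hunts the PowerShell operational log. The IOC file names, the transcript directory and the seven-day window are placeholders chosen for the example.

```powershell
# Added example: enable PowerShell module logging, script block logging and
# transcription, then search event 4104 for IOC script names and Invoke-Mimikatz.
# Not from the original post or from InTrust. Placeholders: $iocScripts, C:\PSTranscripts.
#Requires -RunAsAdministrator

# 1. The guidance requires PowerShell 5: older engines do not emit 4103/4104 events.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "Windows PowerShell 5 or later is required (found $($PSVersionTable.PSVersion))"
}

# 2. Same values Group Policy sets under Computer Configuration > Administrative
#    Templates > Windows Components > Windows PowerShell.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event 4103): "*" logs pipeline execution for every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging (event 4104): records the de-obfuscated text of every script block.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

# Transcription: every session's input and output written to a text file.
# Assumption: C:\PSTranscripts exists and is readable only by administrators.
New-Item -Path "$base\Transcription" -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# 3. Hunt: IOC ".ps1" names plus the tooling named in the post.
#    $iocScripts is a constructed placeholder; fill it from the IOC package.
$iocScripts = @('Invoke-Mimikatz.ps1', 'example-ioc.ps1')
$patterns   = @('Invoke-Mimikatz', 'PowerSploit') + $iocScripts
$regex      = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104                      # "Creating Scriptblock text"
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object {
    # 4104 properties: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText
    #                  [3] ScriptBlockId [4] Path (empty for interactive blocks)
    $_.Properties[2].Value -match $regex -or $_.Properties[4].Value -match $regex
} | Select-Object TimeCreated,
    @{ n = 'Path';        e = { $_.Properties[4].Value } },
    @{ n = 'ScriptBlock'; e = {
        $t = $_.Properties[2].Value -replace '\s+', ' '
        if ($t.Length -gt 120) { $t.Substring(0, 120) + '...' } else { $t }
    } }

$hits | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner will hit: the registry values only take effect for PowerShell hosts started after they are written, so nothing that ran before step 2 is in the log (the report's note that logging "must be enabled prior to the activity"), and a local hunt like step 3 is only a stopgap. The 4103/4104 events and the transcript files should be forwarded to a central repository (Windows Event Forwarding, InTrust or a SIEM) where an attacker who gains local admin cannot clear them.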
Want to learn more from Windows security expert, Randy Franklin Smith?
Also, mark your calendars for next Thursday, March 29, from 2:00 PM to 3:30 PM EST, for a live webinar hosted by renowned Windows security expert Randy Franklin Smith on the topic: Top 3 Workstation Logs to Monitor for Early Detection of Attacks: Security Log, PowerShell, Sysmon.
Stay tuned: next we will test this auditing against PowerShell obfuscation techniques. So far, Quest InTrust and the rules we are developing are looking great; we have not been able to make them go blind. To be continued.
PowerShell rules will ship as part of the upcoming InTrust release this year, but you can set them up manually in your current version of InTrust.