How to defend against PowerShell cyberattacks with InTrust automated response actions

We just released a new three-minute video that shows how you can monitor, detect and mitigate attacks carried out with PowerShell commands.

PowerShell has recently become very popular among penetration testers and attackers. How do I know this? Because it is in the latest FBI report on a recent attack on US infrastructure networks by a state-sponsored hacking group. Here is what the report recommends in order to detect such cyberattacks:

  • Detect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1” contained in the IOC packages. (Note: requires Windows PowerShell version 5, and PowerShell logging must be enabled prior to the activity.)
  • Ensure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide adequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging, script block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
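As an added example (not code from the original post, the FBI report or InTrust), the PowerShell below applies the three logging settings the report recommends through their Group Policy registry keys, checks that they and PowerShell 5 are in place, and then searches the script block log (event ID 4104) for the indicators the post names. The transcript share path and the 24-hour window are assumptions.

```powershell
# Added example, not from the original post, the FBI report or InTrust. Run elevated.
# Registry paths are the ones behind Administrative Templates > Windows Components >
# Windows PowerShell; the central transcript share below is a placeholder.
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = '\\LOGSERVER\PSTranscripts$'   # placeholder, change for your environment

function Enable-PowerShellLogging {
    # Module logging: pipeline execution details (event ID 4103) for every module ("*").
    New-Item -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging: de-obfuscated code is written to event ID 4104.
    New-Item -Path "$PolicyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Transcription: full session transcripts sent to a central share.
    New-Item -Path "$PolicyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Test-PowerShellLogging {
    # Report whether PowerShell 5+ is present and all three settings are switched on.
    $v5  = $PSVersionTable.PSVersion.Major -ge 5
    $mod = (Get-ItemProperty "$PolicyRoot\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
    $sbl = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
    $trn = (Get-ItemProperty "$PolicyRoot\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    [pscustomobject]@{ PowerShell5 = $v5; ModuleLogging = $mod; ScriptBlockLogging = $sbl; Transcription = $trn }
}

function Find-SuspiciousScriptBlocks {
    # Event ID 4104 carries the script block text in Properties[2]. Flag blocks that
    # call Invoke-Mimikatz or reference a .ps1 file, the indicators the post mentions.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $code = [string]$_.Properties[2].Value
        if ($code -match 'Invoke-Mimikatz|\.ps1\b') {
            [pscustomobject]@{ Time = $_.TimeCreated; Host = $_.MachineName; Snippet = $code.Substring(0, [Math]::Min(120, $code.Length)) }
        }
    }
}

Enable-PowerShellLogging
Test-PowerShellLogging
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Settings written this way are overridden by domain Group Policy on the next refresh, so in a managed domain put the same values in a GPO instead.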

The FBI and DHS are telling us that the attackers were using CrackMapExec, and we can see that this toolkit uses Mimikatz:

command = "Invoke-Mimikatz -Command '{}'".format(self.command)

It also uses other PowerShell scripts from popular red-team toolkits such as PowerSploit. In the video below (or at https://www.quest.com/video/defend-against-powershell-attacks-with-automated-response-actions8131372/) you can see how InTrust lets you log, detect and mitigate such dangerous PowerShell commands. Check out our previous post for an explanation of what needs to be enabled in the environment for this to work.