PowerShell Hunting with CrowdStrike Falcon®
Introduction
Threat hunting is the active search for new and novel attack behaviors that aren’t detected by current automated methods of prevention and detection.
Threat hunting starts with human analysts, who approach their challenge with the assumption that active intrusions are underway but hidden from the view of their layers of detection technology such as NGAV, network IDS, and SIEM. Threat hunters develop hypotheses around where these hidden attackers might be lurking, based on the best threat intelligence available as well as years of experience, and then shine a bright light into these dark corners to see if their hypothesis proves true.
The best hunting leads are informed by known attacker behavior patterns, but leave a lot of room for surprising discoveries. After all, if you’re simply looking for known bad behaviors, you’re using humans to perform analysis that could easily be automated.
Video
The Power of PowerShell Threat Hunting
PowerShell activity represents a rich source of leads for threat hunting. PowerShell provides a robust command line and scripting language for the Windows operating system, and is frequently used by system administrators for a wide range of configuration management and automation tasks. This advanced functionality and broad usage makes it an attractive tool for intruders.
CrowdStrike’s 2020 Global Threat Report showed that PowerShell is used broadly by attackers of all types. It provides them with powerful tools for exploring and exploiting systems, while also allowing them to hide their malicious activity in the noise of daily IT operations. Properly equipped, human threat hunters can leverage their experience and intuition to surface suspicious activity before it leads to an expensive breach.
Getting Started with PowerShell Threat Hunting
Broad and deep visibility provides the basis for any type of threat hunting. By collecting a wide range of telemetry from all endpoints across the organization, CrowdStrike provides the threat hunter with the raw visibility and context they need in order to search for hidden threats.
To perform PowerShell threat hunting, the analyst will require a repository of data that records all PowerShell activity across the organization, ideally updated in real time. Microsoft provides logging within the Windows operating system, which must be enabled by system administrators. A good endpoint detection and response solution such as CrowdStrike’s Falcon Insight will not only collect the necessary data, but also provide some automated analysis and tools to make the threat hunter’s job a great deal easier.
What to Look for in PowerShell
Examples of suspicious activities in PowerShell that warrant further investigation include:
- Downloaded files, especially from outside your organization. Attackers frequently download late-stage malware and tools from sites such as github, or their own staging infrastructure.
- Obfuscated or encoded scripts. Administrators very rarely have a need to obfuscate their scripts, as this greatly complicates future maintenance and troubleshooting. Seeing PowerShell scripts that are encoded merits a deeper look.
- Unusual command line arguments. PowerShell provides a wide range of command line arguments that allow administrators to set the execution context and control how PowerShell operates. -ExecutionPolicy Unrestricted allows scripts to run without standard OS restrictions. Other arguments can suppress user warnings or dialogs that might otherwise alert a user or administrator to an intrusion. These arguments are rarely used in most enterprise environments.
- Repeated use of local informational tools. Attackers frequently use local commands such as whoami, hostname, ping, netstat, and similar commands during their initial reconnaissance, in order to orient themselves after an initial intrusion. On the other hand, it’s much more rare for an authorized administrator to do these things, as they typically know what systems they are accessing, and the account context they are working under.
Conclusion
Regular threat hunts across PowerShell activity in your organization for these and other behaviors can bring to light critical signs that an intruder has obtained a foothold in your organization, and allow your team to act in time to eject the intruder before a damaging breach can occur. CrowdStrike’s Falcon platform provides an ideal foundation for PowerShell threat hunting.
More resources
- CrowdStrike 15-Day Free Trial
- Request a demo
- Guide to AV Replacement
- CrowdStrike Products
- CrowdStrike Cloud Security
Content provided by Scott Taschler
