PowerShell Detections — Threat Research Release, August 2021

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

The Splunk Threat Research Team (STRT) most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging. We focused our security content on script block logging (Event Code 4104) as it provides the most granular visibility of PowerShell scripts that execute on an endpoint. However, we also provided a way to gather all three for testing validation, production or curiosity. Adversaries continue to use PowerShell and defenders are granted deeper visibility with Script Block Logging.

Watch the video to understand how STRT has developed PowerShell analytics for Splunk by using the Splunk Attack Range to collect the generated logs, and hunt for suspicious PowerShell.

PowerShell attacks have not surmised and Microsoft continues to expand on new features, plus it’s native integration in each operating system. Since version 5 of PowerShell, logging was expanded to include script block, module and transaction logging. What does this mean? Granular visibility into what is being run on our endpoints.

What is PowerShell Script Block Logging?

This is the raw, deobfuscated script supplied through the command line or wrapped in a function, script, workflow or similar. Think of everytime an adversary executes an encoded PowerShell script or command, script block logging provides that data in its raw form.

Windows Event Code=4104

What does it look like?

PowerShell Detections

The Splunk Threat Research Team has developed a set of detections to assist with getting started in detecting suspicious 4104 script block events.

Responding to PowerShell with Automated Playbooks

The following community Splunk SOAR playbooks mentioned below can be used in conjunction with some of the previously described Powershell analytics.

For more information about how Splunk SOAR can accelerate investigations and remediations for your SOC, check out the upcoming Splunk4Ninjas Splunk SOAR Hands On Workshop.

Why Should You Care About PowerShell Logging?

PowerShell is not leaving the Windows endpoint any time soon. As defenders, we need to expand beyond process and command-line analytics and begin diving deeper into our logs to identify more unique ways to capture malicious or suspicious activity. Script block logging, albeit not new, opens our horizons to see complete scripts being executed

For a full list of security content, check out the release notes on Splunk Docs:

• 3.25.0
• 3.25.1
• 3.25.2
• 3.26.0

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss for their contribution to this release.