Threat Hunting — Encoded PowerShell Commands — Part 2: Monitoring And Detecting Powershell Commands

Introduction

In previous chapter “Threat Hunting — Encoded PowerShell Commands — Part 1: Understanding and Identifying Threats”, we understood that detecting malicious activity is a constant challenge, especially when attackers employ sophisticated obfuscation techniques. One common method involves the use of PowerShell with encoded commands. This write-up explores how attackers use variations of the encoded command switch in PowerShell, and how to effectively monitor and detect these activities to enhance security posture.

The Encoded Command Switch

PowerShell’s encoded command switch allows users to run scripts encoded in Base64 format. This can be done using various forms of the switch, such as -e, -en, -enc, -enco, and others. This flexibility makes it a favored tool for attackers seeking to obfuscate their actions.

Example of Encoded Command Variations

1. Short Form: powershell.exe -e R2V0LVByb2Nlc3M=
2. Long Form: powershell.exe -encodedCommand R2V0LVByb2Nlc3M=
3. Variations: powershell.exe -en R2V0LVByb2Nlc3M=, powershell.exe -enco R2V0LVByb2Nlc3M=

Each variation serves the same purpose: to execute a Base64 encoded command. The attacker can encode any script and run it using these switches, effectively hiding the command’s intent from plain view.

Detecting Encoded PowerShell Commands

To effectively detect these encoded commands, security teams need to implement robust monitoring and detection strategies. Below are key methods to identify encoded PowerShell commands using different variations of the switch.

Monitoring Command Line Activity

One of the most effective ways to detect encoded PowerShell commands is by monitoring command line activity. This involves scrutinizing processes and their command line arguments for signs of encoded commands.

Sample Monitoring Approach

Here’s a conceptual approach to detect any variation of the encoded command switch in PowerShell:

if (process_name == "powershell.exe" && command_includes ('-e' || '-en' || '-enc' || '-enco' || other variations)) {
    alert("Potential encoded PowerShell command detected");
}

Using Security Tools for Detection

Splunk Query Example

Splunk can be configured to detect encoded PowerShell commands with various switches:

index=your_index_name sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational"
| eval CommandLine=mvindex(split(Message, "CommandLine: "), 1)
| where like(CommandLine, "%-e%") OR like(CommandLine, "%-en%") OR like(CommandLine, "%-enc%") OR like(CommandLine, "%-enco%")
| table _time, host, user, CommandLine

This query filters events where the command line includes any variation of the encoded command switch and displays relevant details.

Lucene Query Example

For log analysis tools that support Lucene, such as Elasticsearch, you can use a query like this:

process_name:"powershell.exe" AND (command_line:*-e* OR command_line:*-en* OR command_line:*-enc* OR command_line:*-enco*)

This query searches for logs where the process name is powershell.exe and the command line includes any of the specified variations of the encoded command switch.

Implementing Heuristic Analysis

To bolster detection capabilities, heuristic analysis can be used. This involves creating rules that flag unusual command-line activities, especially those that involve PowerShell encoded commands.

Example Heuristic Rule

1. Detect Long Commands: Since encoded commands are often long, set a threshold (e.g., 1000 characters) to flag suspiciously long commands.
2. Flagging Specific Patterns: Look for patterns indicating obfuscation, such as excessive use of certain PowerShell functions or commands that are typically associated with encoded content.

In this write up and series we will focus on detecting long commands.

Detect Long Commands

Since encoded PowerShell commands are often lengthy due to Base64 encoding, monitoring the length of command lines can be an effective detection method. By setting a threshold, such as 1000 characters, security teams can flag and investigate unusually long commands which may indicate obfuscated malicious activity.

Why Length Matters

1. Base64 Encoding: Encoded commands are significantly longer than their original form. A simple command like Get-Process becomes much longer when encoded.
2. Obfuscation: Attackers often use multiple layers of obfuscation, further increasing the length of the command.
3. Threshold Setting: Establishing a threshold helps in focusing on suspicious commands without overwhelming analysts with too many false positives.

Example Detection Approach

Here’s how you can implement a length-based detection strategy:

PowerShell Script to Detect Long Commands

This script scans PowerShell event logs and flags commands longer than a specified length:

$threshold = 1000
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | ForEach-Object {
    $message = $_.Message
    if ($message.Length -gt $threshold) {
        Write-Output "Suspicious Command Detected: $($_.TimeCreated) - Length: $($message.Length)"
    }
}

Splunk Query Example

To detect long encoded PowerShell commands in Splunk, you can use the following query:

index=your_index_name sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational"
| eval CommandLine=mvindex(split(Message, "CommandLine: "), 1)
| eval CommandLength=len(CommandLine)
| where CommandLength > 1000
| table _time, host, user, CommandLine, CommandLength

This query evaluates the length of the command line and flags those exceeding 1000 characters.

Lucene Query Example

For Elasticsearch, use this Lucene query to detect long PowerShell commands:

process_name:"powershell.exe" AND script_block.length:[2001 TO *]

This query searches for PowerShell commands where the script block length exceeds 1000 characters.

Combining Length Detection with Command Switch Monitoring

Combining length-based detection with monitoring for encoded command switches enhances the robustness of your detection strategy. This multi-faceted approach ensures that even if an attacker tries to obfuscate commands in ways that don’t involve length, the presence of encoded command switches will still trigger an alert.

Example Combined Detection Strategy in Splunk

index=your_index_name sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational"
| eval CommandLine=mvindex(split(Message, "CommandLine: "), 1)
| where like(CommandLine, "%-e%") OR like(CommandLine, "%-en%") OR like(CommandLine, "%-enc%") OR like(CommandLine, "%-enco%")
| eval CommandLength=len(CommandLine)
| where CommandLength > 1000
| table _time, host, user, CommandLine, CommandLength

Example Combined Detection Strategy in Lucene

process_name:"powershell.exe" AND (command_line:*-e* OR command_line:*-en* OR command_line:*-enc* OR command_line:*-enco*) AND script_block.length:[2001 TO *]

In Next part “Threat Hunting — Base64 Encoded PowerShell Commands — Part 3: Hunting and Analysing Emotet”, We will hunt and analyze encoded powershell command used by Emotet. I strongly recommend to through previous chapter “Threat Hunting — Encoded PowerShell Commands — Part 1: Understanding and Identifying Threats” to understand the threat.

Conclusion

Detecting encoded and obfuscated PowerShell commands is crucial for identifying sophisticated cyber threats. By combining monitoring of encoded command switches, evaluating command length, and implementing heuristic analysis, security teams can effectively identify and respond to potential threats.

Feel free to share your thoughts and experiences in the comments below. Happy threat hunting!

If you found this article helpful, please clap and share it to help others in the community. Follow me for more insights on cybersecurity and threat hunting.

Author Name: Ameer Mane