This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
Cyber adversaries who compromise an IT environment are aware that many organizations log and monitor behavior on their networks closely and are keen to avoid detection. One way they do that is by “living off the land” - that is: use existing administrative tools, rather than external programs or malware, to carry out their objectives. The other method is to encrypt or encode commands and other communications to avoid tripping alerts tied to specific commands or actions.
As a result, organizations that want to spot and stop sophisticated cyber actors need to pay attention to the use of both “dual use” applications and monitor for efforts to disguise network activity using encryption or encoding.
Microsoft’s PowerShell is one of the most commonly used applications for adversaries seeking to “live off the land.” In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot one technique that is a common feature of sophisticated cyber attacks: the use of encoded commands in conjunction with the PowerShell utility.
- Monitoring for the use of encoded PowerShell command execution is an important means of spotting efforts by malicious applications or actors to conduct surveillance or execute malicious code without being noticed.
- Logging PowerShell activity is critical to monitoring for malicious activities.
- Windows Event ID 4688 (a new process has been created) is a critical event for monitoring processes created with the command line.
- PowerShell commands that invoke the EncodedCommand parameter and variants may indicate efforts to obfuscate malicious commands or activity.
- QOMPLX’s Identity Assurance product monitors for Windows Event ID 4688 in which the command line contains keywords that indicate PowerShell executed with the EncodedCommand parameter and variants.
How Encoded PowerShell Command Execution Works
PowerShell is a cross-platform task automation solution for Windows environments. It has been shipped by default with Windows systems beginning with Windows 7 SP1 and Windows Server 2008 R2 SP. PowerShell includes a command-line shell, a scripting language, and a configuration management framework and runs on Windows, Linux, and macOS.
Because of its power and ubiquity, PowerShell is a popular “dual use” technology: assisting network IT administrators but also popular among “red teams” and malicious actors who want to expand their reach within networks without having to import malicious software that might be detected by endpoint or network monitoring software. PowerShell is a common tool for “living off the land” within compromised environments and has been incorporated into a number of exploit kits with names like PowerSploit, PowerShellEmpire, BloodHound, EmpireProject, Powershell-C2 and more.
PowerShell commands that launch new processes trigger Windows using Event ID 4688 (a new process has been created). Assuming logging is enabled for PowerShell (as it should be), organizations can monitor for commands spawning new processes or the issuance of high risk commands or those associated with reconnaissance or malicious activity. However, PowerShell can also accept Base64 encoded commands to support commands that require otherwise unsupported characters like complex quotation marks, curly braces and so on.
For example, the PowerShell command “ls” executed using Base64 encoding (-enc) is as follows:
powershell.exe -noexit -enc bABzAA==
QOMPLX can detect encoded command execution by monitoring for Windows Event ID 4688 and noting any processes created with a PowerShell command line containing keywords that indicate use of the EncodedCommand parameter and variants. Using this feature requires that customers enable both “Audit Process Creation” and “Include command line in process creation events” policies in Active Directory.
QOMPLX Knowledge: Detecting Account Name Enumeration
QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups
QOMPLX Knowledge: Detecting Password Spraying Attacks
Q:CYBER Ingesting Windows Event Logs
Q:CYBER Using Windowed Rules for Advanced Detection
QOMPLX Knowledge: Golden Ticket Attacks Explained
QOMPLX Knowledge: Silver Ticket Attacks Explained
QOMPLX Knowledge: Responding to Golden Ticket Attacks
QOMPLX Knowledge: DCSync Attacks Explained
QOMPLX Knowledge: DCShadow Attacks Explained
QOMPLX Knowledge: Pass-the-Ticket Attacks Explained
QOMPLX Knowledge: Kerberoasting Attacks Explained
Understanding Zones and Zone Transfer
Security Monitoring Recommendations for Windows Event 4688
Use the following form to request more information about QOMPLX detection of sophisticated attacks and other threats.