• QOMPLX Knowledge
  • Apr 30, 2021
  • By QOMPLX

QOMPLX Knowledge: Detecting PowerShell Encoded Command Execution

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Cyber adversaries who compromise an IT environment know that many organizations log and monitor behavior on their networks closely, and they are keen to avoid detection. One way they do that is by “living off the land”: using existing administrative tools, rather than external programs or malware, to carry out their objectives. Another is to encrypt or encode commands and other communications so they do not trip alerts tied to specific commands or actions.

As a result, organizations that want to spot and stop sophisticated cyber actors need to pay attention to the use of “dual use” applications and to monitor for efforts to disguise network activity using encryption or encoding.

Microsoft’s PowerShell is one of the most commonly used applications for adversaries seeking to “live off the land.” In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot one technique that is a common feature of sophisticated cyber attacks: the use of encoded commands in conjunction with the PowerShell utility.

Key Points

  • Monitoring for the use of encoded PowerShell command execution is an important means of spotting efforts by malicious applications or actors to conduct surveillance or execute malicious code without being noticed.
  • Logging PowerShell activity is critical to monitoring for malicious activities.
  • Windows Event ID 4688 (a new process has been created) is a critical event for monitoring processes created with the command line.
  • PowerShell commands that invoke the EncodedCommand parameter and variants may indicate efforts to obfuscate malicious commands or activity.
  • QOMPLX’s Identity Assurance product monitors for Windows Event ID 4688 in which the command line contains keywords that indicate PowerShell executed with the EncodedCommand parameter and variants.

How Encoded PowerShell Command Execution Works

PowerShell is a cross-platform task automation solution originally built for Windows environments. It has shipped by default with Windows systems beginning with Windows 7 SP1 and Windows Server 2008 R2 SP. PowerShell includes a command-line shell, a scripting language, and a configuration management framework, and it runs on Windows, Linux, and macOS.

Because of its power and ubiquity, PowerShell is a popular “dual use” technology: it assists network IT administrators, but it is also popular among “red teams” and malicious actors who want to expand their reach within networks without importing malicious software that might be detected by endpoint or network monitoring software. PowerShell is a common tool for “living off the land” within compromised environments and has been incorporated into a number of exploit kits with names like PowerSploit, PowerShellEmpire, BloodHound, EmpireProject, Powershell-C2 and more.

When a PowerShell command launches a new process, Windows records Event ID 4688 (a new process has been created). Assuming logging is enabled for PowerShell (as it should be), organizations can monitor for commands that spawn new processes, and for the issuance of high-risk commands or commands associated with reconnaissance or malicious activity. However, PowerShell can also accept Base64-encoded commands, a feature intended for commands that require otherwise unsupported characters such as complex quotation marks, curly braces and so on.

For example, the PowerShell command “ls” executed using Base64 encoding (-enc, which expects the Base64 encoding of the command’s UTF-16LE representation) is as follows:

powershell.exe -noexit -enc bABzAA==

QOMPLX Detection

QOMPLX can detect encoded command execution by monitoring Windows Event ID 4688 and flagging any process created with a PowerShell command line that contains keywords indicating use of the EncodedCommand parameter and its variants. Using this feature requires that customers enable both the “Audit Process Creation” and “Include command line in process creation events” policies in Active Directory.
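To make the detection described above concrete, here is an added example written for this article (it is not QOMPLX’s own detection logic): it scans constructed Event ID 4688 records for PowerShell started with the EncodedCommand parameter or one of its short forms, and decodes the Base64/UTF-16LE payload so an analyst can see the underlying command. The event dictionaries, their field names and the second encoded sample (Get-Process) are all assumptions made for the example.

```python
import base64
import binascii
import re
import shlex

PS_BINARY = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)

def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts -e, -ec and any prefix of -EncodedCommand (-en, -enc, ...)."""
    if not token.startswith(("-", "/")):
        return False
    name = token.lstrip("-/").lower()
    return name.startswith("e") and (name == "ec" or "encodedcommand".startswith(name))

def decode_encoded_command(blob: str):
    """The payload is Base64 over UTF-16LE text; None means it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def inspect_command_line(cmdline: str):
    """Return a finding if a 4688 command line runs PowerShell with an encoded command."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-POSIX mode: Windows backslashes survive
    except ValueError:
        tokens = cmdline.split()
    if not tokens or not PS_BINARY.search(tokens[0].strip('"')):
        return None
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_flag(tok):
            blob = tokens[i + 1].strip('"')
            return {"cmdline": cmdline, "flag": tok, "decoded": decode_encoded_command(blob)}
    return None

def scan_4688_events(events):
    """Filter process-creation events down to those carrying an encoded PowerShell command."""
    findings = (inspect_command_line(e.get("CommandLine", "")) for e in events if e.get("EventID") == 4688)
    return [f for f in findings if f]

# Constructed sample events (not real logs), shaped like the 4688 fields a SIEM would expose.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": "powershell.exe -noexit -enc bABzAA=="},  # "ls", from the post
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
     ' -NoProfile -ExecutionPolicy Bypass -EncodedCommand "RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=="'},
    {"EventID": 4688, "CommandLine": "pwsh.exe -ExecutionPolicy Bypass -Command Get-Date"},  # -Ex is not -E
    {"EventID": 4688, "CommandLine": "powershell -e bABzAA"},  # truncated payload is still flagged
    {"EventID": 4689, "CommandLine": "powershell.exe -enc bABzAA=="},  # process exit, not creation
]
```

A payload that fails to decode is still reported, since a malformed blob after -enc is itself worth an analyst’s attention.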

Additional Reading

QOMPLX Knowledge: Detecting Account Name Enumeration

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained

Understanding Zones and Zone Transfer

Security Monitoring Recommendations for Windows Event 4688
