Execution Discovery
Introduction
PowerShell is a powerful and versatile tool for security operations (SecOps) teams, offering robust capabilities for investigating and responding to threats in enterprise networks. Its seamless integration with the Windows operating system and comprehensive library of cmdlets make it particularly effective for conducting Execution Discovery activities during digital forensics and incident response (DFIR) investigations. Execution Discovery focuses on uncovering evidence of malicious or unauthorized code execution, a common tactic used by attackers to deliver payloads, execute scripts, or run exploit tools. PowerShell enables SecOps teams to efficiently detect and analyze these activities, facilitating swift and precise incident response.
Capabilities of PowerShell for Execution Discovery in DFIR
1. Process and Command-Line Monitoring:
PowerShell provides deep visibility into running processes and their associated command-line arguments. This allows analysts to detect suspicious or unauthorised execution, such as malicious scripts, encoded commands, or exploit tools. It is particularly effective in identifying processes spawned by unusual parent-child relationships, which often indicate attacker activity.
2. Analysis of PowerShell Script Execution:
Since attackers frequently abuse PowerShell to execute scripts or payloads, PowerShell's built-in logging and query capabilities are invaluable for analysing script block logs and event data. This helps security teams uncover evidence of malicious PowerShell usage, including obfuscated or encoded commands designed to evade detection.
3. Scheduled Task and Service Analysis:
Attackers often use scheduled tasks or services to execute malicious payloads. PowerShell enables analysts to investigate existing tasks, startup items, and service configurations to identify unauthorised or anomalous entries linked to execution discovery activities.
4. Binary and DLL Execution Detection:
PowerShell can be used to inspect binaries and dynamic link libraries (DLLs) executed on a system. This includes monitoring for unsigned or unusual executables and DLLs loaded by processes, providing evidence of potentially malicious activity.
5. Memory and File Analysis:
PowerShell facilitates memory analysis by enabling the extraction of process memory for forensic examination. Additionally, it can identify files dropped by attackers for execution, such as staged payloads or tools, and extract metadata for further analysis.
6. Event Log and Telemetry Analysis:
PowerShell’s ability to query event logs allows analysts to investigate execution-related events, such as process creation logs, PowerShell operation logs, and security logs. This aids in correlating events to identify patterns indicative of malicious execution activities.
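As an added illustration of the first and sixth capabilities above (not code from the original page), the following PowerShell snapshot walks the live process tree, pairs each process with its parent, and flags Office-to-script-host relationships and command-line features such as encoded commands. The parent/child baseline and the regex list are assumptions chosen for illustration, not an authoritative indicator set.

```powershell
# Added example, not from the original page: list running processes with their
# parents and flag parent-child pairs or command lines that warrant a closer look.
# Run in an elevated session on Windows so command lines of all users' processes are visible.
# Assumption: the baseline lists and regexes below are illustrative, not an authoritative set.

$officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
$scriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

# Case-insensitive regexes for command-line features commonly seen in malicious execution.
$cmdPatterns = @(
    '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',   # base64-encoded PowerShell command
    '(?i)-(w|win|windowstyle)\s*hidden',                        # hidden window
    '(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression)',
    '(?i)\bmshta(\.exe)?\s+(https?:|vbscript:|javascript:)',   # mshta running remote or inline script
    '(?i)\brundll32(\.exe)?\s+javascript:'                      # rundll32 script execution
)

$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    # Caveat: ParentProcessId can refer to a PID that has since exited and been reused.
    $parent     = $byId[[uint32]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name.ToLowerInvariant() } else { '<exited or unknown>' }
    $childName  = $p.Name.ToLowerInvariant()
    $reasons    = @()

    # Parent-child anomaly: an Office application launching a script host or LOLBin.
    if ($officeParents -contains $parentName -and $scriptHosts -contains $childName) {
        $reasons += "$parentName spawned $childName"
    }
    # Command-line indicators.
    foreach ($rx in $cmdPatterns) {
        if ($p.CommandLine -and $p.CommandLine -match $rx) { $reasons += "command line matches $rx" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            ParentPID   = $p.ParentProcessId
            ParentName  = $parentName
            Reasons     = ($reasons -join '; ')
            CommandLine = $p.CommandLine
        }
    }
}

$findings | Sort-Object PID | Format-Table PID, Name, ParentName, Reasons -AutoSize -Wrap
```

Run with PowerShell Remoting (Invoke-Command) to collect the same table from many endpoints and compare against an organisational baseline.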
Efficiency Provided by PowerShell in Execution Discovery
Granular Visibility: PowerShell offers fine-grained visibility into processes, logs, and system events, enabling precise detection and investigation of execution discovery activities.
Scalability: With PowerShell Remoting, SecOps teams can scale investigations across hundreds or thousands of endpoints, ensuring comprehensive coverage in large enterprise environments.
Real-Time Detection: PowerShell enables real-time querying and monitoring of execution-related data, reducing the time required to identify and respond to threats.
Automation and Repeatability: By automating routine tasks, such as process analysis or log queries, PowerShell ensures consistent and efficient investigation workflows.
Customisable Detection: PowerShell scripts can be tailored to align with organisational baselines and the MITRE ATT&CK framework, focusing on specific execution techniques or adversarial behaviours.
Integration with Security Tools: PowerShell integrates seamlessly with tools like Microsoft Sentinel, Defender for Endpoint, and other SIEM platforms, enabling enriched detection and streamlined incident response workflows.
By leveraging the capabilities of PowerShell, SecOps teams can effectively identify and investigate execution discovery activities, facilitating rapid containment and mitigation while strengthening the organisation’s overall security posture.
Execution Discovery
1. Monitoring Process Execution
1.1. Detecting New Executable Processes
Purpose: Identify newly started executable processes.
1.2. Detecting Unusual Command Line Parameters
Purpose: Identify processes with unusual or suspicious command-line parameters.
2. PowerShell Script Execution Monitoring
2.1. Detecting Encoded PowerShell Commands
Purpose: Identify potentially malicious encoded PowerShell commands.
2.2. Monitoring PowerShell Script Block Logging
Purpose: Capture details of executed PowerShell scripts.
3. Identifying Execution of Scripting Languages
3.1. Detecting VBScript Execution
Purpose: Identify execution of VBScript, which could indicate malicious activity.
3.2. Monitoring JScript Execution
Purpose: Detect the execution of JScript files.
4. Malicious Use of Built-in Tools
4.1. Monitoring Mshta Execution
Purpose: Identify the use of mshta.exe, which can be used to execute malicious scripts.
4.2. Detecting Usage of Rundll32
Purpose: Identify malicious usage of rundll32.exe.
5. Macro Execution and Document Exploits
5.1. Detecting Office Macro Execution
Purpose: Identify when Office applications execute macros, which may indicate macro-based malware.
5.2. Monitoring Malicious Document Execution
Purpose: Detect execution of malicious documents, such as those with embedded exploits.
6. Windows Management Instrumentation (WMI) Execution
6.1. Detecting WMI Command Execution
Purpose: Identify commands executed via WMI, often used for remote execution.
6.2. Monitoring WMI Subscription Events
Purpose: Detect suspicious WMI subscriptions, which can be used for persistence.
7. Execution via Services and Tasks
7.1. Detecting Service Execution
Purpose: Monitor the creation or modification of services that execute commands.
7.2. Monitoring Scheduled Task Creation
Purpose: Identify the creation of scheduled tasks for executing commands.
8. Credential Dumping and Usage
8.1. Detecting LSASS Memory Access
Purpose: Identify attempts to access LSASS memory for credential dumping.
8.2. Monitoring Mimikatz Usage
Purpose: Detect the use of Mimikatz, a tool commonly used for credential dumping.
9. Execution of Exploit Tools
9.1. Detecting Exploit Framework Usage
Purpose: Identify the execution of known exploit frameworks like Metasploit.
9.2. Monitoring the Use of Cobalt Strike
Purpose: Detect the use of Cobalt Strike, a popular post-exploitation tool.
10. Script and Binary Obfuscation
10.1. Detecting Obfuscated PowerShell Scripts
Purpose: Identify the use of obfuscated PowerShell scripts.
10.2. Monitoring Executables with Uncommon File Extensions
Purpose: Detect executables disguised with uncommon file extensions.
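The following script, added here and not part of the original page, serves items 2.1, 2.2 and 10.1 above: it reads Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), decodes any -EncodedCommand payload referenced inside a block, and scores each block against a small set of obfuscation markers. It assumes Script Block Logging is enabled and the session can read the log; the marker list is an illustrative baseline rather than a complete one.

```powershell
# Added example, not from the original page: score PowerShell script block log events
# (Event ID 4104) for encoded payloads and common obfuscation markers.
# Assumptions: Script Block Logging is enabled, the session is elevated enough to read the
# operational log, and the marker list below is illustrative rather than complete.

$maxEvents = 2000   # how far back to read
$minScore  = 2      # report blocks matching at least this many markers

$markers = @(
    @{ Name = 'Invoke-Expression';       Regex = '(?i)\b(iex|invoke-expression)\b' },
    @{ Name = 'Web download';            Regex = '(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest)' },
    @{ Name = 'Base64 decode';           Regex = '(?i)frombase64string' },
    @{ Name = 'Compression stream';      Regex = '(?i)(gzipstream|deflatestream)' },
    @{ Name = 'String concatenation';    Regex = "(?:'[^']{1,3}'\s*\+\s*){4,}" },
    @{ Name = 'Char-code assembly';      Regex = '(?i)\[char\]\s*\d+\s*[+,]' },
    @{ Name = 'Format-operator rebuild'; Regex = '(?i)"[^"]*\{0\}[^"]*"\s*-f\s' }
)

function Get-DecodedEncodedCommand([string]$text) {
    # Returns the UTF-16LE string behind a -EncodedCommand argument, or $null if none or invalid.
    if ($text -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $maxEvents -ErrorAction SilentlyContinue

$results = foreach ($ev in $events) {
    # For 4104 events, Properties[2] is the script block text (a fragment when a long
    # script is split across several events) and Properties[3] is the ScriptBlockId.
    $block   = [string]$ev.Properties[2].Value
    $decoded = Get-DecodedEncodedCommand $block
    $scan    = if ($decoded) { $block + "`n" + $decoded } else { $block }
    $hits    = @($markers | Where-Object { $scan -match $_.Regex } | ForEach-Object { $_.Name })
    if ($hits.Count -ge $minScore) {
        $flat = $scan -replace '\s+', ' '
        [pscustomobject]@{
            Time          = $ev.TimeCreated
            ScriptBlockId = $ev.Properties[3].Value
            Score         = $hits.Count
            Markers       = ($hits -join ', ')
            Preview       = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}

$results | Sort-Object Score -Descending | Format-Table Time, Score, Markers, Preview -AutoSize -Wrap
```

Tune $minScore against a known-good baseline; legitimate administration scripts often trigger one marker, rarely several at once.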
Additional Discovery Techniques
1. Monitoring Script Execution
1.1. Detecting PowerShell Script Execution
Purpose: Identify the execution of PowerShell scripts, especially those with potentially malicious content.
1.2. Monitoring Batch File Execution
Purpose: Detect the execution of batch files, which may indicate malicious script usage.
2. Malicious Use of Legitimate Tools
2.1. Detecting the Use of Mshta
Purpose: Identify the use of mshta.exe, often used to execute malicious scripts.
2.2. Monitoring for RunDLL32 Execution
Purpose: Detect the use of rundll32.exe to execute DLL files, which may be used for malicious purposes.
3. Unauthorised Software and Tool Usage
3.1. Detecting Unauthorized Software Installation
Purpose: Identify the installation of unauthorized software, which may indicate malicious intent.
3.2. Monitoring Portable Executables
Purpose: Detect the use of portable executables, which can bypass security controls.
4. Remote Command Execution
4.1. Monitoring for Remote PowerShell Execution
Purpose: Detect unauthorized use of PowerShell for remote command execution.
4.2. Detecting WMI Command Execution
Purpose: Identify commands executed via Windows Management Instrumentation (WMI).
5. Execution of Scripting Languages
5.1. Monitoring VBScript Execution
Purpose: Detect execution of VBScript files, which may be used for malicious purposes.
5.2. Detecting JScript Execution
Purpose: Identify the execution of JScript files, which can be used to execute malicious scripts.
6. Executable and DLL Injection
6.1. Detecting Code Injection Attempts
Purpose: Monitor for attempts to inject code into other processes.
6.2. Monitoring DLL Injection via RunDLL32
Purpose: Detect the use of rundll32.exe for DLL injection.
7. Malicious Use of System Tools
7.1. Detecting Usage of CertUtil
Purpose: Identify the use of certutil.exe, which can be misused for malicious purposes.
7.2. Monitoring for Bitsadmin Usage
Purpose: Detect the use of bitsadmin.exe, which can be used for data transfer.
8. Application Whitelisting Bypass
8.1. Detecting Application Whitelisting Bypass via LOLBins
Purpose: Identify the use of living-off-the-land binaries (LOLBins) to bypass security controls.
8.2. Monitoring Bypass Attempts via Dynamic Invocation
Purpose: Detect attempts to bypass application whitelisting using dynamic invocation.
9. Macro and Script Exploitation
9.1. Monitoring for Malicious Office Macros
Purpose: Detect the execution of potentially malicious macros in Office documents.
9.2. Detecting Malicious Scripts via Document Execution
Purpose: Identify the execution of scripts embedded in documents.
10. Exploitation Tools and Post-Exploitation Frameworks
10.1. Detecting Cobalt Strike Beacon Execution
Purpose: Identify the execution of Cobalt Strike beacons.
10.2. Monitoring for Metasploit Framework Usage
Purpose: Detect the use of Metasploit, a popular penetration testing tool.