2.1.3. Malicious Powershell detect engine

2.1.3.1. Introduction

2.1.3.1.1. For what types of threats is this engine designed?

The Malicious Powershell Detect engine allows the detection and analysis of malicious PowerShell scripts.
PowerShell is a scripting language for Windows aimed at system administrators.
Because of this, its capabilities to control a Windows machine are very extensive, making it a very popular tool for operating a compromised machine.
Thus, an attacker will generally use it to maintain access to the machine or extract information from it, before pivoting to another machine.
A PowerShell script can therefore be used to maintain a backdoor on the machine, letting the attacker act later, or to download malware directly into memory and run it.
A PowerShell script can be obfuscated to avoid detection by signatures and to complicate its analysis.
There are many obfuscation techniques for PowerShell scripts, all using methods inherent to the language.
Due to its nature, a malicious PowerShell script is difficult to detect because:
  • It is a very common tool on Windows PCs and in server farms

  • It does not necessarily pass through a file

  • It is often obfuscated to avoid signature detection

  • Legitimate uses of PowerShell may look like malicious behaviour


2.1.3.1.2. How does this particular engine detect threats?

The detection of malicious PowerShell scripts is carried out in several steps:

  • The first step is to analyze the form of the PowerShell script, looking for obfuscation.
    Malicious scripts are usually obfuscated while legitimate scripts are not supposed to be, so this step helps to avoid false positives.
  • The second step is to scan the content of the PowerShell script for potentially malicious commands.
    This step undoes the most common obfuscation techniques in order to characterize the threat.

2.1.3.1.3. How does Malicious Powershell Detect engine work in the GCenter?

The engine:


2.1.3.1.3.1. Malicious Powershell Detect engine input data

The network flow is duplicated on the network by a TAP and the files are rebuilt by the GCap.
The file reconstruction is configured by the file reconstruction rules used by the GCap detection engine (refer to Configuring the file reconstruction rules via the GCap profile).
Every packet passing through the network undergoes a search for smart patterns that identify those likely to contain a malicious PowerShell script.
These packets are then extracted and sent to the GCenter for further analysis by the Malicious Powershell engine.
Files with the .ps1 extension are also extracted for analysis.

Once the scan is complete, if a malicious PowerShell script has been identified, an alert is raised with all the information collected.

Currently, the undoing of obfuscation in the second step is only possible for a defined set of techniques, but this does not prevent the detection of malicious PowerShell scripts whose obfuscation technique could not be identified.

In order for the engine to be operational, a first update of the "Threat-DB" must have taken place.

2.1.3.2. Events generated

Events generated by the Malicious Powershell Detect engine are alerts.
These are displayed:
  • In the main interface named WEB UI of the GCenter in the `Alerts` screen:
    The main interface named WEB UI is described in Overview of the WEB UI.
    • To display only these alerts, select the `Malicious Powershell` engine filter then validate.
      See the presentation of the Web UI `Alerts`.
  • If the `Group by name` mode is activated, the name of the aggregated alerts and their number are displayed.
    Click on a grouping of alerts to display the list.
  • When the `Group by name` mode is disabled, different Source and Destination information is displayed for each alert.
    `Tags` and `Notes` are also visible and editable.
    The various Quick Access `Actions` are available for each alert.
  • In the interface named Kibana UI:
    • In the main interface WEB UI, to view the alerts, select the `Malicious Powershell` engine filter then validate.
      See the presentation of the Web UI `Alerts`.
    • After selecting the alert, click on the `Open powershell engine analytics` command of the `Actions` menu.
      Kibana is opened on the `Malicious Powershell` category of the `Alerts` section: the `Overview` tab displays all alerts.
      The interface displayed is the interface named Kibana UI (described in Overview of the Kibana GUI).
    • Click on the `Messages` tab.
  • To consult information about a specific alert:

    • Click on the toggle icon on the left of the Alert
      The expanded document is displayed.
      The detailed information of this alert can be viewed in table or json format.

    Note

    The Kibana UI can also be accessed without any filters via the `Hunting` icon on the left side menu bar in the WebUI.


2.1.3.2.1. Example of a Malicious Powershell detect alert in the Webui

The presentation of the Alert details is given in the Alert details window.
The counters are given in the Example of an alert exported.

2.1.3.2.2. Malicious Powershell log data structure

The logs are composed of different parts:

  • The header part

  • The source part defined by "_source"

  • The field part defined by "_fields"

This information is displayed in the Expanded document of Kibana.


2.1.3.2.2.1. The header part of Malicious Powershell logs

The header section contains:

"_index": "engines_alerts-2024.12.04-000030",
"_id": "0KIEkpMBe7GX5B2fI_RU",
"_version": 1,
"_score": 0,

The detailed information is given in the table (Counters of the header part of logs).


2.1.3.2.2.2. The source part of Malicious Powershell logs

The source part is defined by "_source" in the logs.

Note

The data displayed on the Web UI (Alert details window) is a subset of the data displayed in the Expanded document on the Kibana interface.
All data can be exported to a SIEM via syslog (an example of an exported alert is shown).
The detailed information is given in the tables (Data related to detection results).

The example given here is a Kibana example.

"malicious_powershell": {
  "sample_id": "12-04-2024T14:12:40_03afe38854c8443db03807bcc51cf935_gcap.gatewatcher.com",
  "score_details": {
    "InvokeRestMethod": 0,
    "StreamWriter": 0,
    "CharInt": 6,
    "AddContent": 0,
    "InvokeExpression": 100,
    "StrCat": 4,
    "StreamReader": 0,
    "SystemIOFile": 0,
    "InvokeWebRequest": 0,
    "StrJoin": 6,
    "WebClientInvokation": 20,
    "StrReplace": 0,
    "SetContent": 0,
    "GetContent": 0,
    "FmtStr": 8,
    "StartBitsTransfer": 0,
    "Base64": 188
  },
  "proba_obfuscated": 0.6,
  "score": 332,
  "id": "b5c38e2159f80a5a3076a353360cb5f1"
},
"event": {
  "created": "2024-12-04T14:12:44.750657+0000",
  "dataset": "alert",
  "module": "malicious_powershell_detect",
  "severity": 1,
  "kind": "alert",
  "category": [
    "network",
    "intrusion_detection"
  ],
  "id": "081d78f9-81f2-4408-84bf-2c8d6a8e5939"
},
"@version": "1",
"source": {
  "port": 33698,
  "ip": "x.y.z.A"
},
"ecs": {
  "version": "8.6.0"
},
"observer": {
  "log_format_version": "1.0.0",
  "hostname": "gcenter.domain",
  "vendor": "gatewatcher",
  "gcap": {
    "ingress": {
      "interface": {
        "name": "monvirt"
      }
    },
    "hostname": "gcap",
    "version": "2.5.x."
  },
  "product": "gcenter",
  "uuid": "fc1e66e3-a397-5eb4-9277-754be778f317",
  "version": "2.5.x"
},
"destination": {
  "port": 9999,
  "ip": "x.A.V.X"
},
"@timestamp": "2024-12-04T14:12:44.750Z",
"network": {
  "protocol": "unknown",
  "transport": "tcp",
  "timestamp": "2024-12-04T14:11:36.408774+0000",
  "flow_id": 2227663757209674
}

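As an added example (not part of the GCenter documentation or product), the following Python consumes the `_source` document of an alert like the one above, as a SIEM or triage script receiving the syslog export would, and builds a short summary: in the page's example the `score` equals the sum of the `score_details` counters, so the recomputed sum is checked against it, the highest contributing indicators are ranked, and `proba_obfuscated` is compared with an assumed local threshold. The sample alert is constructed from the page's values and trimmed to the fields used.

```python
import json

# Constructed sample: the "_source" fragment of a Malicious Powershell Detect
# alert, trimmed to the fields used below; values follow the page's example.
SAMPLE_ALERT = json.loads("""
{
  "malicious_powershell": {
    "sample_id": "12-04-2024T14:12:40_03afe38854c8443db03807bcc51cf935_gcap.gatewatcher.com",
    "score_details": {
      "InvokeExpression": 100, "WebClientInvokation": 20, "Base64": 188,
      "StrCat": 4, "StrJoin": 6, "CharInt": 6, "FmtStr": 8,
      "InvokeRestMethod": 0, "InvokeWebRequest": 0, "StartBitsTransfer": 0
    },
    "proba_obfuscated": 0.6,
    "score": 332,
    "id": "b5c38e2159f80a5a3076a353360cb5f1"
  },
  "event": {"module": "malicious_powershell_detect", "severity": 1,
            "id": "081d78f9-81f2-4408-84bf-2c8d6a8e5939"},
  "source": {"ip": "x.y.z.A", "port": 33698},
  "destination": {"ip": "x.A.V.X", "port": 9999}
}
""")

def summarize_alert(alert, top_n=3, obfuscation_threshold=0.5):
    """Triage summary of one alert; the obfuscation threshold is an assumed local policy."""
    mp = alert["malicious_powershell"]
    details = mp["score_details"]
    # In the page's example the score equals the sum of score_details;
    # recompute it so a mismatch in an exported alert stands out.
    recomputed = sum(details.values())
    # Rank the indicators that actually contributed, highest first.
    top = sorted(((k, v) for k, v in details.items() if v > 0),
                 key=lambda kv: kv[1], reverse=True)[:top_n]
    src, dst = alert["source"], alert["destination"]
    return {
        "alert_id": alert["event"]["id"],
        "sample_id": mp["sample_id"],
        "flow": f'{src["ip"]}:{src["port"]} -> {dst["ip"]}:{dst["port"]}',
        "score": mp["score"],
        "score_consistent": recomputed == mp["score"],
        "top_indicators": top,
        "likely_obfuscated": mp["proba_obfuscated"] >= obfuscation_threshold,
    }

if __name__ == "__main__":
    print(json.dumps(summarize_alert(SAMPLE_ALERT), indent=2))
```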
2.1.3.2.2.3. List of counters of the alert

Note

The alert counters are visible:

  • in the Alert details screen of the WEBUI

  • in the Expanded document of Kibana

  • in the export to the SIEM

The detailed information is given in the table (Counters of the source part of logs).


2.1.3.3. Management of the engine

2.1.3.3.1. Viewing the engine status

The engine status is displayed in the `Health checks` screen.


2.1.3.3.2. Engine update

The engine is updated with each new version of the GCenter.


2.1.3.3.3. Engine configuration

The configuration interface enables the engine activation:
PowerShell detection is not enabled by default and is defined in the profiles sent to the GCap (`GCaps profiles` screen).

2.1.3.4. Alert Analysis

The alerts are displayed on a specific screen: this screen is described in Web UI `Alerts`.
The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing PowerShell alerts is described in Analysing the Malicious Powershell Detect alerts.