For the fifth year in a row, PowerShell (T1059.001) placed high among the most prevalent ATT&CK techniques ranked in Red Canary’s annual Threat Detection Report. Coming in at number 2 this year, PowerShell abuse shows no signs of slowing down, as adversaries find new ways to automate malicious behavior that blends in with normal Windows configurations. Recently, VMware’s Casey Parman and Jamie Williams from the MITRE ATT&CK® team joined Red Canary’s Matt Graeber and Sarah Lewis for the latest installment of our Threat Detection Series—a PowerShell power hour, if you will. The full webinar is available on demand, and you can watch clips below.
First things first, is PowerShell a tool or technique?
Direct from the ATT&CK team itself: the answer is yes. PowerShell is a powerful tool that provides a foundation for countless other Windows ATT&CK techniques. Jamie Williams explains why PowerShell is like a “Swiss Army knife” to administrators and adversaries alike.
Which threats abuse PowerShell and how?
In 2022, Red Canary observed Yellow Cockatoo, Gootloader, Mimikatz, and other threats leveraging PowerShell as part of an intrusion chain. Jamie Williams highlights the ways that PowerShell tradecraft has evolved over the years.
How do I collect PowerShell telemetry?
Red Canary’s Director of Threat Research Matt Graeber highlights some key data sources for collecting PowerShell telemetry, including automatic scriptblock logging, deep scriptblock logging, and the Antimalware Scan Interface (AMSI).
How do I distinguish malicious PowerShell behavior from legitimate use?
Given that PowerShell is included by default on most Windows environments, detecting malicious use is not as simple as flagging powershell.exe. Senior Detection Engineer Sarah Lewis walks through some distinguishing elements of PowerShell abuse that defenders can build detection logic around, including unexpected parent and child processes and obfuscated command-line arguments. The PowerShell page in the Threat Detection Report also lists a number of proven detection opportunities.
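To make the parent-process and command-line signals concrete, here is an added PowerShell example (written for this post, not Red Canary’s detection logic) that runs a few heuristics over constructed process-creation records. The list of unexpected parents and the thresholds are assumptions to tune for your own environment.

```powershell
# Constructed sample process-creation records (not real telemetry), shaped like the
# fields a Sysmon Event ID 1 or Security 4688 collector would provide.
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$events = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = $ps
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\Inventory.ps1' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = $ps
                       CommandLine = "powershell.exe -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe'; Image = $ps
                       CommandLine = 'powershell.exe -c "G`e`t-Pr`oc`ess"' }
)

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)] $Event)
    $reasons = [System.Collections.Generic.List[string]]::new()
    $cmd = [string]$Event.CommandLine

    # Parents that should not normally spawn a shell (assumed list; tune per environment).
    $unexpectedParents = 'winword.exe', 'excel.exe', 'outlook.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLower()
    if ($unexpectedParents -contains $parent) { $reasons.Add("unexpected parent process: $parent") }

    # -EncodedCommand (and its short forms) carries a base64 UTF-16LE script; decode it for the analyst.
    if ($cmd -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { $decoded = '<not valid base64>' }
        $reasons.Add("encoded command: $decoded")
    }

    # Backtick escapes inside a command name are a classic token-level obfuscation.
    if ([regex]::Matches($cmd, '`').Count -ge 3) { $reasons.Add('excessive backtick escaping') }

    # Hidden windows are rare in legitimate interactive administration.
    if ($cmd -match '(?i)-w(indowstyle)?\s+hidden') { $reasons.Add('hidden window') }

    [pscustomobject]@{
        Parent      = $parent
        Suspicious  = $reasons.Count -gt 0
        Reasons     = ($reasons -join '; ')
        CommandLine = $cmd
    }
}

# Evaluate every record; in practice the input would come from your EDR or event-log pipeline.
$events | ForEach-Object { Test-SuspiciousPowerShell -Event $_ } | Format-Table -AutoSize
```

The first record should come back clean while the Word-spawned encoded command and the backtick-obfuscated command are flagged with the reasons listed.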
Are there any preventive measures I can take to mitigate this behavior?
Matt Graeber explains how defenders can reduce their exposure to PowerShell abuse by implementing Microsoft’s Constrained Language mode.
How can I validate my detection coverage for PowerShell abuse?
There are dozens of Atomic Red Team tests that emulate suspicious PowerShell activity. You can also leverage AMSI in your testing efforts. Along with Matt Graeber’s Send-AmsiContent script, Casey Parman shares his custom AMSI provider, SoYouWannaBeAnAMSIProvider, that defenders can install locally to analyze key logs.