A significant portion of modern exploits, often those used by ransomware actors, leverage PowerShell scripts somewhere in the exploit chain. Without PowerShell-specific logging, the only attacks Alert Logic can investigate are those that pass the entire script as a command line argument, and only if command line logging is enabled.
Enabling PowerShell-specific logging gives Alert Logic the specific modules and script blocks that were used, regardless of how PowerShell or a malicious script is executed. The Alert Logic agent can collect these event log types from some versions of Windows; however, those logs may not provide enough verbosity or include all recommended log streams. Alert Logic therefore recommends explicitly enabling Windows PowerShell logging.
Note: PowerShell logs can often contain sensitive information like passwords. This information will be sent to Alert Logic unencrypted.
Configure Windows PowerShell Logging
Note: The following steps are provided as general guidance when using an Amazon Web Services instance template with Windows Server 2019. There may be variations in necessary steps depending on your version. If you have concerns or issues, consult your Windows Administrator or Microsoft TechNet articles for the most up-to-date information on Windows logging configurations and specific best practices.
- Open Command Prompt, type gpedit, and press the Enter/Return key. This will open the Local Group Policy Editor.
Note: This must be done on a Domain Controller unless the server is standalone.
- On the left-hand side of the Local Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
- Double-click Turn on Module Logging and set it to Enabled. Put an asterisk (*) in the Module Names box.
- Double-click Turn on PowerShell Script Block Logging and set it to Enabled.
Note: In steps 3 and 4, confirm that you have also enabled invocation headers.
- Open Command Prompt, type gpupdate /force, and press the Enter/Return key.
Note: Logging can be enabled in a variety of ways, including custom PowerShell cmdlets, registry modification, and Group Policy Objects. The Group Policy Object method is explained here because it is simple and scalable.
Validate the Configuration
Open Windows PowerShell and run a few scripts. Wait about 15 minutes for the logs to begin coming through.
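As an added example, not part of the Alert Logic article, the following PowerShell audits the registry keys that the Group Policy settings above write and counts the 4103/4104 events written locally in the last 15 minutes, so a host can be checked before turning to the console query. The registry paths and event IDs are the standard Windows ones; the script assumes an elevated session.

```powershell
# Added example (not from the Alert Logic article): audit the policy registry keys that the
# Group Policy settings above write, then count recent PowerShell log events locally.
# Assumes an elevated PowerShell session; reading the Operational log needs admin rights.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyDword {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Turn on Module Logging" -> ModuleLogging\EnableModuleLogging = 1, with the
# module patterns stored as value names under ModuleLogging\ModuleNames.
$moduleLogging  = Get-PolicyDword -SubKey 'ModuleLogging' -Name 'EnableModuleLogging'
$moduleNamesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
$moduleNames    = @()
if (Test-Path $moduleNamesKey) {
    $moduleNames = (Get-Item $moduleNamesKey).GetValueNames()
}

# "Turn on PowerShell Script Block Logging" -> ScriptBlockLogging\EnableScriptBlockLogging = 1;
# the invocation start/stop (header) option -> EnableScriptBlockInvocationLogging = 1.
$scriptBlock = Get-PolicyDword -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
$invocation  = Get-PolicyDword -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockInvocationLogging'

$checks = [ordered]@{
    'Module logging enabled'        = ($moduleLogging -eq 1)
    'Module names include *'        = ($moduleNames -contains '*')
    'Script block logging enabled'  = ($scriptBlock -eq 1)
    'Invocation start/stop enabled' = ($invocation -eq 1)
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK' } else { 'MISSING' }
    Write-Output ("[{0}] {1}" -f $state, $c.Key)
}

# Count the events the console query tallies (4103 = module, 4104 = script block)
# written in the last 15 minutes, the same window the validation step waits for.
$since  = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = $since
} -ErrorAction SilentlyContinue
$events | Group-Object Id | ForEach-Object {
    Write-Output ("Event ID {0}: {1} event(s) since {2:HH:mm}" -f $_.Name, $_.Count, $since)
}
```

If every check reports OK but no events are counted, the policy has not been applied yet; rerun gpupdate /force and generate some PowerShell activity before checking again.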
In the Alert Logic console, go to (navigation menu) > Investigate > Search > Search, switch to Expert Mode, and run the SQL query below to validate that logs are reaching Alert Logic as expected. Check the powershell_logs and powershell_script_block_log columns: they show the number of logs in each category that have reached the console, which confirms that Windows PowerShell logs are being collected by Alert Logic.
Validate Using Alert Logic Log Search
The following is an Alert Logic search query for the presence of PowerShell, Windows commands, and other ransomware-related log types:
SELECT
    coalesce([asset.dict.asset.host.name, metadata.dict.dict.local_hostname, parsed.token_names.header.addr.host_name]) as hostname,
    metadata.dict.dict.local_ipv4,
    metadata.dict.dict.host_type,
    SUM(IF(coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4624', '4625'], 1, 0)) as num_login_events,
    SUM(IF(coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4723', '4724', '4725', '4726', '4720', '4738'], 1, 0)) as user_account_events,
    SUM(IF(coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) in ['4100', '4101', '4102', '4103', '400', '500', '501'], 1, 0)) as powershell_logs,
    SUM(IF(coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4104', 1, 0)) as powershell_script_block_log,
    SUM(IF(coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4688', 1, 0)) as process_logs,
    SUM(IF(not parsed.token_names.action.command = '' and coalesce([parsed.token_names.log_information.win_log.win_event.win_event_code, parsed.token_names.event.event_id]) = '4688', 1, 0)) as process_logs_with_cmd_line_args
FROM logmsgs
WHERE
    (
        parsed.token_names.log_information.win_log.win_event.win_event_code in ['4624', '4625', '4723', '4724', '4725', '4726', '4720', '4738', '4100', '4101', '4102', '4103', '400', '500', '501', '4104', '4688']
        or
        parsed.token_names.event.event_id in ['4624', '4625', '4723', '4724', '4725', '4726', '4720', '4738', '4100', '4101', '4102', '4103', '400', '500', '501', '4104', '4688']
    )
GROUP BY hostname, metadata.dict.dict.local_ipv4, metadata.dict.dict.host_type