Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Process Hunting - Powershell + WGET typing manualy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Process Hunting - Powershell + WGET typing manualy

L3 Networker

Hello dear community, 

 

is there a way to hunt for a manually started powershell.exe where a attacker started wget. 

 

In this case I opened cmd and typed this CMD in. Cortex XDR recognized it. 

 

Cyber1985_0-1654549745309.png

 

But when I manualy open powershell and type in manualy wget google.at Cortex XDR doesn't recognize the parameters in the powershell with my query. 

 

What is the best way to track starting wget in powershell? 

 

BR

 

Rob

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Cyber1985,

 

There's some Windows nuance happening here which is tripping you up.  When you used CMD to launch Powershell, Cortex examined the command line arguments passed to powershell (i.e. powershell.exe wget [site_url]) and was able to match "wget", however, when you type "wget" into an interactive Powershell window, there are no command line arguments to examine, it all happens within the interactive shell without spawning a subprocess as was the case with CMD.

 

To detect this, you will need to have Powershell logging enabled shown here from Microsoft, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_win...

 

Assuming you have Cortex XDR Pro per Endpoint, Windows Event logs are ingested and can be searched.

View solution in original post

4 REPLIES 4

L4 Transporter

Hi Cyber1985,

 

There's some Windows nuance happening here which is tripping you up.  When you used CMD to launch Powershell, Cortex examined the command line arguments passed to powershell (i.e. powershell.exe wget [site_url]) and was able to match "wget", however, when you type "wget" into an interactive Powershell window, there are no command line arguments to examine, it all happens within the interactive shell without spawning a subprocess as was the case with CMD.

 

To detect this, you will need to have Powershell logging enabled shown here from Microsoft, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_win...

 

Assuming you have Cortex XDR Pro per Endpoint, Windows Event logs are ingested and can be searched.

Hey Afurze, 

 

nice nickname, is it german? 

I tested it and it worked on my machine. So, we will need to activate the PowerShell logging on every domain. 

 

Thanks a lot! 

 

BR

 

Rob

is there a list of windows event logs thats are collected? i was not aware powershell event logs are available in cortex

L4 Transporter

Here is the article which outlines what Windows Event Logs are collected by Cortex.

  • 1 accepted solution
  • 2906 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!