As a powerful Windows scripting language, PowerShell is used by both IT specialists and attackers. PowerShell is a built-in command-line tool. It can download and execute code from another system. PowerShell provides unique access to Windows computers. Because system administrators use PowerShell to automate various tasks, it is enabled on many computers. Because the files and commands are not written to disk, their malicious use is generally not prevented or detected by traditional AV/HIPS. Despite these difficulties, removing PowerShell is not ideal, given the benefits it provides to IT managers. A widespread problem we face is the lack of usable logging for understanding the actions an attacker carried out with PowerShell. These logs will give you the visibility you need to better respond to, investigate, and remediate attacks related to PowerShell.
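The logging gap described above is usually closed by turning on full script block logging, module logging, and process creation auditing with command lines on each endpoint. The script below is an added example, not Logsign's own tooling; it uses the standard Windows policy registry locations, `Set-PolicyValue` is a hypothetical helper defined here, and in a domain the same settings would normally be deployed by Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example: enable the Windows logs a SIEM needs to see PowerShell activity.
# Set-PolicyValue is a hypothetical helper, not a built-in cmdlet.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param(
        [string]$Path,
        [string]$Name,
        $Value,
        [string]$Type = 'DWord'
    )
    # Create the policy key if it is missing, then write (or overwrite) the value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: event ID 4104 in Microsoft-Windows-PowerShell/Operational.
# Records the script text as it is executed, including code that never touches disk.
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module logging for every module: event ID 4103 (pipeline execution details).
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# Process creation auditing: Security event ID 4688.
# The subcategory name below is the English one; it is localized on other systems.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# Include the full command line in 4688 events (off by default).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
Set-PolicyValue $auditKey 'ProcessCreationIncludeCmdLine_Enabled' 1

# Verify: show the most recent script block events, if any have been written yet.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'ScriptBlockText'; Expression = { $_.Properties[2].Value } }
```

Script block and command-line logs can contain credentials typed into scripts, so restrict who can read these event logs and the SIEM indexes that receive them.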
PowerShell control logs, process creation logs, and EDR logs on Windows are sent to Logsign SIEM and run through the relevant correlation processes.
After behavioral analysis with correlation operations, the user is labelled as Attacker, Victim, or Suspicious.
After the first activity the attacker starts on the user's side, the logs are enriched through behavioral analysis using the logs received from the sources. The log activity generated by the attacker's actions is correlated and displayed on the relevant dashboard panels.
Malicious PowerShell attacks detected by the Logsign correlation engine can be identified and revealed by Logsign SIEM and, after being analyzed, shared with the relevant IT managers by SMS and e-mail.