Abnormal PowerShell Command Execution

Stop Fileless Malware with “Abnormal PowerShell Command Execution”

Gurucul’s #MachineLearningMadness blog series continues to deliver details on our most popular machine learning models. Next up is a critical model for Windows environments.

Gurucul Machine Learning Model: Abnormal PowerShell Command Execution

How does the Abnormal PowerShell Command Execution machine learning model work, and what does it do? This machine learning model tracks all access that could grant users elevated privileges, and it identifies abnormally frequent system access or bypass attempts. It uses clustering and frequency analysis to detect anomalous behavior.

As you probably know, PowerShell is a tool commonly used by systems administrators in Windows environments that lets them execute several commands very quickly. Unfortunately, it’s also a tool that hackers may use to undertake nefarious activity at the command-line level. PowerShell is increasingly used by cybercriminals as part of their attacks’ tool chain, mainly for installing backdoors, downloading malicious content and for lateral movement. These actions may go undetected because the activity can look normal, yet Gurucul Risk Analytics is able to detect and root out these exploitative actions using clustering and frequency analysis.

Let’s look at some examples:

Case 1:  A systems administrator elevates the privileges on his regular user account to perform administrative work. However, he shouldn’t be using his regular user account to execute administrative tasks. Clustering exposes these activities as outlier-type behavior for that user.

Case 2:  Someone who is not a systems administrator attempts to execute a PowerShell command. Regular users should not have administrative access. Clustering would identify this as outlier behavior for a regular user account.

Case 3: An entity, such as a device, is trying to bypass a jump server. In most cases, jump host architectures may have some form of monitoring; however, they frequently don’t. You may discover your jump servers being swamped by automated PowerShell scripts which are attempting to overrun this normally protective form of infrastructure. You may detect a device trying to access several different hosts and failing, which shows up as several failed attempts on numerous devices and amounts to “high frequency”. In normal circumstances, where a device is not trying to bypass the jump server, there would be one or two attempts to the same server, which amounts to “low frequency”. Clustering identifies this repetitive type of bypass attempt and flags it as outlier behavior.
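The frequency contrast in Case 3 can be expressed as a small peer-group check. This is an added example, not Gurucul’s model or code: the device and host names, the event tuples and the `k`/`floor` parameters are constructed for illustration, and a median-based threshold stands in for the clustering the article mentions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not real telemetry): (source device, destination, outcome).
EVENTS = [
    ("ws-014", "jump-01", "success"), ("ws-014", "jump-01", "success"),
    ("ws-022", "jump-01", "failure"), ("ws-022", "jump-01", "success"),
    ("ws-031", "jump-01", "success"), ("ws-047", "jump-01", "success"),
    ("ws-058", "jump-01", "failure"), ("ws-058", "jump-01", "success"),
    # One device going straight at internal hosts and failing on each of them.
    ("ws-099", "db-01", "failure"), ("ws-099", "db-02", "failure"),
    ("ws-099", "app-01", "failure"), ("ws-099", "app-02", "failure"),
    ("ws-099", "file-01", "failure"), ("ws-099", "dc-01", "failure"),
]

def failed_fanout(events):
    """Per source: number of distinct destinations with at least one failed attempt."""
    hosts = defaultdict(set)
    for src, dst, outcome in events:
        dsts = hosts[src]  # registers quiet devices too, so they count toward the baseline
        if outcome == "failure":
            dsts.add(dst)
    return {src: len(dsts) for src, dsts in hosts.items()}

def flag_outliers(fanout, k=3.0, floor=1.0):
    """Flag sources whose fan-out exceeds median + k * max(MAD, floor) of the peer group.

    The floor keeps the threshold meaningful when most devices have zero or one
    failure and the median absolute deviation (MAD) collapses toward zero.
    """
    values = list(fanout.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * max(mad, floor)
    flagged = sorted(src for src, v in fanout.items() if v > threshold)
    return flagged, threshold

if __name__ == "__main__":
    fanout = failed_fanout(EVENTS)
    flagged, threshold = flag_outliers(fanout)
    print("failed fan-out per device:", fanout)
    print("threshold:", threshold, "flagged:", flagged)
```

Devices with one failed attempt against the jump server stay under the threshold; only the device failing against six different hosts is flagged.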

Use Case: Fileless Malware

Fileless malware is malicious code that exists only in memory. Because this type of malware never gets installed on the target computer’s hard drive, it doesn’t exist as a file, so it eludes intrusion prevention systems and antivirus programs. Users’ systems typically become infected with fileless malware by visiting malicious websites. Malvertisements are well-known fileless malware offenders. Fileless malware exploits the vulnerabilities of PowerShell to conduct backdoor activities.

Here’s the problem: traditional antivirus and anti-malware security software aren’t looking for fileless malware attacks. They aren’t designed to stop this type of attack, so they can’t find them. You need something more and something better. You need the Gurucul Abnormal PowerShell Command Execution machine learning model.

This powerful model will identify unusual spikes in PowerShell processes. It will detect if someone who is not a system administrator attempts to execute a PowerShell command. It will recognize anomalous behaviors, such as when a regular user (whose account suddenly has elevated administrative privileges) starts cruising around your network and probing into servers and vulnerability management scans. If a server has not been scanned in a while and it suddenly begins doing odd things, such as attempting to communicate with IP addresses that aren’t normal, this is anomalous behavior. Gurucul Risk Analytics will detect this abnormal behavior and will track that server closely to ensure that it has not been compromised by fileless malware.

What are the Benefits of Abnormal PowerShell Command Execution?

Given the well-documented issues of hackers’ exploits using PowerShell, it’s imperative that you track all PowerShell command line processes that are running in your Windows environments. The Abnormal PowerShell Command Execution machine learning model in Gurucul Risk Analytics can detect whether you’re a victim of a fileless malware attack or not. Gurucul Risk Analytics compares current behavior, using frequency and clustering, to previously baselined behavior to detect fileless malware attacks. This is extremely difficult to do without the power of big data, clustering and analytics.
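Comparing current behavior to a per-account baseline, as described above and in Cases 1 and 2, can be sketched as follows. This is an added example, not Gurucul’s model or code: the account names, the daily counts and the `k`/`min_sigma` parameters are constructed, and a mean-plus-standard-deviation rule stands in for the product’s analytics.

```python
from statistics import mean, pstdev

# Constructed data (not real telemetry): PowerShell process starts per account per day
# over the previous ten working days, e.g. counted from process-creation logs.
BASELINE = {
    "adm-lee":   [42, 38, 51, 45, 40, 47, 39, 44, 50, 43],  # dedicated admin account
    "lee":       [0, 0, 1, 0, 0, 0, 0, 2, 0, 0],            # same person, regular account
    "svc-build": [12, 12, 12, 12, 12, 12, 12, 12, 12, 12],  # scheduled job, zero variance
    "garcia":    [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],            # never runs PowerShell
}
TODAY = {"adm-lee": 49, "lee": 37, "svc-build": 12, "garcia": 3}

def classify(history, today, k=3.0, min_sigma=1.0):
    """Compare today's count with the account's own history.

    "first-seen": PowerShell use by an account that has none in its baseline (Case 2).
    "spike": today exceeds mean + k * sigma of the baseline (Case 1 when an admin
             works from a regular account). min_sigma keeps flat or near-flat
             baselines from alerting on a change of a single process.
    """
    if today == 0:
        return "normal"
    if not any(history):
        return "first-seen"
    mu = mean(history)
    sigma = max(pstdev(history), min_sigma)
    return "spike" if today > mu + k * sigma else "normal"

def review(baseline, today):
    """Classify every account seen today; accounts without history count as first-seen."""
    return {acct: classify(baseline.get(acct, []), n) for acct, n in today.items()}

if __name__ == "__main__":
    for acct, verdict in review(BASELINE, TODAY).items():
        print(f"{acct:10s} today={TODAY[acct]:3d} -> {verdict}")
```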

As is most often the case, less is more. In this case, fileless is more. Get more with Gurucul’s behavior based security analytics and intelligence. Contact us for details.
