Splunk Tech Talks
Deep-dives for technical practitioners.

Hunting for Malicious PowerShell using Script Block Logging

melissap
Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Hunting for Malicious PowerShell using Script Block Logging 

Hunting for Malicious PowerShell using Script Block Logging
Video Player is loading.
Current Time 0:00
Duration 0:00
Loaded: 0%
Stream Type LIVE
Remaining Time 0:00
 
1x
    • Chapters
    • descriptions off, selected
    • captions off, selected
      (view in My Videos)

      The Splunk Threat Research Team most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging. We focused our security content on script block logging (4104) as it provides the most granular visibility of PowerShell scripts that execute on an endpoint. However, we also provided a way to gather all three for testing validation, production or curiosity.

      Tune in to this Tech Talk to learn about:

      • What is a malicious powershell
      • How to detect malicious powershell with script block logging
      • How to implement threat hunting in your operations to prevent breaches
      melissap
      Splunk Employee
      Splunk Employee

      Here are some follow up materials to continue on your journey.

      1. Splunk content updates on Github
      2. Blog: PowerShell Detections
      3. Splunk Community Slack
        • splunk-usergroups.slack.com 
      4. Splunk Security Threat Research Team website
      5. Splunk Answers community of ES Content Update
      mfiller_schell
      Engager

      This is EXCELLENT

       

      Would love to see more

      Get Updates on the Splunk Community!

      AppDynamics Summer Webinars

      This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

      SOCin’ it to you at Splunk University

      Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

      Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

      Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...