Splunk Tech Talks
Deep-dives for technical practitioners.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
New Article

Hunting for Malicious PowerShell using Script Block Logging

melissap
Splunk Employee
Splunk Employee
‎09-10-2021 04:27 AM

View our Tech Talk: Security Edition, Hunting for Malicious PowerShell using Script Block Logging 

(view in My Videos)

The Splunk Threat Research Team most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging. We focused our security content on script block logging (4104) as it provides the most granular visibility of PowerShell scripts that execute on an endpoint. However, we also provided a way to gather all three for testing validation, production or curiosity.

Tune in to this Tech Talk to learn about:

  • What is a malicious powershell
  • How to detect malicious powershell with script block logging
  • How to implement threat hunting in your operations to prevent breaches
Labels
2 Comments
melissap
Splunk Employee
Splunk Employee
‎09-10-2021 04:32 AM

Here are some follow up materials to continue on your journey.

  1. Splunk content updates on Github
  2. Blog: PowerShell Detections
  3. Splunk Community Slack
    • splunk-usergroups.slack.com 
  4. Splunk Security Threat Research Team website
  5. Splunk Answers community of ES Content Update
mfiller_schell
Engager
‎09-10-2021 06:25 PM

This is EXCELLENT

 

Would love to see more

Contributors
Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...