Splunk Tech Talks
Deep-dives for technical practitioners.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
New Article

Hunting for Malicious PowerShell using Script Block Logging

melissap
Splunk Employee
Splunk Employee
‎09-10-2021 04:27 AM

View our Tech Talk: Security Edition, Hunting for Malicious PowerShell using Script Block Logging 

(view in My Videos)

The Splunk Threat Research Team most recently began evaluating more ways to generate security content using native Windows event logging regarding PowerShell Script Block Logging. This method provides greater depth of visibility as it provides the raw (entire) PowerShell script output. There are three sources that may enhance any defender's perspective: module, script block and transcript logging. We focused our security content on script block logging (4104) as it provides the most granular visibility of PowerShell scripts that execute on an endpoint. However, we also provided a way to gather all three for testing validation, production or curiosity.

Tune in to this Tech Talk to learn about:

  • What is a malicious powershell
  • How to detect malicious powershell with script block logging
  • How to implement threat hunting in your operations to prevent breaches
Labels
2 Comments
melissap
Splunk Employee
Splunk Employee
‎09-10-2021 04:32 AM

Here are some follow up materials to continue on your journey.

  1. Splunk content updates on Github
  2. Blog: PowerShell Detections
  3. Splunk Community Slack
    • splunk-usergroups.slack.com 
  4. Splunk Security Threat Research Team website
  5. Splunk Answers community of ES Content Update
mfiller_schell
Engager
‎09-10-2021 06:25 PM

This is EXCELLENT

 

Would love to see more

Contributors
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...