
Stop Malicious PowerShell with New ExtraHop Security Tools

Summary

– ExtraHop has introduced new capabilities to detect malicious PowerShell use, enhancing visibility to disrupt attack chains and stop lateral movement.
– Attackers like the Qilin Ransomware group exploit PowerShell for living-off-the-land tactics to map networks, escalate privileges, and evade detection.
– ExtraHop’s new detections identify PowerShell commands and lateral movement techniques, such as Invoke-ShareFinder enumeration and Group Policy Preferences password enumeration.
– The platform decrypts encrypted malicious commands in protocols like MS-RPC and WSMAN, enabling analysts to trace threats across the attack kill chain.
– ExtraHop decrypts traffic at high speeds and decodes numerous protocols to uncover hidden threats, detect lateral movement, and stop attacks before they cause breaches.

Organizations facing sophisticated cyberattacks now have a powerful new defense with ExtraHop’s latest security enhancements designed to detect and neutralize malicious PowerShell activity. These advanced capabilities deliver the critical visibility required to interrupt the attack kill chain, providing actionable insights that halt lateral movement before it can inflict damage. Attackers frequently leverage trusted administrative tools like PowerShell to operate stealthily within a network, a technique known as “living-off-the-land.” This approach allows threat actors, including groups like the Qilin Ransomware-as-a-Service operation, to blend in with normal system administration while they map infrastructure, identify high-value targets, and escalate privileges to seize control. By using encrypted commands within common protocols, they effectively hide their actions from many conventional security tools.

To counter these evasive tactics, ExtraHop has integrated several new detection mechanisms that add rich context to security alerts. These detections identify specific malicious behaviors, such as the use of particular PowerShell commands, Invoke-ShareFinder enumeration attempts, and Group Policy Preferences password enumeration. This enables security teams to spot attempts to reach other systems in search of sensitive data or credentials. A core strength of the platform is its ability to decrypt and analyze the content concealed within malicious commands, even when they are carried inside encrypted protocols like MS-RPC and WSMAN. This allows analysts to trace an attacker’s precise path across the entire attack lifecycle.

With these new tools from ExtraHop, enterprises gain significant advantages in their security posture. They can uncover hidden threats with critical context, as the platform decrypts encrypted traffic at speeds up to 100 Gbps and interprets over 90 different network protocols to rapidly expose malicious actions. The system is also adept at detecting lateral movement before threats escalate, revealing the exact PowerShell commands an attacker is using to pivot between devices on the network. Furthermore, it helps stop living-off-the-land attacks by identifying when PowerShell is weaponized for activities like privilege escalation, credential dumping, or the deliberate disabling of endpoint detection and response (EDR) and firewall controls.

Anthony James, VP of Product Marketing at ExtraHop, emphasized the critical nature of this capability. He stated that without the power to decrypt and decode otherwise hidden commands, enterprises remain highly vulnerable to PowerShell-based attacks. ExtraHop has developed a remarkably robust solution that makes this level of protection a reality for its customers. By leveraging its native decryption and deep protocol understanding, the platform fully captures malicious PowerShell commands that other security tools often miss. This unprecedented level of visibility empowers organizations to expose lateral movement and stop an attack in its tracks, preventing potential threats from escalating into full-scale, impactful breaches.

(Source: HelpNet Security)
