cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 14
‎10-09-2020 09:20 AM

Exploit Prevention, get source name of the script

Jump to solution

Hello,

I have created a Expert Rule that trigger a report event when a specific command line in powershell is called.

In this event I cannot find the source name of the script that executed the command.

 

Is there a way to locate the script that tryied to execute this command ?

0 Kudos
Reply
1 Solution

Accepted Solutions
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 14 of 14
‎10-13-2020 09:45 AM

Re: Exploit Prevention, get source name of the script

Jump to solution
I find it using "parent_cmdline" in ProcessHistory (Not visible by default)

Thx

View solution in original post

0 Kudos
Reply
13 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 14
‎10-09-2020 08:42 PM

Re: Exploit Prevention, get source name of the script

Jump to solution

Hello,

 

Thank you for your post.

 

Could you share a screenshot of the issue that you are referring to so that we can suggest you further?

 

 

 

 

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 14
‎10-13-2020 06:35 AM

Re: Exploit Prevention, get source name of the script

Jump to solution
Hello i'm not really sure what to share with you.

It's easy.

I have a custom Expert rule, which include *Powershell* and specific "commandline"

When i check report / block i do receive event but I just have the description of the commandline, the source has powershell, but not the source script.

How can I have the source script ?
0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 14
‎10-10-2020 02:54 PM

Re: Exploit Prevention, get source name of the script

Jump to solution

There isn't necessarily a script file.  It could be a command line argument or a command passed in the shell.   If you want to to see script file names that aren't passed in the command line,  you would have to create a rule that logs ps1 file read.  

Dave

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 5 of 14
‎10-11-2020 02:21 AM

Re: Exploit Prevention, get source name of the script

Jump to solution

Hello Dave,

 

I understand but if you could provide us a screenshot it will very helpful to suggest you further.

 

 

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 14
‎10-13-2020 06:36 AM

Re: Exploit Prevention, get source name of the script

Jump to solution
Hm could you give me more detail on that?
0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 7 of 14
‎10-13-2020 08:05 AM

Re: Exploit Prevention, get source name of the script

Jump to solution

ENS doesn't log the script content. It would be necessary to use MVISION EDR on an AMSI-enabled system, using the ProcessHistory content collector to pull back script content, or enable local PowerShell logging and view the data there.

 

Dave

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 14
‎10-13-2020 08:33 AM

Re: Exploit Prevention, get source name of the script

Jump to solution
Nice idea,

But even in ProcessHistory (using MAR search) I do not have the script Path, I only see the powershell.exe using the commandline without the source script.
0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 9 of 14
‎10-13-2020 08:37 AM

Re: Exploit Prevention, get source name of the script

Jump to solution

Depending upon the command line, there may be no script file at all.  You do not need a file to execute a PowerShell command.  

0 Kudos
Reply
jmcg
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 14
‎10-13-2020 08:41 AM

Re: Exploit Prevention, get source name of the script

Jump to solution
I have simulate a "bad script" which inside I call "Powershell -mybadcommandline"

I can see/block this commandline using exploit prevention, but i'm not able to locate the script, with this scenario, this script can run in loop without been deleted.
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC