Investigating Script-Based Attacks

Script-based attacks are commonly used to gain entry into systems and to move laterally to inflict damage. On the Investigate page, you can find information on script-based attacks and you can identify malicious code in obfuscated PowerShell scripts.

To reveal hidden threats, tools in the Carbon Black Cloud console can decode the contents of the obfuscated PowerShell scripts. You can review the decoded scripts in the right-side panel for a particular event. Syntax highlighting makes it easier to scan for string content, PowerShell commands, and function calls when you search for malicious content.

Investigate Obfuscated PowerShell Scripts

The Carbon Black Cloud console provides the capability to expose the specific details and the decoded version of obfuscated PowerShell scripts, which can help to provide enhanced visibility into these types of attacks.

You can use this procedure to see the decoded content of an obfuscated PowerShell script.

Procedure

On the left navigation pane, click Investigate.

Do one of the following, depending your product configuration:

Product Step

Endpoint Standard

Product	Step
Endpoint Standard	On the Enriched Events tab, find processes where the executable is powershell.exe. Look at the Events. You can use the search facility by directly typing `process_name: powershell.exe` and you can modify the time range for the search. For further narrowing of the results, you can use the filter facets on the left. For more search fields, see the Search Guide, embedded at the top right of the page.
Enterprise EDR	On the Processes tab, find processes where the executable is powershell.exe. You can use the search facility by directly typing `process_name: powershell.exe` and you can modify the time range for the search. For further narrowing of the results, you can use the filter facets on the left. For more search fields, see the Search Guide, embedded at the top right of the page.

On the Enriched Events tab, find processes where the executable is powershell.exe. Look at the Events.

You can use the search facility by directly typing

process_name: powershell.exe

and you can modify the time range for the search. For further narrowing of the results, you can use the filter facets on the left.

For more search fields, see the Search Guide, embedded at the top right of the page.

Enterprise EDR

On the Processes tab, find processes where the executable is powershell.exe.

You can use the search facility by directly typing

process_name: powershell.exe

and you can modify the time range for the search. For further narrowing of the results, you can use the filter facets on the left.

For more search fields, see the Search Guide, embedded at the top right of the page.

On the page, choose the event or process you want to investigate. Click the caret at the end of a row. The right-side panel displays details of the event.
In the Process section on the right-side panel, find the CMD line and click the expand icon .

Results

After clicking Expand

for the Process CMD, distinguish the difference in the output between a non-PowerShell process and a PowerShell process:

Note: In the images below, portions of the path were intentionally blurred out.

For a non-PowerShell process, command line arguments are displayed under CMD Line.
For an obfuscated PowerShell process, the decoded script code is displayed with colored text and highlighted keywords under Key Indicators.

What to do next

Proceed with your alert triage or threat hunting and determine whether the intent is malicious or not.