New ExtraHop capabilities target malicious PowerShell use across enterprise environments
ExtraHop has announced new capabilities to detect the malicious use of PowerShell. These enhancements provide the visibility needed to disrupt the attack kill chain and deliver insight to stop lateral movement in its tracks.
Remote management tools like PowerShell have become a notable weapon for attackers such as the Qilin Ransomware-as-a-Service (RaaS) operation, which has hit many high-value organizations globally, including several UK hospitals.
Threat actors often use PowerShell to live off the land, staying under the radar as they map the network, identify targets, and move laterally to escalate their privileges in a quest to gain control of the network. Using remote management tools and encrypting their commands lets attackers obfuscate their actions and evade detection by security tools.
To overcome these challenges, ExtraHop has added several new detections, along with capabilities that add context to them. Detections for PowerShell commands and other lateral movement techniques, such as Invoke-ShareFinder enumeration attempts and Group Policy Preferences password enumeration, enable enterprises to spot attempts to access other devices for sensitive information or credentials.
ExtraHop decrypts and uncovers the content hidden within these malicious commands, even when they are encrypted inside protocols like MS-RPC and WSMAN, allowing analysts to follow a threat’s path across the attack kill chain.
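As an added example, not ExtraHop's code or part of the original announcement: the minimal decoding step a defender needs once a PowerShell command line is visible, run over constructed sample events. PowerShell's -EncodedCommand argument is base64 of the UTF-16LE script, and the cmdlet names on the watchlist are assumed here as concrete markers for the two techniques the article names.

```python
import base64
import re
from typing import Optional

# Cmdlet names used as markers for the two techniques the article names (share
# enumeration and Group Policy Preferences password enumeration). The exact names
# are an assumption of this example, not taken from the article.
WATCHED_CMDLETS = ("Invoke-ShareFinder", "Get-GPPPassword")

# PowerShell accepts abbreviated forms of -EncodedCommand; the common ones are matched here.
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        # -EncodedCommand carries base64 of the UTF-16LE encoded script text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(command_line: str) -> dict:
    """Decode one process command line if needed, then look for watched cmdlets."""
    script = decode_encoded_command(command_line)
    encoded = script is not None
    text = script if encoded else command_line
    hits = [c for c in WATCHED_CMDLETS if c.lower() in text.lower()]
    return {"encoded": encoded, "script": text, "hits": hits, "suspicious": bool(hits)}


def to_encoded(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (used to construct samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines, not real telemetry.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -EncodedCommand " + to_encoded("Invoke-ShareFinder -CheckShareAccess"),
    "powershell.exe -ExecutionPolicy Bypass -enc " + to_encoded("Get-GPPPassword | Out-File gpp.txt"),
    "powershell.exe -Command Get-Service",
]


def scan(events):
    """Analyze every event and return one result per event."""
    return [analyze(e) for e in events]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result["suspicious"], result["encoded"], result["hits"], result["script"])
```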
With ExtraHop, enterprises benefit from the ability to:
- Uncover hidden threats with critical context: ExtraHop decrypts encrypted traffic at 100 Gbps and decodes 90+ network protocols to uncover malicious activity at rapid speed.
- Detect lateral movement before threats escalate: Reveal PowerShell commands to see an attacker’s actions and movement across the network to different devices.
- Stop living-off-the-land attacks: Detect when PowerShell is being utilized for nefarious activities like privilege escalation, credential dumping, or disabling EDR or firewall controls.
“Without the ability to decrypt and decode commands that would otherwise be hidden, enterprises will fall victim to PowerShell attacks,” said Anthony James, VP, Product Marketing, ExtraHop. “ExtraHop has developed an incredibly robust way to make this a reality for our customers, leveraging our native decryption and protocol fluency to fully capture malicious PowerShell commands that other tools miss. With this level of visibility, enterprises can expose lateral movement and stop an attack before threats turn into impactful breaches.”