PowerShell Anti-Virus with VirusTotal API

tl;dr We use PowerShell to continuously monitor any executed .exe file, get the file's location, and pass it to the VirusTotal API to get a virus report. We use an "if else" statement to decide whether to alert our "Security Team" and to remove that file from Windows. The advantage of this script is that it lets the user check against the vast amount of data in the VirusTotal database in an automated fashion. Make sure you change the variables listed in the Readme for PowerAV.ps1.

PowerAV is a PowerShell script designed to monitor your system processes and send hash data to the VirusTotal cloud for analysis. This information can be very valuable for your SOC (Security Operations Center); the idea would be to convert this PowerShell script into a thin client that runs as a background process and inspects processes as they are started. The script trips an email alert once malware is executed; see below for a screenshot of what a typical alert looks like.

[Screenshot: Email sent from PowerAV]

PowerShell — PowerAV.ps1

The PowerShell script is made of three major sections.

  1. Get-VirusTotalReport: querying the VirusTotal service from PowerShell
     [Screenshot: Get-VirusTotalReport from Microsoft]

  2. Setting PowerShell variables
     [Screenshot: Setting PowerShell Variables]

  3. Execute the alert
     [Screenshot: Execute the Alert]
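The three sections above, written out as one runnable script. This is an added example, not the original PowerAV.ps1 or the Microsoft Get-VirusTotalReport script shown in the screenshots: the function names, variable names and thresholds are this example's own choices. It assumes Windows PowerShell 5.1 or later running elevated (so WMI process-creation events are delivered), a VirusTotal API key used against the v3 `files/{hash}` endpoint, and an SMTP relay the host can reach.

```powershell
# Added example (not the original PowerAV.ps1): a minimal PowerAV-style monitor.
# Assumptions: Windows PowerShell 5.1+, run elevated, a VirusTotal API key, an SMTP relay.
# Every function and variable name below is this example's own, not PowerAV's.

# ---- 1. Get-VirusTotalReport: look up an existing report by file hash ----
function Get-VirusTotalReport {
    param(
        [Parameter(Mandatory)] [string] $Hash,
        [Parameter(Mandatory)] [string] $ApiKey
    )
    # VirusTotal API v3: GET /api/v3/files/{hash}; the key travels in the x-apikey header.
    # Only the hash leaves the host, so no file content is uploaded.
    $uri = "https://www.virustotal.com/api/v3/files/$Hash"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404 means VirusTotal has never seen this hash. Anything else (401 bad key,
        # 429 rate limit) is surfaced to the operator rather than treated as "clean".
        $status = $_.Exception.Response.StatusCode
        if ($status -and [int]$status -eq 404) { return $null }
        throw
    }
    $stats = $resp.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Hash      = $Hash
        Malicious = [int]$stats.malicious
        Engines   = [int]($stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless)
        Permalink = "https://www.virustotal.com/gui/file/$Hash"
    }
}

# ---- 2. Variables to set before running (the Readme step the tl;dr refers to) ----
$VtApiKey       = '<YOUR-VIRUSTOTAL-API-KEY>'   # placeholder; never commit a real key
$AlertTo        = 'soc@example.com'
$AlertFrom      = 'powerav@example.com'
$SmtpServer     = 'smtp.example.com'
$DetectionFloor = 5        # engines reporting "malicious" before we alert
$RemoveOnDetect = $false   # $true reproduces PowerAV's delete step; keep off until tuned
$Seen           = @{}      # hash -> report cache; avoids repeat lookups and rate-limit hits

# ---- 3. Execute the alert ----
function Send-PowerAVAlert {
    param($Report, [string] $Path, [int] $ProcessId)
    $body = @"
Host:      $env:COMPUTERNAME
File:      $Path
PID:       $ProcessId
SHA256:    $($Report.Hash)
Detected:  $($Report.Malicious) of $($Report.Engines) engines
Report:    $($Report.Permalink)
"@
    Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpServer `
        -Subject "PowerAV: malicious file executed on $env:COMPUTERNAME" -Body $body
}

function Test-ProcessStart {
    param([string] $Path, [int] $ProcessId)
    # Same scope as PowerAV today: .exe only (see Limitations).
    if (-not $Path -or [IO.Path]::GetExtension($Path) -ne '.exe') { return }
    try {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch { return }   # short-lived process whose file is already gone
    if (-not $Seen.ContainsKey($hash)) {
        $Seen[$hash] = Get-VirusTotalReport -Hash $hash -ApiKey $VtApiKey
    }
    $report = $Seen[$hash]
    if ($null -eq $report) { Write-Host "[unknown] $Path ($hash)"; return }
    if ($report.Malicious -ge $DetectionFloor) {
        Write-Warning "[DETECTED] $Path flagged by $($report.Malicious) engines"
        Send-PowerAVAlert -Report $report -Path $Path -ProcessId $ProcessId
        if ($RemoveOnDetect) {
            Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $Path -Force
        }
    } else {
        Write-Host "[clean] $Path ($($report.Malicious)/$($report.Engines))"
    }
}

# Subscribe to process-creation events and handle them in this script's own scope.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $query -SourceIdentifier 'PowerAV.ProcessStart'
try {
    while ($true) {
        $e = Wait-Event -SourceIdentifier 'PowerAV.ProcessStart'
        $p = $e.SourceEventArgs.NewEvent.TargetInstance
        Remove-Event -EventIdentifier $e.EventIdentifier
        Test-ProcessStart -Path $p.ExecutablePath -ProcessId $p.ProcessId
    }
} finally {
    Unregister-Event -SourceIdentifier 'PowerAV.ProcessStart'
}
```

Two design choices worth noting. Looking up by hash rather than uploading the file means nothing proprietary leaves the host, and the `$Seen` cache keeps a busy workstation under the public API's quota (4 lookups per minute, 500 per day on a free key) while also stopping the same binary from being reported on every launch. The removal step is off by default because a single engine's false positive on a signed system binary would otherwise delete it; `$DetectionFloor` is the knob that trades missed detections for that risk, and the email alert fires either way so the SOC still sees the event.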

Limitations

As of right now the PowerShell script only monitors .exe files; in the next version of PowerAV we would like to expand this to .dll, .doc, .ps1 and other file formats. We would also like to add the capability to take the information captured by the PowerAV script and send it to a remote web application, so that a SOC analyst can log in and see a graphical representation of the historical data PowerAV has captured. The last feature we will add to PowerAV is a "file quarantine" option for when the script detects a malicious file. Unfortunately, you cannot use this PowerShell script in a corporate environment or to replace/harm the anti-virus industry; this is due to the Terms of Use of the VirusTotal API. This PowerShell script is strictly for educational purposes, and we cannot tell you how to use it.

Conclusion

Using PowerAV is huge when it comes to detecting malicious files on Windows hosts. This just scratches the surface of using PowerShell as a Blue Team tactic for monitoring users and system processes. More prominent is the ability to send information in a lightweight format to the VirusTotal cloud. We would like to see more PowerShell scripts that integrate with vulnerability research teams such as Talos, VirusTotal, FireEye, Unit 42, etc. Let me know your thoughts in the comments below.

Five Things to Know about Cryptomining

Does it feel like your computer is running (or rather, crawling) slowly? You may be a victim of cryptomining—cyber criminals’ latest tool du jour. A couple of weeks ago, Reuters reported that thousands of websites, including ones run by U.S. and UK government agencies, were infected with cryptomining code. As we covered recently, many enterprising hackers also use this attack method to take advantage of the surge in online viewing activity around high-profile events such as the 2018 Winter Olympics.

Cryptomining may be the latest cyber attack on the rise, but what is it, exactly? According to MIT Technology Review, "Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return." In other words, "miners" work to solve complex mathematical problems in order to generate income in the form of digital currency, such as Bitcoin, Ethereum, Monero and others. This mining process requires serious hardware and significant CPU resources to "create" cryptocurrency.

To put this in perspective, a representative from Hitaveita Sudurnesja, an energy company in Iceland, said he expected “Iceland’s virtual currency mining to double its energy consumption to about 100 megawatts this year.” This is significantly more than what is used by the country’s entire population of 340,000.

Five Things to Know about Cryptomining:

  1. How Cryptomining Malware is Executed: Malicious cryptomining typically spreads in one of two ways. The first approach is by malware, delivered via a malicious email attachment or link. Researchers found that 23% of organizations globally were affected by cryptomining malware, specifically the Coinhive variant, during January 2018. The second approach is to infect third-party content providers used by highly trafficked sites. For example, an advertising provider might be targeted because of its access to thousands of websites reaching millions of people. This method can deliver a more substantial return for the attacker. When users visit the site, they unknowingly "donate" their computing power to the attacker for as long as they remain on the page. These attacks don't require, or spread, malware on the user's endpoint, so while users are impacted, they are not infected.
  2. How the Attacker Uses Power from Your Device: By using crowd-sourced computing power, the attacker can scale up his/her mining efforts while eliminating the need to purchase expensive equipment as they "pan for digital gold." The more collective power and speed the attacker can amass, the bigger the cryptocurrency payout.
  3. How to Tell If You've Been Hit: In most cases, you won't find malware on your device, since this type of attack can run without it, so the only indication may be a visible slowdown in performance.
  4. Why It's a Big Deal: What's so concerning about this type of attack is that user computing power can now be hijacked by attackers just by visiting an infected site or a site that uses an infected third party.
  5. How to Protect Your Devices: Unfortunately, there is little you and other end users can do other than monitor for abnormal utilization by browser processes (not trivial for non-tech-savvy users) and higher than normal CPU usage. Instead, the responsibility should rest with those who own and maintain the website to routinely inspect all of their third-party providers.
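Points 3 and 5 say the only endpoint-side signal is a browser process consuming more CPU than usual. The function below makes that check concrete by sampling the CPU time of the named browser processes over a short window and reporting any that exceed a threshold. It is an added example, not code from the CyberArk post; the process names, window length and threshold are this example's own choices and should be tuned to the baseline of the machines you run it on.

```powershell
# Added example: flag browser processes whose CPU share over a short window is abnormal.
# Not from the CyberArk post. Process names, window and threshold are this example's own.
function Get-BrowserCpuHogs {
    param(
        [string[]] $Names = @('chrome', 'msedge', 'firefox'),
        [int]      $SampleSeconds = 5,
        [double]   $ThresholdPercent = 25   # percent of total machine CPU capacity; tune per fleet
    )
    $cores = [Environment]::ProcessorCount

    # First snapshot: cumulative CPU time per process id.
    $before = @{}
    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # process exited mid-read
    }
    Start-Sleep -Seconds $SampleSeconds

    # Second snapshot: the delta over the window, normalised to the machine's core count.
    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        if (-not $before.ContainsKey($p.Id)) { continue }          # started during the window
        try { $cpuSeconds = ($p.TotalProcessorTime - $before[$p.Id]).TotalSeconds } catch { continue }
        $pct = [math]::Round(100 * $cpuSeconds / ($SampleSeconds * $cores), 1)
        if ($pct -ge $ThresholdPercent) {
            [pscustomobject]@{
                Process    = $p.ProcessName
                Id         = $p.Id
                CpuPercent = $pct
                Title      = $p.MainWindowTitle   # usually the tab or page that is busy
            }
        }
    }
}

# Usage: one sample, printed as a table. Schedule it or loop it for continuous checking.
Get-BrowserCpuHogs | Format-Table -AutoSize
```

A single sample will also catch legitimate heavy pages (video, WebGL), so in practice this is a triage hint rather than a verdict: a browser process that stays above the threshold for several consecutive samples while the user reports nothing demanding open is the pattern the post describes, and the `Title` column points at which page to close or report.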

Cryptomining operations will continue and likely expand. We already see reports of Monero being mined using malware installed on internet-connected servers. Another reason to stay on top of vulnerabilities and the performance of your systems.


Source: https://www.cyberark.com/blog/five-things-know-cryptomining/