tl;dr PowerAV uses PowerShell to continuously monitor executed .exe files, takes each file's location, hashes the file and passes the hash to the VirusTotal API to get a report. An if/else on that report decides whether to alert the Security Team and remove the file from Windows. The advantage of the script is that every executed binary is checked against the vast amount of data in the VirusTotal database in an automated fashion. Make sure you change the variables described in the Readme for PowerAV.ps1.
PowerAV is a PowerShell script that monitors your system processes and sends hash data for their executables to the VirusTotal cloud for analysis. This information can be very valuable for your SOC (Security Operations Center); the idea is to convert the script into a thin client that runs as a background process and checks each process as soon as it starts. The script trips an email alert when malware is executed; see below for a screenshot of what a typical alert might look like.
PowerShell — PowerAV.ps1
The PowerShell script is made up of three major sections:
1. Get-VirusTotalReport: querying the VirusTotal service from PowerShell
2. Setting the PowerShell variables
3. Executing the alert
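The three sections, written out as one runnable file. This is an added example, not the PowerAV.ps1 script from the post; it assumes VirusTotal's API v3 file-report endpoint (GET /api/v3/files/<sha256> with an x-apikey header), a WMI process-creation subscription as the monitor, and the hypothetical mail settings in the variables section:

```powershell
# Added example, not the PowerAV.ps1 script from the post. Assumed, not from
# the page: VirusTotal API v3 (GET /api/v3/files/<sha256>, header x-apikey),
# a WMI process-creation subscription for the monitor, and the hypothetical
# mail settings in section 2.

#region 1. Get-VirusTotalReport: look up a file's SHA-256 on VirusTotal
function Get-VirusTotalReport {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ApiKey,
        [hashtable]$Cache = @{}          # sha256 -> report, avoids repeat lookups
    )
    # Only the SHA-256 leaves the host; the file itself is never uploaded.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($Cache.ContainsKey($sha256)) { return $Cache[$sha256] }

    $report = [pscustomobject]@{ Path = $Path; Sha256 = $sha256; Known = $false; Malicious = 0; Total = 0 }
    try {
        $resp  = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                                   -Headers @{ 'x-apikey' = $ApiKey }
        $stats = $resp.data.attributes.last_analysis_stats
        $report.Known     = $true
        $report.Malicious = [int]$stats.malicious
        $report.Total     = [int]($stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless)
    } catch {
        # 404 means VirusTotal has never seen this hash; "unknown" is not "clean".
        if (-not ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404)) { throw }
    }
    $Cache[$sha256] = $report
    return $report
}
#endregion

#region 2. Variables: change these for your environment (values below are hypothetical)
$PowerAVConfig = @{
    ApiKey       = $env:VT_API_KEY          # keep the key out of the script file
    MaliciousMin = 5                        # engines flagging the file before we act
    SecurityTeam = 'secteam@example.com'
    MailFrom     = 'powerav@example.com'
    SmtpServer   = 'smtp.example.com'
    Cache        = @{}                      # shared across events (hashtables pass by reference)
}
#endregion

#region 3. Execute the alert: email the Security Team, stop the process, remove the file
function Invoke-PowerAVAlert {
    param(
        [Parameter(Mandatory)] $Report,
        [Parameter(Mandatory)] [hashtable]$Config,
        [int]$ProcessId = 0
    )
    if (-not $Report.Known) {
        Write-Warning "PowerAV: $($Report.Path) ($($Report.Sha256)) is unknown to VirusTotal"
        return 'unknown'
    }
    if ($Report.Malicious -lt $Config.MaliciousMin) { return 'clean' }

    $body = @(
        "Host:       $env:COMPUTERNAME"
        "File:       $($Report.Path)"
        "SHA256:     $($Report.Sha256)"
        "Detections: $($Report.Malicious)/$($Report.Total)"
    ) -join "`n"
    Send-MailMessage -To $Config.SecurityTeam -From $Config.MailFrom -SmtpServer $Config.SmtpServer `
                     -Subject "PowerAV: malware executed on $env:COMPUTERNAME" -Body $body
    # Windows will not delete the image of a running process, so stop it first.
    if ($ProcessId) { Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue }
    Remove-Item -LiteralPath $Report.Path -Force
    return 'removed'
}
#endregion

#region Monitor: run the check every time a new process appears (polled every 2 s)
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $query -SourceIdentifier PowerAV -MessageData $PowerAVConfig -Action {
    $cfg = $Event.MessageData
    $p   = $Event.SourceEventArgs.NewEvent.TargetInstance
    if ($p.ExecutablePath -and $p.ExecutablePath -like '*.exe') {
        try {
            $report = Get-VirusTotalReport -Path $p.ExecutablePath -ApiKey $cfg.ApiKey -Cache $cfg.Cache
            Invoke-PowerAVAlert -Report $report -Config $cfg -ProcessId $p.ProcessId | Out-Null
        } catch {
            Write-Warning "PowerAV: $($_.Exception.Message)"
        }
    }
}
# Stop monitoring with: Unregister-Event -SourceIdentifier PowerAV
#endregion
```

Dot-source the file (`. .\PowerAV.ps1`) so the two functions live in the session that the event action runs in. Three caveats a practitioner will hit: the free VirusTotal API allows only a handful of lookups per minute, so the hash cache matters on a busy host; a `WITHIN` poll can miss processes that exit within the interval; and deleting the file destroys the evidence your SOC will want, so many teams move it to a quarantine directory instead of calling Remove-Item.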
PowerAV is a useful tool for detecting malicious files on Windows hosts, but it only scratches the surface of using PowerShell as a Blue Team tactic for monitoring users and system processes. More prominent is the ability to send information in a lightweight format, a file hash rather than the file itself, to the VirusTotal cloud. We would like to see more PowerShell scripts that integrate with threat research teams and services such as Talos, VirusTotal, FireEye and Unit 42. Let me know your thoughts in the comments below.