SOAR Use Case: Threat Hunting – Malicious PowerShell Commands

PowerShell is a common utility, used to perform critical actions throughout an IT environment on a regular basis. It’s also frequently used by malware to execute automated attacks, steal credentials, and perform other damaging actions. But because the use of PowerShell is so pervasive, identifying suspicious or malicious PowerShell activity is difficult.

Devo SOAR playbooks automate the analysis and investigation of PowerShell activity, enabling rapid and accurate identification of suspicious activity. Using a combination of machine learning and external integrations, Devo SOAR automatically creates baselines of expected PowerShell behavior and establishes profiles of known malicious PowerShell activity. Any new PowerShell actions are automatically analyzed and assigned an appropriate risk score. When malicious activity is detected, it can be immediately stopped and future PowerShell attacks of the same kind can be automatically prevented.