Limitations

As of right now the PowerShell script only monitors .exe files; in the next version of PowerAV we would like to expand this to .dll, .doc, .ps1 and other file formats. We would also like to forward the information captured by the PowerAV script to a remote web application, so that a SOC analyst can log in and see a graphical view of the historical data PowerAV has collected. The last feature we plan to add is a "file quarantine" option that isolates a file when the script detects it as malicious. Note that you cannot use this PowerShell script in a corporate environment, or as a replacement for (or to compete with) a commercial anti-virus product: the VirusTotal API Terms of Use do not permit that for the public API. This PowerShell script is strictly for educational purposes, and we cannot tell you how to use it 😜
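As an added example of the two features named above (not PowerAV's own code), the script below watches several extensions instead of only .exe and quarantines a flagged file. The watched directory, quarantine directory, extension list and the denylist are all assumptions made for the example: the denylist holds only the SHA-256 of the EICAR test string and stands in for the VirusTotal verdict that PowerAV would normally obtain, so the example runs without network access.

```powershell
# Added example, not PowerAV's own code. All paths and the denylist below are assumptions.
$WatchPath     = 'C:\Users'                               # assumption: directory to monitor
$QuarantineDir = 'C:\Quarantine'                          # assumption: writable by the script account
$Extensions    = @('.exe', '.dll', '.doc', '.ps1')        # the formats the post says it plans to cover

# Constructed denylist standing in for a VirusTotal verdict: SHA-256 of the EICAR test file.
$KnownBad = @{
    '275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F' = 'EICAR-Test-File'
}

function Test-MonitoredExtension {
    param([Parameter(Mandatory)][string]$Path)
    # FileSystemWatcher only takes one wildcard filter, so the extension check lives here.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    return $Extensions -contains $ext
}

function Get-FileHashWithRetry {
    param([Parameter(Mandatory)][string]$Path)
    # A file may still be open for writing when the Created event fires; retry briefly.
    for ($i = 0; $i -lt 5; $i++) {
        try { return (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { Start-Sleep -Milliseconds 500 }
    }
    return $null
}

function Invoke-Quarantine {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Hash,
        [string]$Reason = 'unspecified'
    )
    if (-not (Test-Path -LiteralPath $QuarantineDir)) {
        New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
    }
    # Store the file under its hash with a neutral extension so nothing launches it by association.
    $dest = Join-Path $QuarantineDir "$Hash.quarantined"
    Move-Item -LiteralPath $Path -Destination $dest -Force

    # An explicit Deny ACE for Everyone overrides inherited Allow ACEs; an administrator
    # restores the file by removing that ACE. The owner keeps the right to edit the DACL.
    $acl  = Get-Acl -LiteralPath $dest
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $dest -AclObject $acl

    # Record original path, hash and reason so the SOC can trace and, if needed, restore it.
    $line = "$(Get-Date -Format o)`t$Path`t$Hash`t$Reason"
    Add-Content -LiteralPath (Join-Path $QuarantineDir 'quarantine.log') -Value $line
    return $dest
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $WatchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter          = [System.IO.NotifyFilters]::FileName

# Queue events and consume them in the script's own scope (Wait-Event), which avoids the
# scoping surprises of Register-ObjectEvent -Action when this runs as a .ps1 file.
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'PowerAV.Created' | Out-Null
$watcher.EnableRaisingEvents = $true

try {
    while ($true) {
        $ev = Wait-Event -SourceIdentifier 'PowerAV.Created'
        Remove-Event -EventIdentifier $ev.EventIdentifier
        $path = $ev.SourceEventArgs.FullPath
        if (-not (Test-MonitoredExtension -Path $path)) { continue }

        $hash = Get-FileHashWithRetry -Path $path
        if ($null -eq $hash) { Write-Warning "Could not hash $path"; continue }

        if ($KnownBad.ContainsKey($hash)) {
            $dest = Invoke-Quarantine -Path $path -Hash $hash -Reason $KnownBad[$hash]
            Write-Host "Quarantined $path -> $dest"
        } else {
            Write-Host "Clean: $path ($hash)"
        }
    }
}
finally {
    Unregister-Event -SourceIdentifier 'PowerAV.Created'
    $watcher.Dispose()
}
```

To try it, run the script in an elevated session and drop an EICAR test file (the standard test string) into the watched directory; the file is moved into the quarantine directory, renamed to its hash, and denied to Everyone. Swapping the `$KnownBad` lookup for PowerAV's VirusTotal hash query turns the denylist check into the real verdict.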

Conclusion

PowerAV is a useful starting point for detecting malicious files on Windows hosts, and it only scratches the surface of what PowerShell can do as a Blue Team tool for monitoring users and system processes. Its most notable feature is how little it needs to send to VirusTotal: a file hash rather than the file itself. We would like to see more PowerShell scripts that integrate with threat research teams and services such as Talos, VirusTotal, FireEye and Unit 42. Let me know your thoughts in the comments below.