POWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE
7/24/2018
POWERSHELL: FROM ATTACKERS'
TO DEFENDERS' PERSPECTIVE
Elliott Neo and Crystal Tan
AGENDA
Trends and Attacks
Logs
PowerShell Logs
PowerShell Versions
Sysmon Logs
Mitigations
Restricted RunSpace
Constrained Language Mode
AppLocker (Application Whitelisting)
Detection - Tools and Techniques
SIEM
Machine Learning
Revoke-Obfuscation
AMSI (Anti-Malware Scan Interface)
Conclusion
RECENT TRENDS
Rise in fileless malware leveraging PowerShell
Ransomware using PowerShell such as PowerWare
Malware and Cryptocurrency mining
Phishing campaigns using DDE/Macros to execute malicious PowerShell invocations
Malvertising that uses PowerShell attacks
Attempts to evade antivirus detection
RECENT TRENDS
Source: http://blog.morphisec.com/fileless-malware-attack-trend-exposed
RECENT TRENDS
Source: https://www.zdnet.com/article/fileless-attacks-surge-in-2017-and-security-solutions-are-not-stopping-them/
RECENT TRENDS
Source: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-mar-2018.pdf
RECENT TRENDS
Source: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-mar-2018.pdf
ATTACKER’S PERSPECTIVE
Reasons for using PowerShell:
Stealthy – harder for forensic analysis
Remote Access Capabilities
Readily available scripts contributed by community
Able to bypass application-whitelisting tools, depending on their configuration
Source: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
ATTACKER’S PERSPECTIVE
Reasons for using PowerShell:
Versatile – Myriad uses in system administration
Evades traditional security tools
Defenders often overlook it when hardening their systems
Installed by default on all recent Windows operating systems
Source: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
COMMON USE CASES
Incursion
Attacker uses an exploit to run shells directly in memory
Downloader
Ensure Persistency
Often stored in registry for fileless attacks
Lateral Movement
Remote access to other computers
E.g. Enter-PSSession, Invoke-Command and more
Source: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
COMMON USE CASES - INCURSION
DDE Protocol
Used by Microsoft to share information between applications
Eliminates the need of enabling macros
Superseded but still supported by all Office programs
Legitimate feature that can go undetected by AV solutions
COMMON USE CASES - INCURSION
DDE Protocol
Requires user interaction
COMMON USE CASES - INCURSION
Exploit DDE Protocol
November 2017 – Phishing Email Campaign by APT28 (Fancy Bear)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
COMMON USE CASES - DOWNLOADER
Flow (diagram): Phishing email with malicious attachment -> macros within the Word document execute PowerShell commands -> one of two outcomes:
File-Based: communicates with the C2 server to obtain a malicious executable; the executable is downloaded onto the disk and executed
Fileless: malicious code is executed directly in memory
COMMON USE CASES - DOWNLOADER
Kovter flow (diagram): Initial Infection -> Is PowerShell installed? -> Yes: Fileless Attack; No: Is there a network connection? -> Yes: downloads PowerShell, then Fileless Attack; No: Traditional File-Based Attack
COMMON USE CASES - PERSISTENCY
Kovter flow (diagram): the same decision tree as above, with the fileless payload stored in the registry under \Software\Class\
Source: https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
RECENT ATTACKS – OPERATION GOLD DRAGON
December 2017 – Operation Gold Dragon
Targeted organizations involved Winter Olympic Games
Leveraged steganography and Invoke-PSImage (PowerShell pen-testing tool)
Source: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
RECENT ATTACKS - APT-C-12
APT-C-12 (Sapphire Mushroom)
Targets the Chinese government, military, research and finance sector since 2011
Sends a RAR attachment that contains a LNK file
LNK file contains a base64 encoded PowerShell script (#1)
PowerShell Script #1 downloads the malicious payload, an archive containing:
    Legitimate RAR executable file
    DLL backdoor file (named beoql.g), which contains PowerShell Script #3
    PowerShell Script #2
Source: https://mp.weixin.qq.com/s/S-hiGFNC6WXGrkjytAVbpA
RECENT ATTACKS - APT-C-12
Attack chain (diagram): Phishing Email -> Malicious Attachment (RAR File) -> Extracts LNK File -> PS #1 (found within LNK file) -> Downloads 2 documents -> Archive (within archive: Rar.exe, beoql.g (DLL File), PS #2)
Remaining diagram labels: Decompress; Compress collected information; AWS; PS #3; Obtain Persistency
POWERSHELL LOGS
Log Type | Log Name | Event ID
PowerShell Logs | Pipeline Execution Logs | 800
PowerShell Operational Logs | Module Logs | 4103
PowerShell Operational Logs | Script Block Logs | 4104
- | Transcription Logs | -
POWERSHELL LOGS
Similarities between Pipeline Execution Details and Module Logs
Command Executed
Context Information such as, but not limited to:
PowerShell Version
Application Path
User that executed the command
Parameter Binding Details
POWERSHELL LOGS
Key Difference:
Pipeline Execution Details logs all modules
Module Logs allow administrators to specify which PowerShell modules they wish to log
POWERSHELL LOGS
Log Details | Module Logs | Script Block Logs
Command Executed | Yes | Yes (including script content)
Context Information | Yes | No
Parameter Binding Details | Yes | No
Decoded / Deobfuscated Code | No | Yes
POWERSHELL LOGS
Script Block Logs vs Transcription Logs
Both have the ability to log decoded or deobfuscated code
Key Differences:
Script Block: ability to log the content of the actual script that was executed
Transcription:
Ability to log all activities on the PowerShell console, including the script that was executed and the output of the script
Includes the context information found in Pipeline Execution and Module Logs
PIPELINE EXECUTION DETAILS
Located at: Application and Services Logs > Microsoft > Windows > PowerShell
POWERSHELL OPERATIONAL LOGS
Group Policy Editor > Administrative Templates > Windows Components > Windows PowerShell
MODULE LOGS
Available Module Names in PowerShell: Get-Module -ListAvailable
MODULE LOGS
Located at: Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log
SCRIPT BLOCK LOGS
SCRIPT BLOCK LOGS
Stores all PowerShell script input as it is executed by the PowerShell engine
Located at: Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log
SCRIPT BLOCK LOGS
Ability to log decoded or deobfuscated code
TRANSCRIPTION LOGS
TRANSCRIPTION LOGS
Stores all PowerShell script input and output
The location where the logs are stored is determined by administrators / users
TRANSCRIPTION LOGS
Ability to log decoded or deobfuscated commands
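The three log types above are switched on by the Group Policy settings under Windows Components > Windows PowerShell, which write the policy registry keys below. This is an added example, not code from the slides; the transcript directory is an assumption.

```powershell
# Added example: enable Module, Script Block and Transcription logging via the
# same policy keys that the Group Policy settings write. Run elevated on PowerShell 5.x.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed location; use a write-only share in production

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging (Event ID 4103): '*' logs every module; list module names instead to narrow it
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Script block logging (Event ID 4104): records script blocks as the engine runs them,
# so decoded / deobfuscated code is captured
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Transcription: input and output of every session, written to the chosen directory
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# Verify: a fresh session should now produce 4103/4104 events and a transcript file
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" |
    Format-List Enable*, OutputDirectory
```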
POWERSHELL LOGS
Log Details | Pipeline Execution | Module | Script Block | Transcription
Command Executed | Yes | Yes | Yes (including script content) | Yes
Context Information | Yes | Yes | No | Yes
Parameter Binding Details | Yes | Yes | No | No
Decoded / Deobfuscated Code | No | No | Yes | Yes
Output of Command | No | No | No | Yes
POWERSHELL VERSIONS
Type of Logs | Version 2 | Version 3 | Version 4 | Version 5
Pipeline Execution Details | Yes | Yes | Yes | Yes
Script Block Logging | NIL | NIL | Yes | Yes (has auto logging if cmd used is potentially malicious)
Module Logging | NIL | Yes | Yes | Yes (more detailed compared to v3)
Transcription Logging | NIL | NIL | Yes | Yes (more detailed compared to v4)
POWERSHELL VERSIONS
OS | Default PowerShell Version | Supported PowerShell Versions
Windows Server 2008 (SP2) | 2.0 | 3.0
Windows Server 2008 R2 (SP1) | 5.1 | 5.1
Windows Server 2012 | 3.0 | 5.1
Windows Server 2012 R2 | 4.0 | 5.1
Windows Server 2016 | 5.1 | 5.1
Windows 7 (SP1) | 2.0 | 5.1
Windows 8 | 3.0 | 5.1
Windows 8.1 | 4.0 | 5.1
Windows 10 | 5.0 | 5.1
Source: https://www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html
SYSMON LOGS
Monitors and logs system activities
Examples of Sysmon logs that may be useful in detecting malicious PowerShell usage:
Event ID | Description | Explanation
1 | Process Creation | Logs with full command line for both current and parent processes. Alternative to Event ID 4688.
3 | Network Connection | Logs TCP/UDP connections.
8 | CreateRemoteThread | Logs when a process creates a thread in another process.
10 | ProcessAccess | Logs when a process opens another process.
12, 13 | Registry Events | Logs creation and deletion of registry keys and values, and modification of registry values.
17, 18 | PipeEvents | Logs when a named pipe is created and when a connection is made between a client and server.
19, 20 | WmiEvents | Logs when a WMI event filter is registered and the registration of WMI consumers.
RESTRICTED RUNSPACE
Restricted Runspace
Create a customized runspace following the principle of least privilege
A RunspacePool can be used for a large number of runspaces with the same characteristics
Benefits:
Restricts the environment
Commands available
Data accessible
Language restrictions
User’s permissions
RESTRICTED RUNSPACE
New-PSSessionConfigurationFile to create the configuration
Register-PSSessionConfiguration to register the configuration for remote users
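A least-privilege session configuration built with the two cmdlets above, as an added example (not the blog post's code). The file name, endpoint name and the visible cmdlet list are assumptions; run elevated on PowerShell 5.x.

```powershell
# Added example: register an endpoint that exposes only read-only cmdlets.
$pssc = Join-Path $PWD 'Restricted.pssc'   # assumed file name

# RestrictedRemoteServer yields a NoLanguage session with only the minimal proxy
# commands (Get-Command, Get-Help, Exit-PSSession, ...); add only what the role needs.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -VisibleCmdlets 'Get-Process', 'Get-Service', 'Get-EventLog' `
    -ExecutionPolicy Restricted `
    -Description 'Read-only helpdesk endpoint'

# Register the endpoint (elevated session; WinRM is restarted)
Register-PSSessionConfiguration -Name 'HelpdeskReadOnly' -Path $pssc -Force | Out-Null

# Verify from a client: only the visible cmdlets are listed, and anything else is
# rejected by the runspace itself rather than by trusting the operator.
$s = New-PSSession -ComputerName localhost -ConfigurationName 'HelpdeskReadOnly'
Invoke-Command -Session $s { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $s { Get-ChildItem C:\ }   # expected: CommandNotFoundException
Remove-PSSession $s
```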
RESTRICTED RUNSPACE
Attempt to execute Enter-PSSession using the Configuration
Source:
http://www.ravichaganti.com/blog/powershell-2-0-remoting-guide-part-10-%E2%80%93-restricting-available-commands-using-custom-session-configuration/
CONSTRAINED LANGUAGE
Introduced in PowerShell version 3.0
Language mode designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs
Contains a number of restrictions that prevent malicious activities, such as:
Only approved .NET types are allowed
Only allowed types can be used
CONSTRAINED LANGUAGE
Set __PSLockdownPolicy in the registry with a value of 4
CONSTRAINED LANGUAGE
APPLOCKER
Restrict which programs/scripts users can execute based on
File/Folder Path
Software Publisher
File Hash
Action
Allow Mode
Deny Mode
Exceptions
File/Folder Path
Software Publisher
File Hash
APPLOCKER
Source: https://www.petri.com/protect-malware-enforcing-powershell-constrained-language-mode
APPLOCKER
Applocker in Allow Mode (Recommended)
Whitelist Mode
Prevent the execution of unknown / unapproved applications/script.
Applocker in Deny Mode
Blacklist Mode
Limit the execution of malware known to your organization.
Source: https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
ALL SOUNDS SO GOOD...
But what can an attacker do?
How about a bypass?
Restricted Runspace
Constrained Language
Applocker
RESTRICTED RUNSPACE
Vulnerabilities:
Command Injection – Escaping the commands
Source: https://clymb3r.wordpress.com/2014/06/25/cracking-open-powershells-constrained-runspace/
RESTRICTED RUNSPACE
Command Injection - Visibility
Source: https://clymb3r.wordpress.com/2014/06/25/cracking-open-powershells-constrained-runspace/
CONSTRAINED LANGUAGE
Downgrade attack
Constrained language is available in PowerShell 3.0 onwards
Therefore, PowerShell version 2.0 can be used to bypass constrained language mode
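Because the 2.0 engine sidesteps constrained language, a defender wants to see when it starts and to remove it. This added example (not from the slides) reads engine-start events and then uninstalls the optional v2 feature; the time window is an assumption.

```powershell
# Added example: find PowerShell 2.0 engine starts and remove the v2 engine.
# Event ID 400 in the "Windows PowerShell" log carries EngineVersion and HostApplication
# in its message, so a 2.0 engine on a host that defaults to 5.x is a downgrade signal.
function Find-PowerShellV2Starts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $host_ = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $host_ }
        }
}

Find-PowerShellV2Starts -Hours 72 | Format-Table -AutoSize

# Mitigation: uninstall the optional v2 engine so "-Version 2" has nothing to start
# (Windows 8 / Server 2012 and later; elevated session required)
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

# Check: with the engine removed, a downgrade request errors out instead of succeeding
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major'
```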
APPLOCKER
Disable AppLocker using privileged account.
Make use of interactive PowerShell input instead of using scripts
SIEM
Centralize all logs into a SIEM for investigation and to write simple detections
Diagram: Script Block Logs, Transcription Logs, Sysmon Logs and Module Logs feed into the SIEM
SIEM
Source: http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell
SIEM - WRITING DETECTIONS
Detection Considerations
Know your environment
Check for long command line length in process creation/Sysmon logs
Look out for encoded commands, which are base64
Look out for indicators of obfuscation
Check cmdlet execution against a whitelist of commands/scripts
SIEM - WRITING DETECTIONS
Look out for the parent process that triggers PowerShell, such as (but not limited to):
CMD
CScript/WScript
BAT
MSHTA
WMI
Registry
Scheduled Tasks
VBA
VBS
LNK
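The considerations above turned into a hunt over Sysmon Event ID 1, as an added example (not the slides' code): it flags PowerShell started by the listed parents, long command lines, base64-encoded commands and common obfuscation tokens. The parent list, length threshold and patterns are assumptions to tune per environment.

```powershell
# Added example: score Sysmon process-creation events for suspicious PowerShell starts.
$suspiciousParents = 'cmd.exe','cscript.exe','wscript.exe','mshta.exe','WmiPrvSE.exe',
                     'winword.exe','excel.exe','outlook.exe','svchost.exe'   # svchost: scheduled tasks
$maxCmdLength = 500   # assumed threshold

function Get-SuspiciousPowerShellStarts {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        if ($f.Image -notmatch 'powershell(_ise)?\.exe$') { return }

        $reasons = @()
        $parent  = Split-Path $f.ParentImage -Leaf
        $cmd     = [string]$f.CommandLine
        if ($suspiciousParents -contains $parent) { $reasons += "parent=$parent" }
        if ($cmd.Length -gt $maxCmdLength)        { $reasons += "cmdlen=$($cmd.Length)" }
        # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
        if ($cmd -match '\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded' }
        if ($cmd -match '-(w|win|windowstyle)\s+hidden|-nop|-noni|bypass')   { $reasons += 'evasion-flags' }
        # backticks, [char] casts, -f / + string building, IEX and download cradles
        if ($cmd -match '`|\[char\]|-f\s*''|\+\s*''|iex|invoke-expression|downloadstring') { $reasons += 'obfuscation' }

        if ($reasons) {
            [pscustomobject]@{
                Time = $_.TimeCreated; User = $f.User; Parent = $parent
                Reasons = ($reasons -join ','); CommandLine = $cmd
            }
        }
    }
}

Get-SuspiciousPowerShellStarts -Hours 24 | Sort-Object Time | Format-List
```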
MACHINE LEARNING
Leveraging machine learning to detect malicious PowerShell commands
Requires a large training set!
Recent research articles include:
Malicious PowerShell Detection via Machine Learning
https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html
Detecting Malicious PowerShell Commands using Deep Neural Networks
https://arxiv.org/pdf/1804.04177.pdf
REVOKE-OBFUSCATION SCRIPT
Developed by Daniel Bohannon and Lee Holmes
Source: https://github.com/danielbohannon/Revoke-Obfuscation
ANTI-MALWARE SCAN INTERFACE (AMSI)
Provides insight into script behaviour: AMSI sees the script content in unencrypted form and passes it on to the AMSI provider for inspection.
Source: http://standa-note.blogspot.com/2018/02/amsi-bypass-with-null-character.html
AMSI
Source: https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
AMSI
CAN WE BYPASS AMSI?
Downgrade attacks
Obfuscation
Disabling AMSI
Other Techniques
Is there a script?
BYPASS AMSI
Downgrade
Downgrade to PowerShell v2.0, which doesn't support AMSI
Obfuscation
Evade AV signature detection through:
Mixed Characters
Randomized Variable/Function Names
Invoke-Obfuscation Script
Source: https://github.com/danielbohannon/Invoke-Obfuscation
BYPASS AMSI
Disable AMSI
Registry Edits
Set value in "HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable" to 0
PowerShell Command
Set-MpPreference -DisableRealtimeMonitoring $True
Source: https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf
BYPASS AMSI
Other techniques
Placing a rogue AMSI.dll in C:\Windows\System32\WindowsPowerShell\v1.0
CyberArk Research
Patching Technique: https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/
Redux Technique: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
BYPASS AMSI
Is there a simpler way? YES!
Nishang script which uses publicly known methods to bypass/avoid AMSI.
https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1
Source: https://twitter.com/nikhil_mitt/status/812287519316246528
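Each of the bypasses listed above leaves a host-side trace a defender can audit: the WSH AmsiEnable value, Defender real-time protection state, and an amsi.dll sitting next to powershell.exe or loaded from the wrong path. This added example (not from the slides) checks those traces and emits a record suitable for forwarding to the SIEM.

```powershell
# Added example: audit a host for the AMSI tampering techniques listed above.
function Test-AmsiIntegrity {
    $findings = @()

    # 1. Windows Script Host AMSI switch (HKCU, so audit every loaded user hive in production)
    $wsh = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows Script\Settings' -Name AmsiEnable -ErrorAction SilentlyContinue
    if ($wsh -and $wsh.AmsiEnable -eq 0) { $findings += 'AmsiEnable=0 under HKCU Windows Script settings' }

    # 2. Defender real-time monitoring switched off (what Set-MpPreference -DisableRealtimeMonitoring does)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection disabled' }
    if ($mp -and -not $mp.AMServiceEnabled)          { $findings += 'Defender antimalware service disabled' }

    # 3. Search-order hijack: amsi.dll belongs in System32, never in the PowerShell directory
    $psDir = "$env:SystemRoot\System32\WindowsPowerShell\v1.0"
    $rogue = Join-Path $psDir 'amsi.dll'
    if (Test-Path $rogue) {
        $sig = Get-AuthenticodeSignature $rogue
        $findings += "amsi.dll present in $psDir (signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
    }

    # 4. Which amsi.dll did this very process load? (SysWOW64 is legitimate for 32-bit hosts)
    $loaded = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
              Where-Object { $_.ModuleName -ieq 'amsi.dll' } | Select-Object -First 1
    if ($loaded -and $loaded.FileName -notmatch '\\(System32|SysWOW64)\\amsi\.dll$') {
        $findings += "amsi.dll loaded from unexpected path: $($loaded.FileName)"
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Time     = Get-Date
        Tampered = [bool]$findings
        Findings = $findings
    }
}

Test-AmsiIntegrity | Format-List
```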
CONCLUSION
Centralize all the logs and understand your environment well.
Try to at least enable script block and Sysmon/process creation logging.
Install PowerShell v4.0 or above at minimum
Uninstall/disable PowerShell v2.0 if possible
Enable AppLocker and constrained language mode, as they complement each other.
Make use of AMSI and be aware of all bypass techniques
Look out for indicators of obfuscation, which can bypass signature-based detection
Take note of the possible ways that powershell.exe can be invoked and of suspicious command invocations.
We can never protect everything, but we can make it harder for attackers to infiltrate!