POWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE

Transcription

1 POWERSHELL: FROM ATTACKERS' TO DEFENDERS' PERSPECTIVE Elliott Neo and Crystal Tan AGENDA Trends and Attacks Logs PowerShell Logs PowerShell Versions Sysmon Logs Mitigations Restricted RunSpace Constrained Language Mode AppLocker (Application Whitelisting) Detection - Tools and Techniques SIEM Machine Learning Revoke-Obfuscation AMSI (Anti-Malware Scan Interface) Conclusion 1

2 RECENT TRENDS Rise in fileless malware leveraging PowerShell Ransomware using PowerShell such as PowerWare Malware and Cryptocurrency mining Phishing campaigns using DDE/Macros to execute malicious PowerShell invocations. Malvertising that use PowerShell attacks. Attempts to evade antivirus detection RECENT TRENDS Source: 2

3 RECENT TRENDS Source: RECENT TRENDS Source: 3

4 RECENT TRENDS Source: ATTACKER S PERSPECTIVE Reasons for using PowerShell: Stealthy harder for forensic analysis Remote Access Capabilities Readily available scripts contributed by community Able to bypass application-whitelisting tools based on configuration Source: 4

5 ATTACKER S PERSPECTIVE Reasons for using PowerShell: Versatile Myriad uses in system administration Evades traditional security tools Defenders often overlook it when hardening their systems Installed by default on all latest Windows Operating System Source: COMMON USE CASES Incursion Attacker uses an exploit to run shells directly in the memory Downloader Ensure Persistency Often stored in registry for fileless attacks Lateral Movement Remote access to other computers E.g. Enter-PSSession, Invoke-Command and more Source: 5

6 COMMON USE CASES - INCURSION DDE Protocol Used by Microsoft to share information between applications Eliminates the need of enabling macros Superseded but still supported by all Office programs Legitimate feature that can go undetected by AV solutions COMMON USE CASES - INCURSION DDE Protocol Requires user interaction 6

7 COMMON USE CASES - INCURSION Exploit DDE Protocol November 2017 Phishing Campaign by APT28 (Fancy Bear) Source: COMMON USE CASES - DOWNLOADER Phishing with malicious attachments Macros within word document executes PowerShell commands File-Based Executable was downloaded onto the disk and executed Fileless Malicious code was executed directly in the memory Communicates with C2 server to obtain malicious executable 7

8 COMMON USE CASES - DOWNLOADER Kovter PowerShell Installed? No Network Connection? Initial Infection Yes Yes No Fileless Attack Downloads PowerShell Traditional File- Based Attack COMMON USE CASES - PERSISTENCY Kovter \Software\Class\<file extension> Traditional File- Based Attack Initial Infection PowerShell Installed? Yes No Network Connection? No Yes Fileless Attack Downloads PowerShell 8

9 COMMON USE CASES - PERSISTENCY Source: COMMON USE CASES - PERSISTENCY Source: 9

10 RECENT ATTACKS OPERATION GOLD DRAGON December 2017 Operation Gold Dragon Targeted organizations involved Winter Olympic Games Leveraged steganography and Invoke-PSImage (PowerShell pen-testing tool) Source: RECENT ATTACKS - APT-C-12 APT-C-12 (Sapphire Mushroom) Targets the Chinese government, military, research and finance sector since 2011 Sends a RAR attachment that contains a LNK file LNK file contains a base64 encoded PowerShell script #1 In PowerShell Script #1 Downloads the malicious payload Archive Legitimate RAR executable file DLL backdoor file (named beoql.g) Contains PowerShell Script #3 PowerShell Script #2 Source: 10

11 RECENT ATTACKS - APT-C-12 Found within LNK file LNK File PS #1 Downloads 2 documents Within Archive Archive PS #2 RAR File Malicious Attachment beoql.g (DLL File) Decompress Extracts Rar.exe Compress collected information AWS Phishing PS #3 Obtain Persistency AGENDA Trends and Attacks Logs PowerShell Logs PowerShell Versions Sysmon Logs Mitigations Restricted RunSpace Constrained Language Mode AppLocker (Application Whitelisting) Detection - Tools and Techniques SIEM Machine Learning Revoke-Obfuscation AMSI (Anti-Malware Scan Interface) Conclusion 11

12 POWERSHELL LOGS Log Type Log Name Event ID PowerShell Logs Pipeline Execution Logs 800 PowerShell Operational Logs Module Logs 4103 Script Block Logs 4104 Transcription Logs - POWERSHELL LOGS Similarities between Pipeline Execution Details and Module Logs Command Executed Context Information such as, but not limited to: PowerShell Version Application Path User that executed the command Parameter Binding Details 12

13 POWERSHELL LOGS Key Difference: Pipeline Execution Details logs all modules Module logs allows administrator to specify which PowerShell modules they wished to logged POWERSHELL LOGS Log Details Module Logs Script Block Logs Command Executed Yes Yes (including script content) Context Information Yes No Parameter Binding Details Yes No Decoded / Deobfuscated Code No Yes 13

14 POWERSHELL LOGS Script Block Logs VS Transcription Logs Both has the ability to log decoded or deobfuscated code Key Differences: Script Block: ability to log the content of the actual script that was executed Transcription Ability to log all activities on the PowerShell console, including the script that was executed and the output of the script Includes Context Information that was found in Pipeline Execution and Module Logs PIPELINE EXECUTION DETAILS Located at: Application and Services Logs > Microsoft > Windows > PowerShell 14

15 POWERSHELL OPERATIONAL LOGS Group Policy Editor > Administrative Templates > Windows Components > Windows PowerShell MODULE LOGS Available Module Names in PowerShell: Get-Module -ListAvailable 15

16 MODULE LOGS Located at: Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log SCRIPT BLOCK LOGS 16

17 SCRIPT BLOCK LOGS Store all PowerShell script input as they are executed by PowerShell engine Located at: Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log SCRIPT BLOCK LOGS Ability to log decoded or deobfuscated code 17

18 TRANSCRIPTION LOGS TRANSCRIPTION LOGS Stores all PowerShell script input and output Location where the logs are stored are determined by administrators / users 18

19 TRANSCRIPTION LOGS Ability to log decoded or deobfuscated commands POWERSHELL LOGS Log Details Pipeline Execution Module Script Block Transcription Command Executed Yes Yes Context Information Parameter Binding Details Yes (including script content) Yes Yes No Yes Yes Yes No No Yes Decoded / Deobfuscated Code Output of Command No No Yes Yes No No No Yes 19

20 POWERSHELLVERSIONS Type of Logs Version 2 Version 3 Version 4 Version 5 Pipeline Execution Details Yes Yes Yes Yes Script Block Logging NIL NIL Yes Module Logging NIL Yes Transcription Logging Yes (more detailed compared to v3) NIL NIL Yes Yes (has auto logging if cmd used is potentially malicious) Yes Yes (more detailed compared to v4) POWERSHELLVERSIONS OS Default PowerShell Version Supported PowerShell Versions Windows Server 2008 (SP2) Windows Server 2008 R2 (SP1) Windows Server Windows Server 2012 R Windows Server Windows 7 (SP1) Windows Windows Windows Source: 20

21 SYSMON LOGS Monitors and logs system activities Examples of Sysmon logs that may be useful in detecting malicious PowerShell usage: Event ID Description Explanation 1 Process Creation Logs with full command line for both current and parent processes. Alternative of Event ID Network Connection Logs TCP/UDP connections. 8 CreateRemoteThread Logs when a process creates a thread in another process. 10 ProcessAccess Logs when a process opens another process. 12, 13 Registry Events Logs creation and deletion of registry key and value, modification of registry value. 17, 18 PipeEvents Logs when a named pipe is created and when connection is made between a client and server. 19, 20 WmiEvents Logs when WMI event filter is registered and the registration of WMI consumers AGENDA Trends and Attacks Logs PowerShell Logs PowerShell Versions Sysmon Logs Mitigations Restricted RunSpace Constrained Language Mode AppLocker (Application Whitelisting) Detection - Tools and Techniques SIEM Machine Learning Revoke-Obfuscation AMSI (Anti-Malware Scan Interface) Conclusion 21

22 RESTRICTED RUNSPACE Restricted Runspace Create a customized runspace with reference to the principle of least privilege Runspacepool can be used for large number of runspaces with same characteristics Benefits: Restricts the environment Commands available Data accessible Language restrictions User s permissions RESTRICTED RUNSPACE New-PSSessionConfigurationFile to create the configuration Register-PSSessionConfiguration to register the configuration for remote users 22

23 RESTRICTED RUNSPACE Attempt to execute Enter-PSSession using the Configuration Source: CONSTRAINED LANGUAGE Introduced in PowerShell version 3.0 Language mode designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs Contains a number of restrictions that prevents malicious activities such as: Only approved.net types are allowed Only allowed types can be used 23

24 CONSTRAINED LANGUAGE Set PSLockdownPolicyin Registry with value to 4 CONSTRAINED LANGUAGE 24

25 APPLOCKER Restrict which programs/scripts that the users can executed based on File/Folder Path Software Publisher File Hash Action Allow Mode Deny Mode Exceptions File/Folder Path Software Publisher File Hash APPLOCKER Source: 25

26 APPLOCKER Applocker in Allow Mode (Recommended) Whitelist Mode Prevent the execution of unknown / unapproved applications/script. Applocker in Deny Mode Blacklist Mode Limit the execution of malware known to your organization. Source: ALL SOUNDS SO GOOD.. But what can attacker do? How about bypass? Restricted Runspace Constrained Language Applocker 26

27 RESTRICTED RUNSPACE Vulnerabilities: Command Injection Escaping the commands Source: RESTRICTED RUNSPACE Command Injection - Visibility Source: 27

28 CONSTRAINED LANGUAGE Downgrade attack Constrained language is available in PowerShell 3.0 onwards Therefore, PowerShell version 2.0 can be used to bypass constrained language mode APPLOCKER Disable AppLocker using privileged account. Make use of interactive PowerShell input instead of using scripts 28

29 AGENDA Trends and Attacks Logs PowerShell Logs PowerShell Versions Sysmon Logs Mitigations Restricted RunSpace Constrained Language Mode AppLocker (Application Whitelisting) Detection - Tools and Techniques SIEM Machine Learning Revoke-Obfuscation AMSI (Anti-Malware Scan Interface) Conclusion SIEM Centralized all logs into SIEM for investigation and to write simple detections Script Block Logs Transcription Module Logs SIEM Sysmon Logs 29

30 SIEM Source: SIEM - WRITING DETECTIONS Detection Considerations Know your environment Check for long command line length in process creation/sysmon logs Look out for encoded commands which are base64 Look out for indicators of obfuscations Check cmdlet execution against a list of whitelist commands/scripts 30

31 SIEM - WRITING DETECTIONS Look out for the parent process which triggers PowerShell (but not limited to) such as: CMD CScript/WScript BAT MSHTA WMI Registry Scheduled Tasks VBA VBS LNK MACHINE LEARNING Leveraging machine learning to detect malicious PowerShell commands Requires a large training set! Latest research article includes: Malicious PowerShell Detection via Machine Learning Detecting Malicious PowerShell Commands using Deep Neural Networks 31

32 REVOKE-OBFUSCATION SCRIPT Developed by Daniel Bohannon and Lee Holmes Source: evoke-obfuscation ANTI-MALWARE SCAN INTERFACE (AMSI) Insights into script behaviour through AMSI to look at script contents that is unencrypted and pass it on to AMSI Provider for inspection. Source: 32

33 AMSI Source: AMSI 33

34 CAN WE BYPASS AMSI? Downgrade attacks Obfuscation Disabling AMSI Other Techniques Is there a script? BYPASS AMSI Downgrade Downgrade to PowerShell v2.0 which doesn t support AMSI Obfuscation Evade AV signature detection through: Mixed Characters Randomized Variable/Function Names Invoke-Obfuscation Script Source: 34

35 BYPASS AMSI Disable AMSI Registry Edits Set value in HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable to 0 PowerShell Command Set -MpPreference DisableRealTimeMonitoring $True Source: Well-It-Does-It.pdf BYPASS AMSI Other techniques Placing a rogue AMSI.dll in C:\Windows\System32\WindowsPowerShell\v1.0 CyberArk Research Patching Technique Redux Technique 35

36 BYPASS AMSI Is there a simpler way? YES! Nishang script which uses publicly known methods to bypass/avoid AMSI. Source: CONCLUSION Centralized all the logs and understand your environment well. Try to at least enable scriptblock and sysmon/process creation logging. Install PowerShell v4.0 and above at minimum Uninstall/disable PowerShell v2.0 if possible Enable AppLocker and constrained language mode as they compliment each other. Makes use of AMSI and be aware of all bypass techniques Look out for indicators of obfuscation which can bypass signature based detection Take note of possible ways that powershell.exe can be invoked and suspicious command invocations. We can never protect everything but we can make it harder for attackers to infiltrate! 36

37 37