The Risks Associated with (unmanaged) PowerShell. Casting a hidden.net HITRUST Alliance

Size: px

Start display at page:

Download "The Risks Associated with (unmanaged) PowerShell. Casting a hidden.net HITRUST Alliance"

Martha Bennett
5 years ago
Views:

1 The Risks Associated with (unmanaged) PowerShell Casting a hidden.net HITRUST Alliance

not commonly enabled/monitored Capable: Run Code in Memory == No on disk evidence Download and

2 PowerShell as an Attack Platform Availability: Built-in command shell in every Windows 7/2008 R2 and newer system Detection: Not commonly blocked or effectively blocked PowerShell logging not commonly enabled/monitored Capable: Run Code in Memory == No on disk evidence Download and execute code from the internet/another system Many powerful capabilities HITRUST Alliance

3 Living off the Land with Powershell 38% of attacks involve PowerShell *.Why do attackers live off the land? Reduces detection surface by using built-ins Utilizes common, legitimate actions such as using cmd.exe No AV or malware signatures; can bypass execution policy Looks similar to normal activity, doesn t stand out (as much) PowerShell.exe /ExecutionPolicy bypass /file stealdata.ps1 * HITRUST Alliance

4 You ve upgraded to PS v5 Great! Allows new controls: Limit PS command usage (Constrained Language Model) View obfuscated code (script block logging) Monitor all PS execution (system-wide transcription) Did you Uninstall PS v2? If not, attackers can bypass v5 defensive capabilities by downgrading and running under v HITRUST Alliance

5 But You re blocking PowerShell.exe?... Blocking PowerShell.exe from running isn t enough PS can be invoked without access to the executable (System.Management.Automation.dll) Attackers can provide their own custom PowerShell executable and run the code of their choosing (Unmanaged PowerShell) HITRUST Alliance

6 What if You re NOT blocking PowerShell.exe? There are bountiful detection opportunities!! Windows Host-based logging: Sysmon Command line logging* (but blind to script and interactive sessions) PowerShell Event Logs needed to be enabled (version 3.0+) Module logging good luck! Event Codes 4103 and 4104 (4105/4106) Transcription logging full log of commands and output (version 5.0) Event ID 7: PowerShell that s not PowerShell (DLL loading of PS) Windows Event Security Logs Event ID 4688*: Awesome detections, but need to enable command line process auditing* (which you should be doing anyway) * Link in Appendix HITRUST Alliance

7 Strong Indicators of Malicious PowerShell Use Loading PowerShell via DLL Sysmon Event ID 7 Indicator values: Task Category = Image Loaded Image = *System.Management.Automation.ni.dll There are some filtering options in Sysmon that will help this* Other Methods: best way is to experiment A word on Sysmon and general scripting attacks like PowerShell. * link in Appendix HITRUST Alliance

8 Strong Indicators of Malicious PowerShell Use Windows Event Security Logs and Windows Command Line Auditing* Event ID 4688 (Process Created) Things to look for: -ExecutionPolicy, bypass, -enc, Invoke-Expression / iex, Net.WebClient See for a good example of what encoding looks like Other Methods: best way is to experiment Machine Learning Can use some basic clustering to understand better what is normal in your environment anomalies/outliers are easy to spot Some questions to ask are: Who normally runs PowerShell? What are normal and frequent commands? Look at the length of commands * link on how to enable is in Appendix HITRUST Alliance

Guard by running their code reflectively Load and execute malicious code (.

9 So, You have EDR and Device Guard?... Watch your logs, watch your logs, watch your logs Attackers can bypass EDR and Device Guard by running their code reflectively Load and execute malicious code (.NET assemblies ) at run time using trusted executables Code can be run in memory, thwarting some EDR solutions and leaving next to no host based evidence HITRUST Alliance

PS requires a Safety PowerShell is a powerful tool for managing your Windows Environment, but: Enable enhanced logging and auditing to help your cyber security defenders.

10 PS requires a Safety PowerShell is a powerful tool for managing your Windows Environment, but: Enable enhanced logging and auditing to help your cyber security defenders. Utilize Just Enough Administration (JEA) configuration capabilities to dial in and limit PowerShell usage PowerShell is also a powerful attack tool, reduce risk by: Enable and MONITOR logs, enable JEA, upgrade and remove old versions HITRUST Alliance

11 Closing Thought: Powershell has lots of detection opportunities to explore.but start with the #1 Incident Response Tool: The Google HITRUST Alliance

12 Visit for more information To view our latest documents, visit the Content Spotlight HITRUST Alliance

13 Appendix Resources Configuring Command Line Process Auditing: Sysmon Filter: General PowerShell Detections: (an article on using deep learning for PowerShell detections; if you know basic python you can do this easily in Keras) HITRUST Alliance

Detecting Modern PowerShell Attacks with SIEM

SEC555 Presentation based on SEC555: SIEM with Tactical Analytics Detecting Modern PowerShell Attacks with SIEM Justin Henderson (GSE # 108) @SecurityMapper About Us Author of SEC555: SIEM with Tactical