Stripping the Malware Threat Out of PowerShell with ensilo. Whitepaper. March

Transcription

1 Stripping the Malware Threat Out of PowerShell with ensilo Whitepaper March

2 2 Table of Contents Introduction In the Beginning - There Was the CMD Prompt When PowerShell Attacks Pulling PowerShell s Teeth Targeted Endpoint Defense About ensilo

3 3 Introduction While intended for system administration and the automation of daily maintenance and management tasks, PowerShell has become a preferred tool for cybercriminals. Using the framework s flexibility to carry out reconnaissance, download payloads, and create lateral movement, threat actors are able to quickly create malicious scripts capable of downloading payloads, sniffing out passwords or even downloading and installing PowerShell if it isn t already installed on the targeted computer. Dealing with the full capabilities of PowerShell based, fileless attacks is daunting. The ability for PowerShell to run virtually invisibly on local systems as well as its ability to move throughout the Microsoft ecosystem makes it not only a challenging threat today, but one that will evolve rapidly. The problem, is that traditional endpoint security, AV and NG-AV are usually only focused on keeping the attacker out. ensilo endpoint security platform delivers a new strategy for battling external cyber threats. Recognizing that infiltration is inevitable, the platform focuses on preventing the consequences of the cyber attack, let it be data theft or ransomware. With this, ensilo delivers what cyber security was supposed to be doing all along: protect the data. Using high-fidelity retroactive review, ensilo provides conclusive evidence whether the enterprise is dealing with a real threat. If so, ensilo blocks the malicious action, without any impact on the user s machine. Out of the box, ensilo s endpoint security platform has already proven it can defend against all of the latest malware that are lighting up the security world. This paper delves into PowerShell s popularity, how it is being leeched on to by threat actors and finally how ensilo can protect your endpoints against this increasing threat. In the Beginning - There Was the CMD Prompt And for the most part it was good. CMD.exe was a simple command-line interpreter known, loved (and reviled) by Windows Admins everywhere. But for all that it did well; CMD was significantly less capable than the more powerful shell environments available in Unix-based systems. So, for every sys-admin that was happy stringing DOS commands together in CMD, there was an equally disgruntled alpha geek that prayed for a more powerful tool. It wasn t until late 2006, that Microsoft finally answered that prayer, with something they called PowerShell. PowerShell, which shipped with Windows 7, was more than just a hyped up CMD shell. It was a fullyfeatured command-line environment capable of managing everything in the Windows OS from the registry to Windows Management Instrumentation (WMI). It utilized pipes (just like UNIX systems do) and gave administrators a powerful environment capable of creating complex scripts that allowed admins to hook into the entire Windows enterprise ecosystem. Its power and popularity eventually led Microsoft to make Powershell, Windows main command shell.

4 4 If Windows admins worldwide were happy, it s easy to imagine how thrilled malware developers must have also been. After all, where else could you find a tool native to the Windows operating system capable of querying systems and executing commands (local and remote) that was also able to remain hidden from traditional endpoint security? What could an enterprising army of threat actors do with a tool like that? The answer to that question wasn t long in arriving. In his 2016, presentation at RSA, The Seven Most Dangerous New Attack Techniques, and What s Coming Next, Ed Skoudis, of the SANS Institute, declared that PowerShell had been fully weaponized. While Skoudis attributed much of this to the freely available tool: PowerShell Empire, it is the combination of the tool s integrated post-exploitation capabilities and how it leverages PowerShell that make it so powerful. Capable of being loaded directly into memory without touching physical disk, agents that leverage PowerShell can evade detection by antivirus, they have privilege escalation capabilities and the ability to persist in compromised systems well beyond the initial attack. This is everything a hopeful threat actor needs to successfully target and compromise Windows systems. The power, flexibility, and availability of PowerShell provides tremendous capability for threat actors looking to exploit it for malicious use. Through 2015 and 2016, more and more new attacks were seen that utilized PowerShell to deliver ransomware and other exploits using Microsoft Office based macros as part of the delivery system. When PowerShell Attacks While intended for system administration and the automation of daily maintenance and management tasks, PowerShell has become a preferred tool for cybercriminals. Using the framework s flexibility to carry out reconnaissance, download payloads, and create lateral movement, threat actors are able to quickly create malicious scripts capable of downloading payloads, sniffing out passwords or even downloading and installing PowerShell if it isn t already installed on the targeted computer. Why Threat Actors Love PowerShell It s installed by default on all new Windows computers It s capable of executing payloads directly from memory It s careful and leaves few traces behind for forensic teams to find It s mobile, capable of lateral movement with remote access capabilities built in It s easy to obfuscate and difficult to detect in script form It s capable of ignoring application whitelisting It s capable of bypassing some sandboxes It s prolific with new scripts being created daily It s trusted systems administrators love PowerShell too Symantec alone found more than 111 malware families using PowerShell and observed more than 45,000 malicious scripts built with PowerShell. Worse, the number of new scripts they re seeing is growing day by day.

5 5 Microsoft didn t set out to build the PowerShell framework into a dedicated threat actor toolset. But sometimes you have to wonder. For an example of this, just look to Microsoft s execution policy for PowerShell scripts. The execution policy (in a nutshell) is a setting that determines which types of scripts can be run on the system. Microsoft s default setting for PowerShell execution (on all systems save Server 2012) is Restricted. The Restricted policy only allows PowerShell to run interactively and execute single commands. While this can help prevent some users accidentally triggering a malicious script (such as those delivered by an infected Office document), they were truly intended as a means to protect the operating system from overzealous systems administrators with run-away scripts. So think more safety feature and less security feature. For example: In a Windows system, if a user tries to launch a PowerShell script, the 3restricted execution policy will ensure that instead of allowing the script to execute, it will instead open up in the default viewer application for the.ps1 filetype. However, if an attacker were to pipe the script into the standard-in of the PowerShell executable things change. This technique bypasses the execution policy, does not require any writing to disk and allows for the execution of the script. Similar techniques allow for PowerShell scripts to downloaded content from the Internet onto local disk or even run downloaded scripts in memory. There s even a helpful command flag called Bypass that will allow users to call PowerShell with an explicit option to bypass the execution policy, a method that blocks nothing and provides no warnings or prompts. Handy, right? Since the majority of PowerShell script based attacks are done post-exploitation, they are often used to fetch payloads. Using built-in functions such as: (New-Object System.Net.Webclient).DownloadString() (New-Object System.Net.Webclient).DownloadFile() The System.Net class is capable of sending or receiving data from remote systems, and can function on the command line. Combine the abilities to run unrestricted, to pull files from anywhere in the world, and combine it with a rich set of obfuscation tools built in, and you only get the first hints of just how powerful, agile, and devilishly difficult to detect PowerShell based exploits truly are.

6 6 Examples of PowerShell-based Attacks Poweliks Crigent (aka PowerWorm ) Popular with click-fraud operations. Fileless, running completely in the Windows registry. Capable of maintaining its persistence on a system while never directly writing any detectable data to disk. Once installed, depends on C2 servers to download further components. Uses PowerShell to evade detection and allow for the downloading components from Tor and Polipo. Also uses PowerShell to find, and infect any existing Office documents on the drive. Very difficult to detect short of recognizing and blocking known TOR traffic. Fariet CryptoLocker Utilizes either a malware stuffed PDF file that exploits PowerShell or a Word Document with an infected macro. Steals stored passwords, credentials, and even bitcoin information. Because users can ignore the potential threats wrapped in the malicious s, it can be difficult for traditional endpoint systems and AV to stop. A ransomware variant dropped by malicious Word files containing macros that when executed, invoke PowerShell. The PowerShell instance connects out to a C2 server to bring down the ransomware payload. Other script generates encryption keys and goes to work searching the local system for files to encrypt and network shares to traverse. Vawtrak Uses malicious macros embedded in Microsoft Word and PowerShell to steal users online banking information. Attachments include a macro that drops a batch file into the local system. The scripts run using a policy exception flag that prevents blocking or warnings to come from the local OS. Newer variants will escape the notice of endpoint systems and many AV products as there will be no known hashes for the new attack nor any threat intelligence on updated files, URLS, or known SPAM data.

7 7 Pulling PowerShell s Teeth Dealing with the full capabilities of PowerShell based, fileless attacks is daunting. The ability for PowerShell to run virtually invisibly on local systems as well as its ability to move throughout the Microsoft ecosystem makes it not only a challenging threat today, but one that will evolve rapidly. The problem, is that traditional endpoint security, AV and NG-AV are usually only focused on keeping the attacker out. The grim reality continues to be that for most organizations a breach is inevitable. And what the AV and NGAV solutions overwhelmingly fail at is preventing the damage that occurs after an attacker gets in anyway. Once inside the enterprise, an attacker can locate sensitive data and tamper with it, as with the case of ransomware, or package and ship it to the darker parts of the Internet in seconds. ensilo endpoint security platform delivers a new strategy for battling external cyber threats. Instead of blindly shielding all entry points, ensilo does what cyber security was supposed to be doing all along: protect the data. Targeted Endpoint Defense Let s suppose one of your users has executed a malware infected macro virus in an attachment. The malware has to succeed at one of two specific actions before it can be successful. It must either communicate out to a command and control server or it must successfully encrypt your files. Because ensilo sits inside the operating system and the eco-system of its files, processes, and applications, it detects these malicious activities within the OS instruction flow. Unauthorized actions and evidence of attack are detected, silently responded to, and reported with a single alert, while legitimate OS functions are able to continue uninterrupted. Let s see the breakdown. High-Fidelity Retroactive Review ensilo s endpoint security platform conducts retroactive review in real-time. It starts by seamlessly recording all OS activity. When there s an attempt to extract or modify data, ensilo focuses on the action, retrieves all recorded activity, and retroactively reviews it in real time all the way back to its source. The entire chain of OS activities provides conclusive evidence whether you re dealing with a real threat. If so, ensilo blocks the malicious action, with any impact on the user s machine. By tracing malicious activity back to its origin, ensilo can identify the root cause. If you choose to take action, you can also neutralize it.

8 w w w.ensilo.com 8 Business Continues As-Usual As malware developers continue to increase the threat level, ensilo has found a way to provide frictionless, real-time, autonomous endpoint protection. Out of the box, ensilo has already proven it can defend the enterprise against all of the latest malware threats that are lighting up the security world: PowerShell integration, even fileless malware exploits. The damages that these malware can wreak have all been successfully blocked by ensilo even when these threats were technically in their zero-day states. Not only does ensilo work, it also stays out of your way. Because ensilo only stops malicious OS calls, users can continue to work on their systems and not have their productivity limited or stopped. ensilo is so lightweight, your users work unhindered by resource intensive scans or massive memory footprints. Since ensilo catches the attackers' red-handed, security administrators receive only a single alert per real threat, so there is no alert overload to contend with. Perhaps the most overlooked aspect of ensilo is that it is a solution that is focused on prevention not detection. We prevent bad outcomes. We prevent data tampering or theft by denying attackers the activities they need to perform to successfully breach your enterprise. Specifications The ensilo endpoint security platform supports any of the following operating systems (both 32-bit and 64-bit versions): Windows XP SP2/SP3, 7, 8, 8.1 and 10.x Windows Server 2003 R2, 2008, 2008 R2, 2012 and 2012 R2 MacOS Maverick (10.9), Yosemite (10.10) El Capitan (10.11), and Sierra (10.12) Red Hat Enterprise Linux 6.8 and 7.x and CentOS 6.8 and 7.x VDI Environments: VMware Horizons 6 and Citrix XenDesktop/ XenApp 7

9 9 About ensilo ensilo is a comprehensive endpoint security platform that combines certified next generation antivirus with post-infection data protection capabilities that can automatically respond to and defeat the most complex infections. The unique platform makes incident response automatic and provides post-infection protection that prevents the theft or ransom of all data even if an endpoint is compromised. ensilo enables forensic teams with evidence of all stopped attacks so remediation can follow the clear-cut evidence without being buried in questionable alerts or indicators. ensilo Benefits One Alert Per One Live Threat Real-Time Theft Prevention Real-Time Ransomware Prevention Frictionless Security Low number of alerts No action required Prevents the consequences of an advanced attack Real-time, before it starts Continue working in a Compromised envoirment Schedule a Demo Today to See How ensilo Successfully Combats PowerShell Attacks. contact@ensilo.com