
The Risks Associated with (unmanaged) PowerShell

Casting a hidden .NET

© 2018 HITRUST Alliance

PowerShell as an Attack Platform

• Availability:
  – Built-in command shell in every Windows 7 / 2008 R2 and newer system
• Detection:
  – Not commonly blocked, or not blocked effectively
  – PowerShell logging not commonly enabled or monitored
• Capable:
  – Runs code in memory == no on-disk evidence
  – Downloads and executes code from the internet or another system
  – Many powerful capabilities

Living off the Land with PowerShell

• 38% of attacks involve PowerShell*. Why do attackers live off the land?
  – Reduces detection surface by using built-ins
  – Uses common, legitimate actions such as running cmd.exe
  – No AV or malware signatures; can bypass execution policy
  – Looks similar to normal activity, doesn’t stand out (as much)

PowerShell.exe /ExecutionPolicy bypass /file stealdata.ps1

* https://www.carbonblack.com/wp-content/uploads/2016/04/Cb-Powershell-Deep-Dive-A-United-Threat-Research-Report-1.pdf

You’ve upgraded to PS v5 – Great!

• Allows new controls:
  – Limit PS command usage (Constrained Language Mode)
  – View obfuscated code (script block logging)
  – Monitor all PS execution (system-wide transcription)

• Did you uninstall PS v2?
  – If not, attackers can bypass v5 defensive capabilities by “downgrading” and running under v2
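The following PowerShell is an added example, not code from the HITRUST deck: it turns on the v5 controls this slide lists (script block logging, module logging, system-wide transcription) through the same policy registry keys Group Policy writes, and then checks whether the v2 engine is still installed. The transcript share path and the Windows 10 feature name are assumptions; on Windows Server the v2 engine is a server feature instead.

```powershell
# Added example (not from the HITRUST deck): turn on the v5 controls the slide lists and
# check for a leftover v2 engine. Run as Administrator. The keys under HKLM:\SOFTWARE\Policies
# are the ones Group Policy writes, so a domain GPO will override what is set here.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue($SubKey, $Name, $Value, $Type = 'DWord') {
    $Path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: PowerShell records the code it actually compiles (event 4104), so
# encoded or obfuscated commands appear in clear text.
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1

# Module logging for every module: pipeline execution details (event 4103).
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

# System-wide transcription: every session's commands and output go to one directory.
# The share name is an assumption; use a write-only location that a collector drains.
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' '\\logserver\PSTranscripts$' 'String'

# Downgrade check: the v2 engine ignores all of the above, so remove it. Feature name is the
# Windows 10 one; on Windows Server use Get-WindowsFeature / Uninstall-WindowsFeature PowerShell-V2.
$V2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($V2 -and $V2.State -eq 'Enabled') {
    Write-Warning 'PowerShell v2 engine is installed: "powershell -Version 2" would bypass the logging above'
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# Constrained Language Mode is enforced by an application control policy (Device Guard / WDAC
# or AppLocker), not by a registry switch; this only shows what the current session received.
$ExecutionContext.SessionState.LanguageMode
```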

But You’re Blocking PowerShell.exe?...

• Blocking PowerShell.exe from running isn’t enough
  – PS can be invoked without access to the executable (System.Management.Automation.dll)

• Attackers can provide their own “custom” PowerShell executable and run the code of their choosing (Unmanaged PowerShell)

What if You’re NOT Blocking PowerShell.exe?

• There are bountiful detection opportunities!
• Windows host-based logging:
  – Command line logging* (but blind to script and interactive sessions)
  – PowerShell event logs need to be enabled (version 3.0+)
  – Module logging… good luck! Event IDs 4103 and 4104 (4105/4106)
  – Transcription logging: full log of commands and output (version 5.0)
• Sysmon
  – Event ID 7: PowerShell that’s not PowerShell (DLL loading of PS)
• Windows Security event log
  – Event ID 4688*: awesome detections, but you need to enable command line process auditing* (which you should be doing anyway)

* Link in Appendix

Strong Indicators of Malicious PowerShell Use

• Loading PowerShell via DLL
  – Sysmon Event ID 7
  – Indicator values:
    • Task Category = Image Loaded
    • Image = “*System.Management.Automation.ni.dll”
  – There are some filtering options in Sysmon that will help with this*
  – Other methods: the best way is to experiment

• A word on Sysmon and general scripting attacks like PowerShell….

* link in Appendix

Strong Indicators of Malicious PowerShell Use (continued)

• Windows Security event log and Windows command line auditing*
  – Event ID 4688 (Process Created)
  – Things to look for: “-ExecutionPolicy”, “bypass”, “-enc”, “Invoke-Expression” / “iex”, “Net.WebClient”
  – See https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ for a good example of what encoding looks like
  – Other methods: the best way is to experiment
• Machine learning
  – Can use some clustering to understand better what is normal in your environment; anomalies and outliers are easy to spot
  – Some questions to ask are:
    • Who normally runs PowerShell?
    • What are normal and frequent commands?
    • Look at the length of commands

* Link on how to enable is in Appendix
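The hunt described across the last three slides, as an added example that is not part of the deck: it reads the three log sources named there (Security 4688, PowerShell 4104, Sysmon 7) and applies the indicator strings listed above. In Sysmon's event 7 the loaded DLL is in the ImageLoaded field and the loading process in Image, so the "PowerShell that's not PowerShell" check is ImageLoaded matching System.Management.Automation while Image is not a known PowerShell host. The 24-hour window, the 2000-character length threshold and the added “-Version 2” pattern (for the v2 downgrade from slide 3) are assumptions to tune per environment.

```powershell
# Added example (not from the HITRUST deck): pull the three log sources the slides name and
# flag the indicators they list. Run as Administrator on a host where 4688 command-line
# auditing, PowerShell script block logging (4104) and Sysmon are already enabled.
$Since = (Get-Date).AddHours(-24)

# Indicator strings from the slide as one case-insensitive regex; '-Version 2' is added
# here because the deck's v2 downgrade bypass shows up in the command line that way.
$Suspicious = '-ExecutionPolicy|bypass|-enc|Invoke-Expression|\biex\b|Net\.WebClient|-Version\s+2'

# Turn an event's <EventData> into an object with one property per named field.
function ConvertFrom-EventData($Event) {
    $Fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $Fields[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$Fields
}

function Find-SuspiciousPowerShell {
    # 1. Security 4688: process creation with the full command line.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.CommandLine -match $Suspicious } |
        Select-Object @{n='Source'; e={'4688'}}, SubjectUserName, NewProcessName, CommandLine

    # 2. PowerShell 4104: the de-obfuscated script block, so encoded commands are searchable
    #    in clear text; unusually long blocks are worth a look on their own (slide 7).
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.ScriptBlockText -match $Suspicious -or $_.ScriptBlockText.Length -gt 2000 } |
        Select-Object @{n='Source'; e={'4104'}}, Path, @{n='Length'; e={$_.ScriptBlockText.Length}},
                      @{n='Script'; e={$_.ScriptBlockText.Substring(0, [Math]::Min(100, $_.ScriptBlockText.Length))}}

    # 3. Sysmon 7: System.Management.Automation(.ni).dll loaded by something other than the
    #    PowerShell hosts themselves (unmanaged PowerShell). Baseline legitimate hosts such as
    #    management consoles before alerting on this.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_.ImageLoaded -like '*\System.Management.Automation*.dll' -and
                       $_.Image -notmatch '\\(powershell|powershell_ise|pwsh)\.exe$' } |
        Select-Object @{n='Source'; e={'Sysmon7'}}, Image, ImageLoaded
}

Find-SuspiciousPowerShell | Format-Table -AutoSize -Wrap
```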

So, You Have EDR and Device Guard?...

• Watch your logs, watch your logs, watch your logs…

• Attackers can bypass EDR and Device Guard by running their code “reflectively”
  – Load and execute malicious code (.NET “assemblies”) at run time using trusted executables
  – Code can be run in memory, thwarting some EDR solutions and leaving next to no host-based evidence.

PS Requires a Safety

• PowerShell is a powerful tool for managing your Windows environment, but:
  – Enable enhanced logging and auditing to help your cyber security defenders.
  – Use “Just Enough Administration” (JEA) configuration capabilities to dial in and limit PowerShell usage

• PowerShell is also a powerful attack tool; reduce the risk:
  – Enable and MONITOR logs, enable JEA, upgrade and remove old versions…
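What “dialing in” PowerShell with JEA looks like, as an added example (not from the deck): a constrained endpoint that exposes only Get-Service and a parameter-restricted Restart-Service to members of an assumed group CONTOSO\ServiceDeskOps, runs under a virtual account, and transcribes every session. The group name, module name, service names and transcript directory are assumptions.

```powershell
# Added example (not from the HITRUST deck): a minimal JEA endpoint. Members of the assumed
# group CONTOSO\ServiceDeskOps get Get-Service and Restart-Service for two named services
# and nothing else; every session is transcribed. Run as Administrator with WinRM enabled.
$ModulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEA-ServiceDesk'
$RoleDir = Join-Path $ModulePath 'RoleCapabilities'
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'JEA-ServiceDesk.psd1')

# Role capability: an allow-list of cmdlets. Restart-Service is further limited by parameter
# value, so Invoke-Expression, Net.WebClient, script files and providers are never reachable.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'ServiceDesk.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# Session configuration: NoLanguage mode, a temporary virtual admin account instead of the
# operator's own credentials, and a transcript of every session (directory is an assumption).
$Pssc = Join-Path $env:ProgramData 'JEA\ServiceDesk.pssc'
New-Item -Path (Split-Path $Pssc) -ItemType Directory -Force | Out-Null
New-PSSessionConfigurationFile -Path $Pssc -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceDeskOps' = @{ RoleCapabilities = 'ServiceDesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw "Invalid session configuration: $Pssc" }
Register-PSSessionConfiguration -Name 'ServiceDesk' -Path $Pssc -Force | Out-Null

# Operators connect with:  Enter-PSSession -ComputerName <host> -ConfigurationName ServiceDesk
# and see only the two cmdlets above plus the few defaults RestrictedRemoteServer always exposes.
```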

Closing Thought:

PowerShell has lots of detection opportunities to explore… but start with the #1 incident response tool:

The Google

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight

Appendix: Resources

Configuring Command Line Process Auditing:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Sysmon:
https://github.com/datasci4security/sysmon-config

General PowerShell Detections:
https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
https://www.blackhillsinfosec.com/powershell-w-o-powershell-simplified/
https://arxiv.org/pdf/1804.04177.pdf (an article on using deep learning for PowerShell detections; if you know basic Python you can do this easily in Keras)
https://www.carbonblack.com/wp-content/uploads/2016/04/Cb-Powershell-Deep-Dive-A-United-Threat-Research-Report-1.pdf
