Monitoring Malicious PowerShell Usage Through Log Analysis
Jesper Magnusson
Computer Science and Engineering, master's level, 2019
Luleå University of Technology
Department of Computer Science, Electrical and Space Engineering

Abstract

Security has become a hot topic around the world, but the focus lies more on the perimeter than on the inside of networks, which opens up vulnerabilities. Directed cyber-attacks on the energy sector that leverage this fact have increased and can have disastrous effects, even at the national level. To counter this, a solution was implemented to monitor the usage of the most powerful and popular built-in tool among attackers: PowerShell. A test-bed was set up reflecting a corporate network with two separate Active Directory domains, one for office clients and one for critical infrastructure. It was shown that attackers only needed to take over the office Active Directory domain in order to gain easy access to the critical Active Directory domain. To simulate attacks of this type, a collection of malicious scripts was gathered, from which a number of possible scenarios for taking over the office Active Directory domain via PowerShell were created. Windows has several options for logging executions of PowerShell commands on machines. The one used, and deemed most beneficial, was "Module logging", complemented with a filtered set of process creation logs. To monitor the logs created on the office client from PowerShell executions, a system based on the "ELK stack" was set up. This system gathered, processed, stored and visualized logs along with the results of their analysis. The system analyzed logs with the aid of custom software called "ESPSA", which, based on different parameters and contexts, assigned every execution a risk value indicating its level of maliciousness. To be able to assign risk values, the maliciousness of every command had to be evaluated.
This was done with the aid of a mathematical expression that gave values between 0 and 100 based on the probability of benign execution and the security risk of the actual command. The evaluation shows that all simulated attack scenarios were detected as malicious by reaching total risk values above the threshold of 100 in their exact implementation. It also shows that possible branches of these attacks could instead yield a value below the threshold and go undetected. The evaluation also shows that "Module logging" is unable to record certain types of executions, primarily .NET Framework interactions, which severely limits the possibilities for monitoring malicious behavior.

List of Figures
1 Industroyer overview
2 Test-bed used for vulnerability evaluation
3 Test-bed with implemented solution
4 Process flow between solution components
5 Process flow between ESPSA components
6 Example graph of Akima cubic spline interpolation for time risk factoring with working hours between 8 and 17
7 3D plot of equation 2

List of Tables
1 Malicious PowerShell scripts
2 Enabled GPOs for PowerShell logging
3 PowerShell command risk assignments
4 Outcome of simulation - local files
5 Outcome of simulation - MSI packages
6 Outcome of simulation - saved browser credentials

List of Listings
1 PowerShell logon script
2 PowerShell logoff script
3 Log structure added by Logstash

List of Equations
1 PowerShell execution risk evaluation
2 PowerShell command risk assignment

Abbreviations
AD Active Directory
AD DS Active Directory Domain Services
AI Artificial Intelligence
BHIPS Behavioural Host Intrusion Prevention System
BIOS Basic Input/Output System
C# C Sharp
C&C command-and-control
CLI Command Line Interface
CMD Command Prompt
CNN Convolutional Neural Network
COM Component Object Model
CPU Central Processing Unit
DC Domain Controller
DCOM Distributed COM
DHCP Dynamic Host Configuration Protocol
DLL Dynamic-Link Library
DMS Distribution Management System
DNS Domain Name System
DoS Denial-of-Service
FIFO First In First Out
FTP File Transfer Protocol
GPO Group Policy Object
HMI Human-Machine Interface
HTML HyperText Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICS Industrial Control System
IP Internet Protocol
IT Information Technology
JAR Java Archive
JS JavaScript
JSON JavaScript Object Notation
MAC Media Access Control
MMS Manufacturing Message Specification
MSI Microsoft Windows Installer
NLP Natural Language Processing
OLE Object Linking and Embedding
OPC OLE for Process Control
OPC DA OPC Data Access
OS operating system
PDF Portable Document Format
PLC Programmable Logic Controller
RADIUS Remote Authentication Dial-In User Service
RAT Remote Access Trojan
RDP Remote Desktop Protocol
RTU Remote Terminal Unit
SCADA Supervisory Control And Data Acquisition
SIEM Security Information and Event Management
SMB Server Message Block
SQL Structured Query Language
TCP Transmission Control Protocol
UAC User Account Control
UPS Uninterruptible Power Supply
URL Uniform Resource Locator
VLAN Virtual Local Area Network
VPN Virtual Private Network
WLAN Wireless Local Area Network
WMI Windows Management Instrumentation
WPA Wi-Fi Protected Access
WSL Windows Subsystem for Linux
XDP XML Data Package
XML Extensible Markup Language

Glossary
Command Prompt: a command line interpreter application available in most Windows operating systems, used to execute entered commands. Most of those commands automate tasks via scripts and batch files, perform advanced administrative functions, and troubleshoot or solve certain kinds of Windows issues.
Denial-of-Service: a type of cyber-attack in which a malicious actor aims to render a computer or other device unavailable to its intended users. Such attacks typically function by overwhelming or flooding a targeted machine with requests until normal traffic can no longer be processed.
keylogger: software or hardware that records (logs) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
machine learning: the scientific study of algorithms and statistical models that computer systems use to perform a specific task effectively without explicit instructions, relying on patterns and inference instead.
non-malware attack: an attack in which the attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks can gain control of computers without downloading any malicious files, hence the name. They are also referred to as file-less, memory-based or "living-off-the-land" attacks.
phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site.
polling: a technique that continually interrogates a peripheral device to see if it has data to transfer.
regex: a regular expression, a sequence of characters that defines a search pattern.
Remote Access Trojan: a type of malware that allows a malicious party access to a computer system through a remote network connection.
sandboxing: a security mechanism for separating running programs, usually to prevent system failures or software vulnerabilities from spreading. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
social engineering attack: the term used for a broad range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
spear phishing: a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic that uses email, social media, instant messaging and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss or financial loss. While phishing may rely on shotgun methods that deliver mass emails to random individuals, spear phishing focuses on specific targets and involves prior research.
User Account Control: a security feature in Windows that aims to improve security by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.
watering hole attack: a computer attack strategy in which the victim is a selected group (organization, industry or region). The attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group becomes infected.
web scraping: extracting data from websites, either manually or by automated bots or web crawlers.