Slide 1

(Re)Investigating PowerShell Attacks
Matt Hastings, Ryan Kazanciyan
BruCON 0x0A Retro Talks

Slide 2


Slide 3

“Investigating PowerShell Attacks”, 2014
“Desired State: Compromised”, 2015

Slide 4

Revisiting Investigating PowerShell Attacks

Slide 5

Our original research

Slide 6

Evidence in Memory

Slide 7

Memory footprint: PowerShell remoting

Slide 8


Slide 9

Logging

Slide 10

Logging in PowerShell 2.0
● PowerShell and WinRM logs
○ Start and finish of console sessions
○ Start and finish of remoting sessions (with user)
● PowerShell Analytic logs
○ Names of executed scripts and cmdlets
○ Encoded input and output of remoting sessions
○ Disabled by default; too verbose for ongoing usage
● AppLocker
○ Captures user and script path
○ Must create script rules in audit or enforce mode
● Transcription logging
○ Enabled on a per-profile basis
○ Does not log remoting activity

Slide 11

Example: PS Analytic logs (v2)

Slide 12

Invoke-Command {Get-ChildItem C:\}

Slide 13

Module Logging in PS v3
3,905 events from one execution of Invoke-Mimikatz

Slide 14

Script Block logging in PS v4 to the rescue!

Slide 15

PowerShell versus other scripting languages
https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/

Slide 16

PowerShell versus other scripting languages

Slide 17


Slide 18

PowerShell Attacks Today

Slide 19

PS attacks have been commoditized

Slide 20

Defense evasions are widely available
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/trustedsec/unicorn
https://gist.github.com/cobbr

Slide 21

Modern attacks still use old tricks
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html

Slide 22

Modern attacks still use old tricks
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.redcanary.com/blog/cryptomining-enabled-by-native-windows-tools/

Slide 23

4%: percentage of malicious scripts sampled in 2018 that used any form of obfuscation
https://www.symantec.com/blogs/threat-intelligence/powershell-threats-grow-further-and-operate-plain-sight

Slide 24

https://www.symantec.com/blogs/threat-intelligence/powershell-threats-grow-further-and-operate-plain-sight

Slide 25

Investigating .NET Attacks in 2020!
● Researchers moving beyond PowerShell
● Emerging offensive toolkits
● Fewer insights into .NET execution
● More to come later in this talk...

Slide 26

Auditing in PowerShell v6

Slide 27

PowerShell 6.0 changes
● Relies on .NET Core 6.0 runtime
● Open source
● Windows, macOS, Linux support
● New shell: pwsh.exe
● Installable side-by-side with PS v5

Slide 28

PS v6 auditing in Windows
● New event log: PowerShellCore/Operational
● New ETW GUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2}
● New configuration files
○ $PSHOME\PowerShell.Core.Instrumentation.man
○ $PSHOME\RegisterManifest.ps1
○ $PSHOME\powershell.config.json

Slide 29

Events & EIDs unchanged from PS v5

Slide 30

powershell.config.json

{
    "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
    "PowerShellPolicies": {
        "ScriptExecution": {
            "ExecutionPolicy": "RemoteSigned",
            "EnableScripts": true
        },
        "ScriptBlockLogging": {
            "EnableScriptBlockInvocationLogging": true,
            "EnableScriptBlockLogging": true
        },
        "Transcription": {
            "EnableTranscripting": true,
            "EnableInvocationHeader": true,
            "OutputDirectory": "c:\\tmp"
        }
    },
    "LogLevel": "verbose"
}
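As an added example that is not part of the talk or of the PowerShell project, the Python below reads a powershell.config.json document and reports which of the PS v6 auditing settings from the slide are off or missing. The keys checked are the ones on the slide; the expected-value table, the weakened sample config, and the audit_config function are assumptions constructed here for illustration.

```python
import json

# Constructed copy of the powershell.config.json on the slide (all auditing on).
SLIDE_CONFIG = r"""{
  "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
  "PowerShellPolicies": {
    "ScriptExecution": {"ExecutionPolicy": "RemoteSigned", "EnableScripts": true},
    "ScriptBlockLogging": {"EnableScriptBlockInvocationLogging": true,
                           "EnableScriptBlockLogging": true},
    "Transcription": {"EnableTranscripting": true, "EnableInvocationHeader": true,
                      "OutputDirectory": "c:\\tmp"}
  },
  "LogLevel": "verbose"
}"""

# Constructed weakened config: script block logging switched off, transcription removed.
WEAK_CONFIG = r"""{
  "Microsoft.PowerShell:ExecutionPolicy": "Bypass",
  "PowerShellPolicies": {
    "ScriptBlockLogging": {"EnableScriptBlockLogging": false}
  }
}"""

# Assumed baseline: the PowerShellPolicies keys from the slide and the value that keeps
# each audit source on. An absent key is reported too, since nothing enforces it then.
EXPECTED = {
    ("ScriptBlockLogging", "EnableScriptBlockLogging"): True,
    ("ScriptBlockLogging", "EnableScriptBlockInvocationLogging"): True,
    ("Transcription", "EnableTranscripting"): True,
    ("Transcription", "EnableInvocationHeader"): True,
}


def audit_config(text):
    """Return a list of findings for one powershell.config.json document (empty = all good)."""
    cfg = json.loads(text)
    policies = cfg.get("PowerShellPolicies", {})
    findings = []
    for (section, key), wanted in EXPECTED.items():
        actual = policies.get(section, {}).get(key)
        if actual is None:
            findings.append(f"{section}.{key}: not set")
        elif actual != wanted:
            findings.append(f"{section}.{key}: {actual!r}, expected {wanted!r}")
    # Transcription without an OutputDirectory still works, but the files then land in
    # each user's Documents folder instead of one directory a collector can watch.
    transcription = policies.get("Transcription", {})
    if transcription.get("EnableTranscripting") and not transcription.get("OutputDirectory"):
        findings.append("Transcription.OutputDirectory: not set, transcripts go to each user's Documents folder")
    return findings


if __name__ == "__main__":
    for name, text in (("slide config", SLIDE_CONFIG), ("weakened config", WEAK_CONFIG)):
        print(name, "->", audit_config(text) or ["no findings"])
```

Run against the slide's configuration the checker returns no findings; against the weakened copy it lists the disabled script block logging setting and the three transcription and invocation-logging keys that are simply absent. Pointing it at $PSHOME\powershell.config.json on a host (the path the deck names) gives a quick read on whether the PS v6 audit trail is still intact.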

Slide 31

Enabling and disabling auditing

Slide 32

Auditing configuration changes

**********************
Command start time: 20180922134046
**********************
PS C:\Users\ryankaz\Desktop> RegisterManifest.ps1 -Unregister

● Not recorded in the event log
● Will be recorded in transcription logging
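Since transcription is the one place the unregister shows up, here is an added example (not from the talk, not part of any of the authors' tools) in Python that walks a transcript written with invocation headers, recovers each command with its start time, and flags the commands that touch PS v6 audit configuration. The transcript excerpt is constructed here in the layout the slide shows; the tamper patterns are assumptions built from the RegisterManifest.ps1 -Unregister command above and the policy registry key and config file the deck names elsewhere.

```python
import re
from datetime import datetime

# Constructed transcript excerpt in the layout the slide shows (EnableInvocationHeader on):
# a row of asterisks, "Command start time", another row, then the prompt and the command.
SAMPLE_TRANSCRIPT = r"""**********************
Command start time: 20180922133812
**********************
PS C:\Users\ryankaz\Desktop> Get-ChildItem $PSHOME -Filter *.man
**********************
Command start time: 20180922134046
**********************
PS C:\Users\ryankaz\Desktop> RegisterManifest.ps1 -Unregister
**********************
Command start time: 20180922134210
**********************
PS C:\Users\ryankaz\Desktop> Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0
"""

# Assumed indicators that auditing is being turned off: the unregister command from the
# slide, the PowerShellCore policy registry key, and edits to powershell.config.json.
TAMPER_PATTERNS = [
    re.compile(r"RegisterManifest\.ps1\s+-Unregister", re.I),
    re.compile(r"Policies\\Microsoft\\PowerShellCore", re.I),
    re.compile(r"powershell\.config\.json", re.I),
]

HEADER = re.compile(r"^Command start time: (\d{14})$")
PROMPT = re.compile(r"^PS [^>]*> ")


def parse_invocations(text):
    """Return (start_time, command) pairs from a transcript with invocation headers."""
    lines = text.splitlines()
    results = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        start = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
        # Skip the closing row of asterisks; the next line is the prompt plus the command.
        j = i + 1
        while j < len(lines) and lines[j].startswith("*"):
            j += 1
        if j < len(lines):
            results.append((start, PROMPT.sub("", lines[j], count=1)))
        i = j + 1
    return results


def find_audit_tampering(text):
    """Return only the invocations that touch PS v6 auditing configuration."""
    return [(start, cmd) for start, cmd in parse_invocations(text)
            if any(p.search(cmd) for p in TAMPER_PATTERNS)]


if __name__ == "__main__":
    for start, cmd in find_audit_tampering(SAMPLE_TRANSCRIPT):
        print(f"{start:%Y-%m-%d %H:%M:%S}  {cmd}")
```

The scan keys on the invocation header rather than on the prompt, so it still works when a transcript is opened from a different working directory; only the two commands that disable or rewrite audit settings come back, each with the timestamp that lets the analyst line it up with the gap that follows in the PowerShellCore/Operational log.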

Slide 33

Audit settings in the registry
● HKLM\SOFTWARE\Policies\Microsoft\PowerShellCore
● Not impacted if you use RegisterManifest.ps1
(System.Management.Automation/engine/PSConfiguration.cs)

Slide 34

Command History
● Persistent command line history (similar to bash history): %AppData%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
● (Get|Set)-PSReadLineOption

Slide 35

Revisiting DSCompromised

Slide 36

Desired State Configuration (DSC)
Ensure that a desired “state” of the system is maintained over time
● Download and create files and directories
● Execute processes
● Run scripts
● Create users and assign group membership
● Control Windows services
● Manage registry keys and values
● Install software

Slide 37

DSC Workflow: Author, Stage, Implement
[diagram]
● Create configuration (.MOF file)
● Stage configuration on Pull Server (SMB, HTTP, or HTTPS) [or] stage configuration on Push Server (WinRM)
● Consume and implement configuration; check for config “drift”, re-enforce as needed

Slide 38

Why is DSC an interesting attacker tool?
● Obscure & flexible persistence mechanism
● Not detected or examined by most security tools
● Automatic re-infection if not properly remediated

Slide 39

DSCompromised

Slide 40

DSCompromised Framework
● https://github.com/matthastings/DSCompromised
● PowerShell scripts to set up DSC “C2” server, build payload, infect victims
● Components:
○ Server PowerShell module
■ Configure-Server.psm1
○ Victim configuration script
■ Configure-Victim.ps1

Slide 41

Our approach: DSC “pull” mode
● Emulate a real C2 server
● Victim client initiates “beacon” requests via HTTP/s
● Server can be on the internet or victim’s internal network
○ Attacker-controlled server preferable
○ Significant footprint to install DSC hosting components
[diagram]
● Configure DSC Pull Server (C2 server): Configure-Server.psm1
● Create malicious configuration to host on Pull Server: New-Payload, New-User
● Consume and implement config on victim host(s) over HTTP/s: Configure-Victim.ps1

Slide 42

Payloads we implemented

Persist Malware
● Infect victim machine with backdoor malware
● Ensure the malware continues to execute and remain on disk
● Re-infect victim automatically if remediated

Persist User Account
● Create a local account with your choice of password
● Ensure user is a member of a specific group, such as local administrators
● Automatically re-add account and restore group membership if deleted or changed

Slide 43

Sources of evidence

Slide 44

Network activity
HTTP requests used in DSC “pull” configuration:

POST /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/GetAction
GET /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/ConfigurationContent
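An added example, not from the talk or from DSCompromised: Python that picks DSC pull-server requests out of a web-proxy style log using the request path shown above, then counts GetAction beacons against ConfigurationContent downloads per client and ConfigurationId. The five-field log layout and the non-DSC line are assumptions constructed here; the ConfigurationId is the example value on the slide.

```python
import re

# Constructed web-proxy style log ("time client method path status"): the two DSC pull
# requests from the slide, a later beacon, and one unrelated request.
SAMPLE_LOG = """\
2018-09-22T13:40:01Z 10.0.0.15 POST /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/GetAction 200
2018-09-22T13:40:02Z 10.0.0.15 GET /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/ConfigurationContent 200
2018-09-22T13:41:17Z 10.0.0.22 GET /index.html 200
2018-09-22T14:10:03Z 10.0.0.15 POST /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/GetAction 200
"""

# Request path of the DSC pull protocol as shown on the slide: a beacon asks GetAction,
# and a ConfigurationContent fetch follows when the server has a configuration to hand out.
DSC_PATH = re.compile(
    r"^/psdscpullserver\.svc/Action\(ConfigurationId='(?P<config_id>[0-9a-fA-F-]{36})'\)"
    r"/(?P<action>GetAction|ConfigurationContent)$"
)


def parse_pull_requests(log_text):
    """Return one dict per DSC pull-server request found in the log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # assumed fixed five-field layout; skip anything else
        when, client, method, path, status = fields
        m = DSC_PATH.match(path)
        if m is None:
            continue
        hits.append({
            "time": when,
            "client": client,
            "method": method.upper(),
            "config_id": m.group("config_id").lower(),
            "action": m.group("action"),
            "status": status,
        })
    return hits


def summarize(log_text):
    """Count GetAction beacons and ConfigurationContent downloads per (client, ConfigurationId).

    A client that beacons repeatedly is a DSC node in pull mode; a ConfigurationContent
    fetch marks the moment a configuration (the payload, in the DSCompromised case) landed.
    """
    summary = {}
    for hit in parse_pull_requests(log_text):
        key = (hit["client"], hit["config_id"])
        counts = summary.setdefault(key, {"GetAction": 0, "ConfigurationContent": 0})
        counts[hit["action"]] += 1
    return summary


if __name__ == "__main__":
    for (client, config_id), counts in summarize(SAMPLE_LOG).items():
        print(client, config_id, counts)
```

Because the path shape is fixed by the pull protocol rather than by the attacker, the same match works whether the pull server is an attacker-controlled host on the internet or a legitimate internal one; a ConfigurationId that only a single client ever asks for, or a pull server that no configuration-management team owns, is what separates the DSCompromised case from normal DSC traffic.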

Slide 45

File system activity
[diagram]
● Configure-Victim script creates pull setup MOF
● System creates initial LCM meta config
● Task Manager creates DSC Consistency and Boot Tasks
● System creates temp copy of downloaded “payload” MOF
● Current and backup config set to “payload” MOF
● Malware dropped by payload MOF

Slide 46

Event logs: DSC Operational

Slide 47

State of DSC Attacks in 2018

Slide 48

[slide intentionally left blank]

Slide 49


Slide 50


Slide 51

Revisiting DSC’s limitations
● Difficult to learn and use
● Requires PS 4.0 on victim
○ Windows 8.1, Server 2012 R2 and later
● Requires Admin privileges on victim host
○ Post-compromise persistence

Slide 52


Slide 53


Slide 54


Slide 55

DSC → DSC Core
● DSC continues to receive updates, increasingly important for Azure
● Next-gen: DSC Core
○ Converge to a single cross-platform, open-source code base
○ Removes dependencies on WMI and WMF
○ New Local Configuration Manager
○ Resources written in native C/C++, Python, or PowerShell Core
● Release date remains TBD
○ https://blogs.msdn.microsoft.com/powershell/2018/09/13/desired-state-configuration-dsc-planning-update-september-2018/

Slide 56

Logging with ETW

Slide 57

ETWhat?
● Introduced in Windows 2000
● Application / kernel tracing
○ Troubleshooting
○ Performance monitoring
● Hiding in plain sight

Slide 58


Slide 59

[diagram: ETW providers and what they record]
● Kernel-Process: process execution, threads, DLL loads
● Kernel-Network: network connections
● Kernel-File: file create / delete
● PowerShell: scriptblocks, PS modules
● DNS-Client: DNS requests / responses

Slide 60

ETW Orchestration
● https://github.com/matthastings/PSalander
● PowerShell module to orchestrate ETW sessions
● Impacted by PS logging evasions
● Out-of-the-box forensic collection
● Useful beyond PS

Slide 61

Demo

Slide 62

.NET Visibility
● Microsoft-Windows-DotNETRuntime
● [SharpSploit.Credentials.Mimikatz]::All()

Slide 63


Slide 64

Takeaways

Slide 65

Takeaways
● Despite advances in attacker tradecraft, PowerShell provides defenders with better auditability than any other language
● Establishing a baseline for legitimate PowerShell activity across an environment makes detection significantly easier
● ETW will continue to serve as a goldmine for telemetry as new techniques emerge (“there’s a provider for that!”)

Slide 66

Thank you!
matt.hastings [at] tanium.com, @_mhastings_
ryan.kazanciyan [at] tanium.com, @ryankaz42