Investigating PowerShell Attacks - Black Hat 2014

Over the past two years, we've seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you've got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.

This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.

Published in: Technology

  1. Investigating PowerShell Attacks. Black Hat USA 2014, August 7, 2014. Presented by Ryan Kazanciyan and Matt Hastings. © Mandiant, A FireEye Company. All rights reserved.
  2. Background Case Study
     - Fortune 100 organization, compromised for > 3 years
     - Active Directory
     - Authenticated access to corporate VPN
     - Command-and-control via scheduled tasks, local execution of PowerShell scripts, and PowerShell Remoting
     (Diagram: Attacker -> Client -> VPN -> victim workstations and servers, over WinRM, SMB, NetBIOS)
  3. Why PowerShell? It can do almost anything: execute commands, reflectively load / inject code, download files from the internet, enumerate files, interact with the registry, interact with services, examine processes, retrieve event logs, access the .NET framework, interface with the Win32 API.
  4. PowerShell Attack Tools
     - PowerSploit: reconnaissance, code execution, DLL injection, credential harvesting, reverse engineering
     - Nishang
     - Posh-SecMod
     - Veil-PowerView
     - Metasploit
     - More to come...
  5. PowerShell Malware in the Wild (screenshots)
  6. Investigation Methodology. Three scenarios: a local PowerShell script (evil.ps1), persistent PowerShell (backdoor.ps1), and PowerShell Remoting over WinRM. Sources of evidence: registry, file system, event logs, memory, network traffic.
  7. Attacker Assumptions
     - Has admin (local or domain) on target system
     - Has network access to needed ports on target system
     - Can use other remote command execution methods to enable execution of unsigned PS scripts and to enable PS remoting
  8. Version Reference: a table of which PowerShell version (2.0, 3.0, 4.0) each Windows release has by default or after a WMF update. Cells read: Default; Default (R2); Default (SP1); Default (R2 SP1); Requires WMF 3.0 Update; Requires WMF 4.0 Update. (Row labels are not present in the extracted text.)
  9. Memory Analysis
  10. Memory Analysis. Scenario: attacker interacts with target host through PowerShell remoting.
     - What's left in memory on the accessed system?
     - How can you find it?
     - How long does it persist?
  11. WinRM Process Hierarchy. Client side: Invoke-Command {c:\evil.exe}; Invoke-Command {Get-ChildItem C:\}; Invoke-Mimikatz.ps1 -DumpCreds -ComputerName "victim". Victim side: svchost.exe (DcomLaunch) spawns wsmprovhost.exe, which runs the PS code and in turn spawns evil.exe.
  12. Remnants in Memory. The wsmprovhost.exe processes hold the command history but terminate at the end of the session; remnants of the WinRM SOAP persist in svchost.exe (WinRM) and in the kernel.
  13. How Long Will Evidence Remain?
      Location            | Evidence                               | Retention                          | Max lifetime
      wsmprovhost.exe     | Best source of command history, output | Single remoting session            | End of remoting session
      svchost.exe (WinRM) | Fragments of remoting I/O              | Varies with # of remoting sessions | Reboot
      Kernel memory       | Fragments of remoting I/O              | Varies with memory utilization     | Reboot
      Pagefile            | Fragments of remoting I/O              | Varies with memory utilization     | Varies; may persist beyond reboot
  14. Example: In-Memory Remnants. SOAP in WinRM service memory, after an interactive PSSession with the command: echo teststring_pssession > c:\testoutput_possession.txt
  15. Example: In-Memory Remnants. WinRM service memory after Invoke-Mimikatz.ps1 was executed remotely on the target host.
  16. What to Look For?
     - WSMan & MS-PSRP syntax: /wsman.xsd, <rsp:Command>, <rsp:CommandLine>, <rsp:Arguments>, <S N="Cmd">
     - Known attacker filenames
     - View context around hits
     - Yes, this is painful
     (Screenshot: a hit in WinRM service memory, a <rsp:CommandLine> element with its CommandId, <rsp:Command>prompt</rsp:Command> and a base64-encoded <rsp:Arguments> body.)
  17. Memory Analysis Summary
     - Timing is everything
     - Challenging to recover evidence
     - Many variables: system uptime, memory utilization, volume of WinRM activity
  18. Event Logs
  19. Event Logs. Scenario: attacker interacts with target host through local PowerShell script execution or PowerShell remoting.
     - Which event logs capture activity?
     - Level of logging detail?
     - Differences between PowerShell 2.0 and 3.0?
  20. PowerShell Event Logs
     - Application logs: Windows PowerShell.evtx, Microsoft-Windows-PowerShell/Operational.evtx, Microsoft-Windows-WinRM/Operational.evtx
     - Analytic logs: Microsoft-Windows-PowerShell/Analytic.etl, Microsoft-Windows-WinRM/Analytic.etl
  21. Local PowerShell Execution: Windows PowerShell log. EID 400: "Engine state is changed from None to Available. ... HostName=ConsoleHost"; EID 403: "Engine state is changed from Available to Stopped. ... HostName=ConsoleHost". Gives the start & stop times of the PowerShell session.
  22. Local PowerShell Execution: PowerShell Operational log (events exclusive to PowerShell 3.0 or greater). EID 40961: "PowerShell console is starting up" (start time of PowerShell session); EID 4100: "Error Message = File C:\temp\test.ps1 cannot be loaded because running scripts is disabled on this system" (the error provides the path to the PowerShell script).
  23. Local PowerShell Execution: PowerShell Analytic log (disabled by default; events exclusive to PowerShell 3.0 or greater). EID 7937: "Command test.ps1 is Started."; "Command Write-Output is Started."; "Command dropper.exe is Started". Records executed cmdlets, scripts, or commands (no arguments).
  24. Remoting. Windows PowerShell log on the client host: EID 6: "Creating WSMan Session. The connection string is: 192.168.1.1/wsman?PSVersion=2.0" (start of remoting session). On the accessed host: EID 400: "Engine state is changed from None to Available. ... HostName=ServerRemoteHost"; EID 403: "Engine state is changed from Available to Stopped. ... HostName=ServerRemoteHost" (start & stop of remoting session).
  25. Remoting (Accessed Host): WinRM Operational log. EID 81: "Processing client request for operation CreateShell"; EID 169: "User CORP\MattH authenticated successfully using NTLM"; EID 134: "Sending response for operation DeleteShell". Shows who connected via remoting and the timeframe of remoting activity.
  26. Remoting (Accessed Host): PowerShell Analytic log. EID 32850: "Request 7873936. Creating a server remote session. UserName: CORP\JohnD" (who connected via remoting); EID 32867: "Received remoting fragment [...] Payload Length: 752 Payload Data: 0x020000000200010064D64FA51E7C78418483DC[...]"; EID 32868: "Sent remoting fragment [...] Payload Length: 202 Payload Data: 0xEFBBBF3C4F626A2052656649643D2230223E3[...]" (encoded contents of remoting I/O).
  27. PS Analytic Log: Encoded I/O (screenshot) for Invoke-Command {Get-ChildItem C:\}
  28. PS Analytic Log: Decoded Input (screenshot) for Invoke-Command {Get-ChildItem C:\}
  29. PS Analytic Log: Decoded Output (screenshot) for Invoke-Command {Get-ChildItem C:\}
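The EID 32867/32868 payloads on slide 26 are raw MS-PSRP messages. The Python below is an added example for offline analysis of exported events (not the deck's or Mandiant's code): it splits a message into its 40-byte header and CLIXML data as MS-PSRP lays them out and pulls out the command names. The sample event text, GUIDs and CLIXML are constructed, and the message-type table is a subset.

```python
import re
import uuid

# Subset of MS-PSRP message-type ids (section 2.2.1); anything else is shown as raw hex.
PSRP_MESSAGE_TYPES = {
    0x00010002: "SESSION_CAPABILITY",
    0x00021006: "CREATE_PIPELINE",
    0x00041004: "PIPELINE_OUTPUT",
    0x00041006: "PIPELINE_STATE",
}
DESTINATIONS = {1: "client", 2: "server"}

def parse_psrp_message(raw: bytes) -> dict:
    """Split one PSRP message into destination, type, runspace-pool GUID, pipeline GUID and data."""
    if len(raw) < 40:
        raise ValueError("payload shorter than the 40-byte PSRP header")
    dest = int.from_bytes(raw[0:4], "little")
    mtype = int.from_bytes(raw[4:8], "little")
    data = raw[40:]
    if data.startswith(b"\xef\xbb\xbf"):   # the CLIXML data is usually prefixed with a UTF-8 BOM
        data = data[3:]
    return {
        "destination": DESTINATIONS.get(dest, "unknown(%d)" % dest),
        "message_type": PSRP_MESSAGE_TYPES.get(mtype, "0x%08X" % mtype),
        "runspace_pool_id": str(uuid.UUID(bytes_le=raw[8:24])),  # GUIDs use Windows mixed-endian order
        "pipeline_id": str(uuid.UUID(bytes_le=raw[24:40])),
        "data": data.decode("utf-8", errors="replace"),
    }

def decode_event_payload(event_message: str) -> dict:
    """Parse the 'Payload Data: 0x...' field of an EID 32867/32868 message."""
    m = re.search(r"Payload Data:\s*0x([0-9A-Fa-f]+)", event_message)
    if not m:
        raise ValueError("no Payload Data field in event message")
    return parse_psrp_message(bytes.fromhex(m.group(1)))

def commands_in(clixml: str) -> list:
    """Return the <S N="Cmd"> values: the command names a CREATE_PIPELINE message carries."""
    return re.findall(r'<S N="Cmd">([^<]*)</S>', clixml)

def build_sample_event() -> str:
    """Constructed EID 32867 text (not from the deck): a CREATE_PIPELINE message for Get-ChildItem."""
    header = (2).to_bytes(4, "little") + (0x00021006).to_bytes(4, "little")
    header += uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # constructed pool id
    header += uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le  # constructed pipeline id
    data = (b'\xef\xbb\xbf<Obj RefId="0"><MS><Obj N="Cmds" RefId="1"><LST><Obj RefId="2">'
            b'<MS><S N="Cmd">Get-ChildItem</S></MS></Obj></LST></Obj></MS></Obj>')
    payload = header + data
    return "Received remoting fragment. Payload Length: %d Payload Data: 0x%s" % (
        len(payload), payload.hex().upper())
```

The first eight bytes of the deck's own EID 32867 sample (0x0200000002000100) decode the same way to destination 2 (server) and message type 0x00010002, the SESSION_CAPABILITY exchange that opens a new server session.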
  30. Logging via PowerShell Profiles
     - Add code to the global profile, %windir%\system32\WindowsPowerShell\v1.0\profile.ps1; it loads with each local PS session
     - Start-Transcript cmdlet
     - Overwrite the default prompt function
     - Limitations: will not log remoting activity; PowerShell can be launched without loading profiles
  31. Logging via AppLocker
     - Set Audit or Enforce script rules
     - Captures user, script path
  32. PowerShell 3.0: Module Logging. Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on Module Logging. Solves (almost) all our logging problems!
  33. Module Logging Example: File Listing. Command: Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password. Logged in Microsoft-Windows-PowerShell/Operational (EID 4103).
     Logged upon command execution:
       ParameterBinding(Get-ChildItem): name="Filter"; value="*.txt"
       ParameterBinding(Get-ChildItem): name="Recurse"; value="True"
       ParameterBinding(Get-ChildItem): name="Path"; value="c:\temp"
       ParameterBinding(Select-String): name="Pattern"; value="password"
       ParameterBinding(Select-String): name="InputObject"; value="creds.txt"
       ...
       Command Name = Get-ChildItem
       User = CORP\MHastings
     Logged upon command output:
       ParameterBinding(Out-Default): name="InputObject"; value="C:\temp\creds.txt:2:password: secret"
       ParameterBinding(Out-Default): name="InputObject"; value="C:\temp\creds.txt:5:password: test"
  34. Module Logging Example: Invoke-Mimikatz. Invoke-Mimikatz.ps1 via remoting; detailed "per-command" logging (screenshot).
  35. Module Logging Example: Invoke-Mimikatz. Mimikatz output in the event log (screenshot).
  36. Persistence
  37. PowerShell Persistence. Scenario: attacker configures system to load malicious PowerShell code upon startup or user logon.
     - What are common PowerShell persistence mechanisms?
     - How to find them?
  38. Common Techniques
     - Registry "autorun" keys, scheduled tasks (screenshot: At1.job), user "startup" folders
     - Easy to detect: autorun review, registry timeline analysis, file system timeline analysis, event log review
  39. Persistence via WMI: use WMI to automatically launch PowerShell upon a common event. Three objects are created with Set-WmiInstance in the root\subscription namespace: an EventFilter (filter name, event query), a CommandLineEventConsumer (consumer name, path to powershell.exe), and a FilterToConsumerBinding (filter name, consumer name).
  40. Event Filters: the query that causes the consumer to trigger.
     Run within minutes of startup:
       SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325
     Run at 12:00:
       SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 12 AND TargetInstance.Minute = 00 GROUP WITHIN 60
  41. Event Consumers: launch "PowerShell.exe" when triggered by the filter. Where does the evil PS code load from?
     - Stored in the user or system-wide "profile.ps1", e.g.:
       sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('7L0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivlsXbb795bpdrdv0o2/nZVml363qcvbR/xMAAP//'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
     - Added to the consumer's command-line arguments (length limit; code must be base64'd), e.g.:
       Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{name='TotallyLegitWMI';CommandLineTemplate="$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive";RunInteractively='false'}
  42. Enumerating WMI Objects with PowerShell
     - Get-WMIObject -Namespace root\subscription -Class __EventFilter
     - Get-WMIObject -Namespace root\subscription -Class __EventConsumer
     - Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding
  43. PS WMI Evidence: File System
     - WBEM repository files changed (common); strings in "objects.data", e.g. sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('7L0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEA...
     - Global or per-user "profile.ps1" changed (if used to store code)
  44. PS WMI Evidence: Registry. Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\Win32ClockProvider; Value: [N/A]; Data: [N/A]; Key Last Modified: 06/04/14 01:30:03 UTC. Created only when setting a time-based WMI filter (many other types of triggers may be used).
  45. PS WMI Evidence: Other Sources
     - SysInternals AutoRuns v12
     - Memory: WMI filter & consumer names in svchost.exe (WinMgmt service) and WmiPrvse.exe
     - Event logs: WMI Trace
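Once the three object sets from slide 42 have been exported (for example with Get-WMIObject piped to ConvertTo-Json), the added Python example below (not the deck's or Mandiant's code) triages them offline: it scores filter queries and consumer command lines for the traits shown on slides 40 and 41, and inflates the base64 + DeflateStream loader shape from slide 41 so the stored script can be read. The records, the names and the compressed script are constructed.

```python
import base64
import re
import zlib

# Command-line traits worth a closer look in a CommandLineEventConsumer (all compared lower-case).
SUSPICIOUS_CMD = ("powershell", "-noninteractive", "-encodedcommand", "-nop", "-w hidden",
                  "iex", "invoke-expression", "frombase64string")
LOADER_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

def inflate_loader(text: str):
    """Recover the script hidden by the deck's base64 + DeflateStream loader, or None if absent."""
    m = LOADER_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return zlib.decompress(raw, -15).decode("ascii", errors="replace")  # -15: raw DEFLATE, no zlib header
    except (ValueError, zlib.error):
        return None

def triage_filter(flt: dict) -> list:
    """Reasons an __EventFilter query looks like a persistence trigger (empty = nothing noted)."""
    q = flt.get("Query", "")
    reasons = []
    if "SystemUpTime" in q:
        reasons.append("fires shortly after boot")
    if "Win32_LocalTime" in q:
        reasons.append("fires at a fixed time of day")
    return reasons

def triage_consumer(consumer: dict) -> list:
    """Reasons a CommandLineEventConsumer looks like a PowerShell launcher (empty = nothing noted)."""
    cmd = consumer.get("CommandLineTemplate", "")
    reasons = [t for t in SUSPICIOUS_CMD if t in cmd.lower()]
    script = inflate_loader(cmd)
    if script is not None:
        reasons.append("inflated payload: " + script[:60])
    return reasons

def deflate_b64(script: str) -> str:
    """Constructed test input: raw-DEFLATE + base64 a script the way DeflateStream/Convert would."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(script.encode("ascii")) + c.flush()).decode("ascii")

# Constructed records shaped like Get-WMIObject -Namespace root\subscription output (not real data).
SAMPLE_FILTER = {"Name": "BootTrigger", "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                 "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND "
                 "TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
SAMPLE_CONSUMER = {"Name": "TotallyLegitWMI", "CommandLineTemplate":
                   "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NonInteractive"}
```

The same inflate_loader call works on strings carved from objects.data or from a modified profile.ps1 (slide 43), since the loader text is identical wherever it is stored.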
  46. Conclusions
  47. Other Sources of Evidence (refer to the whitepaper)
     - Prefetch for "PowerShell.exe" (e.g. POWERSHELL.EXE-59FC8F3D.pf): local execution only; scripts appear in the Accessed File list
     - Registry: "ExecutionPolicy" setting
     - Network traffic analysis (WinRM): port 5985 (HTTP) / port 5986 (HTTPS); payload always encrypted; identify anomalous netflows
  48. Lessons Learned
     - Upgrade and enable Module Logging if possible
     - Baseline legitimate PowerShell usage: ExecutionPolicy setting; script naming conventions, paths; remoting enabled? which users?; common source / destination systems
     - Recognize artifacts of anomalous usage
  49. Acknowledgements: Matt Graeber, Joseph Bialek, Chris Campbell, Lee Holmes, David Wyatt, David Kennedy, Josh Kelley, and all the other PowerShell authors, hackers, and researchers!
  50. Questions? ryan.kazanciyan@mandiant.com (@ryankaz42); matt.hastings@mandiant.com (@HastingsVT)