
IT security : Keep calm and monitor PowerShell

Cybersecurity killchain: Build a strong defense against malicious PowerShell use and protect your organization from security breaches.

Published in: Software

  1. Keep calm and monitor PowerShell
  2. Major issues with native PowerShell (PS) auditing
     • Large volume of logs generated (e.g. more than 100 events may have to be checked to spot a single brute-force attempt)
     • Users run PS for legitimate reasons, so malicious scripts and legitimate scripts end up mixed in the same event stream
     • Limited search capabilities: no filtered search (e.g. tracking malicious scripts by their code, the commands invoked, etc.)
     • No instant alerts when a malicious command or script is executed
     • No way to apply remedial measures when a malicious script/cmdlet is detected
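The "large volume of logs" the slide complains about only exists if the native audit sources are switched on; every PowerShell detection, ADAudit Plus included, is built on them. The following is an added example (not from the deck or from ManageEngine) that enables script block logging, module logging and transcription through the same policy registry keys Group Policy writes. The transcript share path is an assumption; substitute your own.

```powershell
# Added example, not from the original deck: enable the native PowerShell audit
# sources that any PowerShell detection is built on. Run in an elevated session.
# The keys are the ones Group Policy writes for
# "Administrative Templates > Windows Components > Windows PowerShell".
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational
# carries the de-obfuscated text of every script block the engine compiles.
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
# Start/stop events (4105/4106) add volume without much signal; keep them off.
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging' 0

# Module logging: event 4103 records pipeline execution details; "*" = all modules.
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

# Transcription: full session transcripts written to a central share.
# The UNC path is an assumption; use a share users can write to but not read from or delete.
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' '\\logsrv\pstranscripts$' 'String'

# Confirm what was written
Get-ItemProperty -Path "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" |
    Format-List
```

Script block logging requires Windows PowerShell 5.x (or 4.0 with the KB3000850 update); older engines on the host will not produce 4104 events at all, which is exactly why version downgrades matter later in this deck.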
  3. The ADAudit Plus approach to detecting PowerShell attacks: an attacker gains access (or an insider goes rogue) → runs a malicious script using PS → ADAudit Plus performs filtered searches for malicious PS commands/scripts → alerts the admin via SMS/email → takes corrective action
  4. Detecting PowerShell-based attacks with ADAudit Plus
  5. Get a bird’s-eye view of all PowerShell scripts: a bird’s-eye view of the scripts and commands executed by users, with granular search based on users, commands invoked, and more
  6. A classic brute-force attack on the administrator account
     • The simplicity of a brute-force attack is that a malicious actor can try numerous predictable and weak password patterns to compromise a user’s password
     • Often these attacks involve manually keying in passwords at native logons, which can raise suspicion as the number of logon failures climbs
     • With PowerShell the attempts are scripted, so millions of passwords can be tried without anyone sitting at a logon screen
     • The built-in Administrator account (RID 500) is the likely target: it can never be deleted from Active Directory and is not subject to the account lockout policy by default
  7. Detecting PowerShell-based brute-force attacks with ADAudit Plus: perform granular searches for the users who executed PS scripts and get the script path; find the exact script code; search based on the commands invoked
  8. A domain password spray attack using PowerShell
     • A password spray is a slightly more advanced variant of the brute-force attack
     • Instead of many passwords against one account, the attacker takes a single password (or a short password list) and tries it against every account in the domain
     • The spray is performed cautiously so that no account is locked out: the attempts per account stay below the lockout threshold, and the attacker waits at least the lockout observation window (30 minutes by default) between rounds so the bad-password counter resets
  9. Detecting password spray attacks with ADAudit Plus: a code block in the script that reads the lockout counter reset time; details such as the name and SID of the account that ran the script, and more; the complete script
  10. Specific script functions (like reading the lockout observation window) can be detected with ADAudit Plus, and corrective actions (like changing the lockout observation window) can be taken immediately to counter the attempt
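Slides 6 to 10 describe two shapes of failed-logon traffic: many failures against one account (brute force) and one failure each against many accounts, spread over the lockout observation window (spray). The following is an added example, not from the deck or from ADAudit Plus, that tells the two apart in Security log 4625 data. The 4625 events are replaced by constructed sample objects so the block runs offline; the thresholds are assumptions to tune per environment.

```powershell
# Added example, not from the original deck or ADAudit Plus: flag brute-force and
# password-spray patterns in Security log 4625 (logon failure) events.
#   Brute force: many failures against ONE account from one source.
#   Spray:       failures against MANY accounts from one source, each kept under
#                the lockout threshold, typically one round per observation window.

function Find-PasswordAttack {
    param(
        # Objects with TimeCreated, TargetUserName and IpAddress (from 4625 EventData)
        [Parameter(Mandatory)] [object[]] $Events,
        # Match this to the domain's LockoutObservationWindow (30 minutes by default);
        # a sprayer that waits for the window to pass still completes one round inside it.
        [int] $WindowMinutes    = 30,
        [int] $SprayMinAccounts = 5,   # distinct accounts hit from one source (assumed threshold)
        [int] $BruteMinFailures = 10   # failures against one account from one source (assumed)
    )
    # Look back one window from the newest event in the set
    $newest = ($Events | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    $recent = @($Events | Where-Object { $_.TimeCreated -ge $newest.AddMinutes(-$WindowMinutes) })

    foreach ($src in @($recent | Group-Object IpAddress)) {
        # @() keeps .Count meaningful when there is exactly one group
        $accounts = @($src.Group | Group-Object TargetUserName)
        if ($accounts.Count -ge $SprayMinAccounts) {
            [pscustomobject]@{ Type = 'PasswordSpray'; Source = $src.Name
                               Accounts = $accounts.Count; Failures = $src.Count }
        }
        foreach ($acct in $accounts) {
            if ($acct.Count -ge $BruteMinFailures) {
                [pscustomobject]@{ Type = 'BruteForce'; Source = $src.Name
                                   Accounts = $acct.Name; Failures = $acct.Count }
            }
        }
    }
}

# Constructed sample data standing in for the live collection, which would be:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-30) } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{ TimeCreated    = $_.TimeCreated
#                            TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#                            IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text' }
#     }
$now = Get-Date '2024-01-01 12:00'
$sample = @(
    # Spray: one source, 12 different accounts, one failure each
    foreach ($i in 1..12) {
        [pscustomobject]@{ TimeCreated = $now.AddMinutes(-$i); TargetUserName = "user$i"; IpAddress = '10.0.0.5' }
    }
    # Brute force: one source hammering the built-in Administrator (RID 500)
    foreach ($i in 1..25) {
        [pscustomobject]@{ TimeCreated = $now.AddSeconds(-10 * $i); TargetUserName = 'Administrator'; IpAddress = '10.0.0.9' }
    }
    # Benign noise: a single typo three hours ago, outside the window
    [pscustomobject]@{ TimeCreated = $now.AddHours(-3); TargetUserName = 'jdoe'; IpAddress = '10.0.0.7' }
)

Find-PasswordAttack -Events $sample | Format-Table -AutoSize
```

Set `-WindowMinutes` from the real policy (`Get-ADDefaultDomainPasswordPolicy` in the ActiveDirectory module exposes LockoutThreshold, LockoutObservationWindow and LockoutDuration); a sprayer that has read the same value, as slide 9 shows, paces itself to it. On a domain controller, Kerberos pre-authentication failures arrive as 4771 and NTLM validation failures as 4776 rather than 4625, so feed those through the same grouping logic if the spray targets the DC directly.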
  11. Privilege escalation attacks using PowerShell
     • PowerShell is not only used for password-based attacks, but for post-exploitation activities like privilege escalation as well
     • PowerUp is a PowerShell privilege-escalation toolkit (part of PowerSploit); among other things, it lets a malicious actor write out and run a Windows Installer (MSI) package
     • The MSI, when run, presents a small GUI for adding a backdoor user to a group (typically the local Administrators group); installed with elevated rights, for example where AlwaysInstallElevated is enabled, it hands that user the elevated privileges
  12. Detecting privilege escalation attacks with ADAudit Plus: a function that lists unattended install files (which may contain deployment credentials) for privilege escalation; a function that writes out a precompiled MSI installer prompting for a user/group addition; a function that lists exploitable services
  13. Bypassing execution policies with PowerShell
     • The starting point before running any malicious PowerShell script is getting past the default execution policy
     • The execution policy is a guard against accidentally running scripts, not a security boundary: Restricted blocks all script files (interactive commands still run), AllSigned requires a trusted signature, and RemoteSigned requires a signature only on scripts downloaded from the internet
     • It is also extremely easy to bypass: Set-ExecutionPolicy Unrestricted (or Bypass) changes it for the machine (elevation required) or, with -Scope CurrentUser or -Scope Process, for the current user or session with no elevation at all; powershell.exe -ExecutionPolicy Bypass does it for a single launch. After that, any script runs without hindrance
  14. Detecting execution policy bypass attempts with ADAudit Plus: search for bypass commands and which user invoked them; find the exact commands run, values changed, etc.
  15. Attacking Exchange servers with PowerShell
     • PowerShell can be used to attack not only Active Directory but hybrid environments too, in this case Exchange or Office 365
     • MailSniper is a free PowerShell tool that can enumerate valid internal domain names and usernames through OWA, and password-spray the accounts that have a mailbox on the Exchange server
     • Once one account is compromised, its credentials can be used to search every mailbox in the organization for sensitive data (such as logon credentials) and write the matching emails out to a CSV file
  16. Discovering Exchange/Office 365 attacks with ADAudit Plus: a Get-Credential command, which presents a dialog box for entering account credentials; an Invoke-WebRequest used to connect to the Exchange server; an Invoke-GlobalMailSearch attempt to read emails passing within the organization
  17. Get-Credential: this command can be used by an attacker to harvest a user’s credentials. An unassuming user, on seeing a dialog box prompting for credentials, will enter the requested details under the impression that it is a legitimate request
  18. There is more than one way to leverage PowerShell for attacks
  19. Detecting remote PowerShell attempts, version downgrades, and third-party attack toolkit use with ADAudit Plus
  20. An attempt to create a PS remote session (e.g. New-PSSession or Enter-PSSession) to execute commands on another host; often the first step in PS remoting attacks: enabling remoting with Enable-PSRemoting; a PowerShell version downgrade (powershell.exe -Version 2) to an engine that lacks essential security features such as script block logging, AMSI scanning, and constrained language mode; invoking a third-party tool (e.g. Invoke-Mimikatz) for post-exploitation activities such as credential dumping
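Slides 13 to 20 all come down to the same hunt: read the text of executed script blocks and match it against the commands an attacker needs (execution policy changes, Get-Credential prompts, MailSniper functions, remoting, Mimikatz), plus the one thing script block logging cannot see, an engine downgrade to v2. The following is an added example, not from the deck or from ADAudit Plus, that does this over 4104 and event 400 data. The signatures are assumptions for illustration, and the events are constructed inline so the block runs offline.

```powershell
# Added example, not from the original deck or ADAudit Plus: hunt script block
# logging events (4104, Microsoft-Windows-PowerShell/Operational) for the
# techniques in slides 13-20. Signatures and sample events are constructed here
# for illustration and will need tuning for your environment.

$signatures = [ordered]@{
    ExecutionPolicyBypass = 'Set-ExecutionPolicy\s+(Unrestricted|Bypass)|-ExecutionPolicy\s+Bypass'
    CredentialPrompt      = '\bGet-Credential\b'
    MailSniper            = 'Invoke-(GlobalMailSearch|SelfSearch|PasswordSpray(OWA|EWS)|(Domain|Username)HarvestOWA)'
    EnableRemoting        = '\bEnable-PSRemoting\b'
    RemoteSession         = '\b(New-PSSession|Enter-PSSession|Invoke-Command)\b.*-ComputerName'
    VersionDowngrade      = 'powershell(\.exe)?\s.*-v(ersion)?\s+2\b'
    Mimikatz              = 'Invoke-Mimikatz|sekurlsa::|lsadump::'
}

function Find-SuspiciousScriptBlock {
    # Objects with TimeCreated, UserId and ScriptBlockText (Properties[2] of a 4104 event)
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $flat = $e.ScriptBlockText -replace '\s+', ' '
        foreach ($name in $signatures.Keys) {
            if ($flat -match $signatures[$name]) {       # -match is case-insensitive
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    User      = $e.UserId
                    Technique = $name
                    Snippet   = $flat.Substring(0, [Math]::Min(70, $flat.Length))
                }
            }
        }
    }
}

# Engine downgrades do not show up in 4104 (the v2 engine cannot log script blocks);
# event 400 in the classic "Windows PowerShell" log records the engine version that started.
function Find-EngineDowngrade {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with TimeCreated and Message
    $Events | Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, @{ n = 'Technique'; e = { 'EngineDowngrade' } }
}

# Constructed sample 4104 records (one benign admin command at the end)
$sid = 'S-1-5-21-111-222-333-1105'
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:00'; UserId = $sid
                       ScriptBlockText = 'Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:01'; UserId = $sid
                       ScriptBlockText = "`$c = Get-Credential`nInvoke-GlobalMailSearch -ImpersonationAccount `$c -ExchHostname mail.corp.local -OutputCsv hits.csv" }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:05'; UserId = $sid
                       ScriptBlockText = 'Enable-PSRemoting -Force; Invoke-Command -ComputerName dc01 -ScriptBlock { Invoke-Mimikatz }' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:10'; UserId = $sid
                       ScriptBlockText = 'powershell.exe -Version 2 -NoProfile -File .\legacy.ps1' }
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:12'; UserId = 'S-1-5-21-111-222-333-2201'
                       ScriptBlockText = 'Get-Service -ComputerName fs01 | Where-Object Status -eq Running' }
)
# Constructed sample event 400 message, as written by a v2 engine start
$engineSample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-01-01 09:10'
                       Message = "Engine state is changed from None to Available.`n`nDetails:`n`tNewEngineState=Available`n`tHostName=ConsoleHost`n`tEngineVersion=2.0" }
)

Find-SuspiciousScriptBlock -Events $sample | Format-Table -AutoSize
Find-EngineDowngrade -Events $engineSample

# Live collection (replaces the constructed samples):
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; UserId = $_.UserId
#                                         ScriptBlockText = $_.Properties[2].Value } }
#   Find-EngineDowngrade -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 })
```

Two caveats a practitioner will hit immediately. First, this hunting script is itself a script block, so its own 4104 record contains every signature; exclude it by path or by signing it and whitelisting the signer. Second, a `powershell.exe -ExecutionPolicy Bypass` or `-Version 2` launched from cmd.exe or a scheduled task never reaches the PowerShell log at all; it is visible only as a process creation event (4688 with command-line auditing, or Sysmon event 1), so pair the 4104 hunt with a command-line source. On the positive side, 4104 records the de-obfuscated block, so encoded or string-built commands still match, and PowerShell 5 writes blocks containing known-suspicious terms at Warning level even when the policy from slide 2 has not been enabled.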
  21. Set up customized PowerShell alerts with ADAudit Plus
  22. Instant PowerShell-based alerts: set threshold-based alerts; granularly filter alerts on various parameters; instantly notify the admin or take corrective action
  23. PowerShell-based attacks are on the rise. It is crucial to have a bird’s-eye view of all PowerShell-based activity and a strong 24x7 defense mechanism
  24. Stay alert with Abhilash Mamidela, abi@manageengine.com. Get your free trial!
