Getting Bear-y Cozy with PowerShell

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00876-4.
Getting Bear-y Cozy with
PowerShell
Defensive Lessons Learned from Emulating the Dukes
®

Introductions
▪ Jamie Williams ( @jamieantisocial)
▪ Cyber adversarial engineer
▪ Adversary emulation + behavior detection research
▪ Mike Hartley ( )
▪ Cybersecurity engineer
▪ Adversary emulation + adversary technique research
▪ ATT&CK & ATT&CK Evaluations ( @MITREattack)
| 2 |

Agenda
▪ATT&CK & ATT&CK Accessories
▪¿Por qué PowerShell? &
▪Emulating & ++
▪Parting-gifts
| 3 |
https://emojipedia.org

| 4 |
https://www.1001fonts.com/beyond-wonderland-font.html

Knowledge base of adversary behaviors
Threat-informed defense
Based on real-world observations
References to publicly reported intelligence
Free, open, and globally accessible
attack.mitre.org
Community contribution driven
attack@mitre.org
| 5 |
https://www.1001fonts.com/beyond-wonderland-font.html

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing
Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment
Software
Automated Collection Communication Through
RemovableMedia
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History Application Window
Discovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection BruteForce Distributed Component
Object Model
Data from Information
Repositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
HardwareAdditions Trap Process Injection Credential Dumping Browser Bookmark
Discovery
Custom Command and
Control Protocol
Exfiltration Over Other
Network Medium
Disk StructureWipe
Replication Through
RemovableMedia
AppleScript DLL Search Order Hijacking Credentials in Files Exploitation of
RemoteServices
Data from Local System Endpoint Denial of Service
CMSTP ImageFileExecution Options Injection Credentials in Registry Domain Trust Discovery Data from Network
Shared Drive
Custom Cryptographic
Protocol
Exfiltration Over Command
and Control Channel
FirmwareCorruption
Spearphishing Attachment Command-LineInterface Plist Modification Exploitation for
Credential Access
Fileand Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network ServiceScanning Pass theHash Data from RemovableMedia Data Encoding Exfiltration Over Alternative
Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network ShareDiscovery Pass theTicket Data Staged Data Obfuscation ResourceHijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery RemoteDesktop Protocol Email Collection Domain Fronting Exfiltration Over
Physical Medium
RuntimeData Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral DeviceDiscovery RemoteFileCopy Input Capture Domain Generation
Algorithms
ServiceStop
Valid Accounts Execution through
ModuleLoad
Application Shimming CodeSigning Input Prompt Permission Groups Discovery RemoteServices Man in theBrowser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through
RemovableMedia
Screen Capture Fallback Channels Transmitted Data
ManipulationExploitation for
Client Execution
FileSystem Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object Model
Hijacking
LLMNR/NBT-NS Poisoning
and Relay
RemoteSystem Discovery Shared Webroot Multi-hop Proxy
Graphical User Interface Launch Daemon Security SoftwareDiscovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System Information
Discovery
Taint Shared Content Multi-StageChannels
Mshta Path Interception DCShadow PrivateKeys Third-party Software Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Securityd Memory System Network
Configuration Discovery
Windows Admin Shares RemoteAccess Tools
Regsvcs/Regasm ServiceRegistry PermissionsWeakness Two-Factor Authentication
Interception
Windows Remote
Management
RemoteFileCopy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network
Connections Discovery
Standard Application Layer
ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/User
Discovery
Standard Cryptographic
ProtocolServiceExecution .bash_profile and .bashrc Exploitation for
PrivilegeEscalation
Exploitation for
Defense EvasionSigned Binary
Proxy Execution
Account Manipulation System ServiceDiscovery Standard Non-Application
Layer ProtocolAuthentication Package SID-History Injection FileDeletion System TimeDiscovery
Signed Script
Proxy Execution
BITS Jobs Sudo FilePermissions
Modification
Virtualization/Sandbox
Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions FileSystem Logical Offsets
Spaceafter Filename ChangeDefault
FileAssociation
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
CreateAccount HISTCONTROL
Windows Remote
Management
External RemoteServices Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network ShareConnection
RemovalRc.common
Redundant Access NTFS FileAttributes
Registry Run
Keys / Startup Folder
Obfuscated Files
or Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust Provider
Hijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Systemd Service Rundll32
TimeProviders Scripting
Windows Management
Instrumentation Event
Subscription
Signed Binary
Proxy Execution
Signed Script
Proxy ExecutionWinlogon Helper DLL
Hijacking
SoftwarePacking
Spaceafter Filename
TemplateInjection
Timestomp
Trusted Developer Utilities
Evasion
Web Service
XSL Script Processing
| 6 |
ATT&CK Structure
Tactics: the adversary’s technical goals
…

Application
Software
RemovableMedia
Discovery
Object Model
Repositories
Discovery
Custom Command and
Control Protocol
Network Medium
Disk StructureWipe
Replication Through
RemovableMedia
RemoteServices
Shared Drive
Protocol
and Control Channel
FirmwareCorruption
Credential Access
Protocol
Physical Medium
Algorithms
ServiceStop
ModuleLoad
RemovableMedia
Client Execution
Hijacking
and Relay
Discovery
or Information
Interception
Windows Remote
Management
RemoteFileCopy
Discovery
PrivilegeEscalation
Exploitation for
Proxy Execution
Signed Script
Proxy Execution
Modification
Evasion
FileAssociation
Gatekeeper Bypass
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Windows Remote
Management
Kernel Modules
and Extensions
RemovalRc.common
Registry Run
Obfuscated Files
or Information
Hijacking
Regsvcs/Regasm
Regsvr32
Windows Management
Subscription
Signed Binary
Proxy Execution
Signed Script
Hijacking
SoftwarePacking
Spaceafter Filename
TemplateInjection
Timestomp
Evasion
Web Service
| 7 |
ATT&CK Structure
…
Techniques: how the goals are achieved

Application
Software
RemovableMedia
Discovery
Object Model
Repositories
Discovery
Custom Command and
Control Protocol
Network Medium
Disk StructureWipe
Replication Through
RemovableMedia
RemoteServices
Shared Drive
Protocol
and Control Channel
FirmwareCorruption
Credential Access
Protocol
Physical Medium
Algorithms
ServiceStop
ModuleLoad
RemovableMedia
Client Execution
Hijacking
and Relay
Discovery
or Information
Interception
Windows Remote
Management
RemoteFileCopy
Discovery
PrivilegeEscalation
Exploitation for
Proxy Execution
Signed Script
Proxy Execution
Modification
Evasion
FileAssociation
Gatekeeper Bypass
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Windows Remote
Management
Kernel Modules
and Extensions
RemovalRc.common
Registry Run
Obfuscated Files
or Information
Hijacking
Regsvcs/Regasm
Regsvr32
Windows Management
Subscription
Signed Binary
Proxy Execution
Signed Script
Hijacking
SoftwarePacking
Spaceafter Filename
TemplateInjection
Timestomp
Evasion
Web Service
| 8 |
ATT&CK Structure
Procedure Examples:
how adversaries have performed techniques
…
Techniques: how the goals are achieved

| 9 |
Sub-Techniques (BETA)
Initial
Access
Execution Persistence
Privilege
Escalation
Defense Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration Impact
Command
and Control
Same Tactics
Same Procedures

| 10 |
Sub-Techniques (BETA)
Initial
Access
Execution Persistence
Privilege
Escalation
Defense Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration Impact
Command
and Control
More Techniques!
Same Tactics
Same Procedures

ATT&CK Evaluations Background
▪ Collaboration with product
vendors to evaluate
detection capabilities
▪ Goals are to improve products
while sharing how they detect
adversary behaviors
▪ No scores or rankings
| 11 |

Again, I Said No Scores…
| 12 |

Again, I Said No Scores…
| 13 |

Why Adversary Emulation?
▪ Impractical to test all techniques (and all variations)
▪ Using intelligence provides scoping and structure
▪ More practical results and lessons learned
| 14 |
https://i.redd.it/2xoht8joghiz.png

- Research, Research Research!
How We Leverage ATT&CK (1,2,3)
| 15 |
Step 1
Cited Public Threat Intelligence
attack.mitre.org http://clipart-library.com/magnifying-glass-cliparts.html
fireeye.com/blog/threat-research/2018/11/not-so-cozy-
an-uncomfortable-examination-of-a-suspected-apt29-
phishing-campaign.html

- Research, Research Research!
| 16 |
Step 1
Cited Public Threat Intelligence
attack.mitre.org http://clipart-library.com/magnifying-glass-cliparts.html

- Create a Plan and Execute It
| 17 |
Step 2
http://clipart-library.com/magnifying-glass-cliparts.html

| 18 |
Step 3
attackevals.mitre.org
- Publish Results
http://clipart-library.com/magnifying-glass-cliparts.html

https://www.clipartmax.com/png/middle/450-4504742_horn-clipart-free-daily-
devil-horns-transparent-background.png &
https://www.clipartmax.com/so/devil-tail-clipart/

Why Detecting PowerShell is Crucial
▪ PowerShell is native to supported Windows system
▪ Frequent legitimate usage by sysadmins
▪ In-memory execution (avoid binaries on disk)
▪ Provides access to .NET and Win32 APIs
Adversaries abuse PowerShell
| 20 |

Top ATT&CK Technique Reports
| 21 |

Top ATT&CK Technique Reports
| 22 |

Example Adversary Usage
| 23 |
1. Obfuscation
2. Download &
Execute
3. Remote
Execution
4. Win32 API

| 24 |
1. Obfuscation
2. Download &
Execute
3. Remote
Execution
4. Win32 API

| 25 |
1. Obfuscation
2. Download &
Execute
3. Remote
Execution
4. Win32 API

| 26 |
1. Obfuscation
2. Download &
Execute
3. Remote
Execution
4. Win32 API

| 27 |
1. Obfuscation
2. Download &
Execute
3. Remote
Execution
4. Win32 API
Open Source Frameworks:
Empire, PoshC2,
PowerSploit

Why APT29?
| 28 |
▪ APT29 (Cozy Bear, The Dukes, YYTRIUM)
▪ Attributed to the Russian government
▪ Active since at least 2008
▪ Compromise of DNC
▪ Commitment to stealth
▪ Sophisticated implementations of techniques via
arsenal of custom malware
▪ Has made liberal use of PowerShell
in their custom malware
https://ageofrevolution.org/wellingtons-places-stratfield-saye/8-1st-duke-portrait-by-phillips-1/&
http://www.shirleyreade.com/Gallery/wildlife/efrum.htm

https://giphy.com/gifs/nfl-football-miami-dolphins-l0HlNOtch2D0XOXxS

PowerShell Visibility
In response to adversary abuse, Microsoft helped make
PowerShell one of the most security-transparent
shells available
▪ Process monitoring
▪ PowerShell logging
▪ Event Tracing for Windows (ETW)
But will it scale…?
| 30 |
https://www.stockio.com/free-clipart/powershell-icon &
https://giphy.com/gifs/tex-avery-3HEzHIxZjKduE

Process Monitoring
▪ Process monitoring may catch PowerShell execution
▪ Command line arguments
▪ Parent process
| 31 |
▪ Event 4688 and Sysmon ID 1

PowerShell Logs: Module Logs
▪ Contains pipeline execution details
▪ Variable initialization
▪ Command invocation
▪ Script portions
▪ Some de-obfuscated code
| 32 |
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/powershell-logging-appendix-a.pdf
▪ Written to Event 4103

PowerShell Logs: Script Block Logs
▪ Captures blocks of code as executed by the PowerShell engine
▪ Captures full script and/or command content
▪ Records deobfuscated code
▪ Does not record output
| 33 |
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/powershell-logging-appendix-b.pdf
▪ Written to Event 4104

PowerShell Logs: Transcription Logs
▪ Create a record of every PowerShell session
▪ Records input and output
▪ Written to text files in Documents (configurable)
| 34 |
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/powershell-logging-appendix-c.pdf
▪ Best practice
▪ Write to a remote write-only
network share

Event Tracing for Windows (ETW)
▪ Tracing facility for logging kernel or application-defined events
▪ Can consume in real time or from a log file
▪ Originally intended for application debugging
| 35 |
▪ ETW Provider
▪ Microsoft-Windows-PowerShell
▪ Contains some added context
▪ Additional providers can help gain
further context and insight

Can It Scale?
▪ This is a lot of data to process, not feasible for human review
▪ How do you find APT29 in this sea of data?
| 36 |
https://giphy.com/gifs/mtv-ridiculousness-rob-dyrdek-kgoIBso63Pu6Y

https://www.nps.gov/subjects/bears/types-of-bears.htm &
https://depositphotos.com/200869380/stock-illustration-paw-footprints-mosaic-of-binary.html &
https://encrypted-tbn0.gstatic.com/images?q=tbn%3AANd9GcRUAXZBbHk1IPc-
Xryutu0BQ9xPldk0XS3GkNniU0SAv0vVbqw0&usqp=CAU
Cozy

Emulate to Defend
| 38 |
https://giphy.com/gifs/1fih1TYYBONo0Dkdmx
▪ Stealthy tradecraft,
perhaps ahead of their
time
▪ Implied understanding of
how detection
technologies work (and
how to bypass them)
▪ A lot of learning and
custom development to
deliver “real feel”

Detection Challenge #1 –
Living Off the Land
| 39 |
Trusted
ProcessTrusted
Process
Unknown
Trusted
Process
Unknown Trusted
Process
Untrusted
Process
Trusted
Process
Trusted
Process
Trusted
Process Unknown
Trusted
Process
Untrusted
Process
Trusted
Process

Living Off the Land
| 40 |
Trusted
ProcessTrusted
Process
Unknown
Trusted
Process
Unknown Trusted
Process
Untrusted
Process
Trusted
Process
Trusted
Process
Trusted
Process Unknown
Trusted
Process
Untrusted
Process
Trusted
Process

Get-Process
Large Custom Scripts
| 41 |
Trusted
Process

$TOKEN_OWNER = struct $ModuleBuilder TOKEN_OWNER
@{Owner = field 0 IntPtr}
$TokenPtrSize = 0
$TokenInformationClass = 'TokenOwner'
$hProcess = OpenProcess -ProcessId $PID -DesiredAccess
PROCESS_QUERY_LIMITED_INFORMATION
$hToken = OpenProcessToken -ProcessHandle $hProcess -DesiredAccess
TOKEN_QUERY
$Success = $Advapi32::GetTokenInformation($hToken,
$TOKEN_INFORMATION_CLASS::$TokenInformationClass, 0, $TokenPtrSize,
[ref]$TokenPtrSize)
[IntPtr]$TokenPtr =
[System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPtrSize)
$TOKEN_INFORMATION_CLASS::$TokenInformationClass, $TokenPtr,
$TokenPtrSize, [ref]$TokenPtrSize); $LastError =
[Runtime.InteropServices.Marshal]::GetLastWin32Error()
if($Success) {
$TokenOwner = $TokenPtr -as $TOKEN_OWNER
if($TokenOwner.Owner -ne $null) {
$OwnerSid = ConvertSidToStringSid -SidPointer $TokenOwner.Owner
$Sid = New-Object System.Security.Principal.SecurityIdentifier($OwnerSid)
$OwnerName = $Sid.Translate([System.Security.Principal.NTAccount])
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value $OwnerSid
$obj | Add-Member -MemberType NoteProperty -Name -Value $OwnerName
Write-Output $obj
}
else {
Write-Output "Fail"
}
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPtr)
}
else {
Write-Debug "[GetTokenInformation] Error: $(([ComponentModel.Win32Exception]
$LastError).Message)“
…
Large Custom Scripts
| 42 |
Trusted
Process

JFRPS0VOX09XTkVSID0gc3RydWN0ICRNb2R1bGVCdWlsZGVyIFRPS0VOX09XTkVSI
ApAe093bmVyID0gZmllbGQgMCBJbnRQdHJ9CiRUb2tlblB0clNpemUgPSAwCiRUb2tl
bkluZm9ybWF0aW9uQ2xhc3MgPSAnVG9rZW5Pd25lcicKJGhQcm9jZXNzID0gT3BlblB
yb2Nlc3MgLVByb2Nlc3NJZCAkUElEIC1EZXNpcmVkQWNjZXNzIFBST0NFU1NfUVVFUl
lfTElNSVRFRF9JTkZPUk1BVElPTgokaFRva2VuID0gT3BlblByb2Nlc3NUb2tlbiAtUHJvY
2Vzc0hhbmRsZSAkaFByb2Nlc3MgLURlc2lyZWRBY2Nlc3MgVE9LRU5fUVVFUlkKJFN1
Y2Nlc3MgPSAkQWR2YXBpMzI6OkdldFRva2VuSW5mb3JtYXRpb24oJGhUb2tlbiwgJF
RPS0VOX0lORk9STUFUSU9OX0NMQVNTOjokVG9rZW5JbmZvcm1hdGlvbkNsYXNzL
CAwLCAkVG9rZW5QdHJTaXplLCBbcmVmXSRUb2tlblB0clNpemUpCltJbnRQdHJdJF
Rva2VuUHRyID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFs
XTo6QWxsb2NIR2xvYmFsKCRUb2tlblB0clNpemUpCiRTdWNjZXNzID0gJEFkdmFwaT
MyOjpHZXRUb2tlbkluZm9ybWF0aW9uKCRoVG9rZW4sICRUT0tFTl9JTkZPUk1BVElPT
l9DTEFTUzo6JFRva2VuSW5mb3JtYXRpb25DbGFzcywgJFRva2VuUHRyLCAkVG9rZW
5QdHJTaXplLCBbcmVmXSRUb2tlblB0clNpemUpOyAkTGFzdEVycm9yID0gW1J1bnRp
bWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXRMYXN0V2luMzJFcnJvcigpC
mlmKCRTdWNjZXNzKSB7CiRUb2tlbk93bmVyID0gJFRva2VuUHRyIC1hcyAkVE9LRU5f
T1dORVIKaWYoJFRva2VuT3duZXIuT3duZXIgLW5lICRudWxsKSB7CiRPd25lclNpZCA9
IENvbnZlcnRTaWRUb1N0cmluZ1NpZCAtU2lkUG9pbnRlciAkVG9rZW5Pd25lci5Pd25lc
gokU2lkID0gTmV3LU9iamVjdCBTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLlNlY3Vy
aXR5SWRlbnRpZmllcigkT3duZXJTaWQpCiRPd25lck5hbWUgPSAkU2lkLlRyYW5zbGF
0ZShbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5OVEFjY291bnRdKQokb2JqID0gTmV
3LU9iamVjdCAtVHlwZU5hbWUgcHNvYmplY3QKJG9iaiB8IEFkZC1NZW1iZXIgLU1lbW
JlclR5cGUgTm90ZVByb3BlcnR5IC1OYW1lIFNpZCAtVmFsdWUgJE93bmVyU2lkCiRvY
mogfCBBZGQtTWVtYmVyIC1NZW1iZXJUeXBlIE5vdGVQcm9wZXJ0eSAtTmFtZSAtVm
FsdWUgJE93bmVyTmFtZQpXcml0ZS1PdXRwdXQgJG9iagp9CmVsc2UgewpXcml0ZS
1PdXRwdXQgIkZhaWwiCn0KW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5N
YXJzaGFsXTo6RnJlZUhHbG9iYWwoJFRva2VuUHRyKQp9CmVsc2UgewpXcml0ZS1EZ
WJ1ZyAiW0dldFRva2VuSW5mb3JtYXRpb25dIEVycm9yOiAkKChbQ29tcG9uZW50TW9
kZWwuV2luMzJFeGNlcHRpb25dICRMYXN0RXJyb3IpLk1lc3NhZ2Up4oCcCg==
…
$TOKEN_OWNER = struct $ModuleBuilder TOKEN_OWNER
@{Owner = field 0 IntPtr}
$TokenPtrSize = 0
$TokenInformationClass = 'TokenOwner'
$hProcess = OpenProcess -ProcessId $PID -DesiredAccess
PROCESS_QUERY_LIMITED_INFORMATION
$hToken = OpenProcessToken -ProcessHandle $hProcess -DesiredAccess
TOKEN_QUERY
$TOKEN_INFORMATION_CLASS::$TokenInformationClass, 0, $TokenPtrSize,
[ref]$TokenPtrSize)
[IntPtr]$TokenPtr =
[System.Runtime.InteropServices.Marshal]::AllocHGlobal($TokenPtrSize)
$TOKEN_INFORMATION_CLASS::$TokenInformationClass, $TokenPtr,
$TokenPtrSize, [ref]$TokenPtrSize); $LastError =
[Runtime.InteropServices.Marshal]::GetLastWin32Error()
if($Success) {
$TokenOwner = $TokenPtr -as $TOKEN_OWNER
if($TokenOwner.Owner -ne $null) {
$OwnerSid = ConvertSidToStringSid -SidPointer $TokenOwner.Owner
$Sid = New-Object System.Security.Principal.SecurityIdentifier($OwnerSid)
$OwnerName = $Sid.Translate([System.Security.Principal.NTAccount])
$obj = New-Object -TypeName psobject
$obj | Add-Member -MemberType NoteProperty -Name Sid -Value $OwnerSid
$obj | Add-Member -MemberType NoteProperty -Name -Value $OwnerName
Write-Output $obj
}
else {
Write-Output "Fail"
}
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($TokenPtr)
}
else {
Write-Debug "[GetTokenInformation] Error: $(([ComponentModel.Win32Exception]
$LastError).Message)“
…
Detection Challenge #3 – Obfuscation
| 43 |
Trusted
Process
https://www.kaspersky.com/blog/no-monkeys-for-cozyduke/8543/

JFRPS0VOX09XTkVSID0gc3RydWN0ICRNb2R1bGVCdWlsZGVyIFRPS0VOX09XTkVSI
ApAe093bmVyID0gZmllbGQgMCBJbnRQdHJ9CiRUb2tlblB0clNpemUgPSAwCiRUb2tl
bkluZm9ybWF0aW9uQ2xhc3MgPSAnVG9rZW5Pd25lcicKJGhQcm9jZXNzID0gT3BlblB
yb2Nlc3MgLVByb2Nlc3NJZCAkUElEIC1EZXNpcmVkQWNjZXNzIFBST0NFU1NfUVVFUl
lfTElNSVRFRF9JTkZPUk1BVElPTgokaFRva2VuID0gT3BlblByb2Nlc3NUb2tlbiAtUHJvY
2Vzc0hhbmRsZSAkaFByb2Nlc3MgLURlc2lyZWRBY2Nlc3MgVE9LRU5fUVVFUlkKJFN1
Y2Nlc3MgPSAkQWR2YXBpMzI6OkdldFRva2VuSW5mb3JtYXRpb24oJGhUb2tlbiwgJF
RPS0VOX0lORk9STUFUSU9OX0NMQVNTOjokVG9rZW5JbmZvcm1hdGlvbkNsYXNzL
CAwLCAkVG9rZW5QdHJTaXplLCBbcmVmXSRUb2tlblB0clNpemUpCltJbnRQdHJdJF
Rva2VuUHRyID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFs
XTo6QWxsb2NIR2xvYmFsKCRUb2tlblB0clNpemUpCiRTdWNjZXNzID0gJEFkdmFwaT
MyOjpHZXRUb2tlbkluZm9ybWF0aW9uKCRoVG9rZW4sICRUT0tFTl9JTkZPUk1BVElPT
l9DTEFTUzo6JFRva2VuSW5mb3JtYXRpb25DbGFzcywgJFRva2VuUHRyLCAkVG9rZW
5QdHJTaXplLCBbcmVmXSRUb2tlblB0clNpemUpOyAkTGFzdEVycm9yID0gW1J1bnRp
bWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpHZXRMYXN0V2luMzJFcnJvcigpC
mlmKCRTdWNjZXNzKSB7CiRUb2tlbk93bmVyID0gJFRva2VuUHRyIC1hcyAkVE9LRU5f
T1dORVIKaWYoJFRva2VuT3duZXIuT3duZXIgLW5lICRudWxsKSB7CiRPd25lclNpZCA9
IENvbnZlcnRTaWRUb1N0cmluZ1NpZCAtU2lkUG9pbnRlciAkVG9rZW5Pd25lci5Pd25lc
gokU2lkID0gTmV3LU9iamVjdCBTeXN0ZW0uU2VjdXJpdHkuUHJpbmNpcGFsLlNlY3Vy
aXR5SWRlbnRpZmllcigkT3duZXJTaWQpCiRPd25lck5hbWUgPSAkU2lkLlRyYW5zbGF
0ZShbU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbC5OVEFjY291bnRdKQokb2JqID0gTmV
3LU9iamVjdCAtVHlwZU5hbWUgcHNvYmplY3QKJG9iaiB8IEFkZC1NZW1iZXIgLU1lbW
JlclR5cGUgTm90ZVByb3BlcnR5IC1OYW1lIFNpZCAtVmFsdWUgJE93bmVyU2lkCiRvY
mogfCBBZGQtTWVtYmVyIC1NZW1iZXJUeXBlIE5vdGVQcm9wZXJ0eSAtTmFtZSAtVm
FsdWUgJE93bmVyTmFtZQpXcml0ZS1PdXRwdXQgJG9iagp9CmVsc2UgewpXcml0ZS
1PdXRwdXQgIkZhaWwiCn0KW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5N
YXJzaGFsXTo6RnJlZUhHbG9iYWwoJFRva2VuUHRyKQp9CmVsc2UgewpXcml0ZS1EZ
WJ1ZyAiW0dldFRva2VuSW5mb3JtYXRpb25dIEVycm9yOiAkKChbQ29tcG9uZW50TW9
kZWwuV2luMzJFeGNlcHRpb25dICRMYXN0RXJyb3IpLk1lc3NhZ2Up4oCcCg==
…
Detection Challenge #3 – Obfuscation
| 44 |
Trusted
Process

Breaking Process Trees
| 45 |
Trusted
Process
http://clipart-library.com/spotlight-cliparts.html &
https://clipartpng.com/?227,kiwi-png-clipart

Breaking Process Trees
| 46 |
Trusted
Process
Trusted
Process
[wmiclass]".rootcimv2:
Win32_Process"

Adversary OPSEC
| 47 |
Trusted
Process

Adversary OPSEC
| 48 |

https://giphy.com/gifs/han-solo-1HH6lJOzOXAY

Defensive Lesson #1 –
Know Your Systems
▪ Need to do more than identify known-bad
▪ Most adversary behaviors are abuse of
legitimate functionalities
▪ Must reconsider “trust” and least privilege
| 50 |
Trusted
Process

Trusted
Process
Know Your Data
▪ Detecting everything may be unrealistic
▪ Build with what you have
▪ Correlate multiple sources to see more of the story
| 51 |
2
1
3
4
5

Know Your Threats
▪Use knowledge of adversaries and
their behaviors to fill-in gaps
| 52 |
Trusted
Process
1
2
3
4
5
T1059
T1086
T1083
T1019
T1102
4.5
2.5
0 T1036?
T1032?
T1005?

Shared Methodology
| 54 |
ATT&CK Arsenal: github.com/mitre-attack/attack-arsenal

Shared Methodology
| 55 |

Shared Methodology
| 56 |
What if you don’t have a red
team to help execute this?

Automagical Execution w/ CALDERA
| 57 |
https://clip.cookdiary.net/relax-clipart/relax-clipart-recreation

| 58 |

| 59 |

Conclusion: Threat-Informed Defense
▪Vital to understand
your capabilities,
strengths and limitations,
but most importantly
how they align with
real adversary behaviors
| 60 |
https://fallout.fandom.com/wiki/Vault_Boy
https://www.jing.fm/clipimg/detail/56-562333_anonymous-mask-png-transparent-free-images-png-only.png

Relevant Links
ATT&CK & ATT&CK Accessories
▪ attack.mitre.org
▪ attackevals.mitre.org
▪ medium.com/mitre-attack
▪ medium.com/mitre-engenuity
▪ github.com/mitre-attack/attack-arsenal
▪ github.com/mitre/caldera
No Easy Breach
▪ slideshare.net/MatthewDunwoody1/
no-easy-breach-derby-con-2016
▪ fireeye.com/blog/products-and-
services/2019/02/state-of-the-hack-no-
easy-breach-revisited.html
PowerShell Logging and Adversary Abuse
▪ fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html
▪ redcanary.com/threat-detection-report/
▪ carbonblack.com/global-incident-response-threat-
report/april-2019/
▪ content.fireeye.com/m-trends/rpt-m-trends-2020
▪ crowdstrike.com/resources/reports/2019-
crowdstrike-global-threat-report/
▪ fireeye.com/blog/threat-research/2019/04/pick-six-
intercepting-a-fin6-intrusion.html
▪ proofpoint.com/us/threat-insight/post/ta505-
abusing-settingcontent-ms-within-pdf-files-
distribute-flawedammyy-rat
▪ secureworks.com/research/bronze-union
▪ github.com/PowerShellMafia/PowerSploit/blob/
master/Exfiltration/Invoke-Mimikatz.ps1
| 61 |

Getting Bear-y Cozy with PowerShell

Recommended

Recommended

More Related Content

What's hot

What's hot (11)

Similar to Getting Bear-y Cozy with PowerShell

Similar to Getting Bear-y Cozy with PowerShell (20)

Recently uploaded

Recently uploaded (20)

Getting Bear-y Cozy with PowerShell