![Page 1: (Re)Investigating PowerShell Attacksfiles.brucon.org/2018/03-Matt-Ryan-ReInvestigating-Powershell-Attac… · DSC → DSC Core DSC continues to receive updates, increasingly important](https://reader033.fdocuments.in/reader033/viewer/2022042622/5f88b3a5855400685d13c6f1/html5/thumbnails/1.jpg)
(Re)Investigating PowerShell Attacks
Matt Hastings, Ryan Kazanciyan
BruCON 0x0A Retro Talks
“Investigating PowerShell Attacks”, 2014 “Desired State: Compromised”, 2015
Revisiting Investigating PowerShell Attacks
Our original research
Evidence in Memory
Memory footprint: PowerShell remoting
Logging
Logging in PowerShell 2.0
● PowerShell and WinRM logs
  ○ Start and finish of console sessions
  ○ Start and finish of remoting sessions (with user)
● PowerShell Analytic logs
  ○ Names of executed scripts and cmdlets
  ○ Encoded input and output of remoting sessions
  ○ Disabled by default; too verbose for ongoing usage
● AppLocker
  ○ Captures user and script path
  ○ Must create script rules in audit or enforce mode
● Transcription logging
  ○ Enabled on a per-profile basis
  ○ Does not log remoting activity
Example: PS Analytic logs (v2)
Invoke-Command {Get-ChildItem C:\}
Module Logging in PS v3
3,905 events from one execution of Invoke-Mimikatz
Script Block logging in PS v4 to the rescue!
PowerShell versus other scripting languages
https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/
PowerShell Attacks Today
PS attacks have been commoditized
Defense evasions are widely available
https://github.com/danielbohannon/Invoke-Obfuscation
https://github.com/trustedsec/unicorn
https://gist.github.com/cobbr
Modern attacks still use old tricks
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.redcanary.com/blog/cryptomining-enabled-by-native-windows-tools/
https://www.symantec.com/blogs/threat-intelligence/powershell-threats-grow-further-and-operate-plain-sight
4%: percentage of malicious scripts sampled in 2018 that used any form of obfuscation
Investigating .NET Attacks in 2020!
● Researchers moving beyond PowerShell
● Emerging offensive toolkits
● Fewer insights into .NET execution
● More to come later in this talk...
Auditing in PowerShell v6
PowerShell 6.0 changes
● Relies on .NET Core 6.0 runtime
● Open source
● Windows, macOS, Linux support
● New shell: pwsh.exe
● Installable side-by-side with PS v5
PS v6 auditing in Windows
● New event log: PowerShellCore/Operational
● New ETW GUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2}
● New configuration files
  ○ $PSHOME\PowerShell.Core.Instrumentation.man
  ○ $PSHOME\RegisterManifest.ps1
  ○ $PSHOME\powershell.config.json
Events & EIDs unchanged from PS v5
powershell.config.json

```json
{
  "Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
  "PowerShellPolicies": {
    "ScriptExecution": {
      "ExecutionPolicy": "RemoteSigned",
      "EnableScripts": true
    },
    "ScriptBlockLogging": {
      "EnableScriptBlockInvocationLogging": true,
      "EnableScriptBlockLogging": true
    },
    "Transcription": {
      "EnableTranscripting": true,
      "EnableInvocationHeader": true,
      "OutputDirectory": "c:\\tmp"
    }
  },
  "LogLevel": "verbose"
}
```
Enabling and disabling auditing
Auditing configuration changes

```text
**********************
Command start time: 20180922134046
**********************
PS C:\Users\ryankaz\Desktop> RegisterManifest.ps1 -Unregister
```

● Not recorded in the event log
● Will be recorded in transcription logging
Audit settings in the registry
● HKLM\SOFTWARE\Policies\Microsoft\PowerShellCore
● Not impacted if you use RegisterManifest.ps1
Source: System.Management.Automation/engine/PSConfiguration.cs
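The three places the preceding slides name (powershell.config.json, the PowerShellCore policy key, and the PowerShellCore/Operational channel that RegisterManifest.ps1 registers) can be checked together. The function below is an added example for this page, not code from the talk or from the PowerShell project: it reads the JSON file, the registry policy key, and asks the event log service whether the channel is still registered, because an unregister leaves no event behind and the channel's absence is the only trace. It assumes the policy subkey for script block logging is named `ScriptBlockLogging`, mirroring the JSON key, and that `Get-WinEvent -ListLog` returns nothing for an unregistered channel.

```powershell
# Added example, not from the talk or the PowerShell project: report the PS v6 auditing
# state on a Windows host. Run it from pwsh so that $PSHOME is the PowerShell 6 install.
function Get-PSCoreAuditState {
    [CmdletBinding()]
    param(
        [string]$ConfigPath = (Join-Path $PSHOME 'powershell.config.json'),
        [string]$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
    )

    $state = [ordered]@{
        ConfigFile            = $ConfigPath
        ExecutionPolicy       = $null    # from powershell.config.json
        ScriptBlockLogging    = $null
        Transcription         = $null
        TranscriptDirectory   = $null
        PolicyScriptBlockLog  = $null    # from the registry policy key, if present
        OperationalLogPresent = $false   # is PowerShellCore/Operational registered?
        OperationalLogEnabled = $false
    }

    # 1. Settings shipped in the JSON file next to pwsh.exe.
    if (Test-Path -LiteralPath $ConfigPath) {
        $cfg = Get-Content -Raw -LiteralPath $ConfigPath | ConvertFrom-Json
        $state.ExecutionPolicy = $cfg.'Microsoft.PowerShell:ExecutionPolicy'
        $pol = $cfg.PowerShellPolicies
        if ($pol) {
            $state.ScriptBlockLogging  = [bool]$pol.ScriptBlockLogging.EnableScriptBlockLogging
            $state.Transcription       = [bool]$pol.Transcription.EnableTranscripting
            $state.TranscriptDirectory = $pol.Transcription.OutputDirectory
        }
    }

    # 2. Group Policy values live in the registry, not in the JSON file, so check both.
    #    The ScriptBlockLogging subkey name mirrors the JSON key (assumption).
    $sblKey = Join-Path $PolicyKey 'ScriptBlockLogging'
    if (Test-Path -LiteralPath $sblKey) {
        $v = Get-ItemProperty -LiteralPath $sblKey -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
        if ($null -ne $v) { $state.PolicyScriptBlockLog = [bool]$v.EnableScriptBlockLogging }
    }

    # 3. Is the channel still registered? RegisterManifest.ps1 -Unregister removes it
    #    without writing an event, so its absence is itself a finding.
    $log = Get-WinEvent -ListLog 'PowerShellCore/Operational' -ErrorAction SilentlyContinue
    if ($null -ne $log) {
        $state.OperationalLogPresent = $true
        $state.OperationalLogEnabled = [bool]$log.IsEnabled
    }

    [pscustomobject]$state
}

Get-PSCoreAuditState | Format-List
```

A host where the JSON file says logging is on but `OperationalLogPresent` is false is the case the "Auditing configuration changes" slide describes: the manifest was unregistered, and only a transcript (if transcription was on) will show who did it.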
Command History
● Persistent command line history (similar to bash history)
  %AppData%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
● (Get|Set)-PSReadLineOption
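PSReadLine history is per user and per profile, so a triage pass has to walk every profile on the host. The function below is an added example, not from the talk; the relative path is the one on the slide, and the assumption is that profiles sit under the default `C:\Users` layout. PSReadLine stores no timestamps, so the file's LastWriteTime is the only time bound available.

```powershell
# Added example, not from the talk: gather ConsoleHost_history.txt from every user profile
# and return one object per recorded command.
function Get-PSConsoleHistory {
    [CmdletBinding()]
    param(
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users')   # assumed default layout
    )
    # Relative path from the slide (%AppData% expands to AppData\Roaming).
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'

    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $file = Join-Path $userDir.FullName $relative
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $info   = Get-Item -LiteralPath $file
        $lineNo = 0
        # One line per command, appended in order; no timestamps, so LastWriteTime only
        # bounds the last entry.
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            if ([string]::IsNullOrWhiteSpace($line)) { continue }
            [pscustomobject]@{
                User          = $userDir.Name
                Line          = $lineNo
                Command       = $line
                HistoryFile   = $file
                LastWriteTime = $info.LastWriteTime
            }
        }
    }
}

# Triage view: commands that touched the auditing surface itself.
Get-PSConsoleHistory |
    Where-Object Command -match 'RegisterManifest|PowerShellCore|Set-PSReadLineOption|ScriptBlockLogging' |
    Format-Table User, Line, LastWriteTime, Command -AutoSize

# For the current session, the location and save policy come from PSReadLine itself.
Get-PSReadLineOption | Select-Object HistorySavePath, HistorySaveStyle
```

A profile that is clearly in use (recent logons, transcripts, 4104 events) but has no history file, or one whose `HistorySaveStyle` is `SaveNothing`, is worth recording as an observation in its own right, since the history file is one of the first things an interactive user can switch off.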
Revisiting DSCompromised
Desired State Configuration (DSC)
Ensure that a desired “state” of the system is maintained over time
● Download and create files and directories
● Execute processes
● Run scripts
● Create users and assign group membership
● Control Windows services
● Manage registry keys and values
● Install software
DSC Workflow: Author, Stage, Implement
1. Create configuration (.MOF file)
2. Stage configuration on Pull Server (SMB, HTTP, or HTTPS) [or] stage configuration on Push Server (WinRM)
3. Consume and implement configuration
4. Check for config “drift”, re-enforce as needed
Why is DSC an interesting attacker tool?
● Obscure & flexible persistence mechanism
● Not detected or examined by most security tools
● Automatic re-infection if not properly remediated
DSCompromised
DSCompromised Framework
● https://github.com/matthastings/DSCompromised
● PowerShell scripts to setup DSC “C2” server, build payload, infect victims
● Components:
  ○ Server PowerShell module
    ■ Configure-Server.psm1
  ○ Victim configuration script
    ■ Configure-Victim.ps1
Our approach: DSC “pull” mode
● Emulate a real C2 server
● Victim client initiates “beacon” requests via HTTP/s
● Server can be on the internet or victim’s internal network
  ○ Attacker-controlled server preferable
  ○ Significant footprint to install DSC hosting components

Workflow:
1. Configure DSC Pull Server (C2 server): Configure-Server.psm1
2. Create malicious configuration to host on Pull Server: New-Payload, New-User
3. Consume and implement config on victim host(s) over HTTP/s: Configure-Victim.ps1
Payloads we implemented

Persist Malware
● Infect victim machine with backdoor malware
● Ensure the malware continues to execute and remain on disk
● Re-infect victim automatically if remediated

Persist User Account
● Create a local account with your choice of password
● Ensure user is a member of a specific group, such as local administrators
● Automatically re-add account and restore group membership if deleted or changed
Sources of evidence
Network activity
HTTP requests used in DSC “pull” configuration
POST /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/GetAction
GET /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/ConfigurationContent
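The two request shapes above are stable enough to hunt for in web-server or proxy logs. The filter below is an added example, not from the talk: it extracts the method, the ConfigurationId and the operation (`GetAction` for the beacon, `ConfigurationContent` for the download) from any log line that carries a pull-server URI. The sample lines and their field layout (date, time, client IP, method, URI, status) are constructed for this example; the `Nodes(AgentId=...)` alternative is the later registration-key form of the pull protocol, added from my own knowledge of DSC rather than from the slide.

```powershell
# Added example, not from the talk: pick DSC pull-server beacons out of log lines.
function Find-DscPullRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    begin {
        # Action(ConfigurationId=...) is the form on the slide; Nodes(AgentId=...) is the
        # later registration-key pull protocol (from my own knowledge, not the slide).
        $pattern = '(?<method>GET|POST)\s+(?<uri>/psdscpullserver\.svc/' +
                   '(?:Action\(ConfigurationId=''(?<cid>[0-9a-fA-F-]{36})''\)' +
                   '|Nodes\(AgentId=''(?<aid>[0-9a-fA-F-]{36})''\))' +
                   '/(?<op>\w+))'
    }
    process {
        if ($Line -match $pattern) {
            # Leading fields are taken positionally from the constructed layout below;
            # adjust for the real log format (IIS W3C, proxy, etc.).
            $fields    = $Line -split '\s+'
            $timestamp = if ($fields.Count -ge 2) { $fields[0] + ' ' + $fields[1] } else { $null }
            $clientIp  = if ($fields.Count -ge 3) { $fields[2] } else { $null }
            [pscustomobject]@{
                Timestamp       = $timestamp
                ClientIp        = $clientIp
                Method          = $Matches['method']
                Operation       = $Matches['op']      # GetAction or ConfigurationContent
                ConfigurationId = $Matches['cid']
                AgentId         = $Matches['aid']     # $null for the ConfigurationId form
                Uri             = $Matches['uri']
            }
        }
    }
}

# Constructed sample: one client's beacon and follow-up content download, plus an
# unrelated request that must not match.
$sampleLines = @(
    "2018-09-22 13:40:46 10.0.0.23 POST /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/GetAction 200",
    "2018-09-22 13:40:47 10.0.0.23 GET /psdscpullserver.svc/Action(ConfigurationId='a8540639-cd47-462d-ae75-415158f60a99')/ConfigurationContent 200",
    "2018-09-22 13:41:02 10.0.0.42 GET /index.html 200"
)
$sampleLines | Find-DscPullRequest |
    Format-Table Timestamp, ClientIp, Method, Operation, ConfigurationId -AutoSize

# On real data, e.g. IIS logs:
# Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log | Find-DscPullRequest
```

Grouping the output by ClientIp and ConfigurationId gives the beacon interval per host, which in a legitimate deployment follows the LCM's refresh frequency; a pull server that no configuration-management team recognises, or a ConfigurationId that appears on only one host, is the thing to chase.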
File system activity
1. Configure-Victim script creates pull setup MOF
2. System creates initial LCM meta config
3. Task Manager creates DSC Consistency and Boot Tasks
4. System creates temp copy of downloaded “payload” MOF
5. Current and backup config set to “payload” MOF
6. Malware dropped by payload MOF
Event logs: DSC Operational
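The file-system, scheduled-task and event-log artifacts listed above can be collected in one pass from the host. The function below is an added example, not from the talk and not part of DSCompromised. The cmdlets and the `Microsoft-Windows-DSC/Operational` log name are real; the MOF directory (`C:\Windows\System32\Configuration`, holding Current.mof and backup.mof) and the scheduled-task folder (`\Microsoft\Windows\Desired State Configuration\`) are from my own knowledge of DSC rather than from the slides, so verify them on the build you are examining.

```powershell
# Added example, not from the talk: collect host-side DSC persistence artifacts.
function Get-DscPersistenceArtifacts {
    [CmdletBinding()]
    param([int]$Days = 7)

    # 1. Local Configuration Manager: Pull mode plus a pull-server URL is the footprint
    #    a Configure-Victim-style meta config leaves behind.
    $lcm = Get-DscLocalConfigurationManager -ErrorAction SilentlyContinue
    $pullServers = @()
    if ($lcm -and $lcm.ConfigurationDownloadManagers) {
        $pullServers = @($lcm.ConfigurationDownloadManagers | ForEach-Object { $_.ServerURL })
    }

    # 2. MOF files: Current.mof / backup.mof are what the LCM keeps re-applying
    #    (directory path assumed).
    $mofDir = Join-Path $env:SystemRoot 'System32\Configuration'
    $mofs = Get-ChildItem -Path $mofDir -Filter '*.mof' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime

    # 3. What the current MOF declares: resource IDs, file paths, user names, arguments.
    $current   = Join-Path $mofDir 'Current.mof'
    $resources = @()
    if (Test-Path -LiteralPath $current) {
        $resources = Select-String -LiteralPath $current `
            -Pattern '^\s*(ResourceID|SourcePath|DestinationPath|UserName|Path|Arguments)\s*=' |
            ForEach-Object { $_.Line.Trim() }
    }

    # 4. Scheduled tasks that drive the consistency check and the boot-time re-apply
    #    (task folder assumed).
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Desired State Configuration\' `
        -ErrorAction SilentlyContinue | Select-Object TaskName, State

    # 5. Recent DSC operational events: consistency runs, downloads, failures.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DSC/Operational'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        RefreshMode       = $lcm.RefreshMode
        ConfigurationMode = $lcm.ConfigurationMode
        ConfigurationId   = $lcm.ConfigurationID
        PullServers       = $pullServers
        MofFiles          = $mofs
        CurrentMofSummary = $resources
        Tasks             = $tasks
        RecentEvents      = $events
    }
}

$r = Get-DscPersistenceArtifacts
$r | Select-Object RefreshMode, ConfigurationMode, ConfigurationId, PullServers | Format-List
$r.MofFiles | Format-Table -AutoSize
$r.CurrentMofSummary
$r.Tasks | Format-Table -AutoSize
$r.RecentEvents | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
```

Remediation follows from the same data: deleting the dropped file or the account without clearing Current.mof and backup.mof (or resetting the LCM meta config) leaves the consistency task free to re-apply the configuration, which is the automatic re-infection the "Why is DSC an interesting attacker tool?" slide refers to.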
State of DSC Attacks in 2018
[slide intentionally left blank]
Revisiting DSC’s limitations
● Difficult to learn and use
● Requires PS 4.0 on victim
  ○ Windows 8.1, Server 2012 R2 and later
● Requires Admin privileges on victim host
  ○ Post-compromise persistence
DSC → DSC Core
● DSC continues to receive updates, increasingly important for Azure
● Next-gen: DSC Core
  ○ Converge to a single cross-platform, open-source code base
  ○ Removes dependencies on WMI and WMF
  ○ New Local Configuration Manager
  ○ Resources written in native C/C++, Python, or PowerShell Core
● Release date remains TBD
  ○ https://blogs.msdn.microsoft.com/powershell/2018/09/13/desired-state-configuration-dsc-planning-update-september-2018/
Logging with ETW
ETWhat?
● Introduced in Windows 2000
● Application / kernel tracing
○ Troubleshooting
○ Performance monitoring
● Hiding in plain sight
● Kernel-Process: process execution, DLL loads, threads
● Kernel-Network: network connections
● Kernel-File: file create / delete
● PowerShell: scriptblocks, PS modules
● DNS-Client: DNS requests / responses
ETW Orchestration
● https://github.com/matthastings/PSalander
● PowerShell module to orchestrate ETW sessions
● Impacted by PS logging evasions
● Out-of-the box forensic collection
● Useful beyond PS
Demo
.NET Visibility
● Microsoft-Windows-DotNETRuntime
● [SharpSploit.Credentials.Mimikatz]::All()
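Both the ETW orchestration slides (PSalander) and the .NET visibility slide come down to the same mechanic: start a trace session with the right providers, run the activity, stop the session and read the .etl. The functions below are an added example, not PSalander's code and not from the talk, using only `logman.exe` and `Get-WinEvent`, which ship with Windows. The provider names are the ones on the slides; the keyword masks are assumptions from my own reading of the providers (`0x8` for the DotNETRuntime loader events that record assembly and module loads, `0x50` for Kernel-Process process-start plus image-load events). Creating a trace session requires an elevated prompt.

```powershell
# Added example, not from the talk and not PSalander's code: minimal ETW orchestration
# with logman.exe, covering the PowerShell and .NET runtime providers from the slides.
function Start-PsEtwTrace {
    param(
        [string]$SessionName = 'PSTrace',
        [string]$OutputFile  = (Join-Path $env:TEMP 'pstrace.etl')
    )
    # The session is created with the first provider and extended with the rest.
    # Keyword masks (the hex values) are assumptions; level 5 = verbose.
    & logman.exe create trace $SessionName -p 'Microsoft-Windows-PowerShell' 0xffffffffffffffff 5 -o $OutputFile -ets | Out-Null
    & logman.exe update trace $SessionName -p 'Microsoft-Windows-DotNETRuntime' 0x8 5 -ets | Out-Null
    & logman.exe update trace $SessionName -p 'Microsoft-Windows-Kernel-Process' 0x50 5 -ets | Out-Null
    & logman.exe update trace $SessionName -p 'Microsoft-Windows-DNS-Client' 0xffffffffffffffff 5 -ets | Out-Null
    $OutputFile
}

function Stop-PsEtwTrace {
    param([string]$SessionName = 'PSTrace')
    & logman.exe stop $SessionName -ets | Out-Null
}

function Read-PsEtwTrace {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Providers = @('Microsoft-Windows-PowerShell', 'Microsoft-Windows-DotNETRuntime')
    )
    # -Oldest is required for .etl files. PowerShell event 4104 carries script block text;
    # the DotNETRuntime loader events name each assembly loaded into the process, which is
    # the visibility a reflectively loaded .NET tool does not get from PS logging alone.
    Get-WinEvent -Path $Path -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -in $Providers } |
        Select-Object TimeCreated, ProviderName, Id, ProcessId, Message
}

# Usage from an elevated prompt:
#   $etl = Start-PsEtwTrace
#   ... run the activity you want to observe ...
#   Stop-PsEtwTrace
#   Read-PsEtwTrace -Path $etl | Out-GridView
```

Because the session is owned by the ETW subsystem rather than by the PowerShell process being observed, the PS-side logging evasions the "ETW Orchestration" slide mentions (disabling script block logging in-process, for instance) do not affect the runtime and kernel providers in the same session, only the PowerShell provider's own events.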
Takeaways
● Despite advances in attacker tradecraft, PowerShell provides defenders with better auditability than any other language
● Establishing a baseline for legitimate PowerShell activity across an environment makes detection significantly easier
● ETW will continue to serve as a goldmine for telemetry as new techniques emerge (“there’s a provider for that!”)
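The second takeaway, a baseline of legitimate PowerShell activity, is concrete enough to build from script block logging alone. The function below is an added example, not from the talk: it reads event 4104 from the live log or from an exported .evtx, reassembles blocks that were logged as several fragments (4104 splits long script blocks and numbers the pieces by `MessageNumber` under one `ScriptBlockId`), hashes the normalised text, and ranks blocks by how often they occur. The log name, event ID and event-data field names are the documented ones; the rarity threshold is an arbitrary default.

```powershell
# Added example, not from the talk: frequency baseline of script blocks from event 4104.
function Get-ScriptBlockBaseline {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Microsoft-Windows-PowerShell/Operational',
        [string]$Path,                               # optional exported .evtx instead of the live log
        [datetime]$Since = (Get-Date).AddDays(-30),
        [int]$RareThreshold = 2                      # blocks seen this often or less are flagged
    )
    $filter = @{ Id = 4104; StartTime = $Since }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = $LogName }

    function Get-Field($Data, $Name) { ($Data | Where-Object Name -eq $Name).'#text' }

    # Reassemble fragments so a long block is counted once, not once per fragment.
    $blocks = @{}   # ScriptBlockId -> @{ Parts = @{ MessageNumber -> text }; First; Last; Path }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = ([xml]$ev.ToXml()).Event.EventData.Data
        $id   = Get-Field $data 'ScriptBlockId'
        if (-not $id) { continue }
        if (-not $blocks.ContainsKey($id)) {
            $blocks[$id] = @{ Parts = @{}; First = $ev.TimeCreated; Last = $ev.TimeCreated
                              Path = (Get-Field $data 'Path') }
        }
        $b = $blocks[$id]
        $b.Parts[[int](Get-Field $data 'MessageNumber')] = Get-Field $data 'ScriptBlockText'
        if ($ev.TimeCreated -lt $b.First) { $b.First = $ev.TimeCreated }
        if ($ev.TimeCreated -gt $b.Last)  { $b.Last  = $ev.TimeCreated }
    }

    # Hash the normalised text; Count is the number of distinct ScriptBlockIds with that text.
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $baseline = @{}
    foreach ($b in $blocks.Values) {
        $text = ($b.Parts.Keys | Sort-Object | ForEach-Object { $b.Parts[$_] }) -join ''
        $norm = ($text -replace '\s+', ' ').Trim()      # re-indented copies share a hash
        $hash = [System.BitConverter]::ToString($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($norm))) -replace '-', ''
        if (-not $baseline.ContainsKey($hash)) {
            $baseline[$hash] = [pscustomobject]@{
                Hash      = $hash
                Count     = 0
                FirstSeen = $b.First
                LastSeen  = $b.Last
                Paths     = New-Object 'System.Collections.Generic.HashSet[string]'
                Sample    = $norm.Substring(0, [Math]::Min(100, $norm.Length))
            }
        }
        $e = $baseline[$hash]
        $e.Count++
        if ($b.First -lt $e.FirstSeen) { $e.FirstSeen = $b.First }
        if ($b.Last  -gt $e.LastSeen)  { $e.LastSeen  = $b.Last }
        if ($b.Path) { [void]$e.Paths.Add($b.Path) }
    }

    $baseline.Values |
        Sort-Object Count, FirstSeen |
        Select-Object Count, FirstSeen, LastSeen,
                      @{ n = 'Rare';  e = { $_.Count -le $RareThreshold } },
                      @{ n = 'Paths'; e = { ($_.Paths | Sort-Object) -join ';' } },
                      Hash, Sample
}

# Rare blocks first: these are the review candidates; the long tail is the baseline.
Get-ScriptBlockBaseline | Where-Object Rare | Format-Table Count, FirstSeen, Sample -AutoSize
```

Run across a fleet by exporting each host's log and pointing `-Path` at it, the same hash table lets a block that is common on build servers but appears once on a workstation stand out, which is the kind of environment-wide baseline the slide has in mind; an empty `Paths` column marks blocks that came from the command line or from memory rather than from a script on disk.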
Thank you!
matt.hastings [at] tanium.com, @_mhastings_
ryan.kazanciyan [at] tanium.com, @ryankaz42