Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    No, I was talking about sandbox/containment.
    I watched a video from cruelsister where a .doc file was able to start powershell, but then the payload was sandboxed
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also as far as .Net use of System.Management.Automation.dll, it has to run in the context of PowerShell as I stated previously.

    Mittal has an example of that in his write up that I am posting below. Further using PowerShell "Constained Language" mode would prohibit its use.
     
    Last edited: Aug 17, 2017
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well and fine for disk based PowerShell attacks. However, as noted through these posting are attacks where PowerShell and the payload are run entirely from memory.
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Comodo will only sandbox powershell, if a powershell script file is launched from the disk, because the sandbox is file reputation based.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    It also has fileless malware protection, I don't know if it's relevant here
     
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Imuade- Yeah, it is very relevant. Virtualization (such as is found in CF) is oblivious to the attack mechanism; the malware and resultant spawn will be contained separately but equally (Ive done too many videos on this exact topic). Also Powershell itself is not the issue, but instead what the powershell script will command to be done. CF is proof against attacks of this type (also, seems that some folk still feel the "fileless" malware is magic! Hardly the case).

    It should also be of no surprise to anyone that traditional types of protection are quite bad against Scriptors, whether PS, vbs, or Python based. Microsoft was well aware of this deficiency and thus tried to improve matters with stuff like AMSI (additional protection on the way in Win10).
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Mittal in his article mentioned that there were ways to run PowerShell scripts without using Win based powershell.exe although they were not publically disclosed. True to form, they have since been disclosed. What is disturbing about these is they are also designed to bypass Powershell "Constrained language" mode by creating a powershell instance in memory that runs in "Full Language" mode.

    The first to detail these bypasses was the Babushka dolls article discussed previously on Wilders: https://improsec.com/blog//babushka...ation-whitelisting-and-constrained-powershell. A more recent article noting same techniques but adding a "new twist" noted at the end of the article is given here: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ . So unless you have a security solution capable of monitoring .dll loading by .Net's InstallUtil.exe instances, your only alternative is to monitor its execution directly.

    Also of note is PowerOPS now includes this bypass:
    https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/
     
    Last edited: Aug 18, 2017
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    it's unbelievable the number of ways Powershell can get you once its on your system. But in reading a lot of the analysis's about Powershell attacks one thing stands out. They all start with someone being careless with email. So the trick is to mentally lock down your email procedures. That is easy for me, but for some companies and families it can be tough
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    On that regard, there's always Microsoft software that that can always be abused such as this Office365 attack: https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf

    Also all my recent PowerShell attack attempts have been via drive by download upon web site access.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I haven't really looked into it, and I don't understand all of the details. But for some reason I'm not really worried about PowerShell attacks, I think it's more often used in corporate environments.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, ransomware is extremely fond of using PowerShell. Whereas many of those are delivered via e-mail, Cerber is known to be delivered via drive by download as shown below:

    Eset_Malware_Cerber_2.png
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but in most attacks I read about, they always run powershell.exe at some point, which is easy to block.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Did you actually read the postings in this thread? The advanced Powershell attacks are running it from memory.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    And no they don't need powershell.exe Rasheed, grab a cup of coffee, and goodle "powershell attacks" Then sit back in awe.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Just found another Powershell nasty in a recent blog posting. And again, leave it to Casey Smith to dream this one up. Unlike the previously noted InstallUtil delivery that actually downloaded a Powershell executable to memory and executed it from there, this puppy skips the powershell.exe download entirely and instead downloads a binary code version of it within Mimikatz.

    Of note is DotNetToJScript requires .Net 3.5 or below. One more reason I have found to probably uninstall .Net 3.5 in Win 10 that doesn't need it natively. Of course that means I then can't use VoodooShield which uses .Net 2.0.o_O Also, PowerShell v2 requires .Net 3.0. So even if you don't uninstall it or malware downloads it to memory, it won't be able to run if .Net 3.5 is uninstalled in Win 10. And if you get a popup about an app, Powershell 2.0, wants to install .Net 3.5, you have your "alert" that malicious activity is underway.
    https://blog.stealthbits.com/how-attackers-are-bypassing-powershell-protections/

    BTW - standard .Net assemblies are not be used by the DotNetToJScript utility; you have to create your own custom one:
     
    Last edited: Aug 19, 2017
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but aren't these kind of attacks only related to exploits? You first have to exploit a process, before being able to run stuff like MimiKatz, is this correct?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, you keep asking similiar questions. You need to google "powershell attacks" and start reading. It's not a simple subject.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Majority of malware/exploits/UAC bypasses and all ransomware use WSH. Block that and you are better protected than with any AV. Removing powershell is a cherry on top.
    Most users do not need either, it is only required for a remote management in corporate environments. Even that can be done with other tools.

    Code:
    reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
    Code:
    takeown /f "%ProgramFiles%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /l /q /c
    rd "%ProgramFiles%\WindowsPowerShell" /s /q
    takeown /f "%ProgramFiles(x86)%\WindowsPowerShell" /a /r /d y
    icacls "%ProgramFiles(x86)%\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /l /q /c
    rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
    takeown /f "%WinDir%\System32\WindowsPowerShell" /a /r /d y
    icacls "%WinDir%\System32\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /l /q /c
    rd "%WinDir%\System32\WindowsPowerShell" /s /q
    takeown /f "%WinDir%\SysWOW64\WindowsPowerShell" /a /r /d y
    icacls "%WinDir%\SysWOW64\WindowsPowerShell" /inheritance:r /grant:r Administrators:(OI)(CI)F /t /l /q /c
    rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No. Powershell attacks can be delivered by any method current malware employs.

    Related to many of the Powershell attack tools such as Mimikatz, many do require admin privileges. As we all know, those are fairly easy these days for malware to acquire. More so in your case since you don't set UAC to the max. level, so a UAC bypass is somewhat trivial to accomplish.

    Relating specifically to Mimikatz, here's a good read: https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780. Mimikatz is most destructive on Win 7 and below OS versions. However, it works quite well on Win 10 as evidenced by the MRG AMSI testing which deployed it. Of note from the SANS article is:
    The only current recommended way by security experts to detect an attack by Powershell tools is given in the previously posted adsecurity.org article:
     
    Last edited: Aug 20, 2017
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I did read a couple of things, and yes it's not simple. But if you read them too, you should be able to answer my question. It isn't any different than other in-memory malware, they all start with some type of exploit. If you block the exploit, or contain the exploited process, you should be able to tackle it, no matter if the malware/exploit is using PowerShell or not.

    https://www.carbonblack.com/2016/04/06/who-needs-malware-powershell-and-wmi-are-already-there/
    https://www.carbonblack.com/2016/03...ell-targets-organizations-via-microsoft-word/
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No comment. You have a certain mindset in regards to exploits and further discussion is pointless.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Come on, that sounds a bit silly itman. What is your mindset about exploits, that's the real question. I think it's a good idea to keep an eye on attacks that involve the use of PowerShell (with or without triggering powershell.exe) but let's not make it a bigger deal, it's not like it's unstoppable.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, if you read then, you shouldn't need to ask the question. Gotcha.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.