Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just the opposite.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Although this Symantec link was posted in another thread, it deserves being repeated here: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf . It was just published and is by far the most comprehensive publication to date on Powershell attacks.

As I see it, AppLocker, notwithstanding its bypasses, currently offers the most protection against PowerShell-based malware. By default, when AppLocker is employed, PowerShell runs in "Constrained Language" mode. Additionally, unlike employing "Constrained Language" mode outside of AppLocker, which allows for all PowerShell script execution, scripts can be managed via AppLocker policy settings; for example, only allowing Microsoft-signed scripts to run, although a recent malware did just that. Note there are issues in this area as noted in reply #11, so those need to be factored in. AppLocker use on Win 10 with AMSI employed by your security product would offer the most protection.

Outside of AppLocker use, Win 10 AMSI, given you're using a security solution that employs it, and "Constrained Language" mode offer the most protection, although as previously noted both can be bypassed. The main current issue with AMSI use is the low detection of obfuscated scripts by security products. Although their use is currently low, it is a given that it will increase in time.

    Finally, Powershell 2.0 needs to be uninstalled since it can bypass both AppLocker and AMSI. If possible, .Net 3.5 should be uninstalled on Win 8/10.
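The post above recommends checking for Constrained Language mode, AppLocker script rules and the leftover PowerShell 2.0 engine. The following script is an added example, not code from the thread or from any product mentioned in it, that reports those settings on a Windows 10 host. It assumes PowerShell 5.1, an elevated prompt (the DISM and AppLocker cmdlets need it), and the standard Group Policy registry location for Script Block Logging; the function names are the example's own.

```powershell
# Added example (not from the thread): report the PowerShell hardening state a
# Windows 10 host is actually in. Run from an elevated PowerShell 5.1 prompt.
# Assumed: DISM and AppLocker modules present (Win 10 Pro/Enterprise),
# Script Block Logging policy under the usual HKLM policy key.

function Get-PowerShellHardeningState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{}

    # 1. Language mode of *this* session. With an enforced AppLocker script
    #    rule collection, PowerShell 5+ starts in ConstrainedLanguage by itself.
    $state.LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)"

    # 2. Is the PowerShell 2.0 engine still installed? It predates AMSI and
    #    Constrained Language mode, so "powershell -Version 2" sidesteps both.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $state.PowerShellV2Engine = if ($v2) { "$($v2.State)" } else { 'Unknown' }

    # 3. Is AppLocker enforcing (or auditing) a Script rule collection?
    $state.AppLockerScriptRules = 'None'
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($policyXml) {
        $xml = [xml]$policyXml
        $scriptRules = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
        if ($scriptRules) { $state.AppLockerScriptRules = $scriptRules.EnforcementMode }
    }

    # 4. Script Block Logging (Event ID 4104) records the de-obfuscated script
    #    text, which is what you want when AMSI misses an obfuscated sample.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $state.ScriptBlockLogging = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)

    [pscustomobject]$state
}

function Disable-PowerShellV2Engine {
    # Removes the v2 engine on Win 8/10; a reboot may be requested afterwards.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('MicrosoftWindowsPowerShellV2Root', 'Disable optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
    }
}

Get-PowerShellHardeningState | Format-List
# Then, once you are happy with the report:
#   Disable-PowerShellV2Engine -WhatIf
#   Disable-PowerShellV2Engine
```

If the report itself fails partway with "method invocation is supported only on core types", the session is already in Constrained Language mode, which answers the first question on its own. A state of "Enabled" for PowerShellV2Engine means the bypass the post describes is still available regardless of what the other three lines say.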
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No why was I afraid you would be saying this? BTW, you don't need to register, just do a search for "Stripping the Malware Threat Out of PowerShell with enSilo", and then you can download the paper. It describes exactly what I mentioned earlier, it takes a different approach, it doesn't try to block PowerShell attacks in the early stages, which is difficult to achieve 100% of the time. But it's mainly focused on blocking the end-goal, which is often data stealing or encryption. That's good enough for me.

    Good point.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Since you failed to post the link to it, here it is: https://cdn2.hubspot.net/hubfs/487909/pdfs/ensilo-whitepaper-powershell-final.pdf?t=1491067283169 .

    Again, it is only blocking the outbound malware connection. It has a system logging facility that records all activity that you can then utilize to determine the malware activity. Note the following:

    1. It did not prevent any of the malware activity from occurring.
    2. You will have to manually perform remediation activity to undo any changes the malware performed.

    Further, I have posted multiple examples of Powershell based malware that requires no remote connection activity.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I forgot to mention in reply #77 about the monitoring of powershell.exe execution in non-corp. environments.

It is at best moderately effective. It will work for local disk-based powershell.exe and only when started from its default Windows directory. It won't work for memory-based or remote execution of PowerShell. Also, depending on your monitoring security solution, it may not detect any stealth-based child process initiated startup of powershell.exe.

Malware can also drop a copy of PowerShell in any directory it pleases. You can also rest assured that the dropped .exe won't be named powershell.exe. The ideal directory would be one of the Windows ones to avoid whitelist detection if it can gain admin privileges. Perform the following test. Copy the existing powershell.exe in the C:\Windows\System32\WindowsPowerShell\v1.0 directory to the C:\Windows directory. Rename it. Run it. See how your whitelisting solution, if you're using one, behaves. VoodooShield much to my surprise did give me an alert about the .exe starting. Thought it didn't by default monitor the Windows directories? Perhaps only the C:\Windows directory? In any case, the alert stated the xyz.exe had been scanned as clean by all the VT engines and it was safe to run the process. o_O In other words, it didn't detect that the process was in fact powershell.exe.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    VT checks hash of scanned file so name of the file is not that important. Powershell is not malware so it's only logical to not get flagged by AV vendors on VT.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If that was true, VS should have detected the file as powershell.exe which it did not. The point being made is you're monitoring for powershell.exe startup and probably would allow xyz.exe to run based on available information given.
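Replies #5 and #7 above make the point that a copy of powershell.exe renamed to xyz.exe is still PowerShell, and that a monitor keyed on the process name misses it. The script below is an added example, not code from the thread or from VoodooShield, that finds such copies by what the file is rather than what it is called: the PE version resource's OriginalFilename survives a rename, and a byte-for-byte copy keeps the SHA-256 of the original. It assumes Windows 10 with PowerShell 5.1 in its default locations, and the function names and scan roots are the example's own.

```powershell
# Added example (not from the thread): locate PowerShell host binaries that
# live outside their normal directory or have been renamed, on disk and among
# running processes. Assumed: Win 10, PowerShell 5.1 at the default paths.

$KnownHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
) | Where-Object { Test-Path -LiteralPath $_ }

# Hashes of the legitimate copies: a straight copy matches these whatever it
# is named, and a patched copy (hash changed) is still caught by the version
# resource check below.
$KnownHashes = $KnownHosts | ForEach-Object { (Get-FileHash -Algorithm SHA256 -LiteralPath $_).Hash }

function Test-IsPowerShellHost {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    } catch { return $false }
    # Renaming the file does not touch OriginalFilename in the version resource.
    # (-in is case-insensitive in PowerShell.)
    if ($vi.OriginalFilename -in @('PowerShell.EXE', 'PowerShell_ISE.EXE')) { return $true }
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    return ($hash -in $KnownHashes)
}

function Find-RenamedPowerShellFiles {
    # Scan roots are an assumption; C:\Windows is included because that is the
    # directory the test in the thread drops the copy into.
    param([string[]]$Root = @("$env:SystemRoot", "$env:ProgramData", "$env:USERPROFILE"))
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notin $KnownHosts } |
        Where-Object { Test-IsPowerShellHost -Path $_.FullName } |
        Select-Object FullName, Length, LastWriteTime
}

function Find-RenamedPowerShellProcesses {
    Get-Process | ForEach-Object {
        $p = $_
        # MainModule throws for protected or other-bitness processes; skip those.
        try { $path = $p.MainModule.FileName } catch { return }
        if ($path -and ($path -notin $KnownHosts) -and (Test-IsPowerShellHost -Path $path)) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $path }
        }
    }
}

# Reproduce the thread's test (elevated), then run the two scans:
#   Copy-Item "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" "$env:SystemRoot\xyz.exe"
#   Start-Process "$env:SystemRoot\xyz.exe"
Find-RenamedPowerShellFiles
Find-RenamedPowerShellProcesses
```

Both checks are after-the-fact: the copy has already run by the time the process scan sees it. The practical lesson for a whitelisting or process monitor is the same as the one in reply #7, though: key the rule on OriginalFilename, hash or signer, never on the name the attacker chose.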
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    IDK how VS protects system, but AVs can't flag powershell exes as malicious (even if renamed).
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @Rasheed187 since I can't edit reply #79, the only realtime protection mentioned in the enSilo whitepaper is given below and it appears to be directed to ransomware like activities:
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The efficacy of an Outbound Firewall depends on the actual purpose of the Powershell malware. Some PS malware may be ransomware which may need no network connections to trash your system, but they also may be in the form of a Botnet, Banker, etc where Outbound alerts will prevent the malware from succeeding until the traditional AV vector can catch up with it.

    With Powershell malware it is important to remember that the actual mechanism of action, the ultimate purpose, and defense against it will vary very widely.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to Win 10 AMSI and the obfuscated script issue, there is a new nasty variant of Locky ransomware on the scene. You can read about it here: https://heimdalsecurity.com/blog/locky-ransomware-new-lukitus-extension/ . Locky is famous for using the Nemucod downloader for ransomware payload delivery.

    Nemucod is also notorious for using heavily obfuscated scripts. There is a great example and write up of one here: http://www.kahusecurity.com/2016/deobfuscating-the-nemucod-downloader-script/. The main thing to note is:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It has both post and pre-execution protection. So if it can block malware from running via AV, it will do so. But if it can't block it in the first stage, the behavior blocker will eventually step in.

    https://www.ensilo.com/platform/post-infection-protection/
    https://www.ensilo.com/platform/forensics/

    It's not only directed to ransomware, it can also block data ex-filtration. So it's mostly focused on data protection, and they try to keep it simple. SentinelOne seems to be a more comprehensive solution, but I'm not sure if it's more effective. But in theory it should also be able to tackle PowerShell attacks.

    https://sentinelone.com/platform/

    Then what is the purpose? Malware always has a goal.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but again to try Sentinel one you have to jump thru hoops. They don't want our business
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you can find an AV Lab test or even an independent review of Ensilo, I would be most interested. I couldn't find anything in this regard.

    -EDIT- Here's a joint MRG and A-V C Next Gen comparative done last year: https://www.av-comparatives.org/wp-content/uploads/2016/11/avc_mrg_biz_2016_nextgen_en.pdf .

    SentinelOne was good against conventional malware but not the best; Barracuda was. However as far as exploit protection goes, it scored a dismal 28%.

    Hopefully, the test will be done again next month with more participants.
     
    Last edited: Aug 24, 2017
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
The same features that make PowerShell appealing to admins and IT techs also make it attractive to hackers.

It's a tool, and like any tool, it can be abused. You have to live with the fact PS is part of the bad guys' toolkit.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also couldn't find anything, but I do believe these guys are the real deal. Keep in mind, they came up with the AtomBombing and Captain Hook attacks, and they are able to block PeddleCheap, not from running, but from reaching its end-goal, see third link.

    https://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
    https://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking
    https://blog.ensilo.com/nsa-tools-vs-ensilo

    Strangely enough they don't seem to be focused on blocking exploits, but all of them did manage to spot the infection. And here is their response to NSS Labs:

    https://www.sentinelone.com/blog/nss-test/
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Doesn't matter on either of these two. They don't want our business so to me they are irrelevant. They are set up for business, and they only will schedule a demo, they don't post trials or prices, they want to get a shot with their sales folks. No thanks.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @Rasheed187 CSO Magazine has an article on the top 2017 security solutions for corp. environments here: http://www.csoonline.com/article/3206685/security/top-security-tools-of-2017.html#tk.csoendnote . The product they recommend and have internally tested is Minerva's Anti-Evasion solution which is designed to work with and supplement any existing endpoint AV solution that might be installed. Reference links below:

    https://www.minerva-labs.com/

    https://daks2k3a4ib2z.cloudfront.net/5757fcb8825e8dbc6c852e3c/59870aa599d8940001246b6e_Minerva_Endpoint_Defense_Brochure.pdf
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting concepts, but from the approach, I suspect 1) I can't afford it and 2) I probably don't need it.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's another ref. to a free Spora ransomware vaccine Minerva provides plus a POC ref within on GitHub:http://www.minerva-labs.com/post/va...ransomware-a-proof-of-concept-tool-by-minerva

    -EDIT- A bit more detail on how Minerva AE works:
    http://www.csoonline.com/article/32...ts-endpoints-with-trickery-and-deception.html
     
    Last edited: Aug 26, 2017
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
@Rasheed187, SC Magazine did a detailed review on SentinelOne a few years ago. The main thing to note is given below, which is that these are all vendor-managed solutions, including malware mitigation:
    https://www.scmagazine.com/sentinelone-epp-endpoint-protection-platform/review/7035/
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
  24. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands