Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    True if .Net PowerShell assemblies are to be executed locally such as previously described via a WMI Consumer Event. Remember that in an Empire PowerShell attack that would employ a script only, all that is needed is for Empire to remotely load the script into the target's memory space and execute it. .Net not required in this case. Remember that Empire is running PowerShell from the attack server.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,228
    Location:
    Italy
    Correct.
    I would like to emphasize that, based on the topic of this discussion, I think it is easier to protect XP compared to other OSes. ;)
    But others will have a different opinion. :)
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Looking for "ingenious" ways for PowerShell attack methods, I started "blue skying" the possible use of Node.js. This led me to the following, which will embed PowerShell within it:
    https://www.npmjs.com/package/node-powershell

    There is one problem with Node.js usage however. It must be installed on a web server. So that rules out a desktop attack. Or, does it? Well what happens if one of your trusted apps actually installs a Node.js web server on your desktop? This scenario actually occurred last year courtesy of NVidia. And what is illuminating is you have all PowerShell's attack capability w/o actually employing it.

    Abusing NVIDIA’s Node.js To Bypass Application Whitelisting
    https://www.sec-consult.com/en/blog/2017/04/application-whitelisting-application/index.html

    BTW - if you have GeForce Experience 3.xx installed, you need to read this: http://nvidia.custhelp.com/app/answers/detail/a_id/4459
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Last edited by a moderator: Mar 26, 2018
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    PowerShell Obfuscation Ups the Ante on Antivirus
    September 12, 2018
    https://threatpost.com/powershell-obfuscation-ups-the-ante-on-antivirus/137403/
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    The write-up is from Sept 12 but ESET has blocked the domain with the payload since July 18 which is when they submitted the file for analysis at VT. According to the time of submission, ESET was already blocking the hostname at that time.

    Scanning just a downloader script does not give a whole picture of how well a particular AV can protect the system.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Cylance is at it again I see. Actually, I read the article yesterday but decided to abstain from comment since again, it's just the same old propaganda spewing by Cylance.:argh:
     
  8. guest

    guest Guest

    yes... you know, for Cylance, VT represents the true power of the AV listed, with all features, right...? because real world users disable all pro-active features...:rolleyes:
     
  9. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    213
    What do you expect them to do, run the script against the 59+ engines on VirusTotal so they don't catch flak from itman and guest on the Wilders forums?
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Good point and wasn't Cylance bad in blocking script based malware?
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,309
    The consumer version (Smart Antivirus) doesn't have the Script Control module present in the enterprise product (Cylance Protect), so only the home version can be considered weak against script based malware.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    The issue of highly obfuscated PowerShell, etc. scripts is nothing new. Malware Research Group well over a year ago conducted an ad hoc test on the subject:
    https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/

    Appears to me Cylance is just "scraping the bottom of the propaganda barrel" in its never ending attempts to discredit its competition.

    Also of note is that with the next release of Win 10, you will be able to unconditionally block any obfuscated PowerShell script via WDEG ASR mitigation. Somewhat of a moot point since by now, almost all are monitoring/blocking PowerShell execution.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I hope this is an appropriate thread for this post. I had been playing around with the 'setx' command line app a few weeks ago and came up with another way to enable/disable Constrained Language Mode in an easy way. I used to always go through Control Panel - System - Advanced system settings - Environment Variables anytime I needed to temporarily disable CLM for whatever reason.

    I was seeking a quicker method which I could use in an Admin command prompt or with shortcut or batch script. Anyway, I figured I would share this in case it is useful to anyone else.


    Enable Constrained Language Mode:
    Code:
    setx __PSLockdownPolicy "4" /M

    Disable Constrained Language Mode (revert to Full Language Mode):
    Code:
    setx __PSLockdownPolicy "0" /M
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    One more Win utility .exe to monitor since it can likewise be used by malware to disable constrained language mode.

    A few other points to consider:
    https://ss64.com/nt/setx.html
     
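An added audit script (not posted by anyone in this thread) that follows up on the two points above: it reads the machine-level __PSLockdownPolicy value that `setx ... /M` persists to the registry, compares it with the language mode of the running session, and reports drift such as the variable being removed or set back to 0. It assumes Windows PowerShell 5.1 on Windows, where that variable is honoured, and an expected value of 4 (Constrained Language Mode).

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1, where
# __PSLockdownPolicy is read once at process start to pick the language mode.

# setx /M writes machine-wide variables to this key; new processes inherit them.
$EnvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-CLMState {
    $stored = (Get-ItemProperty -Path $EnvKey -Name '__PSLockdownPolicy' `
                -ErrorAction SilentlyContinue).'__PSLockdownPolicy'
    [pscustomobject]@{
        StoredPolicy = $stored                   # $null if the variable was removed
        ProcessValue = $env:__PSLockdownPolicy   # value this process started with
        SessionMode  = $ExecutionContext.SessionState.LanguageMode
    }
}

function Test-CLMDrift {
    param([int]$ExpectedPolicy = 4)   # 4 = ConstrainedLanguage; 0 reverts to FullLanguage
    $s = Get-CLMState
    $findings = @()
    if ($null -eq $s.StoredPolicy) {
        $findings += 'machine-level __PSLockdownPolicy is missing; new sessions will not be constrained'
    } elseif ([int]$s.StoredPolicy -ne $ExpectedPolicy) {
        $findings += "machine-level __PSLockdownPolicy is $($s.StoredPolicy), expected $ExpectedPolicy"
    }
    # The stored value only takes effect for processes started after the change,
    # so the running session can still be constrained after a setx/set tampering.
    # Report the live mode separately so both states are visible.
    if ($s.SessionMode -ne 'ConstrainedLanguage') {
        $findings += "current session runs in $($s.SessionMode) mode"
    }
    if ($s.ProcessValue -ne $s.StoredPolicy) {
        $findings += "process inherited '$($s.ProcessValue)' but registry now holds '$($s.StoredPolicy)'"
    }
    return $findings
}

$f = Test-CLMDrift
if ($f.Count -eq 0) { Write-Output 'OK: Constrained Language Mode is enforced and persisted.' }
else { $f | ForEach-Object { Write-Output "WARN: $_" } }
```

Because the language mode is fixed when powershell.exe starts, a mismatch between the inherited value and the registry value is the signature of a change made while the session was running.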
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Case in point about SETX.

    Windows Defender's new sandbox protection can be enabled/disabled using it by any malware w/admin privileges or a bypass:
    https://www.bleepingcomputer.com/news/microsoft/microsoft-sandboxes-windows-defender/

    Or, just use SET to remove the entire environment variable.

    Did we just discover a security hole for this new WD sandbox protection? Let's see how long it takes for a POC bypass using this.
     
    Last edited: Oct 29, 2018
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,309
    How is this a security hole? Could you please explain further?
     
  17. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    Same way malware disabled WD entirely, it can also disable this as well.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Thought I already did that?

    Look for previous malware examples that abused existing Win system utility processes. Again, we'll just wait for some pen tester to develop a POC on how to do so. Don't believe that will take that long.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,778
    Location:
    U.S.A. (South)
    Perhaps but 8.1 also, properly conditioned, is and should compare up with XP very well in the protection category. Just a reminder :)
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @itman Great points, thank you for sharing. :thumb:
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    FYI.

    Ensilo has a good article in regards to environment variable exploiting and SETX usage:

    Elastic Boundaries – Elevating privileges by environment variables expansion
    https://blog.ensilo.com/elastic-boundaries-elevating-privileges-by-environment-variables-expansion

    One scenario among many:

     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Last edited: Nov 6, 2018