Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    I was just checking if you fully understood what this stuff is all about, since you seem to be fascinated by it, and almost seem to believe it's not stoppable and even a big threat to home users, which it is not AFAIK.

    Exactly my point, no magic involved. :thumb:
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    @Zoltan_MRG "chastised" me in another thread about using the exploit term loosely. By definition an exploit requires a system/app software vulnerability. Now if you subscribe to the concept that the Windows OS itself is one huge vulnerability like I do, then your "exploit" references are in context. Otherwise, the PowerShell attacks noted in this thread are "abuses" of Powershell which do not require an existing vulnerability to be carried out.
     
  3. Rasheed187

    OK, I see what you mean. But like I said, normally when PowerShell is used to deliver malware, it's done via some app exploit. But it's still possible to contain or block the malware that is delivered. Of course it gets trickier with stuff like Mimikatz and PeddleCheap, which both run in-memory, but like the MRG test showed it's still possible to catch them, or to at least block their activities.
     
  4. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,309
    I share the same opinion as @Rasheed187 in this topic: why is PowerShell malware a big deal? Why, for all purposes, is it different from executable malware delivered by email or drive-by download?

    As I see it, users are much safer now than in the past; that's why malware creators need to use PowerShell to deliver the payload. It isn't a doom scenario as some articles may paint for the reader; security fatigue doesn't help anyone.

    I mean, when a malicious file runs, for all purposes you are doomed anyway, no matter the kind of attack used; I will seriously worry the day that this kind of malware runs without any user interaction on an up-to-date OS.

    I respect @itman's insights and expertise; this kind of information is very interesting for us (geek users), but for the average Joe it is just malware, it isn't the end of the world like the media "reports".

    https://blog.malwarebytes.com/101/2017/04/how-to-fight-security-fatigue/
    https://www.nist.gov/news-events/ne...mputer-users-feel-hopeless-and-act-recklessly
     
  5. itman

    Oh, my ............. o_O

    The MRG test showed the exact opposite.

    7 out of 12 products tested detected a disk-based Mimikatz delivered Powershell script - or slightly over 50%.

    When a memory based script was used by Mimikatz and the Win 10 AMSI feature was employed by the security product, the detection rate dropped to 5 out of 12. Finally when a memory based obfuscated script was used, the detection rate dropped to 3 out of 12.

    -EDIT- Of note, and something I should have posted previously and MRG should have noted, is that the incidence of obfuscated PowerShell scripts is quite low:
    https://www.symantec.com/connect/bl...e-954-percent-analyzed-scripts-were-malicious

    Assume that on a non-Win 10 OS or Win 10 w/o AMSI use, security product memory based script detection rate would be close to 0%. Additionally, AI/Next Gen products have dismal protection scores against memory based script malware detection.

    Again, review the above attack postings where no script was employed for example, .Net was used instead, or Powershell was run entirely from memory.
     
    Last edited: Aug 20, 2017
  6. itman

    As far as applicability of the noted pentester's bypasses goes, there is this comment. Casey Smith's regsvr32.exe "squiblydoo" bypass was "theoretical" when introduced last year. If you look at recent malware attacks, it is increasingly being deployed in these.
     
  7. itman

    So ..... Just how dangerous and how much of a threat are PowerShell based attacks?

    If your point of reference is externally delivered disk or memory based scripts, they are without a doubt overwhelmingly malicious:
    https://www.theinquirer.net/inquire...954-percent-of-powershell-script-is-malicious

    Overall stats on PowerShell malware:
    https://ajarr.org/home/security-blog/item/68-increased-use-of-powershell-in-attacks

    https://www.carbonblack.com/wp-content/uploads/2016/04/Cb-Powershell-Deep-Dive-A-United-Threat-Research-Report-1.pdf

    Relating to fileless use of PowerShell:
    https://securityintelligence.com/news/security-tools-must-adapt-to-fileless-nonmalware-attacks/
     
  8. itman

    Came across this very recent PowerShell AppLocker bypass. This article combines attack methods previously discussed; Empire, Casey Smith's regsvr32.exe "squiblydoo" bypass, and DotNetToJScript neatly to download and run Powershell in memory.

    The important thing to note is that all that is needed to pull off a successful attack like this is to get the Powershell offensive tool downloaded to the target. Then launch the attack to run the tool remotely.
    https://bneg.io/2017/07/26/empire-without-powershell-exe/
     
  9. Rasheed187

    Yes, but some did stop all of those tests, right? So is it stoppable or not? Also, this type of stuff isn't a real threat to home users AFAIK. Would be cool if MRG tested Next Gen AVs, since they are supposed to block or contain these kinds of attacks in corporate environments. Here is an example of such a tool:

    https://www.barkly.com/

    Exactly my point. I don't think I have ever seen Peter2150 so afraid LOL. There is nothing special about this kind of stuff.
     
  10. itman

    If you read the MRG blog posting which obviously you did not, there is the following comment in this regard:
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The only thing more humorous than the questions is the Barkly.com link. Rasheed, haven't you figured out that marketing hype and engineered reality are two different worlds? If only the marketing promises were genuine protection. Now as to my being afraid. Afraid no, but being aware yes. I agree most home users have no concern. But I do have a business, and many of my clients are in corporations or government. And I frequently see emails which are a clear indication they have been infected. So I need to be alert to some of these advanced threats.
     
  12. itman

    In regards to "oldies but goodies" that still work in PowerShell based attacks, there is this article from redmondmag.com. Another way to attack w/o use of powershell.exe. This one has limited scope and definitely does not work on Win 10. Also note that "Constrained Language" mode will prevent this one from running for Powershell v3+. Also, another "bugger" that uses .Net 2.0.

    By now most Wilders folks know about SysInternals PsExec but what about PS2EXE?
    https://redmondmag.com/articles/2017/01/27/convert-a-powershell-script-into-an-exe-file.aspx
     
    Last edited: Aug 21, 2017
  13. Rasheed187

    Yes I did read it; they clearly say "most solutions", so it would be cool to see which of the big names is able to tackle this stuff. Also, it's all about stopping the end goal, so if you can block the attack in a later stage it's still effective. All of these next gen tools are made to tackle file-less attacks. Here is another interesting tool:

    https://www.ensilo.com/platform/product/
     
  14. Rasheed187

    OK I see. What products do you use to tackle this threat? And yes I agree, until these tools are actually tested, you never know for sure if they can truly protect. However, with some of these tools we already have experience, for example Sandboxie/Invincea should be able to protect against attacks on MS Office.
     
  15. Peter2150

    Yes, but running Outlook 2010 in Sandboxie is dodgy at best. In terms of my office apps I have the following defenses:

    1. Emsi Anti Malware
    2. Appguard
    3. Hitman Pro Alert
    4. Email common sense.

    No. 4 is critical. I've made clear to the two girls who handle the business email that they are to use their judgement and intuition, and even if the email is from a client, to act on their judgement. If a client gets upset, that is my job.

    Also, from some of the threat analysis I've read, I am not sure even Sandboxie is 100%.
     
  16. itman

    Like any good perimeter network security appliance, Ensilo is blocking the outbound connection from the offensive Powershell tool as shown in the below screen shot. You can do the same with a good firewall by monitoring your outbound connections. Of course, you have to know what to allow and what to block. This is getting exceedingly difficult given that attackers are increasingly using legit Windows processes as part of their attack strategies. Additionally, the malware is still resident on the device and forensic analysis needs to be performed to find and remove it. Really, I thought you knew better than to fall for the Next Gen/AI marketing crap.

    Ensilo.png

    -EDIT- BTW, at the minimum you should have firewall rules to monitor all inbound and outbound activity from powershell.exe and regsvr32.exe.
     
    Last edited: Aug 21, 2017
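    An added example of the defensive setup described in the post above (not code from the thread or from any vendor mentioned): outbound Windows Firewall block rules for powershell.exe and regsvr32.exe, logging of dropped connections, and PowerShell script block logging so that in-memory or obfuscated scripts still leave a record in the event log. Rule names and the choice to block rather than only monitor are this example's own; run it from an elevated PowerShell session on Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound firewall rules for the two LOLBins named in the post.
# Both 64-bit and 32-bit copies are covered; paths that do not exist are skipped.
$binaries = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)

$i = 0
foreach ($exe in $binaries) {
    if (-not (Test-Path $exe)) { continue }
    $i++
    # Hypothetical rule name; the index keeps the two powershell.exe rules distinct.
    $name = "LOLBin outbound block $i - $(Split-Path $exe -Leaf)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Log dropped packets on every profile so a blocked callback from one of these
# binaries shows up in pfirewall.log (the default log location is kept).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Script block logging (PowerShell v5) writes the de-obfuscated script text to
# Microsoft-Windows-PowerShell/Operational as Event ID 4104, which is what
# lets a memory-only or obfuscated script be reviewed after the fact.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Check: list the rules that were created and confirm logging is on.
Get-NetFirewallRule -DisplayName 'LOLBin outbound block*' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile | Select-Object Name, LogBlocked
```

    Blocking powershell.exe outbound will also break legitimate admin and update scripts that download content, so on a managed host start with logging only and add the block rules once the normal traffic is known.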
  17. Peter2150

    My bold
     
  18. Rasheed187

    My point is that it will do the job, no matter how it's called, and no matter if it's old or new tech. Perhaps you should sign up and download this white-paper and report back, perhaps it will convince you. Also, firewalls won't help if code injection is used.

    https://pages.ensilo.com/stripping-the-malware-threat-out-of-powershell-with-ensilo

    My bad, I already knew that setup, but I thought you also advised your clients/other business how to secure their systems. About Barkly, the proof is in the pudding:

    https://blog.barkly.com/powerpoint-malware-installs-when-users-hover-over-a-link
    https://blog.barkly.com/blocking-sorebrect-ransomware-fileless-infection-technique
    https://blog.barkly.com/ovidiy-stealer-credential-theft-malware
     
  19. Peter2150

    Nope, I don't advise my clients on that stuff. I don't have the time and don't want the responsibility. I just protect myself. I hate to say this, but there is no proof in those links. The proof is in running their software and putting it to the test.
     
  20. Rasheed187

    Well yes, but I don't think those videos are faked. BTW, perhaps you can fool around with this, if you have the time:

    https://www.barkly.com/stackhackr
     
  21. itman

    What proof?

    You posted three links, of which only one mentions PowerShell-based execution. From the details given, I see nothing "earth shattering." A more recent attack is here: https://isc.sans.edu/diary/22730 that required no user interaction; it launched immediately upon opening the document.

    Sucks, the eclipse went by a couple of hours ago and I could have been "barking" when it passed.:D
     
    Last edited: Aug 21, 2017
  22. Rasheed187

    Was just a general post about their malware blocking capabilities, because Peter2150 was quite skeptical. And please do sign up for the enSilo report, would love to know what you think about it. Not sure why you seem to think that all of these PowerShell related attacks are unstoppable. Again, there is no magic involved.
     
  23. itman

    I will let that statement stand as is w/o comment.
     
  24. Rasheed187

    OK, so I assume you do NOT think they are unstoppable. Then we're on the same page. :D
     
  25. Peter2150

    Wouldn't waste my time. 1) Any of these "tests" always force me to turn off protection to get them to run. Dumb. 2) I don't need their silly test, I test against real malware.
    3) They want a business email. Not happening.
     