Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Just the opposite.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Although this Symantec link was posted in another thread, it deserves being repeated here: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf . It was just published and is by far the most comprehensive publication to date on Powershell attacks.

    As I see it, Applocker notwithstanding its bypasses, currently offers the most protection against Powershell based malware. By default when AppLocker is employed, PowerShell runs in "Constrained Language" mode. Additionally unlike employing "Constrained Language" mode outside of AppLocker which allows for all Powershell script execution, scripts can be managed via AppLocker policy settings. For example, only allowing Microsoft signed scripts to run although a recent malware did just that. Note there are issues in this area as noted in reply #11, so those need to be factored in. AppLocker use on Win 10 with AMSI employed by your security product would offer the most protection.

    Outside of AppLocker use, Win 10 AMSI given you're using a security solution that employs it and "Constrained Language" mode offer the most protection although as previously noted both can be bypassed. The main current issue with AMSI use is the low detection of obfuscated scripts by security products. Although their use is currently low, it is a given that will increase in time.

    Finally, Powershell 2.0 needs to be uninstalled since it can bypass both AppLocker and AMSI. If possible, .Net 3.5 should be uninstalled on Win 8/10.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    No why was I afraid you would be saying this? BTW, you don't need to register, just do a search for "Stripping the Malware Threat Out of PowerShell with enSilo", and then you can download the paper. It describes exactly what I mentioned earlier, it takes a different approach, it doesn't try to block PowerShell attacks in the early stages, which is difficult to achieve 100% of the time. But it's mainly focused on blocking the end-goal, which is often data stealing or encryption. That's good enough for me.

    Good point.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Since you failed to post the link to it, here it is: https://cdn2.hubspot.net/hubfs/487909/pdfs/ensilo-whitepaper-powershell-final.pdf?t=1491067283169 .

    Again, it is only blocking the outbound malware connection. It has a system logging facility that records all activity that you can then utilize to determine the malware activity. Note the following:

    1. It did not prevent any of the malware activity from occurring.
    2. You will have to manually perform remediation activity to undo any changes the malware performed.

    Further, I have posted multiple examples of Powershell based malware that requires no remote connection activity.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    I forgot to mention in reply #77 about the monitoring of powershell.exe execution in non-corp. environments.

    It is at best moderately effective. It will work for local disk based powershell.exe and only when started from the its default Windows directory. It won't work for memory based or remote execution of Powershell. Also depending on your monitoring security solution, it may not detect any stealth based child process initiated startup of powershell.exe.

    Malware can also drop a copy of Powershell in any directory it pleases. You can also rest assured that the dropped .exe won't be named powershell.exe. The ideal directory would be one of the Windows ones to avoid whitelist detection if it can gain admin privileges. Perform the following test. Copy the existing powershell.exe in C:\Windows\System32\WindowsPowerShell\v1.0 directory to C:\Windows directory. Rename it. Run it. See how your whitelisting solution, if your using one, behaves. VoodooShield much to my surprise did give me an alert about the .exe starting. Thought it didn't by default monitor the Windows directories? Perhaps only C:\Windows directory? In any case, the alert stated the xyz.exe had been scanned as clean by all the VT engines and it was safe to run the process.o_O In other words, it didn't detect that the process was in fact powershell.exe.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    VT checks hash of scanned file so name of the file is not that important. Powershell is not malware so it's only logical to not get flagged by AV vendors on VT.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    If that was true, VS should have detected the file as powershell.exe which it did not. The point being made is you're monitoring for powershell.exe startup and probably would allow xyz.exe to run based on available information given.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    IDK how VS protects system, but AVs can't flag powershell exes as malicious (even if renamed).
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    @Rasheed187 since I can't edit reply #79, the only realtime protection mentioned in the enSilo whitepaper is given below and it appears to be directed to ransomware like activities:
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,519
    Location:
    Paris
    The efficacy of an Outbound Firewall depends on the actual purpose of the Powershell malware. Some PS malware may be ransomware which may need no network connections to trash your system, but they also may be in the form of a Botnet, Banker, etc where Outbound alerts will prevent the malware from succeeding until the traditional AV vector can catch up with it.

    With Powershell malware it is important to remember that the actual mechanism of action, the ultimate purpose, and defense against it will vary very widely.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    In regards to Win 10 AMSI and the obfuscated script issue, there is a new nasty variant of Locky ransomware on the scene. You can read about it here: https://heimdalsecurity.com/blog/locky-ransomware-new-lukitus-extension/ . Locky is famous for using the Nemucod downloader for ransomware payload delivery.

    Nemucod is also notorious for using heavily obfuscated scripts. There is a great example and write up of one here: http://www.kahusecurity.com/2016/deobfuscating-the-nemucod-downloader-script/. The main thing to note is:
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    It has both post and pre-execution protection. So if it can block malware from running via AV, it will do so. But if it can't block it in the first stage, the behavior blocker will eventually step in.

    https://www.ensilo.com/platform/post-infection-protection/
    https://www.ensilo.com/platform/forensics/

    It's not only directed to ransomware, it can also block data ex-filtration. So it's mostly focused on data protection, and they try to keep it simple. SentinelOne seems to be a more comprehensive solution, but I'm not sure if it's more effective. But in theory it should also be able to tackle PowerShell attacks.

    https://sentinelone.com/platform/

    Then what is the purpose? Malware always has a goal.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but again to try Sentinel one you have to jump thru hoops. They don't want our business
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    If you can find an AV Lab test or even an independent review of Ensilo, I would be most interested. I couldn't find anything in this regard.

    -EDIT- Here's a joint MRG and A-V C Next Gen comparative done last year: https://www.av-comparatives.org/wp-content/uploads/2016/11/avc_mrg_biz_2016_nextgen_en.pdf .

    SentinelOne was good against conventional malware but not the best; Barracuda was. However as far as exploit protection goes, it scored a dismal 28%.

    Hopefully, the test will be done again next month with more participants.
     
    Last edited: Aug 24, 2017
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,916
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,742
    The same features that make PowerShell appealing to admins and IT techs also make them attractive to hackers.

    Its a tool - and like any tool, it can be abused. You have to live with the fact PS is part of the bad guys' toolkit.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    I also couldn't find anything, but I do believe these guys are the real deal. Keep in mind, they came up with the AtomBombing and Captain Hook attacks, and they are able to block PeddleCheap, not from running, but from reaching its end-goal, see third link.

    https://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
    https://blog.ensilo.com/intrusive-applications-6-security-to-watch-out-for-in-hooking
    https://blog.ensilo.com/nsa-tools-vs-ensilo

    Strangely enough they don't seem to be focused on blocking exploits, but all of them did manage to spot the infection. And here is their response to NSS Labs:

    https://www.sentinelone.com/blog/nss-test/
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Doesn't matter on either of these two. They don't want our business so to me they are irrelevant. They are set up for business, and they only will schedule a demo, they don't post trials or prices, they want to get a shot with their sales folks. No thanks.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    @Rasheed187 CSO Magazine has an article on the top 2017 security solutions for corp. environments here: http://www.csoonline.com/article/3206685/security/top-security-tools-of-2017.html#tk.csoendnote . The product they recommend and have internally tested is Minerva's Anti-Evasion solution which is designed to work with and supplement any existing endpoint AV solution that might be installed. Reference links below:

    https://www.minerva-labs.com/

    https://daks2k3a4ib2z.cloudfront.net/5757fcb8825e8dbc6c852e3c/59870aa599d8940001246b6e_Minerva_Endpoint_Defense_Brochure.pdf
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting concepts, but from the approach, I suspect 1) I can't afford it and 2) I probably don't need it.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Here's another ref. to a free Spora ransomware vaccine Minerva provides plus a POC ref within on GitHub:http://www.minerva-labs.com/post/va...ransomware-a-proof-of-concept-tool-by-minerva

    -EDIT- A bit more detail on how Minerva AE works:
    http://www.csoonline.com/article/32...ts-endpoints-with-trickery-and-deception.html
     
    Last edited: Aug 26, 2017
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    @Rasheed187, SC Magazine did a detailed review on Sentential One a few years ago. The main thing to note is given below which is these are all vendor managed solutions including malware mitigation:
    https://www.scmagazine.com/sentinelone-epp-endpoint-protection-platform/review/7035/
     
  23. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,578
    Location:
    Texas
  24. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,641
    Location:
    Sneffels volcano
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.