Current state of malicious Powershell script blocking

Discussion in 'other anti-virus software' started by itman, Aug 9, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The AlpineSecurity article used a basic, easy to understand example to deploy Empire on the target host. There are much stealthier ways to do so.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting, I had not thought of this aspect. Particularly for malware copying PowerShell modules in different directories and such. Thanks for the insight! :thumb:
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Some doubts here too:

    https://www.powershellempire.com/?page_id=273

    @itman

    Read the article below:

    http://www.alex-ionescu.com/?p=97
     
    Last edited: Feb 28, 2018
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Agree. Extremely useful info!

    PowerShell introduced a whole new twist into matters of PC tampers, but hats off to the diggers who have been combing over every single conceivable use and bringing them to light :thumb:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.

    http://www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

    Much easier way that works on Win 10 RS2: https://github.com/Mattiwatti/PPLKiller
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I did a lot of digging into PowerShell myself and that research revealed two things to me.

    1. If a PowerShell script gets on your machine and is run, you probably are owned. Scary.
    2. In almost all cases the way PowerShell got on the machine was mishandled email. For me that's good news, as I can control that.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    @itman

    The one below is stopped by OSA "Main Protection":

    I also think PPLKiller but it would be necessary to ask the Developer.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as the script shown in the AlpineSecurity article, it is run via an Empire agent; not by any version of Powershell installed on the target's device.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    PPLKiller uses a kernel mode driver. As such, doubtful it would be detected.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes, that's a nice tool. Capturing exes while they're written to HDD is a clever approach.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    @itman

    OSA should stop the installation sequence of PPLKiller.
    But to be sure you need to ask the Developer.

    I'm just a poor fisherman.
    :)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes indeed, but it also captures DLL and Sys files the same way. Florian is close to what I would call a genius. Testing a beta that also will capture them on external drives.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Email attempts are 100% inert and DOA on my machines; that's been a long established given.
    ERP Vulnerable Settings has been a sole tie-down to prevent errant PS engagements, and frankly nothing whatsoever has ever even had a chance to try, except the user, me. And I've been as cautious as possible when monkeying in an area I really haven't given my ALL yet in examining.

    But as far as I'm concerned it's still a function that is operable at any rate. I don't have it closed off. Not quite that paranoid.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, but corps that have 100 employees have a tough time with email stuff. I know one company that has solved it with Barracuda. Out of our league but seems effective. Not cheap.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Speaking of kernel drivers (PPLKiller), does MZWriteScanner also detect/block when .sys binaries are dropped to disk? I don't recall from my testing which was a while back.
     
  16. guest

    guest Guest

    Sure.
    As long as there is a MZ header, it will be detected (the extension itself doesn't matter)
    I have created a simple file and it looks like this:
    While the file was dropped, it was detected by MZWriteScanner:
    Code:
    2018/02/28_17:28    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\test.sys
    2018/02/28_17:35    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\test.txt
    
    Edit: To be clear, drivers [.sys binaries] can be "detected" (= they appear in the logfile of MZWriteScanner) because of the MZ signature (viewing them with a hex editor is sufficient to see the signature), but not blocked.
    A good solution for blocking kernel mode drivers would be, for example, NoVirusThanks Driver Radar Pro (but it has no driver co-signed by Microsoft yet).
    Edit 2: It can block drivers. Blog-entry with some information:
     
    Last edited by a moderator: Mar 8, 2018
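    An added example (not the poster's code and not MZWriteScanner's own logic) showing why the extension is irrelevant: it flags the DOS "MZ" signature and then reads the PE optional header's Subsystem field to tell a native-subsystem (driver) image from an ordinary executable. The sample drops are constructed header bytes, not files from the thread.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1  # kernel-mode drivers (.sys) are built for the native subsystem


def has_mz_header(data: bytes) -> bool:
    """MZWriteScanner-style check: flag on the DOS 'MZ' signature, never on the extension."""
    return data[:2] == b"MZ"


def pe_subsystem(data: bytes):
    """Subsystem field of the PE optional header, or None if the bytes are not a well-formed PE."""
    if not has_mz_header(data) or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20  # skip 'PE\0\0' and the 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 70:
        return None
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    return struct.unpack_from("<H", data, opt + 68)[0]  # Subsystem sits at +68 in both


def scan_drop(path: str, data: bytes) -> dict:
    """Classify one written file: is an MZ header present, and is it a native-subsystem (driver) image?"""
    return {"path": path, "mz": has_mz_header(data),
            "driver": pe_subsystem(data) == IMAGE_SUBSYSTEM_NATIVE}


def build_sample_pe(subsystem: int) -> bytes:
    """Constructed minimal PE32+ header (no sections, not loadable) used only as test input."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed drops mirroring the thread's test: the bytes decide, the extension does not.
SAMPLE_DROPS = [
    (r"C:\drop\test.sys", build_sample_pe(IMAGE_SUBSYSTEM_NATIVE)),
    (r"C:\drop\test.txt", build_sample_pe(3)),  # console EXE header renamed to .txt
    (r"C:\drop\notes.txt", b"plain text, no MZ signature"),
]


def scan_all(drops=SAMPLE_DROPS) -> list:
    return [scan_drop(path, data) for path, data in drops]
```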
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Thank you for confirming (and with all of the great details you are known to provide). You always provide thorough answers and with data to go along with it for good measure. On top of that, you have a great way of explaining things without over-complicating the fact. :thumb:

    Wow, so that is a ridiculous amount of power to have in that case! :eek:

    I need to get off my lazy *** and start playing around with MZWriteScanner again, clearly.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The additional beauty of MZWriteScanner is that, like on my system with 3 drives, it will detect even if you move a file from C: to one of the other drives.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Just to clarify, for the interest of anyone wondering (what's he waiting for and why not add Excubits drivers by now): those are as unique and foolproof as anything might be, and I am saving buying those for when I buy a brand new machine this year.

    With the security goodies we already have on hand, courtesy of some razor sharp but rare developers, I decided to save the POWER SECURITY programs anew for new machines. My current ones are at a point of being so terribly tasked anymore, and have been (due to beta testing and my own tinkering), that, well, you guys n gals know, you want to apply them to systems you intend to be around for the long term (whatever that may be).

    I absolutely salivate over the Excubits drivers (having tested them) and, with the other usual dependable familiars, I like to start new machines out on a tried and true collection of the best of the best.

    And who knows those types any better than Wilders' group of notorious testers/users. Just clarifying for the interest of anyone wondering, that's it. :)
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The beauty of the Excubits drivers is there is little to no overhead. They are just drivers, nothing else.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Perhaps I am missing an obvious point, but any decent default/deny setup will block or monitor an unrecognized file that wants to execute. So how does this Empire attack get started? Doesn't it start with an executable file?
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some stuff starts with a script, other with a dropped DLL
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    And Empire? It doesn't need to execute anything at all on your system?
     
  24. guest

    guest Guest

    I'll do my best :)
    MZWriteScanner isn't a whole defense against all attacks but if dropping of files (with MZ-header) is involved, it is showing its strength.
    In the Empire-example cscript.exe is executing C:\Temp\Katz.js
    But I guess there must be some kind of exploitable vulnerability on the system before Mimikatz or Empire can do its work (or are even loaded).
    (...something must launch "cscript.exe C:\Temp\Katz.js")
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mood

    You do absolutely great.


    Pete
     