![SEC555 | SIEM with Tactical Analytics 20
Base64 Encoding
Common to see base64 encoded PowerShell attacks
• Can be extracted using regex and then decoded
Example: (?<base64_code>[A-Za-z0-9+/]{50,}[=]{0,2})](https://image.slidesharecdn.com/detectingmodernpowershellattackswithsiem-180119022759/85/Detecting-modern-PowerShell-attacks-with-SIEM-20-320.jpg)
Detecting modern PowerShell attacks with SIEM
- 1. SEC555 Detecting Modern PowerShell Attacks with SIEM Justin Henderson (GSE # 108) and Tim Garcia (SANS Certified Instructor) @SecurityMapper Presentation based on SEC555: SIEM with Tactical Analytics
- 2. SEC555 | SIEM with Tactical Analytics 2 About Us Justin Henderson • Author of SEC555: SIEM with Tactical Analytics • GIAC GSE # 108, Cyber Guardian Blue and Red • 58 industry certifications (need to get a new hobby) Tim Garcia • Information Security Engineer • SANS Certified Instructor Cyber Defense curriculum (SEC 301, 401, 501, 511, and 555)
- 3. SEC555 | SIEM with Tactical Analytics 3 Welcome! A copy of this talk is available at: https://github.com/SMAPPER/presentations More free stuff: https://github.com/HASecuritySolutions Special Thanks: Thank you to Lee Holmes and the Microsoft PowerShell team for their research and pure awesomeness!
- 4. SEC555 | SIEM with Tactical Analytics 4 PowerShell Awesomeness PowerShell is one of the BEST things that ever happened • For both defense and offense • It is an equal opportunity employer Defenders • Automate everything (firewalls, IDS, etc.) • Administration, Auditing, Hunt teaming, and much more Attackers • Completely own you and bypass controls
- 5. SEC555 | SIEM with Tactical Analytics 5 PowerShell = Attacker's Choice Award Attackers/malware love PowerShell, but why? • On lots of systems with multiple versions • Almost always enabled and allowed • Whitelisting - Allowed • Antivirus - Allowed • NextGen whatever / EDR - Allowed • Can be enabled remotely even if currently disabled • Lots of pre-built attacks available using PowerShell
- 6. SEC555 | SIEM with Tactical Analytics 6 Sample of PowerShell Evilness Common attack tools and frameworks available: • PowerSploit - Collection of evil modules and goodies • PowerShell Empire - Post-exploitation agent framework • Nishang - Useful all around pentesting framework • Invoke-Mimikatz - Memory based version of Mimikatz Attack Devices • Rubber Ducky - Keyboard emulation • Bash Bunny - Pure evilness with a cute bunny
- 7. SEC555 | SIEM with Tactical Analytics 7 Disabling PowerShell If PowerShell is so evil why not just disable it? • You need it… You really, truly need it • Automation is key tool in a defenders toolbelt • The good can/should outweigh the bad In a world without PowerShell… • Attackers would simply pick a different attack vector • Your defense capabilities would be weak
- 8. SEC555 | SIEM with Tactical Analytics 8 PowerShell Prevention Talk is primarily around detection rather than prevention • Specifically using logs and a SIEM (super powerful) Worth mentioning some PowerShell security mechanisms • ExecutionPolicy - Not really a security feature • Just Enough Administration (JEA) - Controls who can do what with PowerShell • Constrained Language Mode - Limits certain functionality often used by malware (non-core features)
- 9. SEC555 | SIEM with Tactical Analytics 9 Catching PowerShell Evil Ideally you want to catch PowerShell attacks… at scale • For this we need SIEM + log sources Key PowerShell data sources • Module logging • Script Block logging • Transcription logging • Process creation events • Sysinternals Sysmon logs PowerShell specific Command line logging
- 10. SEC555 | SIEM with Tactical Analytics 10 Module Logging Enables Event ID 4103 • Records module use • And parameters • Very verbose…
- 11. SEC555 | SIEM with Tactical Analytics 11 Module Logging Example Invoke-Mimikatz.ps1 ran on Windows 7 box with PS v5.1 • 8,555 events logged from running script once • Includes functions and parameters called • Logs based on every time a module is used
- 12. SEC555 | SIEM with Tactical Analytics 12 Script Block Logging PowerShell v5 added Script Block Logging (Event ID 4104) • Records blocks as they are executed • If too large spans multiple events • Data is decoded in log • Event type of WARNING used to log suspicious commands • WARNING events enabled by default • Can log start/stop times (4105, 4106)
- 13. SEC555 | SIEM with Tactical Analytics 13 Script Block Logging Example Invoke-Mimikatz.ps1 on same system = 509 events • Volume is a bit more easy to handle • But still a lot of data Includes what is executed only • Does not log output
- 14. SEC555 | SIEM with Tactical Analytics 14 Transcription Logging Also introduced in v5 was transcription logging • Contains both input and output • Saves to a file Default: “My DocumentsyyyyMMdd” • Location can be changed to centralized location
- 15. SEC555 | SIEM with Tactical Analytics 15 Transcription Example
- 16. SEC555 | SIEM with Tactical Analytics 16 Endpoint Logging Today, client-side attacks are more common • Means the attack occurs at the desktop • Which means you need desktop logs… Yet, cost of desktop logs is considered too high • If strategy is collect everything, that is true • If strategy is to stay nimble and tactical, it is more expensive not to log… Advanced agent filtering is helpful or file server tricks
- 17. SEC555 | SIEM with Tactical Analytics 17 PowerShell Command Line (Event ID: 4688) PowerShell is now commonly used for modern attacks
- 18. SEC555 | SIEM with Tactical Analytics 18 Command Line Adversaries like to bypass script files due to AV detection • Thus long, obfuscated commands are common • Or calls to download and execute code are made • Another example of their strength = their weakness Key augmentations for discovery: • Command line length (> 500 is odd) • Base64 discovery • Execution of downloaded code
- 19. SEC555 | SIEM with Tactical Analytics 19 Command Line Length
- 20. SEC555 | SIEM with Tactical Analytics 20 Base64 Encoding Common to see base64 encoded PowerShell attacks • Can be extracted using regex and then decoded Example: (?<base64_code>[A-Za-z0-9+/]{50,}[=]{0,2})
- 21. SEC555 | SIEM with Tactical Analytics 21 Download and Execute Code can be downloaded and run to minimize length • Also works with base64 encoding Invoke-Expression (iex) runs commands passed to it • Net.WebClient acts as a PowerShell web browser
- 22. SEC555 | SIEM with Tactical Analytics 22 PowerShell Downgrade Attacks PowerShell v5 awesome security features • Bad guys do not like v5 • But v5 systems have v2 - v5 Downgrade attacks bypass security • Except Event ID 400 gives it away • Look for EngineVersion less than 5
- 23. SEC555 | SIEM with Tactical Analytics 23 PowerShell Command Monitoring JEA requires modifications and process changes • Alternative solution is to parse and monitor commands from module logging Group regex match can extract all commands to an array Parses into
- 24. SEC555 | SIEM with Tactical Analytics 24 PowerShell Whitelist Detection Alternative method can be used to export all cmdlets • Export from trusted systems • Use as whitelist of cmdlets • Then alert on anything new Can be expanded to include • Parameters • Users • Systems
- 25. SEC555 | SIEM with Tactical Analytics 25 PowerShell Without PowerShell PowerShell does not equal PowerShell.exe • It can be loaded using DLLs System.Management.Automation.Dll System.Management.Automation.ni.Dll System.Reflection.Dll Catching requires monitoring DLL load events • Such as with Sysmon Event ID 7 or commercial software
- 26. SEC555 | SIEM with Tactical Analytics 26 Sysmon PowerShell Example
- 27. SEC555 | SIEM with Tactical Analytics 27 Summary PowerShell is awesome yet scary • Learn it, know about it, and detect unauthorized use Simple detects can find a lot • Look for long command line lengths • Look for encoding • Check cmdlets against whitelist == Totally awesome • Look for downgrade attempts • Look for PowerShell use outside powershell.exe