Defending Against PowerShell Attacks - Triangle …
Transcript of the slide deck.

Slide 1: Defending Against PowerShell Attacks
Jon Fox, @jofoMSFT, Security PFE
Adopted from a presentation by Lee Holmes, Lead Security Architect, Azure Management, @Lee_Holmes

Slide 2: INTO THE ABYSS

Slide 3:
https://twitter.com/JohnLaTwC

Slide 7: WHAT DOES APT LOOK LIKE?
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html

Slide 8:
http://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

Slide 9: POWERSHELL FOR POST-EXPLOITATION

Slide 10: (SOME) POST-EXPLOITATION OPTIONS ON A COMPROMISED MACHINE
• Compiled exe files
• DLLs (e.g. load path tampering, application dependencies)
• Perl
• Python
• Ruby
• Bash
• VBScript
• JScript
• COM objects
• Macros / Visual Basic for Applications (VBA)
• csc.exe
• HTML Applications (HTAs)
• SQL
• PowerShell

Slide 12: LET’S BLOCK POWERSHELL!
• Doesn’t address the underlying security problem
• Removes your most secure and security-transparent management tool

Slide 13: OOPS! PowerShell Isn’t Just PowerShell.exe
https://blogs.msdn.microsoft.com/powershell/2013/10/01/paap-windows-powershell-as-a-platform-part-1/

Slide 15: MASLOW’S HIERARCHY OF SECURITY CONTROLS
Patching & Antivirus
Application Whitelisting in “Allow” Mode
Auditing of Protections
Forensic capture of host-based artifacts
Forensic capture of memory-based artifacts
Application Whitelisting in “Deny” Mode
http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/

Slide 16: WE’RE LISTENING
https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/

Slide 18: JUST ENOUGH ADMINISTRATION (JEA)
PS> mstsc /v Server1
Access Denied
“Jeffrey, I need to be admin on Server1 to restart DNS”
“No gentilkiwi. Just use PowerShell to connect to the server”
PS> Enter-PSSession Server1
Server1> Restart-Service Dns ☺
Server1> Steal-Secrets
Error: You are not authorized to Steal-Secrets

Slide 19: SECURITY EXPOSURE = TIME X CAPABILITY

Slide 20: PRIVILEGED IDENTITY MANAGEMENT = TIME

Slide 21: JUST ENOUGH ADMINISTRATION = CAPABILITY

Slide 22: JEA ROLE CAPABILITY EXAMPLE

```powershell
@{
    # Description of the functionality provided by these settings
    Description = 'Role Capabilities for DNS Maintenance'

    # Modules to import when applied to a session
    ModulesToImport = 'DnsServer'

    # Cmdlets to make visible when applied to a session
    VisibleCmdlets = 'Get-Service', 'Restart-Service',
                     'Get-DnsServerCache', 'Clear-DnsServerCache',
                     'Show-DnsServerCache'

    # Functions to define when applied to a session
    FunctionDefinitions = @{
        'Name'        = 'whoami'
        'ScriptBlock' = { $PSSenderInfo }
    }
}
```
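As an added example (not from the deck), here is how a role capability like the one above becomes a registered JEA endpoint, with Restart-Service narrowed to the Dns service so the role cannot restart arbitrary services. The module name DnsMaintenance, the group CONTOSO\DnsOperators and the transcript path are assumptions.

```powershell
# Added example: register the role capability above as a JEA endpoint.
# Assumptions: module name DnsMaintenance, group CONTOSO\DnsOperators,
# transcript path C:\JEATranscripts. Run elevated on the target server.
$ModuleName = 'DnsMaintenance'
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleCapDir = Join-Path $ModulePath 'RoleCapabilities'
New-Item -Path $RoleCapDir -ItemType Directory -Force | Out-Null

# JEA discovers .psrc files by name inside a module's RoleCapabilities folder.
# Restart-Service is exposed only for -Name Dns, so the role cannot restart
# other services even though the cmdlet itself is visible.
New-PSRoleCapabilityFile -Path (Join-Path $RoleCapDir "$ModuleName.psrc") `
    -Description 'Role Capabilities for DNS Maintenance' `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets 'Get-Service', 'Get-DnsServerCache', 'Clear-DnsServerCache',
                    'Show-DnsServerCache',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Dns' } } `
    -FunctionDefinitions @{ Name = 'whoami'; ScriptBlock = { $PSSenderInfo } }

# Session configuration: RestrictedRemoteServer hides everything a role does
# not grant, the virtual account means the operator needs no standing admin
# credentials, and every session is transcribed for later review.
$SessionConfigPath = Join-Path $env:TEMP "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $SessionConfigPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = $ModuleName } }

# A malformed .pssc registers an endpoint nobody can connect to; validate first.
if (-not (Test-PSSessionConfigurationFile -Path $SessionConfigPath)) {
    throw "Session configuration file $SessionConfigPath failed validation"
}
Register-PSSessionConfiguration -Name $ModuleName -Path $SessionConfigPath -Force | Out-Null

# Operators in CONTOSO\DnsOperators now connect with
#   Enter-PSSession -ComputerName Server1 -ConfigurationName DnsMaintenance
# and Get-Command inside that session lists only the granted cmdlets plus whoami.
```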

Slide 23: LOCAL SANDBOXING

Slide 24: JUST ENOUGH ADMINISTRATION!
https://aka.ms/jea

Slide 25: MAKING POWERSHELL SECURITY TRANSPARENT
Module / Pipeline logging
System-wide transcripts
Script Block logging
Antimalware Integration
http://aka.ms/MVAps5

Slide 26: CONFIGURATION

Slide 27: MODULE / PIPELINE LOGGING

Slide 28: SYSTEM TRANSCRIPTS

Slide 29: SCRIPT BLOCK LOGGING
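The slides name the three logging features but not the settings behind them. As an added example (not the deck's own), this script writes the same policy registry values that the Group Policy templates set for module logging, system-wide transcripts and script block logging, then reads them back; the transcript directory is an assumption.

```powershell
# Added example: enable PowerShell module logging, transcription and script
# block logging through the policy registry keys. Run elevated; the transcript
# directory C:\PSTranscripts is an assumption.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging: event 4104 records the de-obfuscated code that actually ran.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# Module / pipeline logging for every module: event 4103 records each command
# with the parameter values bound to it.
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# System-wide transcripts: every host (not only powershell.exe) writes a
# transcript with an invocation header to a central directory.
$TranscriptDir = 'C:\PSTranscripts'
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'

# Read the values back so the state can be checked (or audited fleet-wide).
function Get-PowerShellLoggingState {
    $sbl = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$PolicyRoot\ModuleLogging" -ErrorAction SilentlyContinue
    $trn = Get-ItemProperty "$PolicyRoot\Transcription" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        ModuleLogging      = [bool]$mod.EnableModuleLogging
        Transcription      = [bool]$trn.EnableTranscripting
        TranscriptDir      = $trn.OutputDirectory
    }
}

Get-PowerShellLoggingState
```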

Slide 32: ANTIMALWARE INTEGRATION (AMSI)
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

Slide 33: PROTECTED EVENT LOGGING

Slide 34: USEFUL EVENTS

| Log Name | Event ID | Purpose |
|---|---|---|
| System | 104 | An event log was cleared |
| Security | 4656 | Auditing of configured files and registry keys: PowerShell profiles (`*profile*.ps1`), security settings (`HKLM:\Software\Policies\*`) |
| Windows PowerShell | 400 | PowerShell startup, including hosting application and version |
| Windows PowerShell | 800 | Command and parameter logging |
| Microsoft-Windows-PowerShell/Operational | 4104 (Warning) | ScriptBlock automatic logging: used APIs or techniques commonly associated with malware |
| Microsoft-Windows-PowerShell/Operational | 4104 (Verbose) | ScriptBlock logging |
| Microsoft-Windows-PowerShell/Operational | 53507 | PowerShell debugger attached to a process |
| Microsoft-Windows-WinRM/Operational | 91 | User connected to system with PowerShell Remoting |

https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf
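An added example (not from the deck) that queries the events in this table on one host: it reassembles multi-part 4104 Warning script blocks by ScriptBlockId and collects the other listed events for the same window. The computer name and the 24-hour look-back are assumptions.

```powershell
# Added example: triage the events from the table above on one host.
# Assumptions: Get-WinEvent can reach the host, and a 24-hour window suits
# the environment.

# Event 4104 logs long script blocks in several parts; each part carries
# ScriptBlockId, MessageNumber and MessageTotal, so the parts must be
# stitched back together before the code can be read as a whole.
function Get-LoggedScriptBlocks {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Level = 3,          # 3 = Warning (engine-flagged), 5 = Verbose (everything)
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = $Level }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event XML exposes the named fields that Message only formats as text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Id    = $data.ScriptBlockId
                Part  = [int]$data.MessageNumber
                Total = [int]$data.MessageTotal
                Path  = $data.Path
                Text  = $data.ScriptBlockText
            }
        } |
        Group-Object Id | ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                ScriptBlockId = $_.Name
                Logged        = $parts[0].Time
                Path          = $parts[0].Path          # empty for code run from memory
                Complete      = ($parts.Count -eq $parts[0].Total)
                Text          = -join $parts.Text
            }
        }
}

# The remaining rows of the table, collected for the same window so a cleared
# log (104), an engine start (400), a debugger attach (53507) or a remoting
# logon (91) can be lined up against the script blocks.
function Get-PowerShellActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filters = @(
        @{ LogName = 'System'; Id = 104; StartTime = $Since }
        @{ LogName = 'Windows PowerShell'; Id = 400, 800; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 53507; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
    }
}

Get-LoggedScriptBlocks | Sort-Object Logged | Format-List ScriptBlockId, Logged, Path, Complete, Text
Get-PowerShellActivity | Sort-Object TimeCreated | Format-Table -AutoSize
```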

Slide 35: DEVICE GUARD AND APPLICATION WHITELISTING
https://channel9.msdn.com/Events/Ignite/2015/BRK2336

Slide 36: POWERSHELL WITH DEVICE GUARD

Slide 37: POWERSHELL CONSTRAINED LANGUAGE RESTRICTIONS
• Language elements that provide access to Win32 APIs
• COM objects
• .NET methods, property setters, types, and conversions
• Add-Type
• XAML-based workflows
• PowerShell Classes (because they create .NET classes)
• DSC configuration declarations
Constrained Language removes the language capabilities that make PowerShell useful for attackers. It is not an RBAC sandbox like JEA.
Like cmd.exe, it is designed to allow interactive administration, and therefore still allows access to executables and cmdlets.

Slide 38: SECURE CODING
https://blogs.msdn.microsoft.com/powershell/2013/12/16/powershell-security-best-practices/

Slide 39: … AT SCALE
https://github.com/PowerShell/PSScriptAnalyzer

Slide 40: POWERSHELL INJECTION HUNTER
https://blogs.msdn.com/b/PowerShell

Slide 41: INTEGRATION WITH VISUAL STUDIO CODE

Slide 43: WATCH FOR DOWNGRADE ATTACKS
http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
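As an added example written here (not taken from the deck or the linked post), this detects engine downgrades from the event 400 startup record listed in the useful-events table, and shows the mitigation of removing the v2 engine. The look-back window and the 5.0 minimum version are assumptions.

```powershell
# Added example: detect PowerShell engine downgrades and remove the v2 engine.
# Event 400 (engine startup, "Windows PowerShell" log) reports EngineVersion;
# a 2.0 engine on a host that ships 5.x runs without script block logging,
# AMSI or constrained language, so any start below 5.0 is worth an alert.
# Assumptions: 7-day window, minimum version 5.0. Run elevated for the fix.

# The 400 message is a block of "Key=Value" lines; pull the two fields needed.
function ConvertFrom-EngineEvent {
    param([string]$Message)
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^\s*(EngineVersion|HostApplication)=(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        EngineVersion   = if ($fields.EngineVersion) { [version]$fields.EngineVersion } else { $null }
        HostApplication = $fields.HostApplication
    }
}

function Get-PowerShellDowngradeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7), [version]$MinimumVersion = '5.0')
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $engine = ConvertFrom-EngineEvent $_.Message
        if ($engine.EngineVersion -and $engine.EngineVersion -lt $MinimumVersion) {
            [pscustomobject]@{
                Time            = $_.TimeCreated
                EngineVersion   = $engine.EngineVersion
                HostApplication = $engine.HostApplication   # shows which host started the old engine
            }
        }
    }
}

# Mitigation: with the optional feature removed there is no v2 engine to
# fall back to, so the newer engine's logging and AMSI hooks stay in force.
function Disable-PowerShellV2Engine {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

Get-PowerShellDowngradeEvents | Format-Table -AutoSize
```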

Slide 44: Chris Thompson @retBandit

Slide 46: POWERSHELL: THE ULTIMATE ATTACKER HONEYPOT

Slide 47: REFERENCES
• PowerShell ♥ the Blue Team
• https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
• Australian Signals Directorate: Securing PowerShell in the Enterprise
• https://www.asd.gov.au/publications/protect/securing-powershell.htm
• Maslow’s Hierarchy of Security Controls
• http://www.leeholmes.com/blog/2014/12/08/maslows-hierarchy-of-security-controls/
• Who’s Afraid of PowerShell Security?
• https://blogs.technet.microsoft.com/ashleymcglone/2016/06/29/whos-afraid-of-powershell-security/
• Windows Event Forwarding
• https://aka.ms/wef
• https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection