
PowerShell Tools Have Become an Attackers' Weapons

By - Source: Tom's IT Pro

Find out what presenters at BlackHat and DefCon 2017 suggest blue team defenders do to protect their networks.

PowerShell is rapidly becoming a weapon of choice for post-breach (infiltration) steps, and has been used in many recent high-profile breaches. PowerShell, according to Dave Kennedy, is "BASH for Windows" – it's a scripting language and framework that in Windows is used for automation and control.

In the past few years, PowerShell tools such as PowerSploit, Nishang, PowerUp, and Empire have made PowerShell one of an attacker's weapons of choice. As Symantec's recent PowerShell paper reported, many attackers are using PowerShell because it's a native tool, can execute in memory, and malicious use of it is unlikely to be flagged. One recent large breach, likely Anthem, was shown to have been aided by very clever use of PowerShell to hide and facilitate the attackers' movements – it became a cat-and-mouse game.


What is a blue team defender to do? Two outstanding presentations at BlackHat and DefCon 2017 drove home the point of being prepared to detect malicious PowerShell attacks, introduced a new defensive tool, and suggested copious use of some new free Microsoft detective tools.


Image: Lee Holmes and Daniel Bohannon at DefCon 25

Daniel Bohannon (Sr. Incident Response, Mandiant) and Lee Holmes (lead security architect, Azure Stack) gave a talk entitled Revoke-Obfuscation: PowerShell Obfuscation Detection (and Evasion) Using Science at both DefCon and BlackHat. They introduced Revoke-Obfuscation, a tool that detects obfuscated PowerShell scripts.

In the first part of their talk, Bohannon and Holmes described many ways of obfuscating a PowerShell attack, such as those produced by Invoke-CradleCrafter, a tool Bohannon created. Other nefarious methods demonstrated included various string manipulations, a blank page, use of a maximum of five ASCII characters, and multiple examples from Invoke-Obfuscation, a tool Bohannon created earlier.

Image: An obfuscated PS script using few characters. Credit: Bohannon and Holmes.

Given all the PS obfuscation techniques, what is a blue team member to do? Bohannon and Holmes examined more than 408,000 scripts from various sources by 28,748 authors and found 1,600 obfuscated scripts. One of their techniques was to run an Underhanded PowerShell Contest. They first tried to examine the scripts by looking at similarities and code examples, along with other standard checks for obfuscation, and then did a statistical analysis of the results. That analysis showed an accuracy of only about 71 percent and, depending on what they optimized for, a higher false positive or false negative rate.

Bohannon and Holmes thought they could do better. They used the context and characteristics of the scripts to identify which were obfuscated, and hence potentially malicious. With the current sample size, the accuracy was 96 percent, with 1 percent false positive and 2 percent false negative results. Revoke-Obfuscation is available for download. They expect that with additional algorithm work, such as weighting, and refinement of the sample pool, the accuracy will increase.

Image: By using script context and characteristics, Bohannon and Holmes were able, with a high degree of accuracy, to identify obfuscated PS scripts. Credit: Bohannon and Holmes.
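The "context and characteristics" approach described above can be illustrated with a small feature extractor. The following is an added example, not code from the talk or from the Revoke-Obfuscation project: it uses the PowerShell parser (tokens and AST) to measure a few traits that obfuscated scripts tend to share, then applies illustrative weights and a threshold that are assumptions for this example, not the project's trained model. The two sample scripts are constructed; both are only parsed, never executed.

```powershell
# Added example: score a script on characteristics typical of obfuscated PowerShell.
# Features, weights and threshold are illustrative assumptions. Scripts are parsed only.

function Get-ScriptObfuscationScore {
    param([Parameter(Mandatory)][string]$Script)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref]$tokens, [ref]$errors)

    # Character-level feature: share of visible characters that are symbols/punctuation
    $visible  = @($Script.ToCharArray() | Where-Object { -not [char]::IsWhiteSpace($_) })
    $symbols  = @($visible | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count
    $symRatio = if ($visible.Count) { $symbols / $visible.Count } else { 0 }

    # Token-level features: constructs obfuscators use to rebuild strings at run time
    $backticks = ([regex]::Matches($Script, '`')).Count
    $plus      = @($tokens | Where-Object { $_.Kind -eq 'Plus' }).Count     # 'a' + 'b'
    $format    = @($tokens | Where-Object { $_.Kind -eq 'Format' }).Count   # "{1}{0}" -f ...
    $join      = @($tokens | Where-Object { $_.Kind -eq 'Ijoin' }).Count    # -join
    $charCasts = ([regex]::Matches($Script, '\[char\]', 'IgnoreCase')).Count

    # AST-level feature: commands run via Invoke-Expression/iex, or whose name is
    # computed by an expression rather than written literally (& ('I'+'ex'))
    $commands = @($ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.CommandAst] }, $true))
    $iex     = @($commands | Where-Object { $_.GetCommandName() -match '^(iex|Invoke-Expression)$' }).Count
    $dynamic = @($commands | Where-Object { $null -eq $_.GetCommandName() }).Count

    # Illustrative weighting; a real detector would learn weights from labelled samples
    $score = 0
    if ($symRatio -gt 0.35) { $score += 2 }
    $score += [math]::Min($backticks, 5)
    $score += [math]::Min($plus + $format + $join, 5)
    $score += 2 * [math]::Min($charCasts, 3)
    $score += 3 * [math]::Min($iex + $dynamic, 2)

    [pscustomobject]@{
        SymbolRatio  = [math]::Round($symRatio, 2)
        Backticks    = $backticks
        StringOps    = $plus + $format + $join
        CharCasts    = $charCasts
        DynamicCalls = $iex + $dynamic
        ParseErrors  = $errors.Count
        Score        = $score
        Suspicious   = ($score -ge 6)   # assumed threshold
    }
}

# Constructed samples: a plain script, and the same harmless command rebuilt piecewise
$plain = @'
Get-Process | Where-Object { $_.WorkingSet -gt 100MB } | Select-Object Name, Id
'@
$obfuscated = @'
&("{1}{0}" -f 'ex','i') ("`Get-`Pr`o`ce`ss" + ' | ' + (('Sele','ct-Obj','ect') -join '') + ' Na' + [char]109 + 'e')
'@

Get-ScriptObfuscationScore $plain        # Score 0, Suspicious False
Get-ScriptObfuscationScore $obfuscated   # several features fire, Suspicious True
```

The point of scoring parser output rather than raw text is that the features survive cosmetic changes (case, whitespace, quoting) that defeat signature matching; the trade-off, as the talk's numbers show, is that weights and thresholds must be tuned against a labelled corpus to keep false positives low.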

Tactical Nukes

Image: Chris Thompson at DefCon 25

Chris Thompson's (Red Team Lead, IBM X-Force) talk was entitled MS Just Gave the Blue Team Tactical Nukes (and How Red Teams Need to Adapt). Windows Defender Advanced Threat Protection (ATP) is one of the features Thompson highlighted; it is now part of Windows 10 as of the fall release of the Windows 10 Update, the so-called Creators Update (release 1703). There are many new features and updates to the security piece (Defender) of what is now an ecosystem:

  • Windows Defender AV (new name for Defender)
  • Windows Defender Advanced Threat Protection (ATP)
  • Windows Defender Exploit Guard (EMET)
  • Windows Defender Application Guard
  • Credential Guard
  • Works with Windows Server 2012 R2, Windows 2016, and Linux

So What's The Problem?

After the initial foothold, post breach, an attacker wants to run some tools and contact their C&C (command and control) server to do reconnaissance, escalate privileges, steal credentials, move laterally and, on Windows, grab the NTDS.dit. PowerShell 5, with enhanced logging and suspicious script block logging (on by default), detects some of these activities. Previous versions (a new 4.0 release includes the logging) provide "little evidence of attacker activity." AMSI (Antimalware Scan Interface) is also enabled by default, and the previous tricks (downgrading to PS v2 or using NotPowerShell) no longer work.

Image: Reconnaissance activity is detected by Windows ATP. Credit: Chris Thompson

According to Thompson, though many attacks are detected with PS 5 and ATP, some still go undetected: bypassing script logging/AMSI and using encoded payloads; using VBA shellcode injection without Kernel32 API declarations; and other executables designed to avoid detection. ATP has some built-in protection against being uninstalled from an elevated prompt, but is susceptible to some blocking attempts. Used in combination with Defender AV, some of these blocking attempts would be detected.

Another tool described by Thompson is Windows ATA (Advanced Threat Analytics), a behavioral platform that parses many types of network traffic and is designed to detect some post-breach activities, such as reconnaissance, lateral movement and persistence. Many suspicious activities are detected, but not enumeration via the WMI local namespace.

Image: Windows ATA detects suspicious activities. Credit: Chris Thompson

Grabbing a copy of NTDS.dit, the Active Directory database, via volume shadow copies would normally be detected, but if you use the WMI Win32_ShadowCopy class, this isn't detected by ATP. ATA flags it as a low severity event. Similarly, using AES encryption for a Mimikatz golden ticket is also not detected.
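Where a product gap like the one just described exists, a host-side compensating control can restore visibility. The following is an added example, not code from Thompson's talk: it subscribes to WMI instance-creation events for Win32_ShadowCopy, so a shadow copy is recorded regardless of whether it was created with vssadmin, the WMI class, or anything else, and writes a line to a log file. The log path and source identifier are assumptions chosen for this example.

```powershell
# Added example: watch for new volume shadow copies via WMI intrinsic events.
# Log path and SourceIdentifier are assumptions for this example.

function Get-ShadowCopyBaseline {
    # Existing shadow copies, so later alerts can be compared against the known set
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, ProviderID, ClientAccessible
}

function Start-ShadowCopyWatch {
    param(
        [string]$LogPath     = "$env:ProgramData\ShadowCopyWatch.log",   # assumed location
        [int]   $PollSeconds = 15    # WITHIN: how often WMI polls for new instances
    )

    $query = "SELECT * FROM __InstanceCreationEvent WITHIN $PollSeconds " +
             "WHERE TargetInstance ISA 'Win32_ShadowCopy'"

    # The -Action block runs in a background job each time the subscription fires;
    # $Event.MessageData carries the log path into that scope.
    Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $query `
        -SourceIdentifier 'ShadowCopyWatch' -MessageData $LogPath -Action {
            $sc   = $Event.SourceEventArgs.NewEvent.TargetInstance
            $line = '{0} ShadowCopy created ID={1} Volume={2} Provider={3} ClientAccessible={4}' -f `
                    (Get-Date -Format o), $sc.ID, $sc.VolumeName, $sc.ProviderID, $sc.ClientAccessible
            Add-Content -Path $Event.MessageData -Value $line
        } | Out-Null
}

function Stop-ShadowCopyWatch {
    Unregister-Event -SourceIdentifier 'ShadowCopyWatch' -ErrorAction SilentlyContinue
    Get-Job -Name 'ShadowCopyWatch' -ErrorAction SilentlyContinue | Remove-Job -Force
}

# Usage (elevated session that stays open, e.g. a scheduled task running Wait-Event):
# Get-ShadowCopyBaseline
# Start-ShadowCopyWatch
# ... later ...
# Stop-ShadowCopyWatch
```

The subscription lives only as long as the PowerShell session that registered it, so for a permanent sensor run it from a scheduled task or forward the event to a collector. Legitimate backup software and System Restore also create shadow copies, so the value of this log is in correlation: a shadow copy created on a domain controller outside the backup window, alongside a 4104 script block event mentioning Win32_ShadowCopy, is worth a closer look.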

Conclusion: A Combination of Techniques and Tools Provides Detection

Based on the two talks and other PowerShell best practices, here's a summary of techniques that would detect or prevent many malevolent PowerShell uses:

  • Upgrade to PowerShell 5, if you haven't done so
  • Make sure Module Logging, Transcription (with short polling times), and Script Block Logging are turned on
  • Monitor processes in real time with a host IDS
  • Enable process creation and command line auditing (Windows Sysinternals Sysmon also works) and make sure these logs are forwarded
  • Limit PS remoting sources to dedicated administration workstations
  • Use JEA (Just Enough Administration) to prevent lateral movement from succeeding
  • Harden SQL servers and review forest trusts
  • Use Windows ATP and ATA (or similar third-party threat analytics) and integrate SIEM and VPN logs into ATA
  • Use Revoke-Obfuscation, especially on suspicious scripts
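The logging items in this checklist, and the PowerShell 5 logging discussed under "So What's The Problem?", can be put in place and then acted on with a short script. The following is an added example, not code from either talk or from Microsoft: the registry keys are the documented PowerShell policy keys, while the transcript directory and the indicator list (drawn from the behaviours this article mentions: encoded payloads, Win32_ShadowCopy, NTDS.dit, Mimikatz) are assumptions for this example and should be tuned to your environment.

```powershell
# Added example: turn on PowerShell 5 logging, then hunt 4104 script block events.
# Registry paths are the documented policy keys; transcript directory and indicator
# patterns are assumptions for this example.

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location; restrict its ACL

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for all modules -> event 4103
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

    # Transcription with invocation headers (timestamps each command)
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory        -Value $TranscriptDir
}

# Constructed indicator patterns based on the behaviours discussed in the article
$ScriptBlockIndicators = @(
    'Win32_ShadowCopy',                              # shadow copy via WMI rather than vssadmin
    'ntds\.dit',                                     # AD database access
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}',   # encoded payloads
    'FromBase64String',
    'Invoke-Expression|\biex\b',
    'Mimikatz|sekurlsa|kerberos::golden'
)

function Find-SuspiciousScriptBlock {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-1),
        [string[]]$Indicators   = $ScriptBlockIndicators,
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: [0] chunk index, [1] chunk count, [2] script text,
            # [3] script block id, [4] path of the script file, if any
            $text = [string]$_.Properties[2].Value
            $hits = @($Indicators | Where-Object { $text -match $_ })
            # Level 3 (Warning) is PowerShell's own automatic "suspicious script block" flag
            if ($hits.Count -or $_.Level -eq 3) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    Computer      = $_.MachineName
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value
                    Indicators    = ($hits -join ', ')
                    AutoFlagged   = ($_.Level -eq 3)
                    Snippet       = $text.Substring(0, [math]::Min(120, $text.Length))
                }
            }
        }
}

# Usage (elevated): Enable-PowerShellLogging
# Then, on a schedule or from the SIEM host:
# Find-SuspiciousScriptBlock -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Script block logging records the de-obfuscated code that the engine actually compiles, which is why it catches layers that string-based scanning of the original file misses; that only helps, though, if the 4104 events are forwarded off the host before an attacker with admin rights can clear them, which is the reason the checklist insists on forwarding.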