
is Gaining 20/20 Vision During an Incident with PowerShell. This talk revolves around the use of PowerShell and supporting aspects as a suitable solution for incident response for endpoints in your environment, to include a short [inaudible] of the language. [inaudible]

All right, so welcome to this side of Augusta. Man, this is awesome, all right, something like a thousand tickets plus, so right here in the CSRA. As Josh said, we're definitely going to be using some PowerShell, talking about some incident response. Not really a hundred percent solution, but definitely giving you some visibility where you may not have it. Again, Fernando Thompson, been with the DoD roughly eighteen years. Started off my career as a system administrator dealing with domains and enterprise services, and then roughly the last six years been in what we know as cyber operations, if you will. Currently I'm a technical director of a cyber operations center; previous to that I was leading an incident response team, and since we're in Augusta I'm an adjunct at Augusta Tech, so I see some of my past and current students in here. All right, good to see you all. And definitely a PowerShell enthusiast, doing a little bit of red and blue team type tools for the last couple of years. Just recently the PowerShell Conference Book volume two dropped, so I'm a co-author, and I definitely hope that you support that. We make no money from it; it goes to support underprivileged, underrepresented individuals, giving them a start in cybersecurity, all right, stuff like these conferences, not everybody can afford them, so all proceeds from that go to that cause. And then if you're interested in connecting, you see a couple of sites of mine; I'm definitely looking to interact with everybody outside of this organization as well.

All right, so here's our agenda. We'll talk about a number of great things that we could use PowerShell for to get after our incident response tasks and purposes. Now why are we really here even talking about this? Well, there are some things we can see coming and there are other things we can't, right, but at the end of the day, no matter what happens, we have to react to it. So in this case, all right, you don't really necessarily have the ability to see it coming; you just see the train coming off the track, and at that point you're trying to react. Now if that's not you, if that's not your organization, maybe you have a plan, and definitely kudos to you, but guess what, not all plans go as we desire. So even when we have a plan, the execution of it may not end in a manner in which we desire. That leads us to incident response, all right.

And when we look at what that really means, we kind of look to three reputable cybersecurity organizations in this field, and while their definitions are slightly different, overarchingly they're roughly the same. When we look at the actual phases we'll look at this, all right: the National Institute of Standards and Technology, and we'll look at SANS, another company in this field. All right, we see NIST has it broken out into four phases while SANS has it broken down into six, and largely speaking those are almost the same; they just do them at different points. When we look at how that really maps to each other, it's like so. So this whole preparation of sorts: now we're talking about identifying the people, the training, the exercises, the SOPs, really understanding what it's going to take for us to do an incident when it happens, because it's a matter of when, not necessarily if, all right. Putting together our jump bags, so when that fire happens we just grab and go. Then we look at the whole identification perspective, or in this case identification, detection and analysis, and now this is the point where we're looking for indicators, we're proactively trying to find these things, whether it's from an endpoint perspective, network analysis; the data is data, right, the more we collect the more we just need to sift through it. As you heard the keynote speaker, sometimes there are diseases in our organization and we may not know that we're in need of some type of health care, so we have to proactively go out there and look for it. And then once we find it, now we have to kind of understand it and contain it, right. We may do that by isolation, we may do that by neutering whatever the process, or whatever is being used to kick off that thing as a whole, but really there's no fine way for us to do it. And once we get to that point, now we have to eradicate it: how do I cure myself of this cancer, if you will. And once we've done that, now this is a touch point, because if we do this too soon we show our hand to the adversary, and they're probably going to go dormant or they're going to come back stronger than they were before. So you kind of have to do this in a concerted effort. You have your incident response team, but really everybody in that IT staff and other parts of the organization have a part to play in this as well. Once we have that, we look at how do we get the organization back to where they once were before the intrusion, whether that's restore from backups, patch, what have you, a number of things. And never let a good crisis go to waste: so we want to really highlight lessons that we learned, because every incident is an opportunity for us to learn, so we can then put it back into our cycle for the next time this happens.

So largely speaking, hilltop perspective, that's what we have, but really what we're going to focus on in this talk is really these areas, all right: how do we identify, really detect it, how do we contain it, and how do we kind of eradicate it. Some common approaches is using some type of device, all right, could be open source, could be commercial. Now I'm a fan of both, but I would tell you, depending on your organization, as a previous responder I'd go to some organizations and they have the latest and greatest technology, EDR that's out there, because their organization can afford it, the staff supports it. And then there's other organizations where maybe the funds don't exist for them to provide or purchase that type of device, and they look to open source, but maybe they can't add that open source platform to their network. So now what do we have? We have an organization that can't afford the latest and greatest, we have open source that's available that the organization doesn't want to take the risk of putting on their organization's network. So as a defender, as an admin even, or maybe as an incident responder, what do we do? You may feel like you're hung out to dry, but that's not necessarily the case. But why are we even looking to get some type of device? Well, we want visibility into what's going on in our network. If we can't see what's going on in our network, sure, we're going to say all is okay, all right. So we want to be able to highlight that, understand the normality of our network and really baseline it as a whole. We want to put together some type of threat database, whether it's reputation based or not, behavioral analysis, statistical analysis, and we want to be able to, in a fast perspective, go out there and handle or attend to these incidents within our network. So again, if you can't afford this, or your organization hasn't provided it for you, and open source, that's not an option, you may feel like your tool kit is like that. Now I don't know about you, but if somebody came to my house to fix my sink, right, a plumber, and he came with a tool kit like this one, nothing in there, I'd probably be questioning why I'm paying money for you to come. But I don't want you to feel like this, because really you do have something in your tool kit, specifically Windows and most recently cross-platform. You probably guess what it is, yeah, it's PowerShell, absolutely, all right. So you have at least one item that you can put in your toolkit, and that one item is really an array of items, and it's neat. So really, how do we even get to that? Well, I'm glad you asked; here's how we do that. Before we do that, let's get the disclaimer out of the way, all right. Might be a TL;DR, too long didn't read, or it might be too small, couldn't read. The real short of this is: I'm not saying commercial or open source tools have no use, they absolutely do, but I would tell you not every organization is the same when it comes to the funds, understanding, buying into what you're trying to do in order to meet their intent and their goals, and when that doesn't exist for you, specifically more on the Windows system, but again
more recently cross-platform, PowerShell can give you some visibility. You can definitely do that, all right.

So we'll start with IIS, I'm sorry, Internet Information Services. So on a Windows Server build there are these features and roles, and one of them is IIS; that is a web server built into a Windows Server platform, we just have to enable that, and some organizations who have a web server are using that. The good thing about this is there's some good logging that we can get out of it, things like the source IP, the URI, the method, if there's a referer, okay, I'm digging it, all right, because I don't want to have an application, or I recommend you don't have an application, that you don't have visibility into what's going on with it. The good thing is, if we host our website, which is by default C:\inetpub, our logs will be there as well, and if we're not going to host our website there, wherever we are hosting it on disk, that's where all the logs will be. So they are written to disk, that's cool, it is a text file, but the problem with it is it's very difficult to read. There's a format, but it's really unstructured ASCII, and you can Ctrl-F, or Select-String, or findstr, or if you're going to put it onto a *nix system you could grep your way through it, but that's very tedious; that doesn't scale very well. What I really want, personally, I want to get it to the event log, and I'll talk more about the event logs in a minute. If we're logging, we can track, really catch potential incidents or potential misuse, recons in which somebody's trying to start their campaign, but we could find ourselves lost in that. So here's an example of our IIS log: typically rolls every day, very unstructured in a sense, right, not a CSV of sorts in which we could parse it very easily. What I have highlighted in red are at least the fields, at least the fields, okay. Cool, so I'm not going to Ctrl-F my way through this.
I'm going to utilize PowerShell; I'm going to convert this flat text into an object. All right, yes, PowerShell is object-oriented, so we're going to convert this into an object in which I can select the properties, or really attributes, I care about, okay. So that log, all that good stuff in it, what do we really have? Yeah, we have our system on the left trying to reach out to a resource on our web server on the right. They're calling upon the root, or whatever that index is going to be; that request is successful, that data is returned back, so we get a response code of 200. We see them now calling upon index, that is successful, we get a 200. We see them calling upon whatever's hosted at /2021, design, 200, okay, awesome. Maybe these are the things that I really want people to see, maybe it's misconfiguration on my perspective, maybe they've been doing a directory traversal and are just, you know, navigating all the way around. Maybe I have stuff in robots.txt that I really don't want to be indexed, and somebody's like, well, you don't want it to be indexed, I'm going to go look at it. But nonetheless we have people just randomly doing this, maybe automated, maybe a factor, but still nonetheless doing this. So we have our first one, which is like our last one, but then we also have our second one where somebody's trying to grab whatever is being hosted that actually isn't on our site. Now what's being returned here is a 404, so that resource is not found. Interesting. Then we have the next one, where somebody's trying to grab command.php. Very, very interesting, all right, because command.php is typically a web shell. So I have somebody trying to maybe blindly grab a web shell that's there; maybe they exploited it and part of the payload was to upload this web shell, and now they're trying to go and access it. Interesting. So all that's going to be in the logs, but if it's that flat text and unstructured I'm probably not going to find it; I'm going to get lost in the data. Hey, yeah, I can Ctrl-F that, but again, not really for me at scale.

So we look at our fields again: we converted this to an object, we now have properties and methods, so we have really the output of that, and we see the date, we see the time, we see all that stuff being highlighted in the red text box below, and each one of the items below it. Now, if I care about it, I could select the particular property, that red text box, and then I could specify the things I care about in there, and now that I have it in some structured format, if I don't have ELK, Splunk or whatever else you're using for log aggregation, I can utilize Out-GridView in PowerShell, which is what we see here, and do some form of analysis, okay. So I'm getting somewhere. When I'm looking at this and parsing it a little bit more I start to see people grabbing other things that I would have missed: phpadmin, that's a nice try, not here, right, that's not what we're using; wp-admin, that second red text box, okay, not WordPress, because we're using IIS, but somebody's trying to grab in the dark, they're doing some type of blind scanning, blind analysis, in the sense of just trying to get into our server. And then we get to the bottom, and then we have that command.php, and then we have shell.php; again, somebody trying to grab what they believe to maybe be a web shell there, but those are all returning 404s. I could look a little bit deeper, or I could go on about my merry business, but nonetheless I want to go a little bit deeper in this. Really what I want to do is kind of group this stuff together: is this a one-time occurrence, you know, drive-by, or is this something where people were seriously trying to get there over and over again? So breaking it down, we see our least amount of time, we see the most amount of time something was called upon, but really this highlights to me, just using this subset of a sample, just shell and command.php, we got it from the same IP. Now I want to know what's up with that IP; maybe it's Tor, maybe it's some type of redirection through some other device that doesn't know it's doing it, but nonetheless I want to understand that a little bit more. And then that wp-admin is there as well, but this whole phpadmin, there's 11 IPs that tried to hit that; could be the luck of the draw, could be a little bit more.
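The parsing and stacking the talk describes, as an added example and not the speaker's code: it reads W3C-format IIS log text into objects using the #Fields header, then groups the 404s by path and by source IP. The log lines are constructed sample data (documentation-range IPs), and the function and variable names are mine.

```powershell
# Added example, not the speaker's code: turn IIS W3C log text into objects and stack it.
# On a real server the files live by default under C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log;
# this block uses constructed sample lines instead so it runs anywhere.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-10-05 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-10-05 00:00:01 10.0.0.5 GET / - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2019-10-05 00:00:02 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 8
2019-10-05 00:00:09 10.0.0.5 GET /command.php - 80 - 198.51.100.7 curl/7.64.0 - 404 0 2 3
2019-10-05 00:00:10 10.0.0.5 GET /shell.php - 80 - 198.51.100.7 curl/7.64.0 - 404 0 2 3
2019-10-05 00:00:11 10.0.0.5 GET /wp-admin/ - 80 - 198.51.100.7 curl/7.64.0 - 404 0 2 2
2019-10-05 00:01:30 10.0.0.5 GET /phpadmin/ - 80 - 203.0.113.42 python-requests/2.22.0 - 404 0 2 2
2019-10-05 00:01:31 10.0.0.5 GET /phpadmin/ - 80 - 203.0.113.77 python-requests/2.22.0 - 404 0 2 2
'@

function ConvertFrom-IisLog {
    # Parses W3C extended log lines into PSCustomObjects; the #Fields: header supplies the
    # property names, so the parser follows whatever field set the server was configured with.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Other directives (#Software, #Date, ...) and blank lines carry no request data
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # IIS writes '-' for an empty field, so a record always has one token per field
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$record
    }
}

$entries = ConvertFrom-IisLog -Lines ($sampleLog -split "`r?`n")

# Stack the requests for things that do not exist on the server: which paths, how often, from where
$notFound = $entries | Where-Object { $_.'sc-status' -eq '404' }
$byUri = $notFound | Group-Object 'cs-uri-stem' | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'SourceIPs'; e = { ($_.Group.'c-ip' | Sort-Object -Unique) -join ', ' } },
        @{ n = 'FirstSeen'; e = { ($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)[0] } }
$byUri | Format-Table -AutoSize

# Drive-by or persistent? Source IPs that asked for more than one web-shell-looking name
$notFound | Where-Object { $_.'cs-uri-stem' -match '(command|shell)\.php$' } |
    Group-Object 'c-ip' | Where-Object Count -ge 2 |
    Select-Object @{ n = 'SourceIP'; e = 'Name' }, Count, @{ n = 'Paths'; e = { $_.Group.'cs-uri-stem' -join ', ' } } |
    Format-Table -AutoSize

# Without ELK or Splunk, Out-GridView is the interactive view (Windows desktop only):
# $entries | Out-GridView -Title 'IIS requests'
```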
But nonetheless, I'm taking this flat text file, converting it to an object, parsing it, and we're doing this all in PowerShell. Could we get a little bit more with some other tool? Possibly, but I'm working with what I have; I'm still accomplishing what my task and mission is without saying I can't actually do it. So we talked, we stacked this, and we're able to determine the rate of least occurrence. Now if we want to go a little bit deeper in this: any tool I talk about on here, there are tools that I developed, you'll be able to get them off my GitHub, all the code is already there. So we have Invoke-PSGeoLocator. Cool, so now I'm able to take IPs that I'm seeing in an IIS log and get information about them as far as geolocation. We're able to utilize a free API from that side, it's listed, and now I can pull IPs out of my IIS log and get some geo information about it. So in this case I see my IP, I see the city, region, country, continent, all that good stuff. Depending on my organization this may be all right, or it could highlight things, right, and if we are able to take this information and look it up a little bit further, maybe from a reputation-based device, maybe reputation based in our own environment, we could start to either say this is more suspicious, we need to further investigate, or maybe this is benign, but nonetheless we can go a little bit deeper. I would tell you, from the server which we're using this on, I don't know anybody in Russia, in Moscow, right, and this service that's being provided should not be of liking to them, so I may go a little bit deeper in that aspect.

Now again, we're trying to do something with the little bit we have, and we could utilize VirusTotal. Now we're not going to upload any binaries to that, but we can look at utilizing, you know, scanning of files. Again, we're not going to upload binaries; recommend you don't do that. But we could look at some hashes, we could get domains, we could get URLs, and kind of get a reputation-based analysis, all right: what does the rest of the community think about this, if I don't have some type of internal reputation-based analysis for myself? Cool. Well, there's a pay-for service, but there's also a free service. That free service allows you to get an API key, submit four requests per minute, and then you see how many requests per day, so there's some throttling in there. Now I'm not going to do this with every IP; we'll look more at a specific suspicious perspective. And then let's say you wanted to look at all binaries' hashes on your disk: that's going to be very time intensive to submit to VirusTotal. But if we started to look at running processes on our system, all right, what are the hashes of those, and then run those through VirusTotal, and then, hey, if I've seen this before, writing it to my own hash table, or dictionary list if you come from another language, all right, locally, so that way the next time I get ready to run it, if I've already run that hash once I can already say it's good to go. Now I have something across my organization of sorts. So we can utilize Invoke-ProcVirusTotalScan; we can feed it hashes, we can have it just go off of running processes, and then we spit out how many you submitted, how long it's going to take. Again, I'm using a free API, so 15 seconds allows me to do four a minute, and then it doesn't matter if it's MD5, SHA-1, triple DES if that's your thing, all right. But then we start to get this information back: we see my AV, the version of the AV that was used, whether it was detected, the result, because some AVs know viruses under different names versus other ones, we see the last time that that bad file was actually updated, and we see that hash. When we parse this a little bit more we bring it back in an actual table, and we can see our AVs on that first column and then that subsequent information going across. Now we see that my second hash, out of the 50 to 60 AVs, just from this screenshot here we have about seven that said it was bad; for me that causes concern, all right, and then we can go a little bit deeper in there, and if that's the case then I can proceed accordingly. But I'm taking hashes that I have, getting some reputation-based analysis off of it, and then I'm feeding my own reputation-based system.

Event logs. My, my, my, event logs are awesome, all right. I think if we look at a methodology of sorts, it's log to the event logs, step one, because that's a little bit harder for somebody to wipe.
If they wipe that, that's going to generate an 1102, and maybe some special tools and stuff out there, but nonetheless. The second part of the methodology is to offload it to another server, all right, make it difficult for an adversary to do so. Well, we can look at PowerShell and utilize two cmdlets. Get-WinEvent: that's going to do our classic logs, so like security, application, system; that also does our event tracing logs, so the newer logs that are with modern Windows OSes, Vista and above. Get-EventLog only does those classic logs we talked about. Both of them have the ability to do it across a subset of machines, so that's great. We also have the ability to take exported logs and read them back in. Now I can generate some code, call it a parser, do it one time, and then run it against a subset of logs over and over again. As an analyst I already know what I want to see and how I want to see it; I generate that code once and then I reuse it many times.

There are a lot of event logs; a lot of them are not logging by default. If I could only pick one out of some of the most interesting ones, in my opinion, man, 4688, process creation. I want to know when a process has started on my box, maybe not at the moment, but if there's ever a time when that becomes of interest to me I want to be able to go back and get that information. We would need to cut that on through auditing, because again it's not on by default. But when we get that and we try to look at that event log by default, we see all this googly garbage, right: we see the time, the source, we see the message, but really I'm getting the count in which a process started and not really getting the meat and potatoes. So we can expand that, and when we expand that we see that message field; that message field contains the real stuff I care about. Cool, a process started, thank you. I really want to know what is the process name, what path, were there any arguments, what started that process, all right, maybe what user. Notepad running as SYSTEM, probably not a thing, at least in my environment; I don't know about yours, right, could be, it's 2019, it's going to be 2020, things are different, all right. But again, those are some of the things I'd be interested in, and it's all in that message field. What we can do to really get that particular information, instead of saying, hey, look in the message field and if it's in there return the whole message field, we want to get really deep into the actual things we want. Well, we can utilize these things called, in this case, extended properties, and I've kind of expanded it here, because for every item in that message field up top we have these extended properties that we can expand and then call upon them. So then we can go in there and say, hey, give me that account name, give me that process name, give me that PID, all right, because we may not be able to get a task list or process list and see the process running at that time; maybe it kicks off, spawns something else and then dies, so timing is everything. When we're able to dial into that extended property, we can then again pull out the stuff we care about. So for each one of these properties, for that process ID, we cared about the time it was created, whatever the process is, the command-line argument, what account was tied to it, and then what the creator was; that's going to be the parent. Okay, awesome, I'm writing it to the event log. Again, if somebody wipes this, that's going to be an 1102; I'm not taking into account some other tactics that can be done. But now that I have it in an event log I want to ship that off somewhere else. But more specifically, this enables me to take all this data I have, chop it down into something more manageable, feeding me the information I need, making the nearly impossible or difficult stuff I need to see more easily visible, understandable, digestible. In this case we have what we perceive to be netcat going out to whatever that IP is on quad fours, right, and this being kicked off by cmd.exe. I wouldn't have necessarily seen that by just looking at the message field as a whole, and again, PowerShell being object-oriented, we can break it down into something that is more manageable for us using what's called Out-GridView, kind of like an Excel-on-steroids type view. We can look at it, but if that's not your thing you can ship it somewhere else; you can do whatever you want with it now that it is in a better readable format.

And then we have this. So let's say I'm malicious: I get on a system, I'm going to look around, see if something is logging, and if it's not I may proceed on with what I came to do. When we utilize custom event logs we could essentially fake out somebody of malicious intent, because we're able to log things that maybe weren't logged before, or maybe we just don't have on. For example, I go back to that previous example, right: I get on, I look to see if 4688 was being logged, it's not; that allows me to then maybe go ahead, because whatever I bring may not be logged as a process created, so I have a false sense of hope. But the admin could be logging it as a custom log, or, what do they name it? Whatever they want to; they can call it admin, or Augusta, or whatever, right, but likely we would call it something that blends in with some of the other logs we have. And when we do that, we write exactly what we want, how we want it, to the event log. So I had this one, and I call it find notepad, I have an event ID of one three three seven, because, well, leet speak, and then really any time notepad was started I wanted to log the process ID and I wanted to log what user spawned it, but I could have logged whatever I wanted to in a fashion that I found which would make sense for me. So what's the methodology for this? Well, first you've got to retrieve the data, then you've got to filter it for what you really care about, once you have it send that bad boy to the actual event log in the format that makes sense for you, and this is going to be as an object, so we can then take it and do something with it later on. Now, as an option, because we talked about getting it off of the system, hey, we could use something like Slack as a log aggregation server. Now this would not work in every environment, because again
I write it to the event log, I'm taking some risk by leaving it there; I really want to get it off of this system. So utilizing Slack we could, in near real time, get it off the system onto another platform; we could also ensure that it doesn't get wiped locally. Now an adversary would need to gain access to our portion of the Slack platform to get access, but there come some cons, right: it is definitely stored on somebody else's server; if you look at the terms of agreement I'm probably not in there, all right, probably not something you should be doing, but there could be some transit concerns, and again, this is definitely not for enterprise use. Now I have to be a little bit diligent in what I'm actually looking for, what I care about. So in testing this I utilized just this little bit of code. This little bit of code allows me to send a message of 'howdy', it allows me to send it under a bot's name of 'logger', and then I have my API URI, that obviously I don't have up there on the screen, but that's the URI that Slack provides to me, and then I have the arguments based upon their API documentation. Once I do that, this is what I see in my Slack channel: logger, howdy, and then that channel. Okay, all right. Okay, now I'm going to go a little bit further: now I'm going to actually retrieve some data, filter it for items that I care about, write this data to the event logs, because that's step one, then I want to monitor for those event logs being written, and then I want to send those particular things off-site. Again, not in every event type thing, but I'm trying to make it difficult for somebody trying to clean up their tracks. Now, from that, this is the code that allows me to do it, and really the meat and potatoes of this is where I'm filtering for the events; largely speaking it's the previous code, but now I'm looking at that aspect. And then what do we see? Well, we see this in my Slack channel: time created, process, command line, the account, the creator, the same thing that we had seen previously when we were parsing it; now I've got it in Slack, the things I care about that are going to keep me up at night, or maybe generate a resume-generating event, right, some visibility. And in this case we see 'defend64' being kicked off by, what is that, 'cache64'. Hey, let's be real here: you throw 64 or 32 on most binaries, a lot of people will be like, that looks legit, let's go on about our business, all right. Then we see some PowerShell and some stuff that probably should not be happening down below.
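The retrieve, filter, write-to-event-log, forward-to-Slack pipeline described above, as an added example rather than the speaker's code. It assumes process-creation auditing is already on and uses the Windows cmdlets Get-WinEvent, New-EventLog, Write-EventLog and Invoke-RestMethod against Slack's incoming-webhook endpoint; the log name 'IR-ProcessWatch', the source, the function names and the webhook URL are placeholders of mine.

```powershell
# Added example, not the speaker's code. Assumes 4688 (process creation) auditing is enabled;
# the custom log name, source, event ID, filters and webhook URL are placeholders of mine.

function Get-ProcessCreationEvent {
    # 4688 as objects carrying only the fields the talk calls out, read from the message's
    # extended properties (the <Data Name="..."> elements of the event XML)
    param([datetime]$Since = (Get-Date).AddHours(-1), [int]$MaxEvents = 200)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Process     = $data['NewProcessName']
                ProcessId   = [int]$data['NewProcessId']   # logged as hex text, e.g. 0x1a2c
                CommandLine = $data['CommandLine']         # empty unless command-line auditing is on
                Account     = $data['SubjectUserName']
                Creator     = $data['ParentProcessName']   # the parent; absent on older Windows builds
            }
        }
}

# Step one: write what we care about to our own event log. Name it so it blends in with the
# other logs; 'IR-ProcessWatch' is only the placeholder used here.
$LogName = 'IR-ProcessWatch'
$Source  = 'ProcessWatch'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source      # needs an elevated shell, once
}

function Write-ProcessWatchEvent {
    # JSON in the message keeps the record an object when it is read back out later
    param([Parameter(Mandatory)]$Record, [int]$EventId = 1337)
    $message = $Record | ConvertTo-Json -Compress
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Information -Message $message
}

# Retrieve, filter for the things that keep you up at night, send them to the event log
Get-ProcessCreationEvent |
    Where-Object { $_.Process -match '\\(notepad|nc|ncat)\.exe$' -or $_.CommandLine -match '-enc(odedcommand)?\s' } |
    ForEach-Object { Write-ProcessWatchEvent -Record $_ }

function Send-SlackMessage {
    # Slack incoming webhook: POST JSON with "text" (and an optional bot "username")
    param([Parameter(Mandatory)][string]$WebhookUri, [Parameter(Mandatory)][string]$Text, [string]$Username = 'logger')
    $body = @{ text = $Text; username = $Username } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri $WebhookUri -Method Post -ContentType 'application/json' -Body $body
}

# Step two: get it off the box. Poll the custom log and forward anything new since the last pass.
$webhook  = 'https://hooks.slack.com/services/PLACEHOLDER'   # the URI Slack gives you
$lastPass = (Get-Date).AddMinutes(-5)
Send-SlackMessage -WebhookUri $webhook -Text 'howdy'          # the same smoke test as in the talk
Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $lastPass } -ErrorAction SilentlyContinue |
    ForEach-Object { Send-SlackMessage -WebhookUri $webhook -Text $_.Message }
```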
Now, you talk to any defender, all right, anybody in this space really, and they'll tell you that probably processes and connections, or netstat, are important. I'm not going to tell you any different; they absolutely are important. From a PowerShell perspective we could Get-Process, we could also use Get-NetTCPConnection; that's going to be a v5 or newer feature, that last one, all right. We get a lot of great information, and what we want to do is really take that information and put it together, because independently we have information, but now we need to go run this again, go back over here and look at that. We want to correlate it together, we really want to join it. Now if that doesn't make sense, I present to you this: everybody loves Reese's, right? I mean, let's be real, this was awesome, like, my mind exploded, all right, Reese's Cups, Reese's Pieces, you put it together, and it's like, slow clap, why didn't I think of it, all right. So we're going to do the same thing with our processes and our connections, and I call that Get-VerboseProcess, all right, giving me that clearer sight; reduces some human oversight, like, as I look at processes and I remember what I care about, and then as I try to transition over to connections maybe I can't remember if that was a 1 versus a 2. That's too much; I want to put it all together in one visual aspect that a user, an analyst, can actually see and comprehend. And then guess what, if my organization gets me a SIEM, a log aggregation server, I can easily export that and import it into that. So what does that look like? Well, we have two individual instances that we are looking at, hence the two red boxes, and we see the local IP, local port, foreign IP, foreign port, okay, for each one of them; again, two individual connections and processes. And then we see whatever that process is, to include the PID, the process command line itself, where it's running from, like svchost not running out of C:\Windows, or a user's path. But guess what, we also see that hash; let's go ahead and hash that thing all at the same time, okay. And then if we want to add a little bit more code to it, we can look at that reputation-based server that we're already doing from a VirusTotal perspective, okay. But what started this? Because there are some things that it just doesn't make sense that it would start it, so we get that as well. We get that in one picture; I'm not doing a swivel chair trying to tie it back together, I get it in one picture. Now I should be a little bit more deadly in my analysis, in my approach.

Anybody using McAfee products out there? McAfee VirusScan, when it finds something that's
malicious, it says it deletes it, but it doesn't really delete it; it quarantines it, and by default that's written to C:\Quarantine. Now it encrypts it, so it makes it unusable to the user, and it's really just XORing it, so exclusive OR. But really what we want to do is understand why it quarantined it. Maybe, all right, I implement a new item, I run it, and then it quarantined it; cool, it shouldn't have been bad, let me understand why. Or maybe somebody else infiltrated my box, McAfee caught it, quarantined it, but now I don't have that binary sample, because it makes it unusable to the user. We want to get that raw binary so we can do some analysis on it, either determine whether it's good, determine it's bad, but definitely, McAfee, don't just take it from me where I can't do anything with it. But thanks to McAfee, they publish their key online, so now we can reverse their encryption tactic, and that stuff is going to stay in C:\Quarantine for 28 days by default. So we're going to take a subset of binaries that have been bupped and we're going to reverse that. I can't tell if you can see that very well; can you see that very well? Okay, awesome. So I've got a number of things that have been bupped; they're unusable to me, I want to reverse that, so I'm going to utilize some PowerShell here, and we're going to run it, specify our path, and we'll specify our quarantine folder; it's going to run, and then it's going to reverse that process. Now, if I'm doing this on the very system it triggered on before, it's just going to re-bup it, so I'm going to zip it, password-protected; most people would do something like 'malware', I'm going to call it 'infected'. But that process is done, so now when I come in here and look I start to see that raw file. It looks like this one was being downloaded from Google Drive; it was still in the process of being downloaded, and there was a certain part of that, probably an executable, in which it triggered as being bad. All right, but now that we have this we can go in there and actually look at it. Again, we wouldn't do this on the very system that we have antivirus running on; we would do this on our actual analysis system, and then we could make a determination: what is this? Really bad? Oh, this is bad, this is good, right. Let's grab this, and now we have that raw binary sample. Thanks, McAfee; I can't say that too often, but nonetheless we can utilize that.
Okay, here's another one: PowerShell Rapid Response. I recall going into an organization as an incident responder and I'm like, cool, I'm here to help, I got all these great tools, I want to put this on your network and I'm gonna find badness, and when I'm done, guess what, I'm gonna take my tools back and now I'll leave you. Oh, you've been compromised again? Cool, I'll come back with my tools. I'm not really helping you long term. So I came up with PowerShell Rapid Response, because in the Windows environment you have it, so it's gonna be an incident response framework in which the defender, the local person, can actually start to defend their network, not call upon me as much, all right, but also really empower them. This is gonna help them with identifying anomalies across their network. There's right now roughly 20 items of interest that I care about, but it's extensible through plugins, so if there's something particular that we don't have in here, add it in there, all right, it's open source, it's on GitHub, so do a pull request and then help with the project. It utilizes the pull method, so if you pull every 30 minutes you could be missing stuff, so it's not necessarily real time, but it absolutely gives you some visibility where I haven't got an agent on the box. That data is gonna come back as a CSV and also in a SQL database. It uses a network logon, so we don't have to worry about Mimikatz or anything like that. We start to see really some of the things that we can get utilizing PowerShell Rapid Response, and then when we look at actually running this we have so...

So I'm going to run it. We've got a number of options: I can pull it straight off of all my systems in AD, I can put them in a text file, I can input IPs, or I can do my local machine. I'm going to do one machine, so I'll select option three, put in that IP, and then it's going to run. All right, it's threaded, so it's not going to be one after the other. Now as that's running, I've already run this before, so we could start to look at some of our old data. Every time this is run it creates a directory with the actual CSVs from that run, so maybe you want to take that, import it into Splunk, ELK, we get back into PowerShell for analysis, or just really identify a particular instance from a larger perspective. All these items are written to a SQL database, so if SQL is your thing you can conduct some analysis utilizing that, and that gets appended to, so there's gonna be one database that's for application events, or there's one database that talks about drivers, or disk information. And I'll just utilize SQLite here and we'll open one of these databases, let's say drivers, all right, and I can start, ooh, do my analysis. Maybe this is the way you want to do it, maybe you want to take these databases, load it up as part of a back end to a greater front end for visualization, but at the core we're giving you options here: get the data you need, conduct the analysis you want to do, and really highlight the things somebody is employing you to do. All right, I got it there.
All right, so as we look at DNS, really the methodology, or really the process, is this: a user navigates to, let's say, google.com. The system searches its local hosts file; if there's an item in there that points to that domain, it then tries to navigate to that IP. If not, it checks the local DNS cache; if it's been resolved before, it then gives us that IP. If that's not the case, it looks at whatever DNS server it's tied to or pointed at, and then that DNS server checks its cache; if that URL or IP is in there, it then responds. If it doesn't, it checks to see if it's authoritative for that domain; if it is, it responds with the IP, if it's not, it will look at root hints or a forwarder, just really depends on how that DNS server is configured. So with us understanding that on a high level, we recognize that some malicious folks look to use domains in their malware, all right. We want to affect that, we want to limit that, and really reduce it, contain it if you will. Based upon that process we really have two places: I could go into a hosts file and list out domains and say, hey, they resolve to loopback. That's cool when I have one or two machines; when I got an enterprise of machines, look, in the famous words of that one lady, ain't nobody got time for that, right. So what I need to do is look at trying to do it from an enterprise perspective, and we can do that with the second orange box: we're going to utilize our DNS server, check to see if it's authoritative for that domain, and if it is we're gonna do something with it, call it sinkholing. Sinkholing, yeah, check this out: we have a car driving that's trying to get to that building over there, there's a sinkhole there, they're gonna either stop or go into that sinkhole, but either way they're not gonna get to the other side. Okay, I got it.

So we're gonna utilize a method that allows us to do that. We'll run Invoke-SinkholeDomain, we'll utilize individual black hole domains that we want to use, maybe we can put those in, maybe we grabbed them from some reputable site, something like malwaredomains.com, and then we're gonna create what's called a forward lookup zone in our DNS server. That's what's gonna allow us to become authoritative for that domain, and then when we resolve that domain we're gonna put in there that the address for it is quad zeros. It ain't going nowhere, we've essentially sinkholed it. Now if the malware author wants to use IP addresses, cool, but guess what, domains allow them to be a little bit more modular; with IP addresses they're probably going to have a list, right, it's gonna be a cat and mouse game. But when we look at the additions to our DNS server we see a number of domains that we've added off to the left, and then we see our DNS A record for IPv4, we could do quad A's as well for IPv6, but we see we're resolving that to quad zeros, quad zero, so we're sinkholing that communication. Awesome.

Now we're doing this from an enterprise perspective. Let's say we've identified the malware, we see it's running, we probably have some type of conversation about it, and we don't really want to stop it, because we don't necessarily know what's the next steps, maybe it tips off the malicious author, or we just want to understand it a little bit more. We could pause that process, really suspend it, and the way we do that is we attach a debugger to it. All right, cool. Now the real point of this is we need to at least have the SeDebugPrivilege, but this allows us to pause and really suspend a process, and when we suspend it we could get ransomware keys, if ransomware is what we're going after, and we could really ensure we don't break critical processes. So when we really utilize this we're gonna do something like so: I'm gonna have a binary that literally just prints out to the screen that it's calling home, even though it's not.

So every second it's just gonna spit that out, just enumerating, adding. So we'll run Invoke-ProcessSuspend. Actually, we won't run that first, we need to identify the PID of this thing. We see the PID is 8720, so that's the one that we're gonna pause. So now we can come back in here and we can suspend it, 8720, and when we've done that we notice the process is stopped. It's still running, right, in the context of it's a process executing, but is it actually doing stuff? Because we have a debugger attached to it, not so much. So now we can triage, understand a little bit more, without fully stopping it, and then when we're done doing that we can resume it, specifying our ID, and then we see it continue on. All right, a tactic, a thing that we can use to kind of aid us in our incident response process.
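The enterprise sinkhole the talk describes (become authoritative for a domain with a forward lookup zone, answer with quad zeros), as an added example written for this page rather than the speaker's own Invoke-SinkholeDomain; it assumes the DnsServer module from RSAT, rights on the DNS server, and uses a constructed domain list and log path.

```powershell
# Added example, not the speaker's Invoke-SinkholeDomain: makes a Windows DNS
# server authoritative for each listed domain and answers it with 0.0.0.0/::
# so clients never reach the real host. Needs the DnsServer module (RSAT) and
# rights on the server. Domain list and log path are constructed for the demo.
#Requires -Modules DnsServer

function Add-SinkholeDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Domain,
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $LogPath = "$env:ProgramData\sinkhole.log"
    )
    process {
        foreach ($raw in $Domain) {
            # blocklist files often carry comments and blank lines
            $d = $raw.Trim().ToLower().TrimEnd('.')
            if (-not $d -or $d.StartsWith('#')) { continue }

            # refuse to touch a zone the server already hosts (could be a
            # legitimate zone, or one we sinkholed on an earlier run)
            if (Get-DnsServerZone -Name $d -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
                Write-Warning "zone already exists, skipping: $d"
                continue
            }
            if (-not $PSCmdlet.ShouldProcess($d, 'create sinkhole zone')) { continue }

            # becoming authoritative: a file-backed primary zone for just this name
            Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.sinkhole.dns" -ComputerName $ComputerName
            # apex and wildcard records, so evil-c2.example and anything.evil-c2.example
            # both resolve to the quad-zero address (and :: for IPv6 clients)
            foreach ($name in '@', '*') {
                Add-DnsServerResourceRecordA    -ZoneName $d -Name $name -IPv4Address '0.0.0.0' -ComputerName $ComputerName
                Add-DnsServerResourceRecordAAAA -ZoneName $d -Name $name -IPv6Address '::'      -ComputerName $ComputerName
            }
            "$(Get-Date -Format o) SINKHOLE $d" | Add-Content -Path $LogPath
            [pscustomobject]@{ Domain = $d; Server = $ComputerName; Address = '0.0.0.0' }
        }
    }
}

function Remove-SinkholeDomain {
    # rollback: only zones whose file name carries our marker are removed
    param([Parameter(Mandatory)] [string] $Domain, [string] $ComputerName = $env:COMPUTERNAME)
    $z = Get-DnsServerZone -Name $Domain -ComputerName $ComputerName
    if ($z.ZoneFile -notlike '*.sinkhole.dns') { throw "$Domain is not a sinkhole zone" }
    Remove-DnsServerZone -Name $Domain -ComputerName $ComputerName -Force
}

# demo input (constructed); a real run would Get-Content a blocklist pulled
# from a source such as the malwaredomains.com list the talk mentions
'# sample blocklist', 'evil-c2.example', 'dropper.example.net' | Add-SinkholeDomain
# verify what a client will now get back from this server
Resolve-DnsName -Name 'www.evil-c2.example' -Server $env:COMPUTERNAME -Type A
```

The wildcard record is the part worth checking in your own environment: it catches subdomains the blocklist does not name, but it also means any host under a sinkholed domain stops resolving, so review the list before running without -WhatIf.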
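The suspend-by-debugger trick from the process-pausing section, as an added example written for this page (not the speaker's Invoke-ProcessSuspend); it assumes an elevated session, the Win32 calls DebugActiveProcess / DebugActiveProcessStop / DebugSetProcessKillOnExit via P/Invoke, and a constructed "calling home" child process standing in for the talk's demo binary.

```powershell
# Added example, not the speaker's Invoke-ProcessSuspend: freezes a process by
# attaching to it as a debugger and never servicing its debug events, then
# releases it with DebugActiveProcessStop. Run elevated (SeDebugPrivilege, as
# the talk notes). The "calling home" child process below is constructed for
# the demo. Assumption to keep in mind: attach and detach must happen from the
# same thread, so do both from one PowerShell session, not from jobs/runspaces.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DebugActiveProcess(uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DebugActiveProcessStop(uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DebugSetProcessKillOnExit(bool KillOnExit);
'@
Add-Type -MemberDefinition $signature -Name Native -Namespace IRDebug

function Suspend-ProcessByDebugger {
    param([Parameter(Mandatory)] [int] $Id)
    # attach: the target's threads stop at the first debug event, which we
    # deliberately never pick up with WaitForDebugEvent, so it stays frozen
    if (-not [IRDebug.Native]::DebugActiveProcess([uint32]$Id)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "DebugActiveProcess($Id) failed, Win32 error $err (need SeDebugPrivilege / elevation?)"
    }
    # without this, closing the PowerShell session kills the debuggee,
    # which is exactly the "break a critical process" outcome we want to avoid
    [void][IRDebug.Native]::DebugSetProcessKillOnExit($false)
    Write-Verbose "PID $Id suspended via debugger attach"
}

function Resume-ProcessByDebugger {
    param([Parameter(Mandatory)] [int] $Id)
    if (-not [IRDebug.Native]::DebugActiveProcessStop([uint32]$Id)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "DebugActiveProcessStop($Id) failed, Win32 error $err"
    }
    Write-Verbose "PID $Id resumed"
}

# demo: a stand-in for the binary in the talk that prints "calling home" every second
$beacon = Start-Process powershell -PassThru -ArgumentList '-NoProfile', '-Command',
    'while ($true) { "calling home $(Get-Date -Format T)"; Start-Sleep 1 }'
Start-Sleep 3
Suspend-ProcessByDebugger -Id $beacon.Id -Verbose
# CPU time should not grow while frozen; compare before and after a short wait
$t0 = (Get-Process -Id $beacon.Id).TotalProcessorTime
Start-Sleep 5
$t1 = (Get-Process -Id $beacon.Id).TotalProcessorTime
"frozen: CPU time delta = $(($t1 - $t0).TotalMilliseconds) ms"
Resume-ProcessByDebugger -Id $beacon.Id -Verbose
Start-Sleep 3
Stop-Process -Id $beacon.Id   # clean up the demo process
```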
All right, who in here's heard of Fail2Ban? All right, cool, I like it. Sir, you've heard of it, right? Okay, all right, awesome. All right, so I like it, all right, and it does what I need, especially from an internet-facing thing, but hey, not everything runs on *nix. So from a Windows perspective what do I have? There's some items out there, but they don't really get after the full complexity of what I'm trying to accomplish, so I ended up coming up with Invoke-Fail2Ban from a Windows perspective, all right. And really what that allows us to do is essentially everything that Fail2Ban does, but it writes to our actual event log, then it writes to, you guessed it, a SQL database, right, because I want to give the analyst options for interoperability with other tools or capabilities they may have. What this allows us to have is some oversight into our internet-facing items without allowing somebody to just attack them every second of the day. So how is that being done? Well, we'll utilize this diagram: we got the system on the left trying to log into the system on the right. First time he tries admin, one two three; the red signifies that that password was wrong, all right, and he continues on. Then he gets to the point where it's admin, P@$$, and it was right. So he tried a number of times and he was good. Now they could have had on there a lockout threshold based upon the number of times somebody entered a password, then lock them out, but let's be real here, that may not always be the case, and then guess what, maybe it only locks him out for 60 minutes. We use Invoke-Fail2Ban, we can set our threshold, we can customize, really finite in the sense of how long we want to lock them out, and it's all automated for us. All right, so we see this person trying to log in three times and now it locks him, so he no longer communicates with that machine. So we'll do that and we'll look at that, so we'll come in here with Invoke-Fail2Ban.

I'm gonna run this. I got a couple options: I can just start monitoring, I can list whatever banned IPs I have in my database and whatever that status is, we could also list our whitelisted IPs, because let's be real, you definitely don't want to lock yourself out, or we can just say, in a hasty manner, let's unblock everything. So I'm gonna select start monitoring, and then I have the option, outside of whitelisting my own IPs, I have the ability to add additional IPs. No, I do not want to add any more. It returns to me all IPs associated with my system. I'm gonna press Enter to start, I'll come over here and I'll try to log into that machine three times. Right now I have the polling rather aggressive, just for the demo. All right, cool, so it triggered, and now when I come over here and look I see a ban for that IP that actually tried to log in. I get to the point where now I go look at the event log, I see the data that's in there that I care about, and it continues to monitor, and then once that threshold has been met, as far as how long I wanted to actually lock that system or block that system, it releases it.

All right, so we see it's now been released, we refresh, that rule is gone, and we're good to go. Now if we get to the point where it's like, hey, I want to look at this a little bit more, what other items do we have? We can go in there and I would see right now we only have one IP in that database, and we see currently it is not being blocked. Okay, so we got a couple of things here that we can add to our toolkit, right, within PowerShell. Mmm, I'm feeling good, feeling accomplished, but there's some pitfalls, all right. Trust but verify. Somebody wants to tell me that, actually, I heard that again yesterday:
trusting PowerShell and Windows APIs. Man, if that system is really compromised, if it's really, really compromised, I don't know if I'd want to trust a binary that's already there. Definitely I feel a little skeptical with those APIs at that point. But if I am proactively looking and trying to identify maybe patient zero, or who else is infected in some respect, right, maybe I'll utilize this. My mileage will vary, my organization will vary, the toolsets I have will vary and really dictate this. Not every network may be utilizing or configured to utilize PowerShell remotely; if that's the case then you may find yourself going from system to system, and then that kind of defeats some of the purpose. And then PowerShell may not answer every need; nothing is a 100 percent solution, but I tell you, I was once sitting there with nothing, and now I've been able to answer some information. So all right, our mileage will vary with that, as long as we understand that. Some other useful frameworks and scripts, each comes with their pluses and negatives, some overlap, but definitely worth taking a look at, a lot of work has gone into these things.

All right, so as we wrap up here: you started with the toolkit like so, now your toolkit's like that, yeah, all right. Now if you show up as a plumber at the house, I'm like, um, the sink's right there, but guess what, what you don't see in there, yeah, you don't see that. So I got one more thing I want to add, really that times three. The first is the PowerShell cheat sheet. I don't care what language you code in, script in, program in, right, nobody starts off remembering everything, so here are some core aspects for PowerShell on one sheet, a cheat sheet if you will, and slowly but surely maybe you get off of that, you're like, I don't need that anymore, all right, but a good reference sheet. Now, did this back in 2017, but it's still very relevant today, all right, so your mileage will vary with that, but a good starting point in my honest, humble opinion.
And then guess what, if you're looking for realistic, on-demand, 24/7, free, F-R-E-E, capital, lowercase, mixed, it doesn't matter, free is free, all right: Under the Wire. Myself and two other people developed it back in 2015. We got over 70,000 unique people who have played this game, roughly 78 countries of the 193-ish countries, all right. So this gets after the core aspects of PowerShell: hey, I want to look at a file, I want to filter for this, right, this is exploratory learning with a purpose and a goal in mind. And then if you're like, I'm beyond that, then I point you to really use Posh-Hunter. Posh-Hunter allows you to have an actual VM; the VM has artifacts, has some beaconing going on, just benign beaconing, right, but there's roughly ninety challenges in which you jump in this environment, utilize some PowerShell, situationally based, and you answer questions. Call it a CTF on demand if you want to. Posh-Hunter is nonlinear, whereas Under the Wire is linear. All of these challenges were based on actual accounts, right, the names were withheld to, you know, secure identities and all that good stuff, but free, free, all right.

So, summary: commercial tools are great, they very much are, very much so, if your organization can afford it. Okay, true, true. Open-source tools are great as well, if your organization will allow. Fair point. PowerShell can provide access to vital data, I don't think anybody's going to combat that, and we need to do more with less, absolutely. People want results; incident response is an innovative and results-driven field. Everything comes with a con, PowerShell is no different, so I want you to really realize that. Now that brings us to the end. If you want to connect with me, that's how you do it. I'll pause for a minute for questions. Now what? Oh, all right, who's the youngest, other than my daughter, who's the youngest in here? Who's 17 or younger? Come up, please. Who is 21 or younger? Come on up. 23 or younger? All right, come on, come up. Oh yeah, I get it, oh, here we go. All right, let's get the youngest one. I'm answering a question still as we do this. How old? 14? Oh.

Somebody was 21? Sorry, I apologize, you can shank me in the hallway. All right, thanks. I'm coming up. All right, any questions? If not, that concludes my brief, I'll stand by in the corner. Thank you all. Oh really? Oh okay, we've got a question. It's coming. I'm in the process now of highlighting something like Posh-R2 from a Linux perspective, not necessarily Mac, but yeah, absolutely, from a Linux perspective. Open source and PowerShell was probably one of the greatest things that happened. So the question was, have we started applying anything like that towards Mac or Linux, and the answer was definitely towards a Linux perspective. Sir?

Yeah, so the question is how intensive is PowerShell across an organization, running and trying to grab this information, and I would say it really depends. As long as it's done smartly: it has the ability to do jobs, so it's threaded out, and as long as you're not like, connect to this machine, grab that one thing, connect back to that machine, grab this one thing, it's not necessarily as bad, right. And if you have these centralized organizations, maybe you put some of the code you're looking for on a local server in that actual geographic location and have systems grab it from there, and then have that one machine come back to another geographic location, as opposed to a machine in Seattle going out all the way out to Atlanta or New York. But your organization would definitely vary based upon bandwidth and everything else. Good question. Any other questions? All right, thank you, I appreciate it. [Applause]
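The Fail2Ban-on-Windows logic from the Invoke-Fail2Ban section (count failed logons per source, block at a threshold, whitelist yourself, release after the ban time), as an added example written for this page rather than the speaker's tool; it assumes an elevated session, Windows Security event 4625 with logon-failure auditing enabled, the NetSecurity firewall cmdlets, and a JSON state file standing in for the talk's SQL database, with threshold, window and ban time as assumed values.

```powershell
# Added example, not the speaker's Invoke-Fail2Ban: one polling pass of a
# Fail2Ban-style loop on Windows. It counts 4625 (failed logon) events per
# source IP in the Security log (logon failure auditing must be on), blocks
# offenders with an inbound firewall rule, keeps bans with their expiry in a
# JSON file (a stand-in for the talk's SQL database), and lifts expired bans.
# Run elevated. Threshold, window, ban time and state path are assumed values.
function Invoke-FailedLogonBan {
    param(
        [int]      $Threshold     = 3,
        [int]      $WindowMinutes = 5,
        [int]      $BanMinutes    = 60,
        [string[]] $Whitelist     = @(),
        [string]   $StatePath     = "$env:ProgramData\failed-logon-bans.json"
    )
    # never block ourselves: loopback plus every address on this host
    $Whitelist += '127.0.0.1', '::1'
    $Whitelist += Get-NetIPAddress | Select-Object -ExpandProperty IPAddress

    # state: IP -> ban expiry (ISO 8601 string so it round-trips through JSON)
    $state = @{}
    if (Test-Path $StatePath) {
        (Get-Content $StatePath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $state[$_.Name] = $_.Value }
    }

    # 1. tally failed logons per source address inside the window
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
    $hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'IpAddress').'#text'
    } | Where-Object { $_ -and $_ -ne '-' } | Group-Object   # '-' = local/console logon

    # 2. ban new offenders that crossed the threshold
    foreach ($g in $hits | Where-Object Count -ge $Threshold) {
        $ip = $g.Name
        if ($ip -in $Whitelist -or $state.ContainsKey($ip)) { continue }
        New-NetFirewallRule -DisplayName "FailedLogonBan $ip" -Direction Inbound `
            -Action Block -RemoteAddress $ip -Profile Any | Out-Null
        $state[$ip] = (Get-Date).AddMinutes($BanMinutes).ToString('o')
        Write-Warning "banned $ip after $($g.Count) failed logons until $($state[$ip])"
    }

    # 3. release bans whose time is up, mirroring the talk's automatic unblock
    foreach ($ip in @($state.Keys)) {
        if ([datetime]$state[$ip] -le (Get-Date)) {
            Remove-NetFirewallRule -DisplayName "FailedLogonBan $ip" -ErrorAction SilentlyContinue
            $state.Remove($ip)
            Write-Warning "released $ip"
        }
    }
    $state | ConvertTo-Json | Set-Content $StatePath
    # current bans, for a status listing like the talk's "list banned IPs" option
    $state.GetEnumerator() | ForEach-Object { [pscustomobject]@{ IP = $_.Key; BannedUntil = $_.Value } }
}

# one pass; the talk's tool polls, so wrap this in a loop with Start-Sleep to monitor live
Invoke-FailedLogonBan -Threshold 3 -BanMinutes 60
```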