
The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis and mitigation.

Okay, so before we get started: I'm Sean Metcalf. I've started a new tradition at DerbyCon where we actually give away puppies before my talk, so I have some puppies here. I'm gonna ask some PowerShell questions. Who created PowerShell? Raise your hand if you have an answer. No one knows who created PowerShell? Gets over there. Oh, it's so close. Okay, what was the original code name for PowerShell? Raise your hand. I don't know... Monad, okay. Hey, puppies. Okay, what is the default file extension for a PowerShell script? Hands? Sorry, it's already at first. What is my favorite PowerShell post-exploitation tool written by Veris? Raise your hand. Yeah. What is the new hotness from Veris that does recon in Active Directory? The puppies, thank you. Wow, even with video problems it still worked out pretty good. So are we good on video? I'm gonna be over here, is that fine? Okay.
So this is PowerShell Security: Defending the Enterprise from the Latest Attack Platform, and I am Sean Metcalf, and since it's 1:30 we're gonna get started. So I'm the founder of Trimarc, a security company; Microsoft Certified Master in Active Directory, one of about a hundred in the world; and a Microsoft MVP as of earlier this year. I've spoken at a number of different conferences; it's my first time speaking at BSides DC and I'm very excited to be here. I'm a security consultant and a researcher, and I own and operate ADSecurity.org, which hopefully many of you have been to and have checked out. Also, at one point in time I raced armadillos, long story.

So PowerShell, what are we talking about with this? What is PowerShell? I think most people here know what PowerShell is, but we're gonna cover very briefly some cool things about PowerShell, what its capability is. I'm gonna talk about how it's used as an attack platform, look at some real-world attack code that I found on the internet, because everything on the internet is cool and awesome, and we're gonna talk about how all of these new PowerShell security features are often bypassed by attackers.

So isn't PowerShell just C# with training wheels? Wow, kind of, yes, it absolutely is. I posed this question to Matt Graeber and he kind of just turned around and walked away from me, which makes sense, because apparently the squirrel doesn't know how to ride a tricycle, so that's how it goes. But PowerShell is an object-based scripting language which leverages .NET, originally written and designed in C#. It has tremendous capability. It has basic connectivity and the ability to pull data from disparate data sources like the registry, the event log, WMI, XML, and so the power of it is the fact that you don't have to write your own parsers for a lot of this; you can just natively pull in data from XML and work with it. You can extend the PowerShell capability, the cmdlets that are available on the box, by importing modules which then provide a whole lot of additional cmdlets which are purpose-built for a specific purpose or area or command or data-gathering session that you need or you want. And it's almost ten years old now; in fact next month PowerShell will be 10 years old, and here I am talking about it in DC, it's pretty exciting.

So with PowerShell version 5 we get a lot of nice security enhancements. PowerShell version 5 of course came out early this year; technically it came out in December of last year, but we're not talking about that, it came out this year. And we get some really great features: script block logging, system-wide transcripts, constrained PowerShell that locks down PowerShell when you have application whitelisting enabled like AppLocker or Device Guard,
and anti-malware integration with Windows 10. We can configure these settings, we can configure this security through Group Policy, and there's a number of different settings and options that we have here. All this Group Policy is doing is setting items in the registry, and I'm sorry, it's very difficult to see, but that's the registry, those are the settings; we just nod and smile and we move on.

Script block logging we can enable through Group Policy, and basically script block logging takes that PowerShell code that's delivered to the PowerShell engine and, effectively just before it's executed, it's logged. So with module logging, the type of logging we have in PowerShell in version 3 and version 4 and also in 5, what that gives us is: whatever code is delivered to the engine is what gets logged. Well, there's a problem with that, because if that code is obfuscated, if it's munged around in such a way that it doesn't look like language, it doesn't look clear to us, it makes it very difficult to identify what's going on. With script block logging we can actually get what PowerShell interprets and what it's about to run, in order to look at that and create indicators. So we want to turn that on, because if someone is running an encoded command or doing some obfuscation, in this event we're actually going to see that someone's running Invoke-Mimikatz.
Another nice feature: system-wide transcripts. So in PowerShell we've had the ability to have a transcript, which is a file that gets written when you tell PowerShell, go ahead and write a file for me and show everything that shows up in the console. The system-wide transcript is something that, once enabled, you can point to a share on the network, make it a write-only share so that way that file is written there and cannot be modified, and it's written any time any user on that system opens up the PowerShell console or does something in PowerShell, and it's effectively an over-the-shoulder transcript of what they're doing. So you can go back to that, look at that later and go, oh, that looks like PowerShell Empire, that looks interesting. And this is what it looks like, so we've got a lot of really good information at the top: start time, the user name, who it's run as, the machine it's on, the host application, if it's powershell.exe or maybe it's something else, the version of PowerShell, etc., and we can see that Mimikatz is running on this, which looks a little suspicious.

The enforced PowerShell constrained language mode locks down PowerShell to its core components, so we can't run those advanced features that Invoke-Mimikatz loves using, like calling Windows APIs, calling .NET, etc., and this locks down with AppLocker or Device Guard once you have
that enforce mode. So this means that these more advanced scripts, such as those that are in PowerSploit like Invoke-Mimikatz or Get-Keystrokes, which is a keystroke logger within PowerShell, or even just dumping a process from PowerSploit, all those get blocked, because that advanced functionality gets blocked. And if we run Mimikatz, even if we're downloading it straight into memory, it still gets blocked, because constrained language mode says, I don't know what you're trying to do, only core types are available.

And in Windows 10 we get AMSI, which is the Antimalware Scan Interface. This is a big step up with Windows 10. Traditional antivirus can only see and scan files if they hit disk; if they don't hit disk, they have no idea what's going on. So what does this mean? If I download and execute Invoke-Mimikatz in memory without it ever touching disk, antivirus can't do anything about it. But with Windows 10 and AMSI, assuming that I have a registered anti-malware solution with AMSI like Windows Defender, PowerShell, once it gets that code, is going to kick it through AMSI to Windows Defender or whatever that registered anti-malware is, and it checks it and sends back a status: okay, PowerShell will run it. The same thing happens for VBScript and other Windows Script Host engines on that system, so now we can get more insight into what's going on from a scripting perspective on our Windows boxes. And this is what it looks like: so if I download and execute that code in memory, it's gonna get stopped, assuming that it's flagged as malicious. And what's interesting about this, if you look at the file path, it's actually triggering on powershell.exe. Does anyone think that powershell.exe is really malicious? No, it's not. What happens is, when you download that code and jam it into memory and execute it from memory, it's not a file, right? It doesn't have a place on the hard drive that it can reference, so there's effectively a virtual file that gets added to powershell.exe here, and that's how it tracks it. And we can see that here when we're looking at a couple of the PowerShell cmdlets that will give us more information about threats that are detected by Defender, and at the top you can see that I was trying to copy a renamed Invoke-Mimikatz file to another renamed Invoke-Mimikatz file, and it flagged it as a threat; it said, that looks bad, I'm not gonna let that happen, and it stopped the copy. The second one was actually pulling that code from the internet, injecting it in memory and then executing it, and you can see that it says powershell.exe_10.0 and then .000; that's the
virtual file that it flags. But it's not a hundred percent, so, as with all new technology, there are some issues; sometimes PowerShell code does get through. DLL hijacking: so the guy who wrote PS>Attack, which is a PowerShell offensive toolkit in a single executable, realized that if you drop that executable, PS>Attack, on a box into a location and then add his own version of an AMSI DLL, effectively hijacking that DLL, then when AMSI would get called it would go to that version, and his version would say everything's good, so it wouldn't cause any problems. But Matt Graeber actually figured out that he could tell AMSI from within PowerShell that everything's fine, using reflection, and it would just work with everything. And so this fits in a tweet, which just amazes me, because he was able to get this code that bypasses AMSI into 140 characters.

So I mentioned that sometimes PowerShell code just works and gets through. This is me testing Invoke-Mimikatz, downloading it from the internet, executing it, and you see Windows Defender actually popped up and flagged on it, but it still ran, because I still got credentials from that system. So it's still being worked on. And the other problem is that there's only three vendors today that support it, which is kind of a mega fail because Windows 10 has been out for a year. So we're looking at Defender, AVG, and an ESET beta version, and then all the others, they have no statement on AMSI. So please ask your vendor to support AMSI in Windows 10.

So it's story time with Sean. There's a kids' story called A Fish Out of Water; I remember this from when I was a kid, I loved this story, and basically it's about a little kid that gets a goldfish and takes it home, and he didn't listen to Mr. Carp, who said, you know what, give the fish this much and no more, or something may happen, you never know what. Okay, Sean, what does this have to do with
PowerShell? So Microsoft, with PowerShell version 5, has a new feature, a security enhancement, called Just Enough Administration. So the principle of least privilege says: just this much in rights, in permissions, in access, and nothing more, or something may happen, you never know what. I think we know what happens when someone has more access than they're supposed to. JEA is available with PowerShell version 5, Windows 10, Windows 2016, and effectively with JEA we get a constrained PowerShell remoting session with whitelisted cmdlets. So we specifically say these are the cmdlets that are allowed, and the specific parameters that are allowed, with the names of those parameters and the actual parameter values that are allowed. And this is baked into Windows 10 and 2016; otherwise you can install PowerShell version 5 and configure JEA on other supported systems like Windows 7 and 2008 R2. But what's really interesting is, when you delegate server rights it can leverage a virtual account on that system, assuming that you're using JEA on a supported platform for that, which actually abstracts the credentials that are being used for it even more. And we can gain insight into what that activity is through PowerShell logging and transcription, which we don't really get when someone's using RDP or using the MMC or using another tool, but we can get that if we can identify what those tasks are and actually PowerShell those tasks, which is ideal for server admin delegation. If your server admins really just need to connect into a box and restart a service, or maybe clear the event log or save the event log, or do a few other things, why do they need to be able to RDP in as an admin?

So configuring JEA is something that sounds like it could work, right? But there's a number of things that we have to do, and we need to make sure we have the prerequisites: domain-joined, PowerShell remoting enabled, JEA supported, etc. But the second one is really the most important: how many people actually know what their admins are doing, what their rights are, what rights they actually require to do their job? So if I'm an admin I might get domain admin. Why? It's easier. I say I need to do these things; okay, domain admin, go ahead and do that. I don't need domain admin, I could just do this. No, no, that's fine, just use that, that's easier. We need to start identifying what admins really need to do, because then we can start leveraging technology like this and make sure that admins have this much and no more. So we identify the tasks, we restrict as appropriate, we confirm they work with JEA, because they have to be PowerShell cmdlets and it actually needs to plug in correctly. We can configure these identified tasks in a role capability file, a .psrc, and then we're going to register a session configuration which exposes that role capability, and we need to make sure that we follow the principle of least privilege. But of course the important thing here is that we test that, because if we just go ahead and configure JEA for a bunch of admins and we say, go ahead and do this PowerShell remoting, we actually may be opening up another avenue of attack for something else. So we definitely need to look at this, but this is a great capability and it's a great feature, and it's something we need to look at and start getting away from having admins RDP into systems all the time, when maybe we can give them a customized PowerShell script that they can run and more easily manage all of the systems they have to, giving them back more time.

So, PowerShell as an attack platform. PowerShell is obviously very helpful,
meant for administrators, but like all good admin tools it can be used for more nefarious purposes. But attackers have options, so it's not just about PowerShell; attackers have always had options: custom executables, Windows command tools, RDP, Windows Scripting, Python even. This is just another tool in their toolkit. Well, how did we get to the point where we are now? In the summer of 2010, about six years ago, Dave Kennedy and Josh Kelley presented at DEF CON: OMFG PowerShell, like, what, this is crazy, all this stuff I can do. And they described in that talk, which I highly recommend you check out, most if not all of the PowerShell attack techniques we see today: bypass execution policy, encoded commands, Invoke-Expression, and they released a tool that dumped the SAM database on the Windows box with a PowerShell-based tool, entirely built in PowerShell. By the way, all these slides will be available on ADSecurity, just so you know. And in 2012, just a couple of years later, Matt Graeber released PowerSploit, a GitHub repo with a number of PowerShell attack tools, which started with Invoke-Shellcode. He realized that you could take PowerShell code and inject it into the process of your choosing, and originally this was for Meterpreter, but it could be used for just about any shellcode. And then a year later, the shot heard around the world was when Invoke-Mimikatz was released by Joe Bialek, and now Mimikatz was no longer just an executable you have to control; now it's a PowerShell script you need to stop from being downloaded from the internet, from people carrying it around, from Casey Smith putting it into an image file. And this leverages Invoke-ReflectivePEInjection, which just blows my mind: you can take a DLL file, encode it into a PowerShell script, which is a text file, run that and push that code into memory, that DLL, and then call it in memory without anything ever touching disk. So PowerShell, there: beneficial for the admin, lots of capability, can run lots of different types of things, can call Windows APIs, but there's a lot of things that attackers love about it. The things that admins love about it, attackers love also, and the interesting thing is that historically most organizations haven't had good visibility into PowerShell. It's gotten much better, but this is another reason why attackers like to use it.

So let's talk about real-world PowerShell attacks. Yeah, that'd be great. So like I said, I found a lot of things off the internet; I also reached out to some people in the industry and said, hey, send me your PowerShell attack code, I'll use it for good, I promise. So I'm putting it up here; we're using it for good, as education. So as we know, macros are code that run in documents, VBA, Visual Basic
for Applications. When you click on Enable Macros we know that's running code; unfortunately it's called Enable Macros and people see that as, I need to see the stuff that's in this file, right? But this is what actually runs behind the scenes, and this is interesting, because this Word macro calls PowerShell: it does a process create with "power" in quotes and "shell" in quotes and ".exe" in quotes, -ExecutionPolicy Bypass, etc., and then it's downloading some stuff from the internet and then executing it. Pretty standard, but an interesting way to do it from a Word macro. And then we also see that another one can download code and upload recon data, so there's a number of different variables here that are key to what that system is and how it's configured, which then get uploaded right back again. So pull the code down, execute it, pull some recon off the system and then upload it to the system of their choice. Download code, execute: so the first one here, and I'm sorry for the people in the back, it's a little more difficult to see, we have it expanded here: Invoke-Shellcode is being executed on this system to obviously inject some shellcode, and then some additional things are done here to get some additional payloads. So a lot of times malware authors use stagers, right? You use one part to then go to another part to do another part; it makes it a little more difficult to track. This one I really love: so the first one pulls an executable off of a website and then drops it locally and executes it under C:\Users in AppData\Roaming, which is why it's a good idea to actually block users from running executable content from these locations. But the second one is really interesting, because it's pulling down a JPEG and then renaming it as an executable, so on the internet it's .jpg but locally it's .exe. This one I love: so what we're going to do is we're going to create a new task on this system, we're gonna call it "Update Google", but really it's gonna just run some PowerShell, and so it's running Invoke-Shellcode, and that means that we're going to get some stuff that the system administrator is not expecting to be on that system. And then as we look and dig into it we see DllImport kernel32.dll, which is something attackers love using because it gives a lot more functionality to their PowerShell script, and then they can do additional things like jam in more shellcode or do pretty much whatever they want. This is fascinating, because this PowerShell script actually monitors what windows are open and then looks for specific financial and sensitive information in these windows, like LastPass, PayPal, Discover, Expedia, interesting things, and when it sees it, then it starts extracting information from those sites, and it has a keylogger component that's logging what is typed in. We can also take screenshots with PowerShell on a regular basis to screenshot what's going on and get more information about what the users are doing or the admin is doing. And last year at Black Hat Matt Graeber talked about WMI as a backdoor; that's a great persistence method and mechanism. Well, we have Windows scheduled tasks, but there's also this management interface buried into Windows called WMI that's been around for 20 years, and what is that? It basically provides, for valid reasons but also for attackers, a way to set up a scheduled task that you really can't find unless you write some PowerShell code. It's very difficult to get this, because what you do is you actually configure this WMI task in several different parts: the first part is to say, when this situation occurs; and then the other part is, I want you to do this; and then the third part is to say, when you see this, then do this. And here it's going to run evil.exe, which, I don't know about you, but that sounds pretty suspicious.

So what does Microsoft think about all this? And I apologize for the screen. What does Microsoft think about all this? At DerbyCon last month Jeffrey Snover, who created PowerShell, and Lee Holmes, who actually wrote all of these PowerShell version 5 security features, keynoted at DerbyCon, and they said, well, we know that attackers are using PowerShell for attacks, but they're also using RDP, they're also using MMC, they're also using all these other tools that are there for admins. So they put up here and said, we know you have your choice of post-exploitation languages, so we thank you for hacking with PowerShell.
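The three-part WMI persistence mechanism described above (filter = "when this situation occurs", consumer = "do this", binding = "when you see this, then do this") is exactly what a defender has to enumerate to find it, and the speaker's point is that it takes some PowerShell code to do so. The following is an added example, not the speaker's code, that reads root\subscription on the local machine and joins the three parts into one row per binding, flagging the consumer types that launch commands or scripts. It only reads WMI and changes nothing; the report shape and the "suspicious" rule are this example's own choices.

```powershell
# Added example: report every permanent WMI event subscription as one row per binding.
# Runs on Windows PowerShell 3+ (Get-CimInstance). Elevation is needed to see all of them.

# Binding.Filter / Binding.Consumer come back as CimInstance references from Get-CimInstance
# and as "__EventFilter.Name=\"x\"" path strings from Get-WmiObject; handle both.
function Resolve-WmiRefName($ref) {
    if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { $matches[1] } }
    else                   { $ref.Name }
}

function Get-WmiSubscriptionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cimArgs = @{ Namespace = 'root\subscription' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }

    # Index filters and consumers by their Name key so bindings can be resolved.
    $filters = @{}
    Get-CimInstance @cimArgs -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    $consumers = @{}
    # Querying the abstract base class returns the concrete consumers (CommandLine, ActiveScript, ...).
    Get-CimInstance @cimArgs -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($binding in Get-CimInstance @cimArgs -ClassName __FilterToConsumerBinding) {
        $filter   = $filters[(Resolve-WmiRefName $binding.Filter)]
        $consumer = $consumers[(Resolve-WmiRefName $binding.Consumer)]
        $type     = $consumer.CimClass.CimClassName

        # What the consumer actually does depends on its class.
        $action = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '(no command/script payload)' }
        }

        [pscustomobject]@{
            Computer     = $ComputerName
            FilterName   = $filter.Name
            TriggerQuery = $filter.Query          # the WQL "when this happens" part
            ConsumerType = $type
            ConsumerName = $consumer.Name
            Action       = $action                # the "do this" part
            # Command-line and script consumers are the two that run arbitrary code;
            # a binding whose filter or consumer no longer resolves is also worth a look.
            Suspicious   = ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') -or
                           (-not $filter) -or (-not $consumer)
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

On a clean workstation this usually returns nothing, or only subscriptions belonging to known management software; a CommandLineEventConsumer whose Action is an executable under a user-writable path, or an ActiveScriptEventConsumer carrying inline script, is the pattern the talk's evil.exe example describes.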
But we don't just need powershell.exe; we can execute PowerShell from other places. And why is that? We can execute and run PowerShell from .NET, because PowerShell is System.Management.Automation.dll. It is a DLL; it is not powershell.exe, it's not powershell_ise.exe; those are just consoles that call that DLL. On the right side you can't really see it, but this is code from MSDN that says how to actually create an application that calls PowerShell code, and it's as simple as going PowerShell ps = PowerShell.Create() and then... And Ben Ten, who spoke at DerbyCon this year and also last year, talked about his Not PowerShell, which is an executable that's totally not PowerShell, but you can actually run PowerShell code from it. So we can create a C# application that references this DLL, we can leverage that automation assembly's functions to execute the PowerShell code, and this is pretty much how powershell.exe works. Lee Christensen: someone said, hey, this is how this works when we do it this way, and he goes, what about over here? And they said, no, no, that doesn't really work that way. He's like, okay, and he went off for like a month and figured out how to do it, so he wrote Unmanaged PowerShell, which is the foundation for just about every attack tool that's out there that runs PowerShell code on a system without actually calling powershell.exe. How does it do this? It starts up .NET and performs in-memory loading of a custom C# assembly that executes that PowerShell, and it runs it from an unmanaged process. Metasploit uses it; as of March of this year Unmanaged PowerShell tremendously enhanced the capability of Metasploit, because that means that it can do a lot of things that it couldn't otherwise do unless it was calling powershell.exe.

So how do we sidestep PowerShell security? Man, that's too bad. So this is a graphic of a road in the middle with a gate there, and you can see in the snow
that all these other cars have just gone right around that road, because they can just drive on the grass and there's a gate in the middle, so it's not so effective. When you have to explain your graphics... So let's talk about PowerShell without PowerShell. One of my favorite, actually I can't say favorite because Jared has quoted me on that, this is not my favorite PowerShell attack tool: PS>Attack is an executable that's not PowerShell. I like to explain it because it's one of the easier ways to explain how this works. It is a self-contained custom executable that has PowerShell offensive attack code inside of it that can be leveraged just by running that executable, and it calls the PowerShell components through .NET. But what's pretty cool about it is all these PowerShell modules inside of this executable are encrypted, and when you run the executable these are decrypted and then placed in memory. So this means that antivirus really never gets a chance to see what the code really is, because they're encrypted in the executable, in that file, and then when it's executed they're shoved up into memory. So this is pretty interesting: you run PS>Attack, it decrypts these modules in memory, and we can run a cmdlet within PS>Attack called Get-Attack. We want to do recon, we say Get-Attack recon, or Get-Attack netcat, Get-Attack passwords, to see what's available to us. So here's the interesting thing about PS>Attack: when I run PS>Attack and run Invoke-Mimikatz, there is no powershell.exe that's executing; it's PS>Attack. If I rename it or call it something else, that's what would show up. What about constrained language mode, Sean? You said how great that is, how we can stop Invoke-Mimikatz, but I see Invoke-Mimikatz is running on the bottom when you run PS>Attack. Yes, that is true. So constrained language mode only constrains powershell.exe, the PowerShell console components; it does not constrain when you have an application, a .NET exe, calling PowerShell code. You can bypass that constrained language mode. Sean, why did Microsoft do this? I asked that very question, and the answer I got was because of compatibility with other applications: you might have constrained language mode and that application would stop working, at which point they would blame Microsoft, cue support hassles, small violin, etc. So Invoke-Mimikatz works in constrained language mode when it's called from this executable, and it doesn't show up in the Task Manager. Okay, that's interesting, it bypassed constrained language mode. How does it do that? Well, I mentioned how it does that, but is there anything else that it's doing that's unusual? What about all those great PowerShell version 5 security logs that I was talking about? They're not there. So I run Invoke-Mimikatz from within PS>Attack and there are no logs that show up in the PowerShell Operational log. Why is this? It seems really weird, but there are the original PowerShell logs, so event ID 400 and 800, the ones you got with PowerShell in the version 2 days, your default Windows 7 ones. How does this work? It works because PS>Attack is actually using PowerShell version 2 on that system, and these capabilities are not available in PowerShell 2: there is no script block logging, there's no module logging. So at the top here I run from a command prompt powershell -version 2, so I'm basically calling PowerShell but I only want to use the version 2 libraries, I only want to use the version 2 associated PowerShell, and I run a command called Get-Process. You can't see it on the right side, I apologize, but the slides are online, and we cannot see that event. But the one below it, where I just call PowerShell, where it's running PowerShell version 5 on this system, which happens to be a Windows 10 system, we can see it run here, and then if you could actually see the event there you would see that it saw that. They can't see the top one because it's running PowerShell version 2.

So how do we detect this? And this is an
awesome graphic with, like, RGB colors; it actually had like 16K colors. This is a Where's Waldo picture. Again, explaining your memes is not so interesting or exciting, but we have to figure out where Waldo is, and it's very difficult to figure out where Waldo is because we have an executable that's calling PowerShell that bypasses our standard traditional security visibility through our logs. So I ran Procmon by Sysinternals to look at what PS>Attack was doing; well, there's a lot of .NET in that call to PowerShell, and as I dug into it, and also with some help from Carlos Perez, I realized that we could look for PowerShell in non-standard processes. So we can do Get-Process and pipe it and look for System.Management.Automation, because that is the DLL that's called by those executables to run PowerShell outside of powershell.exe. If we dig in a little bit more we can see all of the modules that it's calling, so kernel32 again, pretty interesting, but System.Management.Automation.ni.dll. So we can run Windows 10 with an AMSI-aware AV like Defender, and when we do that, what do we get? It doesn't work. When it's trying to load those modules and decrypt them and put them in memory, AMSI kicks it over to Defender and Defender goes, no, that is not good code, we're not going to run that. Except, remember I said Matt Graeber tweeted out how to bypass it, and then Jared went ahead and integrated that into PS>Attack and now it works again. So it's always this cat-and-mouse game: try to figure out how to defend against something and then someone comes out with a better mouse, or a better mousetrap, or you get a cat and then you have a cat running around, and then the cat's not good enough because there's a rat and then you need to get a snake, and then a snake's not good enough, you get a mongoose, then you have a mongoose running around the house, which is not so great with kids, no matter what you heard about Rikki-Tikki-Tavi, and then you get like an eagle, and trust me, you cannot have them in the house at any point in time, and then it just goes on to this thing where you just keep escalating and it goes crazy. And I'm off topic.

So how do we detect PS>Attack? So I looked into this and I saw that event 400 is one of those events that starts with the original earlier version of PowerShell, PowerShell version 2, and what we can look at here is the host name, the host engine, but we can look at the engine version, and it says 2.0, which means this executable is calling PowerShell version 2, which is really weird because I have PowerShell 5 on there. So in Windows 10 we can actually uncheck a box and say I don't want PowerShell 2 on my 10 box, and it will remove it; we can do the same thing with 8.1. And so when I try to run PowerShell version 2 it goes, I don't know what you're talking about. And so once we uncheck that box and say there's no more PowerShell version 2, and then we run PS>Attack and have it do all of this interesting activity, guess what? All the script block logging starts showing up again. So 4104 shows us what it's trying to do, 4104, 4103; we get the logs that we would normally get from this type of activity and that we're accustomed to.

So how do we detect it? Well, we can look at event ID 800, which means that if you're not pulling the original PowerShell logs you probably need to pull those in addition to your Operational logs. We can look for those host applications that are not a standard Microsoft tool; it's not gonna be a hundred percent, but it's something to look at, because if it says PS>Attack it's probably not powershell.exe. A version mismatch; System.Management.Automation being hosted in a non-standard process, if you're using a tool that's able to look at processes and what they're loading, this is a good way to identify that. And then the other thing is custom executables are executables: they can call Windows APIs directly, they can call .NET directly, they don't need to run PowerShell code. So the problem here isn't PowerShell; it's the fact that untrusted code is running on the system that belongs to someone who doesn't work for your organization. So how do we detect this? How do we improve our logging? How do we find the bad that's out there?
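The three detection ideas just listed (System.Management.Automation hosted in a non-standard process, an engine-version mismatch in event 400, and removing the PowerShell 2.0 engine so downgrade attempts fail) as an added example, not the speaker's code. The allow-list of expected host process names is an assumption to tune for your environment; the log name, event ID, message fields and optional-feature name are Windows' own.

```powershell
# Added example: three local checks for "PowerShell without powershell.exe". Run elevated.

$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh')   # assumed legitimate hosts; tune this

# 1) Processes with System.Management.Automation(.ni).dll loaded that are not a known
#    PowerShell host. Modules of other users' processes may be unreadable even when
#    elevated; those errors are skipped rather than reported as findings.
function Find-NonStandardPowerShellHost {
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }     # access denied -> next process
        $hosted = $mods | Where-Object { $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$' }
        if ($hosted -and ($p.ProcessName -notin $ExpectedHosts)) {
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $p.Path; Module = $hosted[0].FileName }
        }
    }
}

# 2) Classic 'Windows PowerShell' log, event 400 (engine started). Flag a 2.x engine on a
#    box that ships v5, and a HostApplication that is not one of the expected hosts.
function Find-SuspiciousEngineStart {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $msg     = $_.Message
        $engine  = if ($msg -match 'EngineVersion=(\S+)')         { $matches[1] }        else { '' }
        $hostApp = if ($msg -match 'HostApplication=([^\r\n]*)')  { $matches[1].Trim() } else { '' }
        # First token of HostApplication is the exe, possibly quoted and with spaces in the path.
        $exePath = if ($hostApp -match '^"?([^"]*?\.exe)') { $matches[1] } else { ($hostApp -split ' ')[0] }
        $exe     = [IO.Path]::GetFileNameWithoutExtension($exePath)
        $reasons = @()
        if ($engine -like '2.*')                  { $reasons += "engine v$engine (downgrade)" }
        if ($exe -and ($exe -notin $ExpectedHosts)) { $reasons += "host '$exe' is not a standard PowerShell host" }
        if ($reasons) {
            [pscustomobject]@{ Time = $_.TimeCreated; Engine = $engine; HostApplication = $hostApp; Reason = ($reasons -join '; ') }
        }
      }
}

# 3) Is the PowerShell 2.0 engine still installed? (Windows 8.1 / 10 optional feature.)
#    $true = installed, $false = removed, $null = feature unknown on this OS.
function Test-PowerShellV2Installed {
    $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($f) { $f.State -eq 'Enabled' } else { $null }
}
# To remove it (the "uncheck the box" from the talk), elevated:
#   Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

Find-NonStandardPowerShellHost | Format-Table -AutoSize
Find-SuspiciousEngineStart     | Format-Table -AutoSize
"PowerShell v2 engine installed: $(Test-PowerShellV2Installed)"
```

Running `powershell -version 2` on a box that still has the 2.0 engine produces a 400 event with EngineVersion=2.0 and is reported by the second check as a downgrade; once the optional feature is disabled that command fails and, as the talk describes, script block logging (4104) and module logging (4103) are back in the Operational log for whatever the custom host tries to run.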
Well, we use PowerShell module logging, and we enable that. If you have PowerShell version 3 or 4 or 5 you can enable it through group policy. There's enhanced logging in version 5, and of course, sorry, enhanced logging in version 4; version 5 has some more compelling features. And we can go in and set this and basically say we want to enable PowerShell module logging and we want all modules, so star, log all of them for us please, so we log all our PowerShell activity, and then we look for interesting things like Net.WebClient download, Invoke-Expression, EncodedCommand, BITS activity, etc. That's a good start, but I'm going to show you why, if this is how you're looking for PowerShell bad, we're missing a lot.

So Invoke-Expression, it's been referred to as the hacker's PowerShell command line, with good reason. Invoke-Expression is a way to take any text anywhere, pull it into PowerShell and say this is code, execute it, which means that we can just pipe code into it and invoke it, and PowerShell goes, okay, it's a script, I'll run it. So if you have execution policy set up to block scripts from running, all I have to do is pipe text from anywhere and say Invoke-Expression that, and it'll run. Net.WebClient download, very popular, we've seen it in the real-world attack
tools. There's also a way to use the IE COM object, there's a number of different .NET methods to do this as well, and there's actually PowerShell cmdlets that allow you to pull code down from the internet, so there's a lot of different ways this can be done, not just Net.WebClient download.

So how do we detect Invoke-Mimikatz? That's what we care about, right, we want to find the bad stuff that we know is out there. We can do it the antivirus way: look for Mimikatz, generally, Invoke-Mimikatz. But unfortunately someone told the bad guys there's this tool called search and replace, and we can just take Mimikatz and replace it with kittycats and then we can't find these things anymore. The AV vendors haven't really figured this part out yet, but they're working on it, they've got teams of people working on it.

So I went through and looked at the most popular PowerShell attack tools, and I know they're the most popular because I just went to the PowerShell Empire GitHub repository and looked at all the PowerShell attack tools that were there, opened them all up, went through and looked at all of them and started pulling out function calls and figured out what all those were, and then just sort of put them together and parsed them out, and these are the ones I came up with. So token privileges, System.Reflection, System.Runtime, token impersonate, token duplicate, token privileges, System.Reflection: these are the core components of these attack tools, this is how they work. They can't really obfuscate those, asterisk, because if they do then they won't work when they get called. Again, there's an asterisk on that and I'll get back to that, which is now PowerShell obfuscation.

So PowerShell obfuscation up until recently meant that we did some stuff, we changed some things around, but it wasn't that difficult to see what it was, until Invoke-Obfuscation was released by noted red teamer Daniel Bohannon at DerbyCon, and it's kind of changed the world of detecting bad PowerShell.
It highlights the gaps in finding this offensive PowerShell code. How? Because basically it is a full tool. Daniel spent hundreds of hours on his research and on this tool, and basically Invoke-Obfuscation takes a script block, code or an actual script, and obfuscates it to the level where my indicators don't work anymore, most indicators don't work anymore. So what does this look like? That's a shame. So what, yeah, probably, okay, so we'll look at this: Invoke-Expression New-Object Net.WebClient DownloadString a bit.ly link, right. No, we look for this, we know what this is, we look for Net.WebClient, we look for Invoke-Expression, we know this, we got it, right?

Except this is what it looks like when you run it through Invoke-Obfuscation. My indicators don't work on that. Okay, but we have script block logging, so we're okay, we'll just pull it out of script block logging, right? There's an ampersand on the beginning and some quotes and some other stuff. Um, it looks exactly the same in script block logging. This means that our tools need to evolve, we need to figure out a better way to find these things, because it also looks like this if you run it through again: now it's got brackets with numbers in it, I can't even, like, what is that? And it looks like that in the script block logging, that's the event. How am I
supposed to find that as a blue teamer? So Invoke-Obfuscation, I highly recommend everyone here check it out. Daniel's talk at DerbyCon was fantastic, the slides are online, the video's online, but download the tool, take some scripts, obfuscate them, run them in your SIEM, see what you get out of it. Run it and then send it to Splunk, pull that data back. Because this is what Invoke-Mimikatz looks like. This is a function in Invoke-Mimikatz, right, one of my indicators is IMAGE_NT_OPTIONAL_HDR64_MAGIC, right, okay, that's a, we kind of need that for that to work. This is what it looks like after Invoke-Obfuscation, for those in the back, or in the front, that can't see it: it's brackets with numbers in it, it's quotes, single quotes, double quotes, commas, ampersands. And it actually gets worse, because this obfuscation bypasses antivirus, because the antivirus doesn't even know what it is, it's looking for those strings that it can't find anymore. So the top one is your standard Invoke-Mimikatz, the bottom one is an obfuscated version of Mimikatz that I just ran through Invoke-Obfuscation, selected the defaults and ran it once, and it ran.

So then I decided to get creative, and I'm like, what about PowerView? So I took PowerView and ran it through Invoke-Obfuscation and I got this, which looks nothing like the PowerShell code that Will (harmj0y) wrote, and then I ran it through again and it looks like this, and I, I just, I'm not even sure what to do with this. There's how many lines of code, I mean, Will, has your coding skills gotten that bad where you're just putting random numbers and brackets now? I don't even know. Like, this is what happens when you have obfuscation at a very high level against code that you normally would be able to detect and find. Invoke-Obfuscation removes comments, it removes white space, it removes typical things that antivirus vendors are looking for. If you're looking for PowerSploit by looking for @mattifestation or @obscuresec, it doesn't work anymore.
So what can we do as defenses? How do we get our gang of velociraptors lined up so we can actually stop this and get ourselves in a good place? Well, constrained PowerShell. It's not a panacea. We can deploy this just by setting an environment variable, and those initial attack codes like Invoke-Mimikatz won't work. We can use group policy to deploy this, but it's not a panacea, it's not going to stop everything. There's a way to get around it, but in order for someone to get around it they have to actually remove the constrained language mode, and if we're deploying this via group policy it's going to reapply after a certain amount of time, and we know that this will stop a lot of these more advanced attack tools, not everything but quite a bit.

So how do we find obfuscated evil? And this was like one of my big slides and it's tough to see, so I'm sorry about that. I was chatting with Lee Holmes earlier this week, who is a senior dev on the PowerShell team, and he said he's been looking at obfuscated PowerShell code for a while and he has a script that looks at this, the standard deviation, the distribution of characters in PowerShell code. So he pulled from PoshCode about 3,500 PowerShell scripts, ran this on them and looked for things that were unusual. So typically if everyone in here writes a PowerShell script, you're gonna have different types of stuff that people are going to do, different techniques, but it's not going to look like a bunch of characters like on the right side, which is highly obfuscated, versus letters on the left side. And he also identified that if you look at the entropy of these characters in the distribution, the ones that are much more similar are the ones that are obfuscated. So we have some information to work off of. And so I put this together: deploy PowerShell version 5 so we get script block logging, and look for lots of brackets, figure out, work with your SIEM vendor, work with Splunk, figure out how we can
get that, so when our script block log gives us something crazy like that it gets flagged. I don't know about you, but I don't code like this, I'm not Daniel. Look for lots of quotes, single and double quotes, and ampersands and other things that are unusual, random function names or many unusual characters or just special characters, because in this one we're looking at here, the top one is actually a dollar sign, the next one is open curly brackets, closed curly brackets and pluses and equals. I don't code that way. I'm not that great of a coder, but I don't code that way.

So this is my detection cheat sheet that I put out before, and I've updated it with CreateDelegate and hamster utils to detect some of the things that Matt Graeber's been doing recently. This is a good foundation. This will detect the things that people are not highly obfuscating, where they're not just throwing things against it to see what they get. So it's a good start, and we need to start, we can't just throw up our hands and go, I give up, because, right, we want to set up our layers of defenses, we want to make sure that what we're doing has impact. Any of the things that we're doing to defend our environment, to defend our network, should align to one of three buckets: detect what's going on, mitigate it, or block it, prevent it. So we
should hit one of those three, and I'm actually an advocate for going for detect as much as possible. If we can detect there's obfuscated code out there, where it's being run, what system it's being run on, to me that's much more value than a lot of times blocking that initial attack, because then we get more information about what's being done, instead of having a block, never know about it, and then they do something else which we never ever see.

So get PowerShell to a new modern version like PowerShell 5. There are some caveats with it, there's some application compatibility, so be aware of that. Get those logs into your central logging system, pull them from your workstations, your servers, your domain controllers, know what and how PowerShell is being used. Use Windows Event Forwarding, it works very well in large organizations. Identify your PowerShell usage, you can use SCCM software metering or something like that, see who's spawning powershell.exe, it's still very much being used today. And you can leverage constrained language mode where possible; a great place for this is on shared servers like terminal servers, there's no reason for users to be running PowerShell doing special advanced functions like calling the Windows API. So this one's a little tricky: code sign your PowerShell scripts that you're using for administration. If you're using PowerShell scripts for a scheduled task and you're not code signing it, how do you know it hasn't been modified? How do you know that someone hasn't snuck something else in there? How often do you check these scripts, how often do you validate them? You have them all over the place, right, we all do: we write a script that works great, scheduled task, it runs over here, but that's a perfect persistence method for an attacker. And of course we need to limit our admin rights, we want to make sure that we're boiling it down to just this much and no more. And please reach out to your antivirus or anti-malware, your anti-bad-code vendor and ask them when they're going to support AMSI on Windows 10, because
you want that, I think we all want that. Block Microsoft Office macros. In 2016 there's an option in the GPO to block all macros in files that originate from the internet; that'll solve 99% plus of your problems, and you shouldn't have too much user outrage about that. If at all possible, digitally sign any macros. I don't get into macros here, there's an appendix at the end of the slide deck because I couldn't get to it. The other thing is OLE Packager is used by attackers to embed code, to embed an attachment into an email, so that when the user runs it, it runs code even if macros are blocked. Will and I spoke about this and showed a demo at DerbyCon, and I actually did a post on ADSecurity yesterday about how to lock all this down on Windows workstations. And certainly look at application whitelisting, figure out how to control your executables, your DLLs, what's being run on your systems, because yeah, it's great to control PowerShell, but not if anyone can download any executable and run it on any system they want. And at least what we can do is deploy AppLocker, most organizations pretty much own it, deploy AppLocker and blacklist those home directory, profile path, C:\Users locations so the users can't run executable content that they just downloaded that are there.

So in summary, what's good for the admin is great for the attacker. We know that PowerShell can
be leveraged from outside of the standard PowerShell executables, and securing that isn't straightforward. I mean that's a lot of stuff, right? Invoke-Obfuscation, I mean, I don't have a good answer for today, but that's how this industry works: that was released last month, and Daniel said that there's attackers using some of those techniques already. So we need logging, we need visibility, we need to better understand what's going on in organizations, how tools are being used, and we should look at version 5 to be that new baseline. Because attackers are using more than PowerShell, so look at PowerShell but make sure your visibility covers the whole gamut. If you have Macs in your environment, guess what, Python has no logging whatsoever, there is no constrained logging mode for Python. Is Python installed on every Mac? Yes. So you need to layer your defenses, know what's going on, understand what's out there. And the slides, like I said, will be, or actually are there right now, on presentations at ADSecurity.org. And thank you very much. Thank you Ben, thank you Carlos, thank you Daniel, Jared, Jeffery, Justin, Lili, Matt, Matt, Matthew, Will, thank you very much. That's been my time, thank you so much for yours. [Applause]
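As an added example that is not part of the talk and not Lee Holmes' script: a Python scorer that applies the character-distribution heuristics the talk describes (letters giving way to brackets, quotes, ampersands and the like, plus the entropy of the character distribution) to script block text as it would arrive from event 4104. The two sample events, the special-character list and the thresholds are constructed assumptions, not tuned values.

```python
"""Flag obfuscation-style PowerShell in script block text (event 4104)."""
import math
from collections import Counter

# Character classes the talk singles out: brackets, quotes, ampersands,
# commas, pluses, equals, dollar signs. Assumed list, extend to taste.
SPECIALS = set("{}[]()'\"&,+=$|")

# Constructed sample events, not captured from a real system. The second
# one wraps a harmless Write-Host in format-string and char-array noise.
NORMAL_EVENT = ("Get-ChildItem -Path C:\\Logs -Filter *.log | "
                "Where-Object { $_.Length -gt 1MB } | Select-Object Name, Length")
OBFUSCATED_EVENT = "&(\"{1}{0}\"-f'ite-Host','Wr') ([char[]](72,105)-join'')"


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def obfuscation_features(text: str) -> dict:
    """Ratios of letters, digits and special characters, plus entropy."""
    n = max(len(text), 1)
    return {
        "letter_ratio": sum(ch.isalpha() for ch in text) / n,
        "special_ratio": sum(ch in SPECIALS for ch in text) / n,
        "digit_ratio": sum(ch.isdigit() for ch in text) / n,
        "entropy": shannon_entropy(text),
    }


def is_suspicious(text: str, max_special: float = 0.25,
                  min_letter: float = 0.5) -> bool:
    """Hand-written scripts are mostly letters; obfuscated output is
    mostly punctuation. Thresholds are illustrative assumptions."""
    f = obfuscation_features(text)
    return f["special_ratio"] > max_special or f["letter_ratio"] < min_letter


def triage(events: list) -> list:
    """Return the script block texts that should be flagged in the SIEM."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for e in (NORMAL_EVENT, OBFUSCATED_EVENT):
        print(is_suspicious(e), obfuscation_features(e))
```

Feeding a corpus of your own administrative scripts through `obfuscation_features` first is the way to set the thresholds for your environment, the same way the talk describes baselining against PoshCode.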