Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today. We're going to be focusing on Power Shell. So with that, let's go ahead and jump over to our objectives.
00:14
So today's objectives are pretty straight forward. We're going to be looking at what power shell is. We're going to see what you can do with it as faras from the Threat actor standpoint, we're going to look at some mitigation techniques specifically toward Power Shell, and then we're going to also look at some detection techniques
00:34
as well.
00:35
So with that, let's go ahead and jump right in.
00:39
So Power Shell is
00:42
an interactive command line and scripting environment that is included with Windows operating systems. And so the great thing about it, from an administrative standpoint, is that power shell has a lot of additional flexibility and scripting mundane tasks,
00:58
given us the ability to automate setups of systems, to manage systems, to
01:03
do just a number of things that were otherwise limited with bash, script and things of that nature. And it's just got so many other functions and features in and of course,
01:14
with these functions and features come capabilities that threat actors air able to take advantage of. And so one of the things that power show can be used for is to download on Grun,
01:26
execute a bles on bacon, be ran on either the disk or in memory. So for those of you that are familiar with how
01:36
you know Anna, buyers can be circumvented. One of those ways is to run things in memory, and by doing that, by using power show for those functions,
01:46
threat actors can attempt to circumvent those controls. Now there's a number of offensive tools out there that include things like Empire Power Spoiled and PS Attack.
01:59
And these are essentially libraries that are built on top of power shell that allow you to either for legitimate purposes, do security testing or for illegitimate purposes. Take advantage of that framework and use those tools. Teoh either Compromise systems, take passwords, do
02:16
surveying activities, whatever the case may be there.
02:21
And so
02:22
let's talk about some things that threat. Actors conduce you with power shell, so
02:27
Power Shell Scripts installed its services, and so this essentially allows a threat actor toe work in a manner that could evade detection by posing as a legitimate part of the operating system. And so this could be effective in intrusion detection type systems in point detection type systems where
02:46
maybe if
02:47
you get the software or the script to run as a legitimate service, maybe it will overlook that now.
02:54
If you've got a good endpoint detection system in place and you've got appropriate correlation rules in place for logging and things of that nature,
03:04
it should notice a nonstandard service operating in a nonstandard way or even a standard service. Maybe that, you know, this script has taken the place of running in a manner that's not
03:16
indicative of that service. And so there could be some ways to still catch that. But this is one thing that you can do with Power Shell now, using malicious Mac Rose to launch run commands or scripts in the background. So this typically starts with user interaction in the form of email attachments. And so
03:36
again it comes back to. This isn't just something that threat actors do right out the gate. There has to be that initial access that's gained to the system through something like a spear, phishing link or some type of spearfishing attachment
03:50
or
03:51
and end user goes to a sighting, downloads what they think is legitimate software or legitimate
03:57
components to the system. And they run that without really doing any further research.
04:01
No,
04:03
we did talk about injecting malicious code into memory, and so again, this provides a means for ah threat actors to evade anti virus systems and to evade other controls that may be put in place. Now, in kind of continuing the discussion,
04:20
I took some time to pull some snippets from power split off of my Cali Lennox distribution. And so this is just its founding Kelly Lennix. But you can easily download
04:31
power exploit and the scripts and things of that nature that it comes with
04:36
again. This is based on power shell scripts that can be used in this case post exploitation. But as you'll see here, they've got some modules within this framework for bypassing antivirus code execution. Exfiltration. There's a mayhem piece here. Persistence. Here's some power split pieces that run prove prove sack.
04:56
There's a read me re kon
04:58
script modification and tests, and then, if you look, the directory that it's sitting in here is the user share Windows Resource is power exploit I did a quick LS of that directory, which lists it. And as you can see here, everything that was found above when we initially executed power exploit has come up
05:16
now. We went down into the ex filtration
05:20
directory and just did a quick listing of that directory as well as you can see here. There's some wasted you can evoke Mimi Cats, which can be used for taking password information. G P P password here
05:33
invoked token manipulation. So there's a number of things again that could be done with this framework. And it's not just for malicious entities. It could also be used for legitimate security testing and things of that nature as well. So this is just one example of the tools that we mentioned. But Power Shell scripts can be written without tools
05:53
and can be used outside of this friend work as well. So it's not just limited to a tool or something of that nature.
06:00
Now let's step into some mitigation techniques that can be applied here, so use code signing to only allow power shell to execute signed scripts. Now there were some legitimate reasons that I had seen as far as when I was working with Power Shell where you may not want to use code signing.
06:19
But really, the risk probably doesn't outweigh the reward there, so it would definitely be beneficial to ensure that that is enabled. Remove the power shell features from the system entirely on Lee after confirming how this will impact administration and if there any
06:35
dependency. So if you're administrators have already designed power show scripts to run on a scheduled task or
06:42
something of that nature, it may be beneficial to, you know, do that research and make sure that those things are not going to get messed up in the process. And then Onley allow power shell execution as an administrator so standard users probably don't need access to
07:00
Power Shell. They probably don't need it.
07:02
So
07:03
if you convey, validate that, then this just further limits the ability of a threat actor again to easily get into a system and start causing issues.
07:13
Now, as faras detection is concerned, it would be good to look for changes to execution policy, which is something that threat actors normally do. As soon as they get into an environment they're trying to use power shell So if you're monitoring for that activity specific to
07:30
Power Shell or if you're in the environment that does not use power Shell,
07:33
then any time that tool is used or an attempt to use the tool is made than it should definitely be reviewed, you're going toe. Also want to take advantage of some of the logging capabilities that are built into power show now, and this can assist security teams in gathering power shell execution details. So this will help you to
07:54
again. Better understand what a threat actor Maybe trying to do
07:58
what activities were successful, what were not successful.
08:01
And then you could also just again look to see if it's tied to legitimate business use. And it never hurts to to have something like that in place again, making sure that those logs and that information is going off site so that if an administrator or party that's privy to that long information were compromised, a threat actor wouldn't be ableto white that information out.
08:20
So with that, let's do a quick check on learning true or false. Another name for power Shell is power exploit.
08:31
All right, well, if you need some additional Tom please go ahead and pause the video. So this is a false statement. Power shell is power. Shell power split is a tool that takes advantage of powers Power show. So power exploit is not another name
08:52
for power shell in this case.
08:54
So with that, let's go ahead and jump into our summary. So today we reviewed what power shell is again. It is a command line tool that also allows us to do some advanced scripting and things of that nature. So definitely a step above using just the standard command prompt in Windows.
09:11
We reviewed some uses that threat actors could have for it, such as running processes or services in memory,
09:16
on installing things in memory so that they can avoid end of arson things of that nature.
09:22
We talked about some mitigation techniques, such as only allowing things that are signed to be run through power shell or completely removing power shell from the environment. And then we went on to review some detection techniques. Remember,
09:37
any time you can long activity as's faras when power shell is run or when any command prompt is run,
09:43
it would be good to have that information so you can tie activities back to a threat actor. So with them in mind, I want to thank you for your town today, and I look forward to seeing you again
09:56
soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor