Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

so my name is Daniel Bohannon and today I'll be talking about powershell obfuscation techniques and how to try to detect them just a little bit about me this is what I normally look like I lost my razor on the plane and you know this is this is what happened but this is typically what I like to look like on the Internet to keep a low profile elsewhere this is my twitter handle as well as my personal blog where I talk about PowerShell stuff a little bit about me so for the past year and a half I have been an incident response consultant with mandiant based out of Washington DC prior to that I spent five years doing operations and security for a national restaurant franchise based out of the US so throughout this talk I just like to remind everyone that I am a blue Timur I'm actually that I did not set up to develop a Red Team tool although the red team is not organization like like what I've done here ultimately as a blue Timur I want to push the bounds of what is possible in PowerShell attacks and so that we as defenders collectively can do a better job at knowing what's out there and how can we detect without making dangerous assumptions that's exactly what we'll look at today there's a lot of content to cover so there's not going to be a lot of fun pictures there's a couple sprinkled at the end something to look forward to but just hold on tight all of the slides will be published talk will be published and I'll be around all day today and I can talk for as long as anyone is interested about PowerShell and I'm really excited about the things that I want to learn from everyone in this room as well a lot of great minds here so I'm really excited about that so a motivation why did I start doing this research on PowerShell about a year ago after that we're going to look at basically a single slide on preparing your in Department for PowerShell attacks much easier said than done there we're gonna look at an in-depth off you see a ssin example off you skating with this typically is called the remote download cradle in PowerShell then we're gonna look at additional methods for remotely downloading I'm just from a richness of PowerShell as a language then more obvious Gatien techniques on top of that and then how we can try to detect those techniques then we're going to look at some encoding and decoding fun looking at some common mechanisms as well as some uncommon mechanisms um that we've yet to see attackers use last we'll look at what I like to call launch techniques and then we'll do a quick demonstration of a tool that I wrote called invoke obfuscation this is open sources on my github links will be at the end of the of the slides so let's get started my motivation again I'm a blue team err my job is to detect evil and and so I really started to wonder okay well most of the investigations that our team performs PowerShell is used at some point in the attack and so as as investigators how are we detecting PowerShell so I started to look internally at our own techniques for looking at PowerShell started look at what our competitors were doing what our people in the industry doing to detect PowerShell and because it just really is so prevalent in attacks we see PowerShell being launched in a lot of interesting places registry file macros remotely all over the place and so at the end of the day the consensus that I found was most people are detecting malicious PowerShell looking at command-line arguments for powershell exe and hopefully by the end of this talk you'll see why that's not quite as simple as it may seem and there's a lot of bad assumptions even just in that so the current state of detection the two biggest things that we see attackers using a powershell are encoded command which is a base64 encoded command and then this new object NetApp client web client downloads string which is the again the most common remote download syntax which allows you to download a script in the memory execute it in memory no file hits disk however for both of these this is not the only way to write these functions and it's also not the only way to perform the functionality behind that function so the importance of knowing your options is huge here so what I started to do is starting with these examples I started to just kind of in a small research but will start to to syntactically look at what are other ways we can write these functions that break our current detection and as I found ways that broke our detection I then upgraded our detection to catch that and so kind of this cat-and-mouse game begin to go on and really it's been been the the most fun thing I've worked on for the past year is doing just this in building out our detection to look for off you skated PowerShell commands as well as alternate syntaxes to perform encoding decoding and remote download functionality in PowerShell and and most of these techniques were found kind of in a bubble and also reading other people's approaches and forums and blogs and stuff of that nature but as we started to find these techniques we actually started to see attackers using some of the some of the simpler techniques and a couple of the more complex one but most of what we're talking about today are things that we haven't yet seen attackers use but I attribute that mostly - most people don't have any visibility into what's happening in PowerShell and their environments and my hope is that the end of this talk that people will have more of a motivation to see why certain changes should be made in your environment to make detecting PowerShell attacks a lot easier proactively as well as a retro actively going back and seeing what exactly happened so my goal my hope for the blue team is that your awareness will be raised and that detection will change for you and your clients or your organization's for the red team I hope that you find these techniques to help you be more successful in your engagements ultimately hopefully benefiting the organization that the target so that they can learn from these attacks and better defend against them and then lastly one of my hopes is that the tool invoke a few skatin will help people to be able to very quickly implement all these techniques in a randomized fashion so that you can easily benefit from this research and test your own detection capabilities so preparing your environment this is probably the hardest slide in the entire talk because it's easy to say very difficult to do at the end of the day if you want to detect malicious PowerShell for the most part what you would at least like the have severe minimum is command-line arguments if you don't have this I really I don't know I really feel for you but you can have this in event log so if you have your 46 88 upgraded in it long as you'll have process arguments as well as parent process arguments also you can install sysinternals system on the ID one will give you very similar information and a bit more um or if you have some kind of real-time agent that would can basically monitor event long or monitor process command-line arguments or something open source like up route IDs can do the same thing in addition that's the bare minimum the PowerShell team at Microsoft has developed fantastic logs available on starting in PowerShell version 3 and in much much better logs available in five many of which have been back ported into four these logs are superb however you have to keep in mind I'm not going to say what a limitation is but when we go to these examples you'll see that some of these off eustachian techniques actually do persist into those logs so I like to say is at the end of the day if you have command-line arguments if you have all the PowerShell logging in able and you're actually looking at it all the information is there it's just not not all in any one place so let's look at an example the remote download cradle we see attackers using this all the time and you know it's really because it's what people know it's what they talk about it's easy it's what's copied and pasted in forms it's what popular tools output when you're looking for PowerShell commands so let's play a little cat-and-mouse game we have a red team command at the top which is remotely downloading this bitly link which is totally legit I promise and then it invokes what comes back so that it's run entirely in memory so on the bottom we're going to start to build some as a blue team build some detection rules to look for this syntax so if we have a rule and say okay if I see PowerShell run and the arguments contain invoke expression new object system net-net web client and download string HTTP then that this would catch this right it would catch this exact syntax correct but let's start to see how can we escape this F at a pure syntactic old level to bypass our detection and as we bypass our detection we'll adjust our detection to make sure we're caching it to try to find the lowest common denominator that we can accurately detect this activity so first whenever you see system dot and PowerShell it's referencing a dotnet class underneath system dot will automatically be prepended so you don't actually have to specify system dot most people don't but sometimes you'll see tools that generate that so what would remove that from our attacker command will remove it from our detection next the URL this is a string we can concatenate this in line we can set it as variables we can do all sorts of things so we're gonna remove HTTP from our detection down there you can use single quotes you can insert whitespace there so we'll just go ahead and move that double quote from the detection as well all right keep going download string this is a member argument for the net value web client class however it's not the only option you have download string data and file and then you have a sink and task go onto any of those string is the most common one because it downloads an expression in the memory download data also downloads in the memory but it's actually a byte stream so you have to convert it we've seen attackers use that before a lot of commodity commodity malware we use download file to hit disk so why don't we just get rid of the string part and just say we look forward download for our indicator so we'll catch you know all those options the the parentheses this doesn't necessarily have to be there um some tools will set a new object net that web client as a variable typically calling it WC and then you can just have a variable dot download string so let's remove that parenthesis from our trigger so how how could the dot download be problematic well because I'm very stubborn and I like to bang away and at this from a syntactic perspective and see can I put this here can I put this I move this around I found that with a member you can actually put single quotes around it so now that now dot download isn't even necessarily reliable we have to just stick with download which is a little bit less of an attractive you know trigger string but then also found you can put double quotes around it and I want you to look really carefully at download string because I promise you this next slide this actually works I put a tick mark before the L now why does this work well the tick mark is the escape character in PowerShell typically you'll see it before as 0 for null or between these other seven before these other seven lowercase characters to do like newline or something like that when you ever have you a long line in PowerShell you can actually wrap it a little multiple lines by ending the line in the tick that's because it is escaping the implied newline character that's there so if you put a tick in from something that doesn't have any special meaning it's totally cool with it in runs now why does this matter as a defender well we can put ticks in front of all the characters aren't these special characters and actually if we uppercase those special characters it works so now we can put tick marks in front of any character we want and a member argument when it's wrapped in double quotes and this is important because they persist in the command line arguments as well as PowerShell script lock logging which should kind of be the source of truth of what's being executed right and it technically is however it will basically show you script lock also show you every layer of deification or decryption that is being cast into an invoke function however at this layer we're not passing any of this into an evoke function it is the command itself so you can see our ticks are still there our concatenation whitespace it's all there in both command-line arguments and script lock logging so we can regex all the things and try to catch all these possibilities of tick marks which I initially thought was probably a good idea quickly found out that's it's not a great idea so we're just going to scratch it's just as an indicator if you did try to go the regex route keep in mind that in addition to download string file and data you also have open read which is similar and that it gets the by array or a byte stream and we've seen one attacker use this before as well in addition and this is why I wouldn't go the right to try out for number arguments you can actually this is a little different in PowerShell two versus three and later but there's two different ways that you can basically treat a member argument as a string and now you can start to do inline concatenation or even like reordering of that string with something like the dash F format operator such that you never actually see download string anywhere because some some folks will use the approach of let me just remove special characters from the command line arguments and then look at what's left and this will completely bite you if you just rely on that because you can start to reorder essentially any component of a PowerShell command as a string and then it never shows up like you'd expect it to but it still works so let's just remove that download as an indicator next network that web client this is an argument to the command new object this one's really easy we can do double quotes and ticks we can do treat as a string if we wrap it in parenthesis or we can set it as multiple variables chop it up in little pieces we're good to go so let's go over the first option throw some ticks in there get rid of that as an indicator new object now PowerShell again is a such a robust language there's so many options and a lot of times for command you'll have a lot of pay Lisa's shorten ways to basically say the same thing so I looked at new object I thought well this is great there's no aliases for this this should actually be a pretty good indicator but it's not and there's a reason because there again there's so many options and power so sometimes you'll forget what commands are available so you have this nice thing called git command so let's say ok I know that I have a command that new dash P something so Minister would get command on new dash P wild card that shows you all the commands that are at your disposal as well as powers everything in power so really it's not returning text those are actual PowerShell objects being returned and what that means is that if I can return a single object I can actually then invoke that object so this I have get command new object and that's returning a single object and then I can invoke that object and it's the same as calling new object and of itself in addition we have we can do invoke expression on that object or we can use the ampersand or the dot invoke operators now the next piece is where it gets really fun remember those wild cards that's a new object that every single one of these as long as you're returning a single object is now new object so if you're looking for the string new object on the command line or in script lock values you're gonna see that in addition get command as an alias of GCM it also has an alias of command this is not documented why does command work well PowerShell will automatically pre pin to get - to whatever you type to say hey is listen alias there's an order of operations that it goes through so now command actually resolves to get command and if you start triggering off of any time you see an ampersand or a period or the word command in an argument it's doing a lot of false positives because a lot of these start to take on meanings in different places for example a - command is actually a legitimate execution argument in PowerShell still in the command line so if you're starting to build out regex looking for some of these terms you need to take that into account you're gonna get a lot of false positives I know from a lot of false positive experience in addition we can forget command instead of using asterisks we can set the command name as a string and these variables or whatever else we want again trying to figure out how can we break up this information into as many little pieces as possible so it's more difficult to assemble if someone's manually looking at it but the main reason is so we can get around current detection again if I know as an organization that you're looking for a new object I can totally get around that by using these techniques and as defenders that this should be startling to see but it should also give you an awareness of what things you need to start looking for and shifting not just from looking for known bad but also looking for what I like to call indicators of a few station looking for weird stuff like this and it gets weirder in addition with PowerShell one auto if you look at posh code org there's some great stuff out there with PowerShell one bit of syntax that I've really not seen any attackers using to this point but there are some really interesting advantages especially for red team's more logging perspective if you can find a ways to accomplish your tasks either calling dotnet directly or using PowerShell one letter syntax so in this we're using PowerShell one I do to do git command and get command line if you're not looking for execution context that weird variable there's there's a lot of crazy stuff you can do with that that most people aren't aware of or looking for in addition you can do get commands get commandlets or a combination of those to be able to use wildcards and again this is all in the slides I'm just quickly going through some these examples will just go with the first one with GCM so now that's a new object we can do the same thing with git alias alias or gal although instead of dealing with a full object there command name you're dealing just with the alias name but works just the same and for all these examples if you look at PowerShell module logs it will show the correct parameter binding of this so actually eventually show new object is called with an argument of net that web client and it will remove that off you station and show you that as well so again when I said earlier all the evidence is there it's just spread across different places and as an attacker if I can put that information in different places and make it harder to have any one event log you can key off of and that's good for an attacker as a defender we just need to be aware that's possible we're not placing all of our defensive eggs in any single basket you can also just put ticks in front of it in these commandlets you only have to put quotes around it in addition there's this great little thing called splatting so now I can use again our friendly invoke operators ampersand or dot and treat the commandment as a string so we can either try to regex all that we just covered or we can just remove new object as an indicator so we'll just do that so we're left with invoke expression which is actually a really really good indicator in and of itself if you see IX or invoke expression on the command line that that's something worth looking into however what's potentially problematic about invoke expression well we have the alias IX ordering also isn't important you can have it before or after the expression you can put tick marks just like you can have any command you can do splatting which now you're breaking it up into string objects which you can then reorder those and then you have kind of the cousin of invoke expression which is this thing called invoke command now typically you'll see invoke command used to say I want to run this command on this remote system but if you don't specify another system name it executes locally the biggest difference is that invoke expression is expecting a string or an expression but invoke command is expecting a script block and it has a lot of options we have invoked command IC m dot invoke Oregon ampersand or dot so if we're trying to piece all this together into our into our learning trigger how would we expect to really not get a ton of false positives if we're looking for a dot or an ampersand that's crazy right well if we know that it's associated with a script block we could say ok and we can try to pair that with curly braces but as we'll see that's that's not always the case again with PowerShell one that oh we have this nice syntax invoke command invoke script which will actually work on an expression or a script block something else to be looking for we can add in text to any of these so again I said if we're trying to reduce false positives for the ampersand of the dot by looking for braces which again typically is what you'd see denoting a script block not the case we can convert expressions or strings so script locks using.net syntax or once again powershell one letter syntax i know this is a small but again it's in the slide so you can go back and look at this and say are we actually looking for these methods being used especially on the command line and for any of these syntaxes we can off you skate them and what you'll find is that when you do this the the whole command we just worked off you skate it's now a string object which is this red expression which means that we can after we off you skate all the tokens of a command we can then take that command treat it as a string and now like like a layer two perspective do any string manipulation on that command and once we look at the tool administration you'll see how you can basically start to stack all these layers on top of one another and it's build this garbled mess that eventually comes down into the original command but makes it a very difficult to detect unless you're looking for these indicators of Occupation here's just an example of off use getting the.net command those are in the slides for your pleasure later so let us go with the one that has syntax for invoking expression so this is our command now so unless we're wanting to do just insane regex which computationally is really going to suck if he charts 2d regex on some of this stuff then then that's gonna be really frustrating and this is just one example this is just looking at net dot web client for this remote download functionality but what other options exist so let's look at some additional methods so again we looked at this basic one which is mostly what we see attackers using with PowerShell 3 and later we have invoked web request and invoked rest method not PowerShell 3 any version going back we have these dot net methods and again that system dot isn't really necessary so we actually have seen some attackers use some of this where basically you have to treat the byte stream back into an expression before you invoke it but it's being used out there and a lot quieter in the PowerShell logs so again if you can do something in dotnet directly then it's maybe not gonna actually show power so Long's at all so but what if what if we're an organization and we we feel really confident in our regex and we're looking for all this stuff and we're finding all this all the stuff we just talked about and on top of that we realize in our own humility that there's probably ways that we don't know about that can be used I would bypass our best efforts at the technique so what if we said ok well why don't we just look for anytime the powershell exe makes a network connection you can do something like that with the system on the id3 looking it basically binds a network connection with the binary that causes that connection so as a nefarious attacker what if we opened up notepad and we're going to open the file but instead of a filename we typed in a URL to something like I don't know invoke mimikatz and we hit enter notepad actually fetches the remote contents so this got me thinking how can we automate this process of PowerShell and it's a great little class dotnet class called sin Keys allows you to interact interactively with an application or anything you want so this code opens up notepad sets it as the active application then sends a control o to go to the open prompt and then types in the URL of whatever you want hit sinner waits a second and then it sends a control a to select all or control C to copy all the last bit of the command back-end PowerShell rips the contents out of the clipboard invokes it in PowerShell never makes a network connection notepad does so this totally bypasses our detection if we're only looking for PowerShell making network connections now in this example we use send keys the top these both do the same thing the top is using PowerShell syntax to do this the bottom is using dotnet and if you can manage to get avoid those void strings in from a dotnet you're going to be golden silent when it comes to PowerShell logs so again if you're an attacker then it's really helpful to think whenever power shall make something easier for you it typically is also gaining additional visibility for the blue team so if you can not take the easy road you can do some really cool stuff as a defender why does this matter we need to be looking for all this this is all important to us not just one or the other and this really works with any application with the open file GUI functionality POCs for all of those however it's not it's actually not entirely in memory when you do this kind of weird stuff the file actually does temporarily hit disk and temporary Internet files here's some examples here most of the time it retains the original file name with Excel it doesn't but there's some other quirky things that change for these applications for like opening a recent files from remote locations so from a forensics perspective there's actually really interesting pieces of evidence we can look for that these applications are used nefariously in this way so sin Keys is kind of fun but really a sloppy example right most users hopefully if they see notepad popping up then those they'll call someone up that hey add something something strange is happening with my computer so I think the more dangerous thing to be looking for is Power Cells interaction with calm objects here's an example of PowerShell using a comma via to say hey let me spawn internet explorer process that actually isn't even spawned by PowerShell DxO you something to think about so I'm another process and let me interact with it silently so it's not just minimized it's completely hidden from the user and make Internet Explorer go fetch my content and then I can parse out of the HTML whatever elements I want to invoke as an expression is there it looking for notepad making interconnections that should be really weird right like a big no-no what about Internet Explorer making internet connections that's this whole job that is that is normally mo for internet explorer in addition this will use the default user agent string for that user so this is a really nice clean method in in my opinion so again as defenders are we looking for PowerShell doing contact interactions so more occupation techniques and detection attempts I'm going to super fast growth of these a basically number I said if you can take your entire command and treat it as a string you have tons of options to basically manipulate it at a string level so you can do stuff like reversing your command so now if you're looking for a new object the whole thing is in Reverse or inserting garbage delimiters and splitting it before you invoke it or replacing those de limiters before you invoke it or a concatenated and concatenating it in weird ways before you invoke it just to mess with what appears on the command line arguments as well as what some script block logging but it still works so how can we detect some of these techniques well we can start looking for some of these string manipulation functions and again there's so many ways to do this you have Power Cells manipulation functions you have Nets manipulation functions but there's actually there's a lot of false positives I can come with us because there's some legitimate stuff that uses this but again if you're doing a single organization then absolutely you should be looking for these but like for us when we're trying to scale to all of our clients at the same time it becomes a bit trickier so we have to be a little bit more specific about what we're looking for you can soak our hive count to certain characters again like in the earlier examples like how many tick marks did you legitimately expect the show up on the command line for PowerShell like probably not 50 but there could be some cases where you'd have some but something to look for just keep in mind that with any of these techniques there are always ways around it and in addition if there's any if as an attacker if I know that this organization my target is looking for certain high counts of characters I can just do a ASCII chart conversion on the fly so that my character in this case strange char 59 at the semicolon so now I just put in delimiter x' in my command and so this is what she does well my command line and then in memory I replaces the limiter so whatever characters I want so that it works from a functionality perspective but that character never shows up at all so as a defender am I looking for string cast for char casts on the command line how often should that be the case token type off you station you can do this a little bit differently in PowerShell two versus three and later or you can do what's called direct typecast which is something I just added to invoke obfuscation in yesterday's or two days ago in the release so encoding/decoding getting close so what our attackers actually using toffee scalar codes typically just encoded command because PowerShell gives it to them they also you'll typically see these flags like not 19 all stuff like that and these are the common syntax as you'll see with that as we though there's a lot of ways where you can basically accomplish the same task by changing a registry key a lot of come out commodity malware starting to do this where instead of as defenders if you're looking for execution policy bypass then if as an attacker you just change that registry key before you launch PowerShell you don't have to specify that so window style is another one where attackers would do that basically change where you want the PowerShell window to show up maybe I don't know you know one pixel by one pixel way out in left field that way you don't have to define it on the command line so encoded commands this is typically what we seen attacker to use encoded command encoded ENC and as I started to play with certain tools I saw that you were using - II like Metasploit uses - actually even it's like this isn't documented but it works what why it just kind of confused me for a bit so as an attacker or as a defender if we basically look for these indicators would we catch all these examples of encoded command well yeah we were looking for again white space - encoded command white space that would catch that right however these aren't all the options so PowerShell gives us EC for short and encoded command but they also give us that that every single one of these works all the way down to - II because PowerShell Auto pins and asterisks to the end so as long as the parameter for the function you're calling is specified just long enough to return a single parameter you're good to go that's why you have not Nani and all because that's the shortest string it takes to return only that one flag so this is terrible for defenders because this means that all of our assumptions we just made about cashing these flags is completely shattered if we're counting on white space being after the end of those flags and assigning on this in invoke a few station when you're building your launchers when you select whatever these flags you want well I've done the tool is basically I will randomly choose substring in the valid range of each of those arguments I will then randomize the order of those arguments and then insert random whitespace between them and it's not just to be mean or cruel but it's because a lot of people have built detection is based off of very specific spacing as well as forms of those encoded command flags and stuff like that even a lot of Ava vendors do that and it's it's bound to fail because it's super easy to change so I just want to go ahead and break that habit with this tool and show you have to be aware of the possibilities of the ranges of these flags and build better detection based on those possibilities so that's using encoded command there's also the dotnet basically for methods which again a lot of tools use this as well so are we looking for convert from basics before strings if we're not it's a really good indicator to look for but what about some what about some different ways of encoding we've actually seen if you use cobalt strike you'll see they use bitwise xor quite a bit but what about ASCII or hex octal or binary these all would totally work and I put them in the tool because they work but I haven't seen them being used before but again if has the finish we rely on on looking at certain certain this Bay 64 encoded strings this will break it so are we looking for ways that we can basically convert ascii values into hex or binary and there's a ton of different functions to do that and as with every other element of the invoke off you station tool every syntax I found that works I've included that into the tool and will randomly choose one of those options for every element of every command every time you run the tool so that you will never get the same output twice and again it's not to be mean it's to show that it is possible and we have to be aware of all those options as defenders when we're looking for it otherwise we're gonna get burned so what about a different way of encoding with PowerShell I got to looking at this earlier this year I said well PowerShell when you done with passwords has this great thing called secure string right and does anyone know recognize this command oh wait that's secure so you know the whole ass there's wild-card things so it resolves to a secure string so anyways what this is doing is we're basically reading in a password and storing it as a secure string object you can then convert it from a secure string object into this plaintext and if you don't specify a key the uses the user name and the computer name for the keys which is using DP API however this makes it such that hopefully the password I have on my system you can't easily run on your system but if I specify a key then it can work on any system that has that same key so the size limit on secure string is 65,000 characters I felt pretty good about my passwords but I've never felt like 65,000 character good about my passwords like why is it so big and when I saw that they got me thinking what if I put like an entire script in a PowerShell secure string password object so that's what I did and when you do this this is actually just putting a very small command but you can see the considerable bloat that comes from this so secure string encoding after technically it's a encryption it's AES encryption 16 24 32 bit depending on the size of the key that you use this is in the tool and and yeah it's a lot of fun it will bloat considerably so I'd use this one with caution this is what it looks like on the target system and again in the tool there's three different to.net versions in one PowerShell version of the syntax I've actually extracting the command which is really or the password was really a command or script into memory before you invoke it so if you have like a really large script like invoke mimikatz it's gonna take a really long time to decrypt that and your CPU is going to spike gonna take like 30 seconds so for that what I do is I just chop it up in a lot of little pieces secure string each object with the delimiter post it somewhere like a paste bin and then pull it down in memory and for eat and basically split on the limiter for each secure string object unsecured string it build out my full command when it's all there I then execute the full command and it takes one second so after I finish this POC I was a trolling around on TechNet and found this guy who said hey this was like back in 2010 is there an off you skater for PowerShell this person says I guess you could put something in secure string and then pull it out and invoke it like ah dang it I thought I had something kind of original and so I talked to my boss and say hey like I just finished those POC yeah I think it's pretty cool but this other guy I feel like I deserve the credit because he came up with it first and my boss was like dude I got zero up votes you're good man but it ends up the guy is this just Carl rock star on tech net so kudos to him for having that insight several years ago but again I still think it's a cool POC and it's in the tool to make it easy to test lastly launch techniques what I'm not going to talk about here is unmanaged PowerShell using calling PowerShell without power supply exe other folks like Benton I've covered that a lot better than me there's other talks out there something to be aware of I'm talking about weird ways to launch powershell that exe such that you can abstract the arguments from ever showing up in powershell that you exceeds arguments so powershell you can specify - command or you can just use a - for standard input so what this looks like right here you can also use the input variable is that we're echoing our command in the powershell so that the arguments Canal antagonist or powershell don't actually show the commands at all there in the parent process so as defenders already looking for all these things that just looked at we're looking for these in other processes besides powershell and it's much it's a lot bigger problem than just command we do the same thing by setting our command in an environment variable then spawning powershell to hit that variable commodity malware like coped or does this we're seeing this quite a bit already I'm gonna keep going you can do the same thing with a clipboard just have you know pipe into clip and then respond PowerShell process to route the contents of the clipboard and execute it the actual commands in the parent process so does this mean we can just look for all this stuff in PowerShell or the parent process and we'll be good no not quite what you can actually do is let's say we're gonna introduce a third process we have command command PowerShell if we run this command it actually works but the parent process still has the command what we have to do is actually escape that pipe one layer of escaping so it is escape for the first command but not for the second one and when we do this PowerShell doesn't have the arguments parent processes and have the arguments the grandparent does and there's nothing stopping from cooking this even further in the launcher section of my tool I have all these techniques there as a simple push of a button so you can actually build out the syntax on the fly just like that handles all the escaping and you can run it to see are we able to detect this kind of stuff and here's what it looks like kind of from an outline structure of that command you also have crazier things where you have completely unrelated processes again think about the clipboard example you have this process of here you have your parent process spawn this can and echo into a clipboard then spawn another powershell process to call the contents of the clipboard and if you see this powershell syntax running you could recursively look for the parent you'll never actually find the command right here and this example is actually using WM on we we have seen an attacker use this where they basically spraying their command into several different processes into the arguments and then spawn an unrelated powershell process to use w my query out the command line arguments to piece it back together and then execute it crazy ready for a demo so my disclaimer is please don't use this for evil again i'm a bluefin i'm a blue team ER i really hope this helps the blue team and I hope that responsible red teamers would find this tool useful as well so again this is live on github I have version 1.3 which I'm pushing right after this talk I'm specifically for activity which actually introduces two new launch types which are clipboard for the parent process and clipboard for the grandparent process so be on the lookout for that but basically you just import the module and run invoke off you station I really like asking a lot so I do a little animated ASCII art there so here's the main page and we have a menu everything's color coded because I'm OCD and hopefully that's fun for other people and so basically options in yellow will take you to another menu or another prompt and options in green will actually apply off you see Asian or apply something to the payload that you have so the first thing we'll just go to tutorial now we actually just set our payload and you can do set script block or set script path and that can be a local path or even a remote location if you want to download an entire script so again all these off you see Asian techniques work for both a powershell command as well as an entire script if you want the bigger the script it's gonna take a little bit because every element that's possible to randomize that I found is randomized so performance isn't the key here when you're building the command is all about introducing as much randomization as possible so we've set our command we can also use to navigate the prompt so if you have at the bottom our token string and coding launcher we have back CD dot we can use home main to go to the beginning for this example we're going to go to the encoding menu and apply option number five remember green actually applies off eustachian so here's our secure string there's the output so let's go back to the tour oil we can at any time run tests or exact if we want to actually invoke what we currently had min I always want to do this but just for simple examples like this it's nice to see yeah this command store so we'll show you all the information about the original command the obfuscated command and all the obfuscation steps you've taken up to that point copy your clip bring it out to the clipboard out you can specify a file path to get to disk and as we see if we do show options again there's there's all the occupation we've applied up to this point the length as well if you're wanting to put this on command if you ever exceed the 9000 something women it'll tell you hey you've exceeded this if you want to put this on the command prompt it's not going to work so they want to reset so reset removes obfuscation from the current command let you go a little deeper so this was just a simple tutorial so let's go and actually use the invoke or use the remote download cradle and have a little fun with that so the first thing we'll do is go into token all right this is following the order of the talk we just looked at so first we look at how we off you skate from a syntactical level all the tokens of the command so first we'll look at string so the URL is a string object so if we type string well then see we have just one option for here just to concatenate in line so we type one now our URL is concatenated so we'll go back look at the next token command in this example we have invoke expression and we also have a new object as our commands so we go into the command menu we have tics or splatting one or two and so we'll choose I was gonna ask the audience which one they wanted to choose but it's kind of hard with a pre-recorded demo to do that so we chose two now we are doing splatting on both of those commands and there are randomly concatenated so next net that web client which is an argument will go into the argument menu we have three options here which options we'll go with two again so now and that web client has tick off you station download string this is a member argument so we go into the member menu again options are in green choose whichever one we want we'll go with three and that there's a small difference in how you have more options with how she'll three year later for office getting members but I made this tool to work for the payload to work on PowerShell 2 or later so because of that when you want to treat a member as a string and PowerShell 2 you have to add a dot invoke member so sometimes you'll actually want to run member twice just to make sure you catch it so there we ran it again and caught that invoke member with tics so now every token of this command has been off you skated we can copy the clipboard we can paste it into a PowerShell prompt and it works so from from defensive perspective let's go and look at the event log so let's look at PowerShell and we'll actually see there's our script block log with all of the occupation intact you'll notice a lot of warning level logs it's because a lot of these techniques PowerShell is already recognizing it's suspicious but not all of them but are we looking for a warning level logs in PowerShell 4104 script block logs something we should probably start doing so let's get rid of that occupation that was kind of cumbersome to look for all the elements and choose each one so we also have a nice all function you just hit one it'll randomly you know choose the order of all those and you can do it as many times as you want and your command just gets bigger and bigger that's one of the hopes of this tool to show people how quickly commands can morph but still actually work so that was token level off you station we'll take a step back and look at string we have our concatenate reorder reverse which works just like we talked about in the presentation I'm gonna actually fast forward just a little bit to get to the more interesting stuff we have in coding options which again gives us our ascii hex octal binary secure string and they they all work here's me just going through all those examples launcher so here we have again all the launch techniques that we are most most of the launch techniques that we talked about still adding a couple more in but but yeah so we have environment variable or standard input as well as again the ones that have plus plus basically means we're going to push the arguments up to the grandparent process as opposed to just the parent process and for any of these you actually then have this menu for all the execution flags that you want to apply and again it'll randomly choose the order of the substring the white space in between for it applies and there's your prompt one thing to keep in mind is after you apply a launcher it's no longer just PowerShell you've wrapped it with command or something else like that so if you ever try to apply office again after you've applied a launcher it'll actually tell you hey like you've already applied the launch or you can't keep off you skating so you need to reset so yeah all these little fringe cases I've tried to handle in the tool helpful prompts but I'll be yeah once the launcher is kind of the last thing you apply you're done off you skating the PowerShell command the PowerShell level and you're wrapping it to actually launch it through some other means so we'll copy this the clipboard go and get out of PowerShell copy it straight into community XD and it works and again if we go and check our command line arguments we'll use system on then we'll see that the PowerShell arguments don't contain actual command that contains again randomized invoke a randomized standard input or environment variable invocation syntax and the actual command for payload will be stored in the parent process fast for just a little bit this is applying one the grandparent ones we run that it works this video is online or you can just download the tool and play with it that way alright so for the very last part we're doing kind of a rapid-fire we'll go ahead and reset off you station with our original command will go into token we'll office get all the tokens one two three times we'll go back let's now look at string level off you station we'll choose three to reverse the command we'll go back listen then apply encoding level off you sagacious hex test it still works we'll go back let's go into launcher let's choose standard input plus plus go-to move there's argument to the grandparent process we choose our flags now puts the command copy to clipboard paste it in the command prompt and it works it's pretty terrifying so as a blue team err this is kind of what I feel like often when I see this sort of stuff but again I don't do this to be cruel I really hope that this is I'd like to think and encouragement but I'm not that optimistic like I really hope that this knowledge transfer is helpful to two defenders who are here because attackers are already skating we can't think they're not Jeffrey Stover at a keynote at Derby con basically talked with the difference between real security and ignorance fuel or hope fueled by ignorance I really hope this talk shatters your hope like it does mine so that we stop relying on ignorance that it's really as simple as we think it is because it's not and it's possible to be much more complicated and attackers are aware of that they're already using small pieces of this so I really hope that this research in this tool enables all the defenders here to make testing of your detection easier so you don't have to spend the hundreds of hours that I have looking at all this stuff you can actually just take the results and start to look for how good our detection is you know so again a a purely command-line approach is extremely difficult it is possible but PowerShell logs are really where it's out pallet the PowerShell team from Microsoft has given us an amazing gift with these PowerShell logs with script lock module and transcription logging in the earlier slide my colleague Matt dental he's put together an excellent blog post outlining all these things something good to look at what about Python or VBA like how good are their logs right they don't exist again PowerShell has given us logging period like how crazy is that we should be so thankful and lastly we should break our assumptions of what we think is possible we should know our options from a language perspective as well as from a sophistication perspective of what is possible and hunt not just for known bad but also for indicators of off you station so this is my talk I just want to say thank you to the great people I get to work with on a daily basis as well as previous colleagues and really most importantly my wife she's really encouraged me in the past year and let me do this research and without her I wouldn't be here and she he Mirza Levi's listening to me talk about posh a lot and so any questions I'll be in the speaker's corner again I'm here all day please I feel like I'm pretty easy to find around here so please just stop me I'd love to hear your thoughts about PowerShell and criticisms and anything like that and I really please hit me up on Twitter I love to stay in touch and be a resource as best I can to help us as a blue team be successful going forward thank you very much you

Info

Channel: Hacktivity - IT Security Festival

Views: 9,799

Rating: 4.9806762 out of 5

Keywords: PowerShell, penetration tester, hacker, hacktivity, attacker, whitelisting, detection techniques, obfuscation techniques

Id: uE8IAxM_BhE

Channel Id: undefined

Length: 46min 4sec (2764 seconds)

Published: Tue Nov 29 2016