PowerShell 2020: State of the Art / Hack / Infection - SANS@Mic Keynote Network Security

Captions
One, two... SANS Network Security 2020. I hope you're having a wonderful time at the conference so far. My name is Jason Fossen. I'm a SANS Institute Fellow. I've been writing and teaching courses for SANS since 1998, always with a Windows focus, and in the last 10 years especially with a PowerShell focus. The main course that I do at SANS is SEC505: Securing Windows and PowerShell Automation. This presentation, plus my other presentations, plus hundreds of PowerShell scripts that I run, I just give away for free in the public domain. You can get it from blueteampowershell.com. There's no email registration required or anything like that; it's just a simple zip file. So if you would like this slide deck, or the slide deck of, for example, my Process Hacker talk that I did last year as this conference's keynote talk, then you can get that slide deck as well inside the zip file. If you'd like to follow me on Twitter, then there's my Twitter handle, and I promise that this is always related to PowerShell, Windows security, malware, something like that.

So what does this evening's talk cover? Well, in the first section I'm going to discuss what is PowerShell. Many of you are attending courses here at the conference that include PowerShell labs, but because of time constraints the instructors can't spend a lot of time discussing the background of PowerShell, how it works underneath the hood; rather, you dive into the labs and then have fun. So this keynote talk gives an overview of what is PowerShell, especially if you're new to it, you've only heard of it, you've got labs that are coming up. So we're going to talk about what is PowerShell, especially under the hood. After this we're going to discuss PowerShell security. In the last couple of years there's been a rash of PowerShell malware, and for several years there's been PowerShell hacking tools, so we'll talk about PowerShell security. And then in the third section we're going to discuss the future of PowerShell, like for example PowerShell on Linux.

All right, so what is PowerShell anyway? Well, PowerShell is not a command shell. PowerShell is more like an execution engine, and that engine is implemented by a set of DLLs. Now, to call it an execution engine means that these DLLs can be hosted in other processes besides command shell processes. For example, you could have a graphical application or a web application, even a network service. So if we had to just pick a single thing and call it PowerShell, it would likely be this DLL, but of course there's many components that make up PowerShell; this is just one of the most important DLLs. Again, the main thing: PowerShell is not a command shell, it's an execution engine, and yes, it can be wrapped and interacted with through a command shell, but there are other ways to interact with that execution engine. Now, very importantly, this DLL and the other DLLs that make up PowerShell, they run on top of .NET, so that means you have to have .NET installed on the machine before you can install and run PowerShell. There are two major flavors or editions of .NET. So there's the full .NET Framework that came out in 2002, versus the newer kid on the block, .NET Core, that came out in 2016. Now, I know that technically it's not called .NET Core anymore; the word Core has been dropped from the description, now it's just called .NET, but I'm still going to call it .NET Core to avoid confusion. If you just talk about .NET, well, that can be ambiguous: are you referring to the original full .NET Framework on Windows, or the newer .NET Core, or both, or something else in between? So I know that Core has been dropped from the name, but I'm still going to call it Core. Again, the full .NET Framework came out many years ago, 2002.
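As an added example, not part of the talk or of any SANS material: a script that reports which edition and .NET runtime the current session runs on, which process is hosting the engine, and which other processes on the box have the engine DLL loaded, which is the check that the engine-versus-host distinction calls for. The function names Get-PSEngineInfo and Get-PSEngineHosts are this example's own; the cmdlets, automatic variables and the System.Management.Automation DLL name are standard PowerShell.

```powershell
# Added example (not from the talk): report which PowerShell edition and .NET
# runtime this session runs on, which process is hosting the engine, and which
# other processes on the box have the engine DLL (System.Management.Automation)
# loaded. The function names are this example's own; everything else is built in.

function Get-PSEngineInfo {
    # PSEdition is 'Desktop' for Windows PowerShell (full .NET Framework) and
    # 'Core' for PowerShell Core / PowerShell 7 (.NET Core); the key does not
    # exist before Windows PowerShell 5.1, so fall back to 'Desktop' there.
    $edition = if ($PSVersionTable.PSEdition) { $PSVersionTable.PSEdition } else { 'Desktop (pre-5.1)' }

    # RuntimeInformation exists on .NET Core and on .NET Framework 4.7.1 or later.
    $runtime = try {
        [System.Runtime.InteropServices.RuntimeInformation]::FrameworkDescription
    } catch { 'unknown (older .NET Framework)' }

    [pscustomobject]@{
        Edition     = $edition
        Version     = $PSVersionTable.PSVersion.ToString()
        Runtime     = $runtime
        HostName    = $Host.Name                            # ConsoleHost, Windows PowerShell ISE Host, ...
        HostProcess = (Get-Process -Id $PID).ProcessName    # powershell, powershell_ise, pwsh, or something else
    }
}

function Get-PSEngineHosts {
    # Walk every process and keep the ones that have the engine DLL mapped.
    # Both System.Management.Automation.dll and its native image
    # (System.Management.Automation.ni.dll) match the wildcard.
    # Protected processes and processes of a different bitness refuse module
    # enumeration; those are skipped rather than aborting the whole scan.
    $standardHosts = @('powershell', 'powershell_ise', 'pwsh')
    foreach ($p in Get-Process) {
        try {
            $engine = $p.Modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*' }
        } catch {
            continue
        }
        if ($engine) {
            # The filter above tests a property of each module object, not text;
            # Select-String over Get-Process output would only see the formatted
            # table, which does not contain module names at all.
            [pscustomobject]@{
                ProcessName  = $p.ProcessName
                Id           = $p.Id
                EnginePath   = ($engine | Select-Object -First 1).FileName
                StandardHost = $standardHosts -contains $p.ProcessName
            }
        }
    }
}

Get-PSEngineInfo | Format-List
# Non-standard hosts sort first; each one is a process to account for.
Get-PSEngineHosts | Sort-Object StandardHost, ProcessName | Format-Table -AutoSize
```

Run it once from powershell.exe and once from pwsh to see the two editions side by side. A non-standard host in the second listing is not evidence of anything by itself, since management agents and editors legitimately host the engine, but it is exactly the population that an application-control rule keyed on powershell.exe alone would never see.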
This is what's installed by default; this is what Windows PowerShell runs on top of. Now, .NET Core, that came out about 2016, and the most important thing about it is that .NET Core is cross-platform compatible: you can install that on Windows, Linux and macOS. And corresponding to these two different flavors or editions of .NET, we have two different editions or flavors of PowerShell. So we have the original Windows PowerShell that came out around 2006, that runs on top of the full .NET Framework for Windows, but there's also PowerShell Core, now that came out about 2018. Again, I know that the word Core has been dropped from the name of, well, PowerShell Core, but if we just use the word PowerShell it's ambiguous: are we talking about the original Windows PowerShell, the newer PowerShell Core, or both? So I'm going to stick with using the word Core.

Because PowerShell, whether it's Windows PowerShell or PowerShell Core, is more of an execution engine, and it's a set of DLLs, mainly, DLLs can't be run in the raw, so to speak; they can't be run directly. There has to be a host process for those DLLs, so the host process needs .NET plus the execution engine for PowerShell. So the hosting process, that could be a command shell, graphical application, web application, network service. This is important from a security perspective because, for example, if you're trying to restrict the execution of PowerShell on a machine, if you just focus on the common host processes but you ignore the DLLs, well, those DLLs then might be loaded into other host processes on the computer. So what are the most common host processes that you'll interact with? powershell.exe is for Windows PowerShell. When you run that on your computer you'll get what appears to be a traditional text-oriented command shell, very similar to the old cmd shell. Now, powershell_ise, PowerShell ISE, that's also for Windows PowerShell, and when you run that on your Windows box you'll get an Integrated Scripting Environment, a more graphically
oriented application. That means you have a menu, icons in the toolbar; you can have multiple tabs open for multiple PowerShell sessions and multiple tabs open to edit multiple scripts at the same time. So those first two host processes, powershell.exe and PowerShell ISE, that's for Windows PowerShell; that's installed on Windows 7 and later by default. At the bottom you have pwsh; that's for PowerShell Core. On Linux and macOS it's just pwsh, and on Windows it's pwsh.exe.

So you might look at this and say, well, so what? Why should we care about this? What's so different about PowerShell? Yes, it's an execution engine, we hear you, but so is Java. Well, the big difference between PowerShell and almost every other, I almost said command shell or execution engine, I'll just say command shell, the big difference between PowerShell and almost every other command shell in the history of the world is that when you execute commands in PowerShell, the output of the command is a stream of objects, objects with properties and methods. Almost never are you manipulating raw text. Most other command shells, most other scripting languages, are text-oriented. So you have bash on Linux; you run a command like ifconfig, it outputs text; you might pipe that into grep; again, you are piping text and manipulating text. But in PowerShell, on the other hand, when you are executing commands, virtually always the output of the command is one or more objects, objects with properties and methods, and almost always these are .NET objects. Sometimes the objects are COM objects, COM for Component Object Model; these are the same types of objects that you had in VBScript and JavaScript, and PowerShell can manipulate COM objects as well. So for example, in PowerShell, if you run Get-Process, that'll output objects representing all the processes running on the machine. If you have PowerShell on the machine in front of you right now, feel free, run Get-Process, you can see the output. If you don't have PowerShell on the machine in front of you, that's
fine, here's a screenshot. This is for Windows PowerShell ISE. When I run Get-Process it outputs objects representing the processes running on the box, but when you look at it you would swear that the output is text. After all, the pixels on your screen can be read and interpreted as text, but it's an illusion. Get-Process is outputting objects defined by the .NET Framework. The objects represent processes. Those objects have many, many properties. For example, we can see some of the properties in the output here, like Handles, WorkingSet, process ID number and ProcessName, but there's many more properties on top of that; it's just that PowerShell does not display them by default. If you execute a PowerShell command like this, Get-Process, and you don't pipe it somewhere yourself, it's going to be piped secretly into another cmdlet called Out-Default, and then Out-Default decides what to do with those objects. In this case I'm running PowerShell inside the ISE editor, so it selects, PowerShell selects, not us, PowerShell selects some of the properties to be displayed; PowerShell decides how to display those properties on the screen, like in a table or a list. And as you can see in this case, PowerShell has selected about a half dozen properties and is displaying those properties as a table. So you might think it's text, but it's an illusion. To make PowerShell behave and feel like, well, a traditional command shell, it selects some of the properties for you and displays them as text. Now, this can lead to a very common mistake in PowerShell, namely to assume that this is outputting text. So you might run Get-Process and then pipe the output into Select-String or grep or sed, awk, those kinds of text-oriented tools, but then it doesn't quite work right; it doesn't work the way that you expect. But that's because it was never text to begin with; it's more like an illusion. So if these commands are outputting objects with properties and methods, how can we learn about these objects, properties and methods? Well, in
PowerShell there are thousands of built-in commands. It's really not possible to memorize them all, but there's one cmdlet to memorize: it's Get-Help. One of the best things about PowerShell is the wonderful built-in documentation. That's something that PowerShell definitely got right, right from the very beginning; it has great built-in documentation. So if I wanted to get help on the Get-Process cmdlet, I can run Get-Help -Full and then the name of the cmdlet that I want help for. For example, you'll now see what appears to be text on the screen, and in this case it actually is reading from text and it's displaying it as text. Well, it appears to be text; it's actually string objects. But in the Get-Help -Full output you get a description of the command, a list of all of its parameters, and best of all, near the bottom of the output you'll see examples of using the command. For example, for Get-Process there's about nine examples, and it shows how you can pipe those objects into other commands; it discusses the output, how to interact with the properties, and so on. So if you're now getting started with PowerShell, or you're thinking about it, there are thousands of built-in commands, you can't memorize them all, but the only one really you have to memorize is Get-Help, and from there you can get help on everything else.

But remember, the output of these commands is a stream of objects with properties and methods, usually not a stream of text and not bytes. So here's another command to memorize: you can run Get-Process, or any other PowerShell cmdlet, and pipe it into Get-Member. Piping into Get-Member is something that you'll do constantly in PowerShell, because notice, when I run Get-Process and I pipe it into Get-Member, we're not piping text, we're piping objects, and what Get-Member shows, first of all, is the type name or class name for the objects being piped into it. So what type or class of objects does Get-Process produce? What is being piped into Get-Member? It's System.Diagnostics.Process. Think of this as like the full Latin biological species name of that type of object. So if you were to ask your neighbor who is a biologist, what kind of dog do you have, instead of your neighbor saying something like golden retriever or cocker spaniel, your neighbor might give you the full Latin biological name, you know, kingdom, order, genus, species, and so on. Well, that's kind of like what this type name or class name is. And the handy thing about it: once you know the type name or class name, you can do an internet search on that name, and almost always the first link that you get will take you to Microsoft's website describing that class in the .NET Framework. It will describe the class, the properties and methods, and very often it shows sample code. The sample code is often in C#, but because PowerShell is kind of like simplified C#, well, the C# examples are often very useful for PowerShell too. But you know, if you just do that exact same search where you search on the class name but then include the word PowerShell, then the odds are great that you're going to find some blog or forum or other resource on the internet where someone using PowerShell is manipulating or interacting with that class. But notice, going back to the screenshot again, you don't have to do an internet search, because after the type name, Get-Member will list the names of all the properties and methods of that class of object. Again, when you run Get-Process, it's PowerShell that decides which of the properties to display to you and the formatting of that display, like a half dozen properties in a table, but there's many more properties available. You can't actually see these objects with your eyes. Someday in the future you'll have a fiber optic cable that'll go directly from the computer into your brain, and then you can kind of directly grok or imagine with, like, internal virtual reality, and then you can directly apprehend, right, the form of the process, like
in Plato's cave. But we're not quite there yet, right? So how can we better visualize and see these objects that we can't actually see with our eyes? Well, the second command I recommend you memorize is piping into Get-Member, because now you can do a search on the name of the class and you can see the names of the properties and methods. But what about seeing the data inside those properties?

So there's one set of analogies for understanding PowerShell, and they're mostly wrong: they're all text-oriented analogies. You might say, well, PowerShell is the Windows command shell, I assume it's text-oriented, so I'll run some commands and I'll pipe it into Select-String or grep or other text-oriented tools, and almost always that leads to frustration. I've taught PowerShell to thousands of people for the PowerShell course at SANS, and this is the number one obstacle or roadblock: it's the implicit assumption that PowerShell is like other command shells, where you're executing commands that output text, and so you are searching text and slicing and dicing text and redirecting or piping text. But you're not. So I recommend kind of setting aside all those analogies that lead down blind alleys, where you think in terms of, like, text-oriented tools and text manipulation. Now, instead, hopefully you have experience as a database administrator, a DBA, or you have experience with SQL, Structured Query Language, or at least you have experience with spreadsheets, like Excel spreadsheets, because databases and SQL and spreadsheets, these actually provide a much better set of analogies for understanding PowerShell. For example, there's several PowerShell cmdlets that are modeled on SQL: there's commands like Select-Object, Where-Object, Sort-Object. So for example, when I run Get-Process, I can pipe the objects it produces like I'm piping records from a table in a database, and instead of talking about the properties of those objects we can talk about the fields of those records. Now, this is a much more
productive set of analogies for understanding PowerShell. So how do we do something like a SELECT query, where I can get those records and fields on the screen? Here I run Get-Process, I pipe it into Select-Object -Property *. Now, by analogy, that's very similar to doing SELECT * FROM get-process, so we can kind of treat Get-Process as a table. But of course it's not a table; it's a command that's outputting objects, or outputting records, and then we're piping those records. So here's what it looks like on your screen. In this case I'm not going to get all processes; instead I create one object that represents the lsass process, and I pipe that one object into Select-Object -Property *. Now, -Property * tells PowerShell: I want to see all of the properties. On the left-hand side, those are the names of the properties, and I want to see all the data inside those properties on the right-hand side. So you can see on the left-hand side you have properties, or how about let's call them fields: you have fields like Name, process ID number, working set size, VM for virtual memory, and on the right-hand side is the data inside of those fields. But again, in PowerShell we call them properties. So if you have some experience manipulating databases or SQL, or just even Excel spreadsheets, that's a better set of analogies for understanding what's really going on under the hood with PowerShell, and you can avoid frustration then by kind of giving up those old 20th-century text-oriented habits and instead thinking more like a DBA, where your objects are like records in a table and the properties of those records are like fields.

So again, here's the short list. There are thousands of commands built into PowerShell; you can't memorize them all. So where do you get started? Here's perhaps the shortest cheat sheet ever, right, for getting started with PowerShell. First, I recommend Get-Help -Full; you can find all your commands and excellent built-in documentation. And then after that you can run any
cmdlet, pipe the output through Get-Member; that'll give you the class name or type name, plus the names of all the properties and methods of the objects, and that really drives home the whole idea that we are not piping text, we're piping objects from the .NET Framework. And then for the analogies with SQL, you can run a command, pipe it through Select-Object -Property *, and that's very similar to, in an SQL query, SELECT * FROM a table, but in this case we're kind of like piping that table into SELECT instead of reading it passively. OK, so for getting started with PowerShell, these are the three cmdlets, and the number one most important piece of advice I can give you: commands are producing objects with properties and methods, not text. And remember, there's two major flavors or editions of PowerShell. There's Windows PowerShell, that's been installed ever since Windows 7, that runs on top of the full .NET Framework, but there's the newer PowerShell Core that runs on top of .NET Core. But again, I know that the word Core has been dropped officially, but that's the newer kid on the block; that's the cross-platform and open source version of PowerShell.

Now, all that being stated, in the next section we're going to discuss PowerShell security, or insecurity. In the last several years there's been a rash of PowerShell malware and a whole plethora of PowerShell hacking tools. So why do hackers love PowerShell so much? Oh, old habits are hard to forget: why do threat actors love PowerShell so much? Right, so why did we switch from hackers to threat actors? Because it's scarier. That's how you get more money from the superiors above you in your organization, right? Hackers now refers to, like, you know, cute, you know, well-intentioned teenagers, like from that old Hackers movie, you know, with... oh gosh, it's so horrible, right, it just makes you cringe, but it's so bad it's good, right? It's like, you know, Hackers with Angelina Jolie and, you know, that blonde guy, whatever. So hackers, that's not scary enough anymore. Why do
threat actors love PowerShell so much? Because why wouldn't they? If you're living off the land and you break into a Windows 7 or later machine, PowerShell provides a built-in, coder-friendly wrapper for the entire operating system. Picture PowerShell as something like a friendly octopus, where all the tentacles of the octopus reach deeply into the operating system: the services, drivers, protocol stack, processes, everything, all those tentacles deeply embedded in. But it's not a malicious octopus; it's friendly. Again, the documentation is great, you have lots of online support, the PowerShell community is very large and positive and encouraging and friendly. So if you were to hack into a machine, why wouldn't you use PowerShell? Through PowerShell you have access to more or less the entire operating system and .NET. So through PowerShell we have access to the .NET class library; you have access to COM objects, like in VBScript and JavaScript. PowerShell is also deeply integrated, its tentacles are deeply integrated, into the WMI service. WMI: hackers love that as well. WMI is great; you can use it for remote command execution, persistence, searching event logs, tons of things. In fact, many PowerShell cmdlets are like thin wrappers on top of the features, like things like namespaces, classes and instances, that you get access to through the WMI service. So many PowerShell cmdlets, especially the networking cmdlets, are kind of like thin wrappers for WMI, and that's another way of saying that PowerShell and WMI are deeply integrated together. But it goes beyond that. Imagine that you have a PowerShell script that's 2,000 lines long, but 1,700 of those lines are C#, and when you run your PowerShell script it compiles that C# code into a module in memory. Now the rest of your PowerShell script can access and use that module to, for example, access functions provided by the Windows API. The Windows API is a low-level programming interface to the kernel of the operating system. So things
that you might assume you could only do with a compiled binary program, maybe written in C++, instead you could access with an uncompiled PowerShell script, because that PowerShell script has C# code, compiled on the fly in memory, and then, using that module, you can access much of the rest of the operating system. And of course, on the hard drive you still have traditional binary tools, so we have ipconfig, ifconfig and all the other hundreds of binary tools that PowerShell can run.

PowerShell can also access other machines over the network. Again, this is another reason that threat actors love PowerShell. There's PowerShell cmdlets for remoting using the WS-Management protocol. You can PowerShell remote into other machines to upload and download files, remotely execute commands, remotely execute whole scripts. For example, if you have Server 2012 or later machines, those machines by default are listening on port 5985, waiting for inbound PowerShell remoting connections, and if you can authenticate as someone who's a member of the Administrators group, well, then now you can start uploading and downloading files, remotely executing scripts, and, in other words, move laterally from machine to machine inside the LAN. You have to have the necessary credentials first, but once you have the credentials of an account that's in the Administrators group on all your machines, well, then one of the ways that you can move laterally is just to use built-in PowerShell remoting. Now, for client operating systems like Windows 7 and Windows 10, PowerShell remoting is not enabled by default, but it's easily enabled, like through a PowerShell command or Group Policy. There's several PowerShell cmdlets that can use RPC connections, or can go through the WMI service to establish an RPC connection to other machines, and of course you can use SMB, like for uploading and downloading files, and use RPC on top of SMB. There's also a PowerShell equivalent of curl or wget; it's called Invoke-WebRequest. Now you can access web services, or if you're running malware, your malware can phone home: it might establish an outbound HTTPS connection, download a command file, and then it'll start executing the commands from that file. With PowerShell Core, by the way, PowerShell Core was designed for integration with SSH, so you can set up OpenSSH servers, connect with tools like PuTTY or the SSH client from Linux, but you could also use PowerShell Core and commands like Invoke-Command. In this case, when you execute commands over SSH on other machines, you get back objects, not just raw text. And speaking of raw, you can also use PowerShell to listen on TCP and UDP ports, just like a service, or you can access the TCP and UDP ports on other machines. For example, you could implement something like, how about Metasploit: could Metasploit be rewritten top to bottom in PowerShell? Yes. So again, why wouldn't hackers use PowerShell after taking over the machine, especially if you need to live off the land?

So in the last few years there has been lots of talk about PowerShell attacks; think of, you know, the ATT&CK matrix from MITRE. But let's think about that a little bit more. As you examine the ATT&CK matrix, as you read about these so-called PowerShell attacks, what you find is that PowerShell is almost never used for the initial compromise of the target box or the target LAN. Instead, almost always PowerShell is used for post-exploitation. So your adversaries, they might send hundreds of thousands of phishing emails to the employees in your organization. Some of the employees click on the links or the attachments. Now, because of a flaw in the browser or the PDF viewer or some other component of the operating system, the malware seizes control of the box, connects back out to the internet, perhaps through the browser or its libraries itself, and then downloads a PowerShell script. Now, is this really a PowerShell attack? Couldn't that exact same code download a binary, or JavaScript, or
VBScript, or how about just an old-fashioned batch script? So in this case I would describe that attack as, well, a browser attack or a phishing attack. The vulnerability that allowed our adversaries to take over the machine was a flaw, like in the browser or the PDF viewer or some other application on the box. But yes, your adversaries are executing PowerShell code, but not for the initial compromise, not for the initial break-in, but almost always for post-exploitation. And again, why wouldn't they? PowerShell is great. So if it's already installed on the machine, and you can use it for lateral movement and exfiltration and everything else that you want, why wouldn't you use it?

So now we come to your CISO's question. You may have heard this: how do I secure PowerShell? Or how do we in the organization secure PowerShell? I've heard this myself as a consultant. Now, implicit in the question always is kind of the implicit assumption: how do I secure PowerShell separately from the operating system? As though PowerShell kind of floats disconnected, like a ping-pong ball floating on a, you know, on a stream of air above the operating system. That is not how PowerShell works. PowerShell does not float disconnected above the operating system; it's the opposite. It's more like a hundred-tentacle friendly octopus, with all its tentacles deeply integrated into the operating system, the file system, the registry, everything. So when your CISO asks, how can we secure PowerShell separately from the operating system, well, the answer is: separately, you can't. PowerShell and the operating system are merged together almost as one. Now, yes, I know that technically, under the hood, PowerShell is running as a user-mode process; it's using .NET and all the protections that .NET provides. But from a management perspective, again, the question is, why do hackers love it so much? It's precisely because all of its tentacles are deeply integrated into the operating system. So how do we secure PowerShell? Well, you can't secure it separately. Instead,
focus on host and network hardening. We want to prevent that initial compromise through the browser or the email application, and we want to thwart lateral movement as much as possible. Because again, let's just imagine that PowerShell tomorrow just suddenly disappeared. Well, there's still VBScript and JavaScript and bash scripts and binary tools. So if your adversaries are compromising your machines, like through phishing attacks or watering hole attacks, it's not like they're going to give up, right, because PowerShell goes away. They're still going to be running attack tools; it's just that they won't be PowerShell tools, they'll be written in some other language. After this, upgrade to the latest operating system you can, and quickly apply patches. We want to remove as many exploitable vulnerabilities as possible, whether it's in PowerShell, the operating system or anything else. And of course we want to get users out of the Administrators groups on their machines. For example, let's imagine that PowerShell were perfect: it had zero flaws, no vulnerabilities whatsoever, but the user is a member of the Administrators group, and the user is tricked, like through social engineering, into clicking on a hyperlink or an email attachment. Now the malware executes PowerShell scripts as the user, but the user is a member of the Administrators group; well, the machine is totally compromised. Again, there could be zero flaws in the design of PowerShell, zero vulnerabilities. And let's take it a step further: you could have zero vulnerabilities whatsoever in the Windows operating system, but if that PowerShell script is running with administrative privileges, the machine is still compromised. Now, if that one box is compromised, what about the other machines? So again, we want to use multi-factor authentication whenever possible, because now that the machine has been compromised and your adversaries are trying to move laterally, hopefully they're trying to attack a service that requires multi-factor authentication, and the
malware does not have access to your multi-factor authentication token, like maybe a smart card, a YubiKey or something else. For the lateral movement we also need host-based firewalls. For defense in depth, we should assume that our adversaries are already inside of our networks and they're leapfrogging from machine to machine inside the LAN. Firewalls are not just for the perimeter, not just for laptops; every machine inside the LAN should have a firewalling capability. It doesn't mean that you're dropping all packets by default, but you need at least a firewalling capability. You might allow all packets to and from your workstations inside the LAN, and then you'll have firewall rules to drop or block what you know that you don't need. For example, with PowerShell remoting, perhaps you'll only allow PowerShell remoting from the jump servers and the workstations of the administrators, but otherwise regular users are not permitted to even talk to the PowerShell remoting ports. Just like in a Linux environment: who should be able to SSH into those critical database servers? Do you really want to expose port 22 to the entire internal network, or the entire internet? Well, if we wouldn't do that for SSH, we wouldn't do that for the PowerShell remoting port either. And what about zero trust? The cloud vendors talk about zero trust always in terms of, well, accessing cloud services. Now, zero trust we would have just called common sense years ago, but now it's become a marketing term for the cloud vendors. Inside your LAN you could use zero trust with IPsec. Now, this is not IPsec for a VPN; this is just using the native IPsec driver built into the protocol stack, and now you could do role-based access control. You could require authentication to access some of the listening ports and services on your workstations and servers, and limit access to those ports based on their group memberships in Active Directory. So we can now do role-based access control at the port level. So for defense in depth, then, we want
host-based firewalls and IPsec, and, you know, that's really true whether your adversaries are using PowerShell, VBScript, binary tools; that's true in any case. So again, when the CISO asks, how can I secure PowerShell, the implication is: secure PowerShell separately from the operating system, separately from our users and their security training and the fact that they're in the Administrators group. So how can you secure PowerShell separately from these things? You can't. PowerShell is deeply integrated into the OS.

Now, what about something that's more unique or internal to PowerShell? AMSI stands for Antimalware Scan Interface. With AMSI, as PowerShell code runs in memory, your antivirus scanner or endpoint security product can examine the PowerShell code right before it executes. And if that PowerShell code is obfuscated, compressed, encrypted, or whatever techniques your adversaries are attempting to use to hide the PowerShell code from the endpoint security products like AV scanners, as each layer of compression or obfuscation is stripped away, going through the AMSI interface your antivirus scanner can examine each layer as it's being stripped away, because eventually that malware has to expose and execute normal PowerShell commands, and hopefully that's when your AV scanner will detect it and block it. So whoever your favorite antivirus vendor is, ask the vendor: do you support AMSI? If the vendor doesn't support it, dump them and get somebody better. And then the next question is: this product, this AV product, it supports AMSI; is it enabled by default? How do I turn it on on my machines? Now, we all know that antivirus is not perfect, not by a long shot, but we're trying to raise the bar, centimeter by centimeter, that our adversaries have to jump over to compromise the machine or to move laterally inside the LAN. That's what we're aiming for here by using endpoint security products like AV scanners that support AMSI. You can also use application control technologies; think of, like, Carbon Black
or AppLocker: application control technologies that can restrict the scripts that are being executed, the PowerShell DLLs and the PowerShell host binaries. Again, a common mistake is to use an application control product to control powershell.exe, PowerShell ISE, pwsh, Visual Studio Code, let's say. That's a mistake because, remember, PowerShell is an execution engine; it's a set of DLLs. You're better off actually focusing on restricting the DLLs and then secondarily also restricting the common host processes like powershell.exe.

Now very similar to this concept of application control is the language mode of PowerShell, so internal to PowerShell itself. PowerShell implements internally policies about what bells and whistles of PowerShell can be used. So the default language mode is full language mode. In full language mode all the bells and whistles of PowerShell are available to you, and also available to your adversaries. Now the opposite of that is so-called no language mode. Like, if you're using a Just Enough Administration sandbox, the JEA endpoint: with the JEA endpoint all commands are blocked by default, and you can put the language mode into no language mode. Now in no language mode almost all the bells and whistles of PowerShell are turned off; for example, you can't even use flow control keywords like while, switch and foreach. What's in the middle, though? In the middle, between full language mode and no language mode, is constrained language mode. Now Microsoft's goal here is to leave enabled the bells and whistles of PowerShell that are very commonly used while disabling the bells and whistles that are typically only used by hackers and advanced developers. Now Microsoft on the whole has done a good job. It's never going to be perfect; there's always going to be some scripts, right, that you wish would run correctly in constrained language mode, it's just that you have a few lines in that script that are using advanced techniques which are blocked by the language mode. But the benefit of using constrained language mode is huge: the majority of PowerShell hacking tools simply do not run at all, or do not run fully, in constrained language mode. Now how do you enable this? Well, you could use something like AppLocker, or you could set an environment variable to turn it on. On the internet, just research PowerShell constrained language mode on Microsoft's website, and of course I talk about it in my PowerShell course too. But this is a quick win. You'll have to do some testing to confirm that it doesn't break any of your legitimate tricks, but the good news is your odds are fairly good, fairly good, that your PowerShell logon scripts and scheduled tasks will run just fine even in constrained language mode. And remember that if you're managing this, like through Group Policy or another enterprise management product, different machines can have different language modes configured.

Now after the last few slides you might say, well, why not just block PowerShell completely then? Why not just take the next logical step and just block PowerShell? Now by analogy, what if somebody said, think of NotPetya, WannaCry, EternalBlue: we should get rid of ports 139 and 445, disable and stop the Server service, also known as the File and Printer Sharing service, and just get rid of that entirely. Now yes, that would help with the EternalBlue exploit and, you know, the WannaCry worm and similar attacks against that service and the SMB protocol, but think of what you're missing. You are now losing out on mapping drive letters, downloading logon scripts, downloading Group Policy Objects; all this requires the SMB protocol. So if you were to get rid of SMB and the File and Printer Sharing service entirely, well, yes, strictly speaking you are getting rid of current and future vulnerabilities that could be exploited, but the cost is just way too high. Remember, if you get rid of PowerShell completely, yes, your adversaries can't use it, but neither can you, and now you can't use it, like, for hardening, threat hunting, auditing.
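Going back to constrained language mode: as an added example (not from the talk and not Microsoft's code; the function name and the sample snippets are mine), the script below runs a handful of snippets in a child PowerShell process with constrained language mode forced on and reports which ones the mode blocks. It assumes Windows with either Windows PowerShell 5.1 or PowerShell 7 as the host, a parent session in full language mode, and uses the `__PSLockdownPolicy` environment variable, which Microsoft documents as a testing toggle only; enforcement in production belongs to AppLocker or WDAC policy.

```powershell
# Added example, not from the talk: run snippets under constrained language mode
# in a child process and report which ones the mode blocks.
# Assumes Windows; the parent session must itself be in FullLanguage mode.
# __PSLockdownPolicy=4 is Microsoft's documented testing switch, not a security
# boundary; the LanguageMode column shows what the child actually ended up in.

function Test-LanguageModeBlocking {
    [CmdletBinding()]
    param(
        # Each snippet runs in its own child process so one failure cannot affect another.
        [Parameter(Mandatory)][string[]]$Snippet,
        [ValidateSet('FullLanguage', 'ConstrainedLanguage')]
        [string]$Mode = 'ConstrainedLanguage'
    )

    # Re-use whichever host is running this script (powershell.exe or pwsh.exe).
    $hostExe = (Get-Process -Id $PID).Path

    foreach ($code in $Snippet) {
        # The child prints one line: "<actual mode>|OK" or "<actual mode>|BLOCKED|<error id>".
        $childScript = '$ErrorActionPreference = "Stop"; $m = $ExecutionContext.SessionState.LanguageMode; ' +
                       'try { $null = . { ' + $code + ' }; "$m|OK" } catch { "$m|BLOCKED|" + $_.FullyQualifiedErrorId }'
        # -EncodedCommand sidesteps native argument quoting problems with the embedded quotes.
        $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))

        $saved = $env:__PSLockdownPolicy
        try {
            if ($Mode -eq 'ConstrainedLanguage') { $env:__PSLockdownPolicy = '4' }
            else { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }

            $raw = & $hostExe -NoProfile -NonInteractive -EncodedCommand $encoded 2>&1 |
                Where-Object { "$_" -like '*|*' } | Select-Object -Last 1
        }
        finally {
            if ($null -ne $saved) { $env:__PSLockdownPolicy = $saved }
            else { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }
        }

        $parts = "$raw" -split '\|', 3
        $errorId = ''
        if ($parts.Count -gt 2) { $errorId = $parts[2] }
        [pscustomobject]@{
            Snippet      = $code
            LanguageMode = $parts[0]
            Result       = $parts[1]
            ErrorId      = $errorId
        }
    }
}

# Constructed sample snippets: everyday scripting on the core types that constrained
# language mode still allows, next to the kind of .NET access it exists to shut off.
$samples = @(
    '(Get-Date).AddDays(1).ToString("s")',                 # DateTime is a core type: allowed in CLM
    '[Math]::Max(3, 7)',                                    # Math is a core type: allowed in CLM
    '@{ a = 1 }["a"] + @(1, 2, 3).Count',                   # hashtables and arrays: allowed in CLM
    '[System.IO.File]::Exists("C:\Windows")',               # static method on a non-core type: blocked in CLM
    'New-Object System.Text.StringBuilder',                 # New-Object on a non-core type: blocked in CLM
    'Add-Type -TypeDefinition "public class Demo { }"'      # compiling code at run time: blocked in CLM
)

Test-LanguageModeBlocking -Snippet $samples -Mode ConstrainedLanguage | Format-Table -AutoSize
```

If the LanguageMode column still reads FullLanguage, that host ignored the environment variable, which is itself useful to know before relying on the mode; run the same snippets with `-Mode FullLanguage` to confirm the baseline.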
Your CISO might say, all right, I agree, we can't, you know, chop off our arms and legs just because our arms and legs sometimes are frail or have vulnerabilities; we need those arms and legs. So what if we strike, like, a balance? What if we try to run PowerShell in some kind of sealed sandbox? And again it's that image of PowerShell, like, floating like a ping-pong ball on top of a cushion of air above the operating system. Besides, you can hear your CISO say, isn't the future things like Docker containers, Microsoft Sandbox, wrapping potentially malicious code inside of special protected enclaves in memory? Isn't that the industry trend? But remember, what's the purpose of PowerShell? What if you could run PowerShell in some kind of sealed sandbox in memory where it couldn't touch the file system or the registry or the network or services or applications or anything? I mean, what would it be good for? I guess you could have, like, a PowerShell version of Tetris, or maybe some text-oriented adventure game like from the 1980s, but even then, right, you're still typing in on your keyboard and sending it into that sealed sandbox and it's displaying out on your graphical interface in some sense. So the problem is, if you could run PowerShell in some kind of sealed sandbox like that, like a ping-pong ball floating above the operating system, suddenly now PowerShell is useless. Ironically, if you were to get rid of PowerShell completely, your adversaries would just follow the next path of least resistance; they would just take the next soft target. They're still living off the land; your adversaries are still doing phishing attacks and sprinkling flash drives in your parking lot.

Ironically, you want your adversaries to use PowerShell, because PowerShell logging is great. Again, this is one of the best things about PowerShell: the built-in help, the transcription logging, all the different forms or flavors of logging that PowerShell provides. That's actually great; Microsoft has done a really good job here for
the logging. Now as your adversaries are using PowerShell, like to move laterally from machine to machine or for post-exploitation, you can log their commands, the command-line arguments, and even the output of those commands. We can now feed that log data over the network into a SIEM. So just like you asked your AV vendor about AMSI, contact your favorite SIEM vendor and ask: does your product ingest PowerShell log data? Now almost all of them are going to say yes. Now once you get them to answer yes to that question, can you ingest PowerShell log data, here's the follow-up question: and can your SIEM analyze, in real time or at least near real time, that log data as it's flowing in, looking for patterns that indicate potential indicators of compromise, or signs of actual compromise and lateral movement, and all the other patterns that we care about? Now this is where you have to pin them to the wall. We're paying those SIEM vendors for these products; we're supposed to be getting, like, real-time alerts, or at least near real time, let's say within 15 minutes, when there's indicators of compromise while PowerShell is being abused. But this is where the SIEM vendors are really kind of dropping the ball, and I'm not going to name any names; I've gotten in trouble for that. I know that in the last couple years there's been, like, a cottage industry of, let's say, a forensics tool that can manually extract PowerShell logs from one machine and then examine those logs looking for these patterns, and don't get me wrong, those tools are great, like for incident response and forensics, but does that scale? It doesn't. What we need is for the SIEM vendors to do that same type of pattern analysis, either with regular expressions or artificial neural nets or whatever that vendor wants to implement, but that SIEM vendor is the one that should be analyzing that log data streaming in from hundreds or perhaps even thousands of machines looking for those indicators of compromise.
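As an added example of the pattern analysis the talk asks SIEM vendors to do (not from the talk; the function name, the indicator list and the sample log entries are mine and constructed for this page), here is a small scorer over PowerShell script block log text that counts how many layers of encoding, compression and dynamic evaluation stack up in one entry, the layering the AMSI passage above describes. It runs anywhere pwsh runs on the constructed samples; the live collector at the bottom assumes Windows with script block logging enabled.

```powershell
# Added example, not from the talk: score script block log entries (Event ID 4104,
# Microsoft-Windows-PowerShell/Operational) for stacked obfuscation indicators.
# The indicator list is constructed for this example and deliberately small;
# a real SIEM rule set carries many more and is tuned per environment.

# Each indicator is a regex over the script block text; every hit adds one point.
$ObfuscationIndicators = [ordered]@{
    EncodedCommand = '(?i)(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{20,}={0,2}'
    Base64Decode   = '(?i)\[(System\.)?Convert\]::FromBase64String'
    Compression    = '(?i)IO\.Compression\.(Gzip|Deflate)Stream'
    DynamicEval    = '(?i)\b(Invoke-Expression|iex)\b'
    CharAssembly   = '(?i)\[char\]\s*\d+\s*\+|-join\s*\(\s*\[char\[\]\]'
}

function Measure-ScriptBlockObfuscation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptBlockText,
        # Minimum score to report: 1 flags any single indicator, 2 or more
        # requires indicators to stack, which is what cuts the false positives.
        [int]$Threshold = 1
    )
    process {
        $hits = @(
            foreach ($name in $ObfuscationIndicators.Keys) {
                if ($ScriptBlockText -match $ObfuscationIndicators[$name]) { $name }
            }
        )
        if ($hits.Count -ge $Threshold) {
            $preview = $ScriptBlockText -replace '\s+', ' '
            [pscustomobject]@{
                Score      = $hits.Count
                Indicators = $hits -join ','
                Preview    = $preview.Substring(0, [Math]::Min(70, $preview.Length))
            }
        }
    }
}

# Live source on Windows: ScriptBlockText is the third property of a 4104 event.
function Get-LoggedScriptBlockText {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
        ForEach-Object { $_.Properties[2].Value }
}

# Constructed sample entries standing in for 4104 log text. The base64 tokens are
# meaningless filler ("QUJDRA==" is just "ABCD"); only their shape matters here.
$samples = @(
    'Get-Service | Where-Object Status -eq Running | Sort-Object Name',
    'Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("QUJDRA==")))',
    '$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress); iex (New-Object IO.StreamReader($gz)).ReadToEnd()',
    'powershell.exe -NoProfile -enc Q29uc3RydWN0ZWRTYW1wbGVUb2tlbk9ubHk='
)

# Score 0 entries (the benign Get-Service line) are not reported at all.
$samples | Measure-ScriptBlockObfuscation -Threshold 1 | Format-Table -AutoSize
```

Against the live source, replace `$samples` with `Get-LoggedScriptBlockText` and raise `-Threshold` until the output is something an analyst can actually read.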
So ask your antivirus vendor, do you support AMSI? And then ask your SIEM vendor, can you ingest and analyze PowerShell logs looking for potential indicators of compromise? So doing incident response and forensics, that's extremely useful, but that's after the fact. What we need is ideally real-time analysis, and that's where the SIEM vendor should be stepping up to the plate. All right, so that's an overview then of what to do about PowerShell security, but really, talking about PowerShell security separate from the users, their administrative group memberships and the underlying operating system, talking about these things as though they're separate, is a mistake.

Now so far I've talked about lots of good things about PowerShell. Let's talk about the future now. It's not that there's bad things about the future, it's just that there's big question marks. So Windows PowerShell came out about 2006; it's been around for a long time. PowerShell Core had general availability in 2018. This is the new kid on the block. But why PowerShell Core? Well, it's the new Microsoft. Microsoft doesn't really sell shrink-wrapped licenses anymore; instead, Microsoft is a cloud provider, and all of their activities are designed to get you into the cloud, keep you in the cloud, and to milk you month after month after month forever for all the services and data that Microsoft provides in the cloud. So all roads now lead to Azure, Microsoft 365, SharePoint Online and Exchange Online and Intune and all those other cloud services like Azure Active Directory. All roads lead now to Microsoft's cloud; that's the entire business model. Microsoft doesn't talk about it much, but over half of the virtual machines or containers in Azure don't run Windows Server; they run Linux. In fact, I wouldn't be surprised at all if today it's over 75 percent, and frankly I would only be shocked for, like, a second or two if it were something like 80 or 90 percent of the virtual machines in Azure running Linux. I wouldn't be surprised really that much. Microsoft also missed out
on the whole mobile device pot of gold. Windows Phone was crushed by Android and iPhone. Well, the next gigantic pot of gold that all the big cloud providers are going after is the Internet of Things pot. So very soon we will have many hundreds of billions and eventually trillions of devices that all have wireless connectivity up to the cloud. Eventually your cat will have a chip, either embedded inside or in its collar, and you'll be able to get the GPS coordinates and the temperature, right, and the heartbeat of your cat right through the cloud. So this is the next gigantic pot of gold that Microsoft wants to go after and not miss out on like they missed out on mobile. But most IoT devices today run Linux, and the ones that don't run Linux, most of them run a specialized, like, real-time operating system, and in any case they don't run Windows. Here's something else: a large percentage of developers prefer macOS over Windows for doing their development work. Microsoft needs a version of PowerShell, then, that can run on macOS, Linux and Windows. It needs to be cross-platform compatible, because if PowerShell is Windows-only then these other ships are sailing away: IaaS, right, infrastructure as a service, virtual machines, IoT devices, and the developers' own personal computers.

What is Microsoft's biggest competitor here? Very often PowerShell is compared to something like bash on Linux, or maybe zsh or fish, and that's fine; there's characteristics that are in common between PowerShell and those other command shells. But again, PowerShell is not really, not truly, a command shell; it's more of an execution engine with its own scripting language. The 10,000-kilogram gorilla in the room is Python. Python is the main competitor for PowerShell. So if you've never seen the RedMonk scores: horizontally across the x-axis at the bottom we have popularity rank on GitHub. This is basically just a crude count of projects and the language that's used for that project. And on the vertical, or y-axis, on the
left-hand side we have popularity rank on Stack Overflow, again by the tags for the scripting or programming languages that are used. So in the upper right-hand corner you find, in general, just roughly speaking (don't put too much weighting on the exact ordering here), but in the upper right-hand corner in general you tend to find the most popular, vibrant or up-and-coming languages. So there's PowerShell way up there in the upper right-hand corner. Again, I've been teaching the PowerShell course for SANS for over 10 years now, and every year PowerShell gets more and more popular, and it's just been creeping up this diagram. But notice what's at the far upper right-hand side: it's Python. For years I've been worried about this, because again, mainly I do, you know, PowerShell training and consulting, so I've been doing Amazon advanced book searches at least since 2015. So if I do a search for printed books printed after November of 2006, because that's when PowerShell first came out, and you have to keep the subject category Computers and Technology, otherwise you'll get things like Monty Python and python snakes, that sort of thing, and I've just been doing a kind of a rough count of how many books Amazon has available on these products. So back in 2015 there were 484 Python books and 119 PowerShell books. But now I did that same search again just a few days ago: there's over 2,000 books on Python, and why is it only 2,000? Well, that's the limit of what the search will show. Doing some other searches I think it's more like in the ballpark of five or seven thousand. And how about for PowerShell? It's only 471.
So where's PowerShell for Kids, PowerShell for Machine Learning, PowerShell for Big Data Analytics? So as a competitor, then, is Python coder-friendly? Yes. Cross-platform? Yes. Object-oriented? Yes, mostly. How about built in? So May of last year there was an article on Microsoft's website that, kind of tongue-in-cheek, said who put Python in the Windows 10 May update? Well, Python is actually not installed, but what is installed is a so-called app execution alias. You can actually see this if you go to the All Settings app and then do a search for app execution alias, or just alias, and you can see that there's python.exe and python3.exe. So on Windows, with the appropriate update applied, if you were to go to a command shell and then run python, a graphical app pops up prompting you to install Python from the Windows Store, the Microsoft Store. They made it as easy as possible; Microsoft and the Python team, they worked together to make it as easy as possible to install Python. Now that's pretty darn close to getting Python installed by default. I mean, I wouldn't be shocked if next year Windows 10 Enterprise had Python installed by default. I don't think it's going to happen, but I wouldn't be totally shocked. And by the way, when hackers take over those machines they will happily use Python, right? So are we now going to start talking about Python attacks? Well, not really; it's going to be Python post-exploitation, if that were to happen.

Microsoft also wants to appeal to developers with Windows Subsystem for Linux. So developers might use macOS or Linux because they're developing code that runs on Linux servers, but with the Windows Subsystem for Linux you get a real Linux kernel running on top of Windows. It runs in something like, think of it as a deeply, tightly integrated virtual machine or Docker container. I know it's not exactly that, it's just an analogy, but think of it as like a deeply integrated container or VM integrated into the underlying operating system, almost like an octopus might
have tentacles into the underlying operating system. You see the whole point, because if the Windows Subsystem for Linux ran as kind of like a disconnected, hermetically sealed bubble, it would be useless, but it is tightly integrated into the underlying operating system. In fact, I don't know if you saw the announcement, but Windows Subsystem for Linux will soon be able to directly mount entire drives, maybe a drive formatted with ext, maybe ZFS or other Linux-oriented file systems. Now of course with the Windows Subsystem for Linux, almost every distribution of Linux that you would install this way will come with Python.

So Microsoft's approach is pretty optimistic when it comes to PowerShell Core. The idea is very optimistic: if we build it, they will come. Linux and Mac developers will come to PowerShell if we build it. So this has been a major engineering effort at Microsoft to develop PowerShell Core, to make it cross-platform and open source and so on. You can go to GitHub, github.com/powershell; you can now download PowerShell Core for different operating systems in different package formats for Windows, Linux and macOS. On Ubuntu, for example, you can also install it as a snap package; it's very easy: snap install powershell --classic. So Microsoft has done a good job at making PowerShell Core easy to install in Linux. But remember the tentacles analogy again: how, for example, the Windows PowerShell cmdlets for managing networking, most of those are like thin wrappers for the WMI service, but the WMI service does not exist on Linux. In Windows PowerShell there's over 200 cmdlets related to networking, many of them for Hyper-V and software-defined networking. Now what about those networking-related cmdlets for PowerShell Core running on Linux? Well, on the right-hand side this is a screenshot from Twitter. Steve Lee is the main program manager at Microsoft for PowerShell. Somebody asked him, what about the networking cmdlets for Linux? And the answer is, there's currently no plan to
port those to non-Windows operating systems. So that means you're using tools like ifconfig and ip, netstat, lsof and nmcli and all the other traditional tools, right, for managing networking on Linux. Well, all right, that's fine; I mean, no command shell can have all batteries included for all platforms whatsoever, so maybe it's all right. But what about other ways of using PowerShell on Linux? For example, I really think Microsoft should have invested, like, ten thousand dollars to hire a developer or two to create a PowerShell module for Samba, because that's kind of like a natural migration pathway. You could have a Windows administrator on a Windows file server who's now in charge of a Samba file server running on Linux, so shared folders and permissions and user accounts, the whole bit; it's kind of like a natural migration pathway. So that could be a good story for Microsoft to tell: you say, here's a great module, Microsoft supports it, you can now use PowerShell cmdlets designed for Samba. But it doesn't exist. Yes, there's some Samba scripts out there for PowerShell, but these are not officially supported and financially supported by Microsoft to make it a really robust package, right, to act as a magnet to draw people to PowerShell on Linux. And of all the things on Linux that I think are ideally suited for PowerShell, it's systemd. systemd is what makes Linux more like Windows. Don't send me hate mail, right, don't shoot the messenger, but what makes Linux more like Windows really is systemd. So think of all the unit files and all the commands that you have for systemd; well, that would so easily map onto PowerShell cmdlets, so you can have objects that represent the units and so on. And something else that's kind of near and dear to my heart is ZFS. The ZFS tools, like zpool and zfs, these are very well-written, well-behaved tools, so that when you run these tools you can have PowerShell intercept the output and then convert that text into objects, where all your ZFS data, like your vdevs
and your pools and whatnot, all that data can be represented as properties of PowerShell objects. In fact I even started working on some of those scripts myself, but I'm just one person; this needs Microsoft backing. If Microsoft is saying, if we build PowerShell Core then Linux people will come, there's got to be a reason to come. So if it's not networking, and it's not Samba or systemd or ZFS, so what is it?

Now here's something else. This is a screenshot of bash, well, Terminal, but inside of Terminal I'm running bash on Ubuntu Linux. And the first line at the very top, if you're not familiar with the dd command, I'm getting six bytes, saving those bytes to a file, test.bin. Now the exact bytes don't matter, that's why they're random, but there's now a file test.bin; it contains exactly six bytes of data. Now remember, at the very top of this screenshot I'm still in bash on Ubuntu. So now we run cat, and I'm using the full path to cat to make sure that there's no doubt about what version of cat I'm using, but I cat that file test.bin into hexdump, and that shows in hexadecimal the six bytes of data in the file. I now launch PowerShell, pwsh. I run the same Ubuntu cat, I pipe the output into hexdump, and notice the output: that's not the same. That's not six bytes; it's not even the same six bytes, like, repeated multiple times. And even if it were repeated multiple times, or even if it were Unicode, or no matter what the explanation is, it's not the original six bytes. And notice that down below at the bottom, if I run hexdump from within PowerShell and I directly pass in that file, well, then it correctly displays the six bytes. The culprit here is the pipe symbol. The pipe symbol in PowerShell is designed around the piping of objects, not piping text streams or byte streams. Now for my consulting clients, for my students in my course, I have to talk about this. I mean, I would be professionally and morally remiss if I did not show this to Linux developers or Linux administrators and say, watch out, this is a known issue. And by known issue, it's been at least a couple years that this is known, so this is not like some kind of surprise to Microsoft. Microsoft knows about it, they're working on it, they care about it. Again, sometimes people say things like, oh well, those Microsoft developers, you know, they're not very sharp or hard-working, they're bad programmers. That's not true. The PowerShell team, they care, they're sharp, they're hard-working, they know about the issue, but of course they have to deal with budget constraints and all the internal politics at Microsoft. So down at the bottom right you see some GitHub links; you can read about the issue. In the middle, this came directly from GitHub, somebody writes: I don't know what the right solution is, but as of PowerShell Core 7, PowerShell and external or native executables are like separate worlds. So when you're executing PowerShell commands within PowerShell, you're producing objects and piping objects, but on Linux when you run an external command, let's say like ifconfig or lsof, that's like a separate universe, a separate process, and if you do things like pipe the output of that external process into a PowerShell cmdlet or into other tools, that pipe symbol in PowerShell might change the data on the fly in unexpected ways. In fact even sometimes text is modified in unexpected ways; the problem is the newlines. So is it carriage return line feed, is it just carriage return, is it just line feed? Sometimes there's just extra newlines. So yes, if the extra newlines don't break anything then that's fine, you can work your way around it, but sometimes it does break things. And what about sending or receiving raw byte streams, like, for example, if you know about ZFS, how you can do zfs send and receive over an SSH connection? Now what if you're running a PowerShell script with these zfs and ssh tools, and because of the piping going on, what if it's corrupting the data on the fly?
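The cat-into-hexdump experiment above, turned into a repeatable check as an added example (not from the talk; the function name is mine): it writes a constructed six-byte file, hashes it once by handing the path straight to the tool and once by piping cat into the tool through PowerShell's pipeline, and compares both against a hash computed in-process. It assumes Linux or macOS with cat and sha256sum on PATH; newer PowerShell releases pass native-to-native pipes through as raw bytes, so the result tells you whether the build in front of you is affected.

```powershell
# Added example, not from the talk: does this pwsh preserve raw bytes between
# two native commands? Assumes Linux/macOS with cat and sha256sum (coreutils).
# Text-oriented pipelines decode native output, split it on newlines and re-encode
# it for the next command, which mangles NUL, bare CR and non-UTF-8 bytes.

function Test-NativePipeIntegrity {
    [CmdletBinding()]
    param()

    # Constructed six-byte sample: printable, CR, LF, NUL, and two bytes that are
    # not valid UTF-8, the cases most likely to be altered by a text pipeline.
    [byte[]]$bytes = 0x41, 0x0D, 0x0A, 0x00, 0xFF, 0x80
    $path = Join-Path ([IO.Path]::GetTempPath()) ("pipe-test-{0}.bin" -f [guid]::NewGuid())
    [IO.File]::WriteAllBytes($path, $bytes)
    $sha = [Security.Cryptography.SHA256]::Create()

    try {
        # Reference hash computed in-process, independent of any pipe.
        $expected = ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').ToLowerInvariant()

        # 1. File path handed straight to the tool: no PowerShell pipe involved
        #    (this is the case that displayed correctly in the talk's screenshot).
        $direct = ([string](& sha256sum $path)) -replace '\s.*$', ''

        # 2. Bytes travel from cat, through PowerShell's pipeline, into sha256sum's stdin
        #    (this is the case that broke in the screenshot).
        $piped = ([string](& cat $path | & sha256sum)) -replace '\s.*$', ''

        [pscustomobject]@{
            PSVersion      = $PSVersionTable.PSVersion.ToString()
            Expected       = $expected
            DirectMatches  = ($direct -eq $expected)
            PipedMatches   = ($piped -eq $expected)
            BytesPreserved = ($direct -eq $expected) -and ($piped -eq $expected)
        }
    }
    finally {
        $sha.Dispose()
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }
}

Test-NativePipeIntegrity | Format-List
```

When PipedMatches is false, keep native tools talking to each other directly (one `bash -c 'cat ... | tool'` invocation, or the file path as an argument) rather than routing bytes through PowerShell's `|`.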
Again, this would be a nightmare. So in the bottom left, this was a tweet from just a few days ago as I was making these slides, and here's someone complaining about these issues, talking about it, asking Microsoft about it, and he says this is a real bummer, right? Talk about an understatement. This is a bummer; in fact this is the sort of issue I'm reluctant to even be open about raising with my Unix admins on my team because I'm worried they'll seize on it as an opportunity to dunk on PowerShell as a whole. And I agree, that is a huge risk, because again, when I go back to that prior slide showing even something as simple as cat-ing a binary file into hexdump and it's not outputting what you expect, I mean, this is unacceptable.

So what about textual configuration files? So if we're not going through, like, systemd, then a lot of Linux and Unix administration is reading textual configuration files out of the /etc folder, modifying those config files and then writing them back again. PowerShell has Select-String and other tools and classes in the .NET Framework for text manipulation, but the thing is, they're not as good as sed, grep and awk; they're not as fast as, like, sed, grep and awk; they're not as reliable. So if you're using a PowerShell script but really you're just using it to run, like, you know, sed and grep and other tools for doing text manipulation to manage these /etc configuration files, I mean, then again, where's that special PowerShell magic that will draw in Linux administrators to actually use PowerShell instead of bash, let's say?

Now a few years ago Microsoft was busily working on something called Desired State Configuration. This potentially could be a reason why you would go to PowerShell Core on Linux: you want to use DSC. So DSC competed with things like Puppet, Chef, Ansible and Salt. Now the problem, though, is that DSC kind of imploded under the weight of its own complexity and the lack of financial and other backing from Microsoft. So in my PowerShell course at SANS I had a big
module and multiple labs on DSC; in fact I was going to use DSC through all the days of the week. But then about a year and a half ago Microsoft started making some announcements. They said, we're making some planned changes, and some things are being delayed, and we're not quite sure what to do about X, Y and Z, and things kind of stalled out. And today, where's DSC? Does Microsoft talk about it much anymore? Not really. That's even a separate team from the PowerShell team. DSC now has become kind of like a marketing bullet point for Azure, and ironically, who's using DSC more out there in the world? I think it's the competing technologies, like Puppet, for example. In fact Puppet just made an announcement, I think literally like 12 or 24 hours ago, about new, deeper integration between Puppet and DSC resources, and great, I hope it's successful. But what about on Linux again? So in Linux with PowerShell Core you have Invoke-DscResource, but that one little cmdlet is experimental, even after all this time, still experimental. So if you have a choice between something like Puppet, Chef, Ansible and Salt, these are mature products, very popular, and something experimental, and it's just one little tool, and what about pull servers and push mode and partial configurations and, well, all the other bells and whistles that we need? In my opinion DSC is probably dead. So it's still kicking around out there, but, you know, if you've been following Microsoft for years you've seen this story before. Think of Silverlight, ISA Server, which then became Threat Management Gateway, or Network Access Protection, or Groove, or Zune, right? It's not as though Microsoft suddenly decides, well, we don't think this product has a future, put out a press release, right, Zune is dead. They just don't do that. Really, well, they did that for Windows Phone. So DSC is kind of struggling along, and I feel really bad because the people, the volunteers out there who put so much time and effort into DSC, what's going to happen to all that code,
all those resource modules? So for example, the main website for this today is dscommunity.org. Notice it's not dsc.microsoft.com; it's DSC community. In other words, Microsoft has kind of, well, punted in some ways. They say, hey, community out there, if you want it then go ahead and run with it, but we're not going to invest a huge amount of money; instead we're going to do, like, Azure guest policy configuration, and we'll see what happens. Maybe that'll be a good marketing bullet point for Azure, maybe not. It seems like Microsoft is not really committed to it; it's like development is slow as a glacier. I have to admit I kind of laughed when I saw this article. The SharePoint DSC is one of the bigger, more popular uses of DSC out there, like it might even be the most popular use of DSC out there in the world, and here's an article: SharePoint DSC is still alive. So if you have to say something like that, that's not an indication that this is a vibrant, growing, thriving community. So what I tell my attendees at SANS and my consulting clients is, do not invest in DSC; invest in something like Puppet, Chef, Ansible or Salt instead. And yes, I know that DSC resources can be used by these products like Puppet, and that's nice, but are you really going to bet your organization's future on that? We'll see. So I recommend investing in something else; DSC I think is probably dead.

So PowerShell Core on Linux I think is just a big question mark. Is it attracting developers? Is it attracting Linux administrators? So Microsoft is devoted to it; they're putting lots of time and effort into putting out the packages, but who's coming? Just because you build it doesn't mean they will come. And what about PowerShell Core now on Windows? If PowerShell Core on Linux is just a big question mark, what about on Windows? It seems that the odds would be better, and there's good things about PowerShell Core on Windows. For example, PowerShell Core and OpenSSH together is great; it works great, it's fast, I mean it's really,
really nice. Finally, after all these years, we get OpenSSH for Windows. And PowerShell Core is faster, so if that's your number one consideration, you need the code to run faster, then switch to PowerShell Core. Now you can use things like ForEach-Object -Parallel, and the web-oriented cmdlets were rewritten and they're great; they're more reliable, they're faster, they work, they're great. Microsoft, Mark Kraus, I mean, just did a great job on this. So when will PowerShell Core be installed on Windows by default? That's probably the number one reason that it's being held back on Windows: it's just not installed by default; there's already Windows PowerShell. So somebody asked, congratulations, this is for PowerShell 7, will PowerShell 7 be installed in the second half of 2020 on Windows 10? And here's the answer from Steve Lee at Microsoft: there is currently no plan to ship PowerShell Core inbox. Now it's not that the PowerShell team doesn't want to do this; they would love to do this, but they don't have control over Microsoft as a whole. Remember, PowerShell Core runs on top of .NET, and that's a whole separate team, and there's all these issues at Microsoft of, for example, supportability, long-term release versus, you know, the semi-annual releases. Microsoft instead is focusing on making it as easy as possible to install PowerShell Core on Windows, kind of like, you know, Python. Remember several slides ago we were talking about that app execution alias for Python, where it pops up a graphical dialog box and prompts you to install Python on your machine, and who knows, maybe next year Python will be installed by default.

Now related to this is another product, another project, called Windows Terminal, and you can run PowerShell inside of Windows Terminal. It's kind of a long, verbose tweet here, a set of tweets on the right-hand side, but it's the most concise thing that I could find, and in this case someone was asking one of the program managers at Microsoft about Windows Terminal and how, with
Windows Terminal, if a new update is released, Windows Terminal has to be terminated as a process so that it can be patched and updated and then it can be relaunched again. Now the problem is, what if PowerShell is running inside of Windows Terminal, or what if PowerShell is installed from the Windows Store, the Microsoft Store, in the exact same way as Windows Terminal? And notice down at the bottom, this is actually part of a whole conversation and I couldn't fit it on the slide, but at the bottom the program manager at Microsoft for PowerShell says, unfortunately this is out of the app's control for anything installed from the Microsoft Store. Namely, what's out of its control? The fact that that application might be terminated as a part of the patch or update process. So yes, it might be a lot easier to install PowerShell Core on Windows from the Microsoft Store, but then what if you're running, like, a backup script that takes 12 hours? You get that script running after dinner and then you intend to let it run all night long, but unfortunately then that's when an update occurs. Now I haven't been able to reproduce this myself, and I'm happy to be wrong about this, but the implication of all this is that yes, with a running PowerShell Core instance, because it's installed from the Store, there's a chance that it would be terminated in order to patch or update it. Again, I don't know if that's true or not, but that seems to be the implication, and if you're worried about this then that means definitely you would install from GitHub. And in fact, notice that's the recommendation for installing Windows Terminal: if you're worried about Windows Terminal being terminated by Microsoft while it's being updated, well, the recommendation from Kayla Cinnamon is to install Terminal from GitHub, not from the Windows Store, and apparently that applies to PowerShell Core as well.

Here's something else. I do lots of training for the DoD; lots of people who take my course, sometimes half of the people in my
course are all dod related people and for you dod people out there you often know that you're working in air gaps you don't have internet access you'll never have internet access from that air gap or skiff so with powershell core on windows not linux but only on windows when you launch powershell core inside the air gap depending on how dns is configured you might have to wait nine seconds and literally i have time this multiple times you have to wait nine seconds for powershell to launch and become available now the reason for it is long and convoluted but the short of it is you're waiting for a dns query to time out and if you're internal dns servers if you disable recursion well then you immediately send a query and immediately get a response back right that for a failed query and then powershell launches like normal so the delay here is is not really humanly noticeable it's only like like a like 100 milliseconds or something but if you don't have recursion disabled in other words if recursion dns recursion is enabled inside your air gap well then you'll have to wait nine seconds for powershell core on windows to launch so here's a little posting from github here's some cranky person working through all this trying to figure it out and again microsoft developers are aware of this they care about it they want it to be fixed too and i tried to to summarize it as quickly as as concisely as i could and i'm speaking as though i'm a microsoft manager so to speak and my hands are tired and i'm frustrated as a microsoft manager dealing with this problem and so kind of speaking as microsoft i say so the app locker people don't intend to update app locker because even if you don't have any app locker rules enabled this still impacts you but we're not willing to refactor this part of powershell core to be like windows powershell which doesn't suffer this problem but we still want you to switch to powershell 7 anyway despite the 9 second startup delay in your air gap if 
this is not acceptable the nine second delay please make a system-wide change to how windows checks certificate revocation lists not going to happen or disable recursion on your dns servers which might happen but seriously for the sake of powershell you're gonna disable recursion on your dns servers so down at the bottom this is a response from a hard-working person who does care response and says well basically your comment adds nothing new in other words i take that as kind of like an implicit confirmation that this summary is correct so powershell core on windows in an air gap might literally have to wait nine seconds before you can get to your command prompt on linux there is no delay and for windows powershell there is no delay it's only powershell core on windows but now we get to the real heart of the matter on a windows machine why would i switch from windows powershell to powershell core again open ssh the performance improvements those are really nice don't get me wrong but in powershell core on windows if you run a command that does not exist in powershell core under the hood windows powershell is secretly launched in the background powershell core talks to the secret background windows powershell executes the command the output is relayed back up to powershell core and then displayed on your screen you can read all about it if you run that command shown at the bottom of the slide then that's like a little essay that's built into powershell and it describes how the windows powershell compatibility module works but the way it works is like the wizard of oz so pay no attention to that windows powershell remoting session behind the curtain we want you to use powershell core anyway even though oftentimes when you're executing commands those commands don't natively exist they're not natively implemented by powershell core instead you are secretly running windows powershell in the background well if that's the case why would i not just cut out the middleman 
and just launch windows powershell so here's another recent uh tweet uh ashlyn mcloone is a well-known powersheller and he posted a poll are you deploying powershell core in the enterprise why or why not and notice that the answers came back 52 percent no now i know that statistically 276 votes that's not statistically significant but there's no other poll that i could find and remember who would see this tweet it's someone who's either following the powershell hashtag or they follow ashley because he's a well-known powersheller so with 256 votes for people who are following the powershell hashtag or following ashley but 52 of them say no we are not deploying it i wouldn't be surprised at all if we were to do a random sampling of all like small medium and large organizations all around the world if we could somehow do a random sampling of like 10 000 organizations around the world how many of them are deploying powershell core on windows or linux is it what two percent one percent i mean what if i'm off by an order of magnitude what if it's something like ten percent again why would i do it so now we come back to this diagram again from redmonk when it shows that powershell is very popular really that's windows powershell redmonk doesn't distinguish as far as i know between powershell core and windows powershell but i think the popularity of powershell is for windows powershell so the future of windows powershell on windows is bright and getting better again i've been doing the powershell course at sans for uh just over 10 years every single year powershell is getting more and more popular it's being more widely used all around the world so the future of windows powershell is is assured it's very popular but powershell core on windows i think it's just a big question mark it's not that it's bad it's just that it's not installed by default and then it has these well issues i think when someday in the future powershell core is installed by default but then things 
will change and then we can reassess the future but in the meantime most people using powershell they're just using windows powershell the future of powershell core is just a big question mark all right thank you very much for attending this talk i hope you're having a wonderful time at the conference if you're interested in taking my powershell course that stack 505 and for the gorilla in the room right powershell's number one competitor that's python and sans also has a great python course a sec 573. if you'd like to contact me then here's my twitter handle my email address at sans and again if you want this slide deck and the slide decks for my other talks plus all my scripts they're all in the public domain and you can get them from blueteampowershell.com again thank you very much for attending this talk thank you and have a wonderful conference
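The two PowerShell 7 behaviours the talk dwells on, the hidden Windows PowerShell 5.1 session behind the compatibility layer and the slow start-up, can both be observed on your own machine. The script below is an added example written for this page; it is not code from the talk, from SANS, or from the PowerShell project. It assumes Windows with both pwsh.exe and powershell.exe on the PATH, PowerShell 7.0 or later with the Windows PowerShell compatibility feature left at its default (enabled), and that the compatibility proxy presents itself the way I understand it: as implicit-remoting Functions in a Script-type module backed by a PSSession named WinPSCompatSession whose host is a powershell.exe child of the current pwsh process. Get-WindowsFeature in the usage lines is only a placeholder for "a command from a module that has no PowerShell 7 port on this machine".

```powershell
# Added example for this page (not the speaker's or Microsoft's code).
# Run in pwsh.exe on Windows. Functions are PowerShell 7 specific.

function Test-WinCompatCommand {
    <#
      Reports whether a command would run natively in PowerShell 7 or be
      relayed to the hidden Windows PowerShell 5.1 session (the "Wizard of Oz"
      behaviour described by about_Windows_PowerShell_Compatibility).
    #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Name)

    # Get-Command triggers module autoloading exactly as typing the command
    # would, so any compatibility session the module needs is created here.
    $cmd = Get-Command -Name $Name -ErrorAction SilentlyContinue
    if (-not $cmd) { Write-Warning "$Name was not found in this session"; return }
    if ($cmd.CommandType -eq 'Alias') { $cmd = $cmd.ResolvedCommand }

    $session = Get-PSSession -Name WinPSCompatSession -ErrorAction SilentlyContinue

    # Heuristic (assumption): a command served through the compatibility layer
    # is an implicit-remoting proxy, i.e. a Function inside a Script-type proxy
    # module, and the WinPSCompatSession exists. A native PS7 cmdlet is a Cmdlet.
    $proxied = ($null -ne $session) -and
               ($cmd.CommandType -eq 'Function') -and
               ($null -ne $cmd.Module) -and
               ($cmd.Module.ModuleType -eq 'Script')

    [pscustomobject]@{
        Command     = $cmd.Name
        CommandType = $cmd.CommandType
        Module      = $cmd.Module.Name
        RunsInWinPS = $proxied
    }
}

function Get-WinCompatProcess {
    # The hidden 5.1 host is a powershell.exe whose parent is this pwsh process.
    # Nothing returned means no compatibility session has been spun up yet.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.ParentProcessId -eq $PID } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Measure-ShellStartup {
    # Times a cold "launch and exit" of each shell so the air-gap DNS delay
    # the talk describes can be measured instead of guessed. Run it inside the
    # air gap; on an internet-connected host you will only see the baseline.
    param([string[]] $Shell = @('pwsh.exe', 'powershell.exe'), [int] $Runs = 3)

    foreach ($exe in $Shell) {
        $samples = foreach ($i in 1..$Runs) {
            (Measure-Command { & $exe -NoProfile -NoLogo -Command exit }).TotalMilliseconds
        }
        [pscustomobject]@{
            Shell     = $exe
            Runs      = $Runs
            AverageMs = [math]::Round(($samples | Measure-Object -Average).Average)
            MaxMs     = [math]::Round(($samples | Measure-Object -Maximum).Maximum)
        }
    }
}

# Example usage. Get-WindowsFeature is a placeholder: substitute a command from
# a module that exists for Windows PowerShell 5.1 but not for PowerShell 7 here.
Test-WinCompatCommand -Name Get-WindowsFeature
Get-WinCompatProcess
Measure-ShellStartup
```

If RunsInWinPS comes back true and Get-WinCompatProcess shows a powershell.exe child, that command is the middleman case the speaker objects to: your "PowerShell 7" pipeline is really Windows PowerShell plus a serialisation hop, so objects come back as deserialized copies and any AppLocker, Constrained Language or logging policy you rely on has to cover powershell.exe as well as pwsh.exe. If you want the behaviour to be explicit rather than implicit, Import-Module -UseWindowsPowerShell opts a module into the compatibility session by name, and, as far as I know from the PowerShell 7.1 documentation, setting "DisableImplicitWinCompat": true in $PSHOME\powershell.config.json turns the silent fallback off so that a missing command fails loudly instead.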
Info
Channel: SANS Institute
Id: ZIQ62IZO58s
Length: 87min 16sec (5236 seconds)
Published: Thu Oct 01 2020