#ThreatThursday - PowerShell

This week we will look at a MITRE sub-technique that deserves a #ThreatThursday of its own: PowerShell. PowerShell is an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, and many threat actors have a history of leveraging it. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft includes PowerShell as part of the underlying operating system and it is virtually impossible to remove. Our focus for this #ThreatThursday is on executing PowerShell with powershell.exe. It is a case study we just did during a Purple Team Consulting engagement where the target organization did not believe they used PowerShell in their environment and wanted to be alerted every time powershell.exe was executed.

This week I had the pleasure of being on a podcast where I covered the exact test case we follow in this blog, for the current client, and have done in previous large organizations:

Cyber Threat Intelligence

PowerShell is an inherent part of all supported versions of Windows. It is a command-line interface that allows interacting with local and remote systems. It is not officially a Living off the Land Binary, as its functionality IS to work with the operating system and the criterion for LOLBAS is to have extra "unexpected" functionality. On MITRE’s ATT&CK page for PowerShell we can see that it can be executed with powershell.exe or by interacting with the underlying System.Management.Automation assembly DLL exposed through .NET. We can also see the VERY long list of Procedure Examples from many threat actors that have been documented by MITRE. Lastly, there are multiple C2 frameworks that have agents available in PowerShell. A quick filter on the C2 Matrix shows C2s like Empire, FudgeC2, bombshell, Ninja, Octopus, PoshC2, PowerHub, ReverseTCPShell, and TrevorC2 all have PowerShell agents.

Adversary Emulation Plan

Emulating PowerShell from powershell.exe is very simple. We created a simple PowerShellAndEncoding threat that starts powershell.exe and runs whoami, and also runs it with -enc for encoding (often used for defense evasion). Here is the plan:

 

| Tactic | Description |
| --- | --- |
| Summary | Execute PowerShell through powershell.exe, run whoami, and use -enc to encode the whoami command for defense evasion. |
| Objective | Repeatedly test that powershell.exe execution is detected in the target environment. |
| Command and Control | T1071.001: HTTPS over 443 |
| Execution | T1059.001: powershell.exe whoami |
| Defense Evasion | T1132.001: powershell -exec bypass -nop -enc dwBoAG8AYQBtAGkA |
| Discovery | T1033: powershell.exe whoami |

We ran the threat, exporting it to CSV, and imported it into VECTR for a nice illustration of the steps:

With SCYTHE 3.1, we can also export to ATT&CK Navigator JSON which can be viewed dynamically on the Navigator site:

Detecting PowerShell

As mentioned on the podcast, what we need to do is run this executable to see if there is any detection or alerting when powershell.exe is executed in an environment that “does not leverage PowerShell”. Our first run showed no detection whatsoever, so we installed Sysmon and started looking at Event ID 1 (Process Create) for powershell.exe. Once we logged locally, we needed to get the log to our log aggregator, so we made changes and tried again. It did not work, so we tuned and tried again until it did. Once the log was appearing on the log aggregator, we needed to turn on alerting. After 8 runs, it worked! But we also saw that there are indeed a couple of solutions in the environment that use powershell.exe and we need to look deeper into those.
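The alerting logic described above, as an added example that is not part of the original post or of SCYTHE's tooling: it filters Sysmon Event ID 1 records for powershell.exe, decodes any -enc payload so the analyst sees the real command, and annotates known parents instead of suppressing them. The sample records, the parent paths and the KNOWN_PARENTS list are constructed assumptions.

```python
import base64

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon records, reduced to the fields used here (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe whoami",
     "ParentImage": r"C:\Users\tester\Desktop\PowerShellAndEncoding.exe"},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell -exec bypass -nop -enc dwBoAG8AYQBtAGkA",
     "ParentImage": r"C:\Users\tester\Desktop\PowerShellAndEncoding.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": PS},  # network connection, not a process create
    {"EventID": 1, "Image": PS, "CommandLine": r"powershell.exe -File C:\Tools\inv.ps1",
     "ParentImage": r"C:\Program Files\InventoryAgent\agent.exe"},
]
# Hypothetical list of in-house software already known to launch powershell.exe.
KNOWN_PARENTS = {r"c:\program files\inventoryagent\agent.exe"}


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        if tok[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:  # the payload is Base64 over UTF-16LE text
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # covers bad Base64 and bad UTF-16
                return None
    return None


def detect_powershell(events, known_parents=KNOWN_PARENTS):
    """Alert on every powershell.exe process create; annotate rather than suppress."""
    alerts = []
    for ev in events:
        # Image can be a renamed copy; OriginalFileName is read from the version resource.
        names = (ev.get("Image", "").rsplit("\\", 1)[-1], ev.get("OriginalFileName", ""))
        if ev.get("EventID") != 1 or "powershell.exe" not in [n.lower() for n in names]:
            continue
        alerts.append({"command_line": ev["CommandLine"],
                       "decoded": decode_encoded_command(ev["CommandLine"]),
                       "known_parent": ev.get("ParentImage", "").lower() in known_parents})
    return alerts
```

Alerts with known_parent set are the "couple of solutions" to review; everything else is unexpected powershell.exe use in an environment that expects none.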

Conclusion

On this #ThreatThursday we looked at a sub-technique worthy of its own post: PowerShell. PowerShell comes as part of all supported versions of Windows and cannot be removed, so you must set up detective controls. In this post we focused on the most basic form of PowerShell execution, powershell.exe. We created an adversary emulation plan that runs through a few common TTPs so that we can tune our controls to detect powershell.exe. In future posts we will cover unmanaged PowerShell and how to detect the more advanced adversaries. We hope you enjoyed it!

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
