This week we will look at a MITRE sub-technique that deserves a #ThreatThursday of its own: PowerShell. As an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, PowerShell has been leveraged at some point by most threat actors. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft includes PowerShell as part of the underlying operating system and it is virtually impossible to remove. Our focus for this #ThreatThursday is on executing PowerShell with powershell.exe, drawn from a case study we just did during a Purple Team Consulting engagement where the target organization did not believe they used PowerShell in their environment and wanted to be alerted every time powershell.exe was executed.
This week I had the pleasure of being on a Podcast where I covered the exact test case we follow in this blog, for the current client, and have done in previous large organizations:
Cyber Threat Intelligence
PowerShell is an inherent part of all supported versions of Windows. It is a command-line interface that allows interacting with local and remote systems. It is not officially a Living off the Land Binary, as its functionality IS to work with the operating system, and the criteria for LOLBAS is to have extra "unexpected" functionality. On MITRE’s ATT&CK page for PowerShell we can see that it can be executed with powershell.exe or by interacting with the underlying System.Management.Automation assembly DLL exposed through .NET. We can also see the VERY long list of Procedure Examples from many threat actors that have been documented by MITRE. Lastly, there are multiple C2 frameworks that have agents available in PowerShell. A quick filter on the C2 Matrix shows C2s like Empire, FudgeC2, bombshell, Ninja, Octopus, PoshC2, PowerHub, ReverseTCPShell, and TrevorC2 all have PowerShell agents.
Adversary Emulation Plan
Emulating PowerShell from powershell.exe is very simple. We created a simple PowerShellAndEncoding threat that will start powershell.exe and run whoami, and then run it again with -enc for an encoded command (often used for defense evasion). Here is the plan:
We ran the threat, exporting it to CSV, and imported it into VECTR for a nice illustration of the steps:
As mentioned on the podcast, what we need to do is run this executable to see if there is any detection or alerting when powershell.exe is executed in an environment that “does not leverage PowerShell”. Our first run showed no detection whatsoever, so we installed Sysmon and started looking at Event ID 1 (Process Create) for powershell.exe. Once the event was being logged locally, we needed to get it to our log aggregator; we made changes and tried again. It did not work, so we tuned and tried again until it did. Once the log was appearing on the log aggregator, we needed to turn on alerting. After 8 runs, it worked! But we also saw that there are indeed a couple of solutions in the environment that use powershell.exe, and we need to look deeper into those.
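The kind of alerting logic this tuning loop ends with, as an added example that is not SCYTHE's code or part of the original post: it runs over constructed Sysmon Event ID 1 records, alerts on every powershell.exe launch, marks launches from a placeholder list of known legitimate parent processes so they can be reviewed rather than silently dropped, and decodes any -enc payload so the analyst sees the actual command. The record shape, the sample events and the KNOWN_PARENTS entry are assumptions.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 (Process Create) records using Sysmon's own
# field names (Image, CommandLine, ParentImage, User). Not real telemetry.
ENC_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()  # -enc form of whoami
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe whoami",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -enc {ENC_WHOAMI}",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\alice"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File inventory.ps1",
     "ParentImage": r"C:\Program Files\ExampleAgent\agent.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

# Hypothetical placeholder for the "couple of solutions" that legitimately launch
# powershell.exe; populate it only after each one has been investigated.
KNOWN_PARENTS = {r"c:\program files\exampleagent\agent.exe"}

# -EncodedCommand and its common abbreviations, followed by the base64 payload.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -enc payload (base64 of UTF-16LE text), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed payload: the launch is still alerted on, just not decoded


def detect_powershell(events: List[Dict[str, str]]) -> List[dict]:
    """Alert on every Sysmon Event ID 1 whose Image is powershell.exe."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "1" or not ev.get("Image", "").lower().endswith("\\powershell.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        alerts.append({"user": ev.get("User", ""), "parent": ev.get("ParentImage", ""), "command": cmd,
                       "known_parent": ev.get("ParentImage", "").lower() in KNOWN_PARENTS,
                       "decoded": decode_encoded_command(cmd)})
    return alerts
```

Known parents are kept in the output with a flag rather than filtered out, because the engagement found that the "no PowerShell" assumption was wrong and each such launcher still needs a look.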
On this #ThreatThursday we looked at a sub-technique worthy of its own post: PowerShell. PowerShell comes as part of all supported versions of Windows and cannot be removed, so you must set up detective controls. In this post we focused on the most basic of PowerShell execution, powershell.exe. We created an adversary emulation plan that runs through a few common TTPs so that we can tune our controls to detect powershell.exe. In future posts we will cover unmanaged PowerShell and how to detect the more advanced adversaries. We hope you enjoyed it!
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.