Investigating PowerShell Attacks - Black Hat

Investigating PowerShell Attacks

Black Hat USA 2014 August 7, 2014

PRESENTED BY: Ryan Kazanciyan, Matt Hastings

© Mandiant, A FireEye Company. All rights reserved.

Background Case Study

[Diagram: the attacker's client connects through the victim's VPN and then reaches victim workstations and servers over WinRM, SMB and NetBIOS]

- Fortune 100 organization
- Compromised for > 3 years
- Active Directory
- Authenticated access to corporate VPN
- Command-and-control via:
  - Scheduled tasks
  - Local execution of PowerShell scripts
  - PowerShell Remoting


Why PowerShell?

It can do almost anything...

- Execute commands
- Reflectively load / inject code
- Enumerate files
- Interact with services
- Retrieve event logs
- Download files from the internet
- Interface with Win32 API
- Interact with the registry
- Examine processes
- Access .NET framework


PowerShell Attack Tools

- PowerSploit
  - Reconnaissance
  - Code execution
  - DLL injection
  - Credential harvesting
  - Reverse engineering
- Nishang
- Posh-SecMod
- Veil-PowerView
- Metasploit
- More to come...


PowerShell Malware in the Wild


Investigation Methodology

[Diagram: three PowerShell attack paths, each mapped against the sources of evidence they leave behind]

Attack paths:
- WinRM: PowerShell Remoting
- evil.ps1: local PowerShell script
- backdoor.ps1: persistent PowerShell

Sources of Evidence:
- Registry
- File System
- Event Logs
- Memory
- Network Traffic

Attacker Assumptions

- Has admin (local or domain) on target system
- Has network access to needed ports on target system
- Can use other remote command execution methods to:
  - Enable execution of unsigned PS scripts
  - Enable PS remoting
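As an added triage example (not part of the Black Hat deck), the following PowerShell checks a host for the two enabling changes assumed above and pulls the first evidence sources the methodology slide lists: the machine-wide execution-policy registry value, the WinRM service and listener state, scheduled tasks that launch powershell.exe, and the Windows PowerShell and WinRM event logs. The function name Get-PowerShellTriage is my own; the cmdlets, registry path, log names and event IDs are the standard Windows ones.

```powershell
function Get-PowerShellTriage {
    [CmdletBinding()]
    param([int]$MaxEvents = 50)

    # Registry: machine-wide execution policy. Attackers who need unsigned scripts
    # to run either set this (Unrestricted/Bypass) or pass -ExecutionPolicy Bypass
    # on the command line, which the task and event checks below surface.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    $policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ExecutionPolicy

    # PowerShell Remoting rides on WinRM: is the service running and a listener answering?
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $running = [bool]($winrm -and $winrm.Status -eq 'Running')
    $listening = $false
    if ($running) { $listening = [bool](Test-WSMan -ErrorAction SilentlyContinue) }

    # Scheduled tasks whose action launches powershell.exe (the deck's C2 channel).
    # schtasks.exe also works on PS 2.0 hosts, where Get-ScheduledTask does not exist.
    $psTasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'powershell' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', 'Last Run Time'

    # Event logs: the classic "Windows PowerShell" log exists from PS 2.0 onward.
    # 400/403 = engine start/stop, 600 = provider start (carries HostApplication, i.e.
    # the command line), 800 = pipeline details when $LogPipelineExecutionDetails is on.
    $psEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400, 403, 600, 800 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'HostApplication'; e = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -match 'HostApplication=' }) -join '' } }

    # Remoting sessions leave traces in the WinRM operational log.
    $winrmEvents = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    New-Object PSObject -Property @{
        ExecutionPolicy  = $policy
        WinRMRunning     = $running
        WinRMListening   = $listening
        PowerShellTasks  = $psTasks
        PowerShellEvents = $psEvents
        WinRMEvents      = $winrmEvents
    }
}

# Run elevated on the host under investigation; pipe to Export-Clixml to preserve the evidence.
Get-PowerShellTriage | Format-List
```

Absent or empty PowerShellEvents on a PS 2.0 host usually means no logging was configured rather than no activity, so treat the registry and task findings as the primary leads there.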


Version Reference

[Table: which PowerShell version each Windows release ships by default and which releases need a Windows Management Framework (WMF) update; the Windows release column headers did not survive extraction. Cells as extracted, grouped by PowerShell version row:]

2.0: Default (SP1)
3.0: Requires WMF 3.0 Update | Default (R2 SP1) | Requires WMF 3.0 Update | Default
4.0: Requires WMF 4.0 Update | Requires WMF 4.0 Update | Requires WMF 4.0 Update | Default | Default | Default (R2)
