
How to Detect PowerShell Empire with Carbon Black

August 14, 2015 / Ben Tedesco

Update 03/02/2016: After further research, Benjamin updated his malicious PowerShell query to the following:

  • process_name:powershell.exe AND netconn_count:[1 TO *] AND (cmdline:"-Enc" OR cmdline:"-Exec" OR cmdline:"bypass" OR cmdline:"hidden")

Brief Overview:

Carbon Black can detect PowerShell Empire behavior using the following watchlists:

  • cmdline:"powershell.exe -NoP -NonI -W Hidden -Enc"
  • cmdline:" -s -NoLogo -NoProfile" AND process_name:powershell.exe
    • ALTERNATE:
      • cmdline:""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile"
  • ipaddr:<PowerShell Empire C&C Address>
    • Once the PowerShell Empire C&C server has been identified using the queries above, use the network connection criteria as a pivot to determine if PowerShell Empire has been injected into any other running processes.
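
The three watchlists and the updated query above, approximated as offline matching logic over constructed process events (an added example, not code from the original post or from Carbon Black). The event schema, host names and the 192.0.2.10 address are assumptions, and the substring matching only approximates Carbon Black's own query tokenization.

```python
# Added example: constructed process events. Field names mirror the Carbon Black
# query fields used on this page, but this schema is an assumption.
EVENTS = [
    {"host": "WS01", "pid": 4120, "process_name": "powershell.exe", "netconns": ["192.0.2.10"],
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc <BASE64_PLACEHOLDER>"},
    {"host": "WS01", "pid": 4188, "process_name": "powershell.exe", "netconns": [],
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -s -NoLogo -NoProfile'},
    {"host": "WS01", "pid": 1804, "process_name": "explorer.exe", "netconns": ["192.0.2.10"],
     "cmdline": "C:\\Windows\\explorer.exe"},
    {"host": "WS02", "pid": 900, "process_name": "powershell.exe", "netconns": [],
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"host": "WS03", "pid": 77, "process_name": "powershell.exe", "netconns": ["192.0.2.10"],
     "cmdline": "powershell.exe -W Hidden -NoP -Enc <BASE64_PLACEHOLDER>"},
]

def is_ps(e):
    return e["process_name"].lower() == "powershell.exe"

def method1(e):
    """Watchlist 1: the exact launcher phrase."""
    return "powershell.exe -nop -noni -w hidden -enc" in e["cmdline"].lower()

def method2(e):
    """Watchlist 2 (short form): arguments of the child PowerShell process."""
    return is_ps(e) and " -s -nologo -noprofile" in e["cmdline"].lower()

def updated(e):
    """03/02/2016 query: PowerShell with >=1 network connection and a suspicious switch."""
    c = e["cmdline"].lower()
    return is_ps(e) and len(e["netconns"]) >= 1 and any(
        t in c for t in ("-enc", "-exec", "bypass", "hidden"))

def triage(events):
    """Return (watchlist hits, candidate C&C IPs, other processes talking to them)."""
    hits = [e for e in events if method1(e) or method2(e) or updated(e)]
    seen = {(e["host"], e["pid"]) for e in hits}
    c2 = {ip for e in hits for ip in e["netconns"]}  # candidates; an analyst confirms
    pivot = [e for e in events
             if (e["host"], e["pid"]) not in seen and c2 & set(e["netconns"])]
    return hits, c2, pivot

if __name__ == "__main__":
    hits, c2, pivot = triage(EVENTS)
    for e in hits:
        print("watchlist hit:", e["host"], e["pid"], e["cmdline"][:60])
    for e in pivot:
        print("pivot on", sorted(c2), "->", e["host"], e["process_name"], e["pid"])
```

The WS02 event contains "bypass" but has no network connection, so the updated query leaves it alone; the WS03 event has the launcher switches in a different order, so only the updated query matches it, not the exact-phrase watchlist.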

As a former Blue Team operations lead, I kept a relatively low profile at DEF CON 23. The talks, vendors and the “socializing” at this year’s conference definitely did not disappoint. A number of themes ran through the conference, from hacking cars to the one that intrigued me most: the use of PowerShell as a post-exploitation attack vector.

The talks I found most fascinating were the “Red vs. Blue” talk by Sean Metcalf and Rich Kelly’s “Harness: PowerShell Weaponization Made Easy (or at least easier).” In both of these talks (as well as a few other sessions), PowerShell Empire gained notoriety as the de facto framework for those engaging in offensive security operations leveraging PowerShell.

PowerShell Empire enables one to rapidly configure, build, and deploy various PowerShell launchers that communicate back to a command-and-control (C&C) listener operating on a Debian Linux server. From here, an attacker can issue any number of PowerShell commands or employ a wide variety of modules for further entrenchment and exploitation within a target environment. Reference the screenshot below for a small sample of the available modules included in PowerShell Empire:

[Screenshot: PS1]

Given the extensive capabilities of this tool, its relative simplicity of use and the broad exposure it has generated within the security community, I felt that a blog prescribing a mechanism to detect and respond to threats leveraging this utility was sorely needed.

The basic sequence to establish a C&C structure with PowerShell Empire is a three-phased process:

  1. Create a listener on your Kali box. This is a relatively straightforward procedure in which you can configure various options including the “Host” address used for the C&C communications (shown below).

[Screenshot: PS2]

After configuring the various options for the listening interface, you can “execute” the listener to prepare the server to receive communications from the agent on a target.

[Screenshot: PS3]

  2. Create a stager (payload) to launch the remote PowerShell session on the target. In this step, you must specify the attack payload type and associate the listener (created in step #1) with the stager package.

Note: You can list all stager options by simply entering “usestager <TAB>” (shown below).

[Screenshot: PS4]

Before creating a stager package, you will need to set the “listener” variable. After, you should run the “execute” command to create the attack package.

[Screenshot: PS5]

The newly created launcher.bat stager is shown below:

[Screenshots: PS6, PS7]

  3. After creating the attack package, have the payload launch on the target system and a remote PowerShell session will automatically be established between the target and the listener resident on the Kali server.

[Screenshot: PS8]

Once the session is established, simply “interact” with this session and then begin issuing PowerShell commands to the remote system.

[Screenshots: PS9, PS10, PS11, PS12]

  4. (optional) If desired, you may inject into another process on the target host to further obfuscate your presence.

[Screenshot: PS13]

Once injected into the specified process (explorer.exe), you may continue with the actions and objectives under the guise of this hijacked process.

[Screenshot: PS14]

Detection and Response

After building out several different stagers and playing around with the various attack vectors, I began to notice several patterns in how PowerShell Empire behaves when interacting with a remote host. Once identified, these behaviors provide one with a starting point to begin various detection, scoping and triage activities.

Below is a subset of the sample stagers that I analyzed in my test lab:

[Screenshots: PS15, PS16, PS17]

Detection Methods:

By far, the most rapid and effective way to detect PowerShell Empire activity is to have a real-time, kernel-level process monitoring agent in place to provide enterprise-level monitoring and alerting.

METHOD #1: The easiest way to detect an attack leveraging PowerShell Empire is to monitor for and alert on the initial attack vector behaviors used by this toolkit.

After reviewing the samples displayed above, you will quickly recognize that PowerShell Empire initializes its command sessions using similar arguments. We can then create the following watchlist in Carbon Black to monitor for this behavior:

  • cmdline:"powershell.exe -NoP -NonI -W Hidden -Enc"

(The results of this search are shown below)

[Screenshot: PS18]

When you analyze this process in Carbon Black the following behavior is observed:

[Screenshot: PS19]

METHOD #2: When you select the child PowerShell process, an additional indicator is discovered to detect PowerShell activity spawned from this process:

[Screenshot: PS20]

  • cmdline:""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile"
    • ALTERNATE: cmdline:" -s -NoLogo -NoProfile" AND process_name:powershell.exe

(The results of this search are shown below)

[Screenshot: PS21]

METHOD #3: After discovering an existing PowerShell Empire connection using METHOD #1, filter the process event data for network connections; this will then reveal the C&C server being used in the attack:

[Screenshot: PS22]

  • ipaddr:<PowerShell Empire C&C Address>

Use this criterion as a pivot to determine if PowerShell Empire has been injected into any other running processes.

NOTE: Now we see the instances of explorer that were injected into during the attack.

[Screenshot: PS23]

Using a host-based, real-time, kernel-level monitoring agent that leverages a big data, back-end correlation engine is the only way to effectively and rapidly respond to emerging threats such as PowerShell Empire.

As demonstrated in this post, Carbon Black will detect and identify serious breaches that would go undetected by a traditional IDS/IPS.

The Bit9 + Carbon Black integration takes the detection phase one step further by providing the security team a mechanism to instantly alert on and respond to a breach using the Bit9 enforcement engine.

Once notified of malicious activity, Bit9 can automatically respond to the breach by banning the PowerShell process (thus killing any currently running processes on the endpoint). Bit9 also can be configured to automatically elevate the level of enforcement on the compromised system, thus preventing other malicious binaries from executing and ensuring near real-time breach defense and remediation.

– –
Benjamin Tedesco is a technical services consultant working at Bit9 + Carbon Black as a digital forensics and incident response SME. He assists Carbon Black customers by enabling them to leverage the Bit9 + Carbon Black tool suite in their existing incident response and detection capabilities. Before coming to Bit9 + Carbon Black, Benjamin was responsible for leading a number of high-profile APT hunt-and-detection engagements. Currently, he is pursuing a master’s degree in information security and forensics at Penn State University.

To connect with me, feel free to drop me a line on LinkedIn: https://linkedin.com/in/bentedesco
