Attacks that forgo malware in favor of more subtle techniques, such as PowerShell and other script-based attacks, have seen an uptick in popularity. These attacks often avoid detection by traditional AV solutions. In an article written by pentestlab.blog, the author illustrates how a simple script generated with a widely available tool bypasses security measures. In this article we'll illustrate Falcon using multiple detection capabilities to prevent PowerShell and other script-based attacks.
An updated Kali Linux machine with Metasploit and a Windows 7 host were used. Next we'll look at the steps needed to recreate the attack.
Step 1: Generate a Certificate
The generated script is an encoded PowerShell command that establishes an encrypted connection from the target back to the attacker. Because the channel is encrypted, a HIPS or other network-inspection control cannot see the contents of the packets.
The following steps come directly from the informative blog posted by pentestlab.blog.
First, to generate a certificate for the encrypted channel, I used the Metasploit module impersonate_ssl and chose a common domain to impersonate. Once it completes, verify that the generated certificate file is on the desktop.
Step 2: Configure the Listener
This step isn't in the same order as in the original article but accomplishes the same goal. The listener defines the attacker machine (address and port) and the .pem file to use when creating the communication channel. It also specifies that SSL is to be used when communicating with the victim.
Step 3: Generate a Payload
Finally, msfvenom is used to generate a payload. In this case the payload is a .bat file that, when run, launches an encoded PowerShell command that opens a communication channel from the victim to the attacker. The payload leverages the certificate generated in step 1 to establish the encrypted connection.
Example: Falcon Protects Against PowerShell and Other Script-Based Attacks
The Falcon Platform is a single agent that performs multiple functions. In this scenario, I'll use Falcon Prevent to identify what this threat is trying to accomplish.
In the alert below, the process tree gives a clear picture of how this attack works and what it's trying to accomplish. We can see that explorer.exe launches a command prompt, and the command line in that command prompt opens the batch script created in Metasploit, "crowdstrike.bat".
Looking at the next two steps, we see that the new command prompt calls PowerShell and runs an encoded command. The subsequent PowerShell process is that same encoded command running.
Finally, the last process is the attempted execution of the encoded script. This instance illustrates three separate suspicious behaviors, although Falcon needs only one to prevent. The green text indicates that a suspicious process was identified and prevented. Next, Falcon recognizes that PowerShell was given an encoded command, which is suspicious in itself. Finally, Metasploit's Meterpreter is identified as having been loaded into a process.
On the right, in the details pane, we get additional information on what the script was trying to accomplish. The Network Operations section identifies the attacker server and shows that communications were over port 443. In Disk Operations, a list of all the DLLs loaded and all files read and written to disk is available for further investigation.
In conclusion, script-based and other PowerShell-type attacks often avoid detection by both new and old detection capabilities. CrowdStrike utilizes many types of detection methods to both identify and stop the broad range of attack vectors in use today.
How to Block Malicious PowerShell Activity: Bypassing Traditional AV
Today's attacks are seemingly endless. They come from almost any source and exploit any number of different vulnerabilities. A security solution has to be able to stop not only the more common attacks, but also the obscure or lesser-known ones.
In this demo, we'll generate a script using Metasploit. It is designed to create an encrypted communication channel between the attacker and victim. This channel will allow the attacker to deliver a malicious payload without being detected by a traditional HIPS-like product.
To get started, I'll open the Metasploit framework and load the module impersonate_ssl. In this situation, I'll use a common domain, google.com for example, and then run.
Once that is completed, a certificate file will be created. In my situation, the file was placed into the Downloads folder. I’ll move it to the desktop for ease of use for the other steps.
Next, I’ll configure a listener. I’ll configure the IP address of the attacker machine and the port on which it should communicate.
Next, I’ll specify the path of the certificate file that I generated and placed on the desktop.
And then finally, I'll configure the handler to validate the SSL certificate on new connections.
Once that is complete, the last step is to use msfvenom to generate the payload. In this case, the payload will be a batch script that launches an encoded PowerShell command. Once that's done, the script, which I named "crowdstrike.bat," is output onto the desktop.
Finally, to start the handler, I'll type "run." Once it's listening, I'll go over to the victim machine and run the script.
In a real scenario, the attacker would have to find a way to launch this script in the target environment. I'm going to skip delivery for brevity's sake, but delivery could happen in any number of ways: phishing, a watering hole, or the use of stolen credentials.
Launching the script from a command prompt, we briefly see the encoded command before the process is killed. In the Falcon UI, let's see what we were able to detect in that brief moment before the process was killed.
Refreshing the UI, we see a new detection with a “+2.” This indicates that there were multiple behaviors detected in this single event. Expanding the event, we can see the process tree that ends with a PowerShell process being stopped.
The first thing I want to point out is the cmd.exe process that we started. In the Execution Details pane on the right, we see the command prompt opening.
Then the next cmd.exe line is the script being loaded. We can see the full command line details as well. We can see that the script opens PowerShell and then runs an encoded command.
Next in the process tree, we see the PowerShell process and the full encoded command generated by msfvenom.
Finally, at the bottom of the process tree, there are three separate alerts associated with this process. The first is the prevention of the suspicious process. Next is the highest-severity suspicious activity, which identified the encoded PowerShell command. And finally, Falcon recognized Meterpreter being loaded into a process.
To get even more detail, we can expand the Network Operations and Disk Operations sections on the right. In the Network Operations section, we see the attacker IP and port number, and in the Disk Operations, all the DLLs accessed, files written, and files read are also listed.
This demo is just a single example of the many different ways Falcon is designed to stop all kinds of attacks and provide insight into the adversary behavior. For more information on how Falcon stops breaches, head over to crowdstrike.com.