
Okay, I'm just going to keep on going right away, everyone okay with that? Good. So today I'm here to talk about automating security using PowerShell. My name is Jaap. I'm a little bit short on time today with everything I want to show, so I will explain who I am later, and otherwise check out my Twitter or my blog. So, the agenda of today: there will be a lot of PowerShell. PowerShell is my hammer, I love using PowerShell because it's what I know, so this presentation will feature a lot of PowerShell. Just to get an idea how many people actually use PowerShell, so I know what the level is here... all right, I'd say about 50%, you know, optimistic estimate.

Okay, so at first I'll be talking about PowerShell, how it's being used both offensively and defensively. Then I'll show a demo using mimikatz and how we can see what is being executed. Then I'll move on to a bit about offensive and defensive PowerShell, I will do a demo to show how to work with obfuscated code, and at the end hopefully I'll have some time for Q&A. After every demo I'll just check if anyone has any questions; if there are any questions I'll do a quick one, two questions and move on with the presentation. Good.

So PowerShell has been around for quite some time. It's obviously a Microsoft product. We've reached version 5 with the release of Windows 10 and Server 2016, and with version 5 we got a lot of cool benefits from a security point of view: they really doubled down on what will be logged when it's executed. So in previous versions of PowerShell what you had, you could set up transcription using PowerShell profiles and stuff like that, but it was very easy to get around it. There have been some projects on GitHub called NPS, Not PowerShell, which was just a simple C# program that loaded the PowerShell engine, and then you could execute PowerShell code with no more logging. So starting from version 5 it's no longer... it's still possible to do it, but if you have logging configured, which I'll show is very easy to do, you'll be able to see what is going on on your system. Am I doing this?
Okay, let's see, where did I leave off? Logging, yep, I love logging. So in the demo, I will be showing a recorded video, I'll use mimikatz. Who here is familiar with mimikatz? I think at pretty much every security conference someone will demo something with mimikatz, so I'll be the one this time. So, mimikatz and PowerShell logging. I'll first explain what kind of system I have: I have Server 2008 R2, it's an old operating system. I deliberately chose 2008 to show the benefit of actually installing PowerShell 5 on top of it. Actually it's running PowerShell 5.1, but it's not a huge difference. One thing to consider if you have Windows systems is that PowerShell will not automatically be patched by Windows Update, so if you want to have a new version of PowerShell you actually actively have to have some kind of strategy to deploy it in your environment.

All right, let's see if it actually plays. There we go. So first things first, I'm going to enable logging. I said it was really easy: it's basically two registry keys. The top one is script block invocation logging, that is the most robust way of logging, so I enable that, and script block logging. Script block logging will enable logging in the Windows event log, in the PowerShell Operational log. So this is set up. I'll be working with the PowerSploit module, this is a PowerShell module that uses a lot of Metasploit functionality. I'll import it, there are a lot of commands available here. Sorry for the static. All right, so mimikatz. I'm showing some examples here of how you can use it, it's very simple: Invoke-Mimikatz and then you can execute it. So let's see, when I'm actually going to type... it should be coming soon, there we go: Invoke-Mimikatz, and this will just be executing mimikatz and dumping my credentials. Because it's a little bit hard to read, and we were working with plain text, let's see the Operational log. I didn't do any different configuration, it's set to 15 megabytes, a size of 15 megabytes, and it automatically rolls over, so if you have a lot of events it will just do circular logging.

All right, here I am showing mimikatz, so you can see my username and password. It's a little bit small: it's administrator and something with Amsterdam, so it's very good, it has numbers and capital letters, so what else do we need? So we can see here the oldest record number is number seven thousand, so we can see that it has already rolled over. To show what will happen if I execute mimikatz five times in a row: we will see that a lot of events will be generated in the event log. So this will run, it actually takes longer to run but hopefully I cut it short. It will run five times, and every time a script block is running it will log it in the event log, and every time it does that, you can see here, it again... five times, and it's now up to 340 thousand events that have been lost because of circular logging. So the fact that we enabled the most verbose logging also means that every time one command is being executed we get about 10 megabytes of logging. So it's a lot of logging, so we should probably turn that off, which is what I'm doing here: I set the invocation script block logging to zero, so we have a little bit less verbose logging, but we'll actually be able to get the information we want, because before we weren't able to see what had been executed. So I cleared the event log so we can start from scratch, and because of how I configured the logging I open a new PowerShell, because otherwise it uses the old settings, it only checks it when the session loads. So I execute mimikatz again and get the passwords just the same way, I'll check the event log, and I can see one of the first events in there was Invoke-Mimikatz. So we can use this to take a look at what kind of commands are being executed on your system, and based on that we can tie actions to that.
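An added example, not the speaker's demo code, of the two steps the demo walks through: setting the two ScriptBlockLogging policy values (script block logging on, the noisy invocation logging off) and then pulling event 4104 out of the Microsoft-Windows-PowerShell/Operational log and matching the logged script text against a regular expression, which is the "simple regex for Invoke-Mimikatz" idea mentioned later in the talk. It assumes an elevated PowerShell 5.x session on Windows; the pattern list is an illustrative assumption, not a vetted detection rule.

```powershell
# Added example (not from the talk). Run elevated on Windows with PowerShell 5.x.
# The two values below are the policy registry keys the talk refers to.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    param([switch]$IncludeInvocationLogging)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    # EnableScriptBlockLogging = 1: every script block is logged once as event 4104
    Set-ItemProperty -Path $PolicyPath -Name EnableScriptBlockLogging -Type DWord -Value 1
    # EnableScriptBlockInvocationLogging = 1: additionally logs start/stop of every invocation
    # (events 4105/4106). This is the setting the demo turned back off because of the volume.
    $invocation = if ($IncludeInvocationLogging) { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyPath -Name EnableScriptBlockInvocationLogging -Type DWord -Value $invocation
    # The policy is read when a session starts, so open a new PowerShell to see the effect.
}

function Find-SuspiciousScriptBlock {
    param(
        # Illustrative patterns (assumption): command names and building blocks of download-and-run one-liners
        [string[]]$Pattern = @('Invoke-Mimikatz', 'Invoke-Shellcode', 'FromBase64String', 'DownloadString'),
        [int]$MaxEvents = 5000
    )
    $regex = ($Pattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 event data, in order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            if ($text -match $regex) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value
                    Matched       = $Matches[0]
                    Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length)).Replace("`n", ' ')
                }
            }
        }
}

# Usage (as administrator):
# Enable-ScriptBlockLogging          # script block logging only, without the per-command invocation noise
# Start a new PowerShell session, run the activity you want to see, then from any session:
# Find-SuspiciousScriptBlock | Format-Table -AutoSize
```

One caveat a practitioner should keep in mind: a long script is split across several 4104 events (MessageNumber of MessageTotal), so a pattern can straddle two chunks; grouping the events by ScriptBlockId and joining their ScriptBlockText before matching avoids that gap. Also, as the speaker notes, code that never passes through the PowerShell engine will not appear here at all.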
So, any questions about what I've shown here? I know the font is really small, I didn't know how big the screen would be here. So what I've done: I set up PowerShell logging, I used mimikatz to dump the credentials, I then reconfigured the logging because I was generating too many events and I don't want to buy a new SAN just to be able to store my PowerShell logging, I followed what was happening in the event log, and because of that I could see that Invoke-Mimikatz had run on my system. Yes? So the question was, let me rephrase it, the question was: can we also see what kind of commands have been executed towards LSASS, and can we go into that level of detail? It depends. If it's being executed by the PowerShell engine you'll be able to see it in the logging; if it's outside of PowerShell then it's no longer in the logging. If LSASS is in here... I didn't dig through all the events, so I'm actually not sure in what sense we can see what has been executed there. Does that answer your question? All right.

So, offensive PowerShell. Because of this logging, a trend I've been seeing more is that, in the past two or three years, PowerShell has really been picking up. There have been a lot of pen testing frameworks showing up now where at least one of the components is using PowerShell, if not everything, at least something is PowerShell. Is that because of the logging? It also becomes easier to see what's happening in the environment, and I've heard of situations at companies with blue and red team competitions, where the blue team is trying to figure out what the red team is doing, and there have been some big successes for blue teams because of the PowerShell logging, because they could just follow step by step how they were going into an environment. Unfortunately, in the real world, even if PowerShell logging is available, I personally haven't seen a lot of Server 2008 where anyone actually went through the trouble of installing PowerShell 5. So in the real world it's still a pretty good tool for an attacker: it's easy to use, I mean even I can use it, so that has to say something, and because it's available on so many platforms, and it is also available on Linux and Mac, but yeah, it's the same thing as Server 2008, nobody installs it there. So it is a very easy target. It's a lot more versatile than using wscript or cscript to get your code executed, and as has been shown today, it's very easy to just download arbitrary code from the internet and directly execute it.

Because logging gives us the information, in the previous example I just showed that I typed Invoke-Mimikatz, and okay, if you do that, we can just make a simple regular expression: if mimikatz is being executed, and another bunch of malicious commands, trigger your monitoring alert or do something with the system. But then there's also the side of obfuscation, because if there's good logging then obfuscation becomes a good tool to hide what you're doing. And to show what we can do against that, I borrowed some scripts from Lee Holmes, I'm not sure if anyone saw his talk at Black Hat. He used mathematics to determine how different a script is from known code. So if you take a script repository and you analyze how the different characters that are used in the scripts are distributed, then you can calculate how different a piece of code is from that, and based on that you could establish: okay, this is either malicious, or someone doesn't know how to code. And then we've arrived at the next demo: obfuscation and how we can detect this.

So here we go. The first thing I do: I have two folders. I have one folder, a random repository with about 300 scripts in there, and I have another folder with a couple of standard scripts, and I put the Invoke-Mimikatz script in there as well. So the first thing I'll do is I'll count the characters that are in these scripts. So I put it in a variable, global characters, and I'll just load up my entire repository. So let's take a look at what the top 10 characters are, and we see, it's just a little bit off the side, but it's just the normal letters, so e, t, a, all the letters you won't get any points for if you play Scrabble. So here's a bit more code. What we're doing here: we're going to use the vector similarity, and we're going to take a look at how the script weighs against the entire repository, how different is that code, and based on that we can establish: okay, is this going to be malicious or is this going to be just regular code like we would expect. So we're going to put it into PowerShell objects and we're going to run this against the repository with six normal scripts and one Invoke-Mimikatz, and we'll take a look at what the scores are. If I'm going to press enter... there we go. And what we would expect to see is that the normal scripts are going to get a good score, close to a hundred percent similar to the repository, of course never a hundred percent, and scripts that are out of bounds, are using obfuscation, are using silly ways to try to avoid detection, are going to show up. Like Invoke-Mimikatz over here, it has a score of 57 percent similar, so it's actually quite different, and in part this is because it's using a lot of C# code, the other part is that it uses a lot of base64 in there as well, and that is not something you would use in regular code unless you have a very good reason.

All right, so the next thing I'll do, if the video continues, there we go. The next thing I'll do, this is one of my use cases for using obfuscation in a useful way: what I like to do is, sometimes I'd like to compress my scripts if I'm in environments where it's necessary to have the code be as small as possible. So I've made a compressed base64 of an existing script, so it's just a whole bunch of garbage, and I'm going to compare what kind of score this would get. So we can see, even though I didn't do anything special, just make it base64, we can already see that its rating has dropped to 72%. To give you an indication: anything under 85 percent is suspicious, anything under 80 is definitely something you want to look at. So here I'm showing that it's just a regular script, just to delete some old files, nothing special, in ISE. ISE is one of the script editors for PowerShell, there's a module called ISESteroids, and you can convert a script into obfuscated code, and then you get something like this, but I wouldn't know what this is doing anymore, I mean, ls, what the hell is that? So I've written this to disk as well, and I'm once again going to take a look at what kind of score it is going to get. You can see, by using this application it already drops to 64 percent, while the regular script would be about 97, 98%. There we go.

So what I've shown here: I used the script that's available in the PowerShell Gallery to determine the character frequency. So when we're looking at the character frequency we exclude stuff like whitespace and line endings. Then I used vector similarity to take a look at how the character frequency relates to my entire repository. Then I encoded existing scripts and I looked at the different methods of obfuscation: in one I used compression and base64, in the second example I used the built-in method in ISESteroids to obfuscate scripts. Something else you can do, in PowerSploit or Empire, which one was it, Empire, in Empire and another PowerShell module, there's also a function called Invoke-Obfuscation, and you can obfuscate your scripts in a lot of other different ways. And I've just shown here, just to give you an indication of how you can see if something is suspicious code without even knowing what is being executed. So, any questions about this demo? Okay.
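An added example that is not the talk's demo code (the demo used Measure-CharacterFrequency and Measure-VectorSimilarity from the PowerShell Gallery). It reimplements the same idea end to end so it runs offline: character frequencies over a baseline "repository" with whitespace excluded, cosine similarity of each candidate script against that baseline, and the 85% / 80% thresholds quoted in the talk. The repository, the cleanup script, and the hand-made obfuscated variant are constructed here; the compressed-base64 launcher is generated the way the talk describes (deflate, then base64, wrapped in a one-liner that would inflate and run it) and is only built as text, never executed.

```powershell
# Added example (not from the talk). Character-frequency cosine similarity as an obfuscation signal.

function Get-CharacterFrequency {
    param([Parameter(Mandatory)][string]$Text)
    # Case-sensitive dictionary: base64 and obfuscation shift the upper/lower-case balance, and a
    # PowerShell @{} literal would fold 'a' and 'A' together.
    $counts = [System.Collections.Generic.Dictionary[char,int]]::new()
    foreach ($c in $Text.ToCharArray()) {
        if ([char]::IsWhiteSpace($c)) { continue }            # ignore whitespace and line endings
        if ($counts.ContainsKey($c)) { $counts[$c] = $counts[$c] + 1 } else { $counts[$c] = 1 }
    }
    $total = 0; foreach ($v in $counts.Values) { $total += $v }
    $freq = [System.Collections.Generic.Dictionary[char,double]]::new()
    foreach ($k in $counts.Keys) { $freq[$k] = $counts[$k] / $total }
    return ,$freq                                             # comma stops PowerShell unrolling the dictionary
}

function Measure-CosineSimilarity {
    param(
        [Parameter(Mandatory)][System.Collections.Generic.Dictionary[char,double]]$Reference,
        [Parameter(Mandatory)][System.Collections.Generic.Dictionary[char,double]]$Sample
    )
    $dot = 0.0; $normRef = 0.0; $normSample = 0.0
    foreach ($k in $Reference.Keys) { $normRef += $Reference[$k] * $Reference[$k] }
    foreach ($k in $Sample.Keys) {
        $normSample += $Sample[$k] * $Sample[$k]
        if ($Reference.ContainsKey($k)) { $dot += $Reference[$k] * $Sample[$k] }
    }
    if ($normRef -eq 0 -or $normSample -eq 0) { return 0.0 }
    return $dot / ([math]::Sqrt($normRef) * [math]::Sqrt($normSample))
}

function ConvertTo-CompressedLauncher {
    # The talk's "compressed base64 of an existing script": deflate + base64 inside an IEX one-liner.
    param([Parameter(Mandatory)][string]$Script)
    $ms = [System.IO.MemoryStream]::new()
    $ds = [System.IO.Compression.DeflateStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Script)
    $ds.Write($bytes, 0, $bytes.Length)
    $ds.Dispose()                                             # flushes; MemoryStream.ToArray still works afterwards
    $b64 = [Convert]::ToBase64String($ms.ToArray())
    return "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('$b64'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
}

function Get-ObfuscationScore {
    param(
        [Parameter(Mandatory)][string]$RepositoryText,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Scripts   # name -> script text
    )
    $baseline = Get-CharacterFrequency -Text $RepositoryText
    foreach ($name in $Scripts.Keys) {
        $score = Measure-CosineSimilarity -Reference $baseline -Sample (Get-CharacterFrequency -Text $Scripts[$name])
        $verdict = if ($score -lt 0.80) { 'investigate' } elseif ($score -lt 0.85) { 'suspicious' } else { 'normal' }
        [pscustomobject]@{ Script = $name; SimilarityPercent = [math]::Round(100 * $score, 1); Verdict = $verdict }
    }
}

# Constructed stand-in for the 300-script repository: ordinary administrative code.
$Repository = @'
function Remove-OldLog {
    param([string]$Path = 'C:\Logs', [int]$Days = 30)
    Get-ChildItem -Path $Path -Filter *.log -Recurse |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$Days) } | Remove-Item -Force
}
function Get-StoppedService {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        Get-Service -ComputerName $computer | Where-Object { $_.Status -ne 'Running' } |
            Select-Object @{ n = 'Computer'; e = { $computer } }, Name, DisplayName, Status
    }
}
'@

# Constructed candidates: the "delete some old files" script, its compressed launcher, and a hand-made
# obfuscated variant in the style of an obfuscator (format strings, char codes, aliases).
$Normal = @'
Get-ChildItem -Path 'C:\Temp' -Recurse -File |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-14) } |
    Remove-Item -Force -Verbose
'@
$Samples = [ordered]@{
    'cleanup.ps1'            = $Normal
    'cleanup-compressed.ps1' = ConvertTo-CompressedLauncher -Script $Normal
    'cleanup-obfuscated.ps1' = "&('{1}{0}' -f 'ildItem','Get-Ch') ('C:'+[char]92+'Temp') -Recurse -File|?{`$_.('{0}Time' -f 'LastWrite') -lt (&('Get-D'+'ate')).AddDays(-14)}|&('{2}{1}{0}' -f 'tem','ve-I','Remo') -Force"
}

Get-ObfuscationScore -RepositoryText $Repository -Scripts $Samples | Format-Table -AutoSize
```

The baseline here is tiny, so the exact percentages will not match the 72% and 64% from the demo; with a few hundred real scripts in $Repository the ordinary script lands near the top and the base64 and obfuscated variants drop well below it, because base64 spreads weight evenly over 64 characters and obfuscation piles up quotes, braces and format operators that ordinary code uses sparingly. The check is deliberately blind to what the code does, which is its strength (it cannot be bypassed by renaming) and its limit (a legitimate packed script scores the same as a malicious one, which is why the talk treats the score as a triage signal rather than a verdict).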
So then, defensive PowerShell. How can we use PowerShell defensively? One of the recent examples where I was put in the position of having to use PowerShell defensively was with WannaCry. Everyone is familiar with WannaCry and what happened there? Good. It was not good. You would think that SMB1 would not be enabled everywhere, but we had some clients that were very unhappy when this all happened. But this was one of the cases where detection was not really that important, because we knew what was going on on those systems. What we used PowerShell for, we used it as an impromptu configuration tool to make sure that everything either got SMB1 disabled or got patched to a correct level. So we used a number of scripts there that we combined to figure out which systems are vulnerable, which systems are patched, and based on the data we gathered we continued on using custom scripts to deploy the patches and to make sure that the systems were configured correctly and could no longer be targeted by WannaCry. So that is how we used it defensively. I've reached the end of this, do you have any questions in regards to what I've discussed? Any questions?
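An added example of the two halves the speaker describes, gathering which systems are still exposed and then configuring them; it is not the scripts his team used. It assumes WinRM reaches the targets (Invoke-Command), and that the caller supplies the hotfix IDs that apply to each OS version rather than hard-coding them, since MS17-010 shipped as different KB packages per Windows version. Disabling SMB1 through the LanmanServer SMB1 registry value plus the mrxsmb10 client driver is the method Microsoft documents for Server 2008 R2 and 2012; both need a reboot to take effect.

```powershell
# Added example (not the scripts from the talk). Inventory SMB1 exposure, then remediate.
# The probe script block is kept PowerShell 2.0 compatible because unpatched 2008 R2 hosts often still run it.

function Get-Smb1Exposure {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory)][string[]]$RequiredHotfix,   # MS17-010 KB IDs for the targets' OS versions
        [pscredential]$Credential
    )
    $probe = {
        param([string[]]$Kbs)
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $installed = @(Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } | Select-Object -ExpandProperty HotFixID)
        New-Object -TypeName PSObject -Property @{
            ComputerName   = $env:COMPUTERNAME
            OSVersion      = [Environment]::OSVersion.Version.ToString()
            # No SMB1 value present means the default applies, and the default on these servers is enabled
            Smb1Enabled    = ($null -eq $smb1) -or ($smb1 -ne 0)
            PatchInstalled = $installed.Count -gt 0
            MatchedKB      = ($installed -join ',')
        }
    }
    $invoke = @{ ComputerName = $ComputerName; ScriptBlock = $probe; ArgumentList = (,$RequiredHotfix) }
    if ($Credential) { $invoke.Credential = $Credential }
    Invoke-Command @invoke | Select-Object ComputerName, OSVersion, Smb1Enabled, PatchInstalled, MatchedKB
}

function Disable-Smb1 {
    param([Parameter(Mandatory)][string[]]$ComputerName, [pscredential]$Credential)
    $fix = {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        # Server side: stop offering SMB1 to clients
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
        # Client side: remove the SMB1 mini-redirector from the workstation dependencies and disable it
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
        "$($env:COMPUTERNAME): SMB1 disabled, reboot required"
    }
    $invoke = @{ ComputerName = $ComputerName; ScriptBlock = $fix }
    if ($Credential) { $invoke.Credential = $Credential }
    Invoke-Command @invoke
}

# Usage: report first, then act only on what the report shows.
# The KB IDs below are, as an assumption to be verified against the MS17-010 bulletin, the security-only
# and monthly-rollup packages for Server 2008 R2; supply the IDs matching your own OS mix.
# $report = Get-Smb1Exposure -ComputerName (Get-Content .\servers.txt) -RequiredHotfix 'KB4012212','KB4012215'
# $report | Where-Object { $_.Smb1Enabled -and -not $_.PatchInstalled } | Format-Table -AutoSize
# Disable-Smb1 -ComputerName ($report | Where-Object { $_.Smb1Enabled } | Select-Object -ExpandProperty ComputerName)
```

Two design points match what the speaker describes. Gathering is separated from changing so the first pass is read-only and its output can be reviewed before anything is touched; and the check looks at both conditions, because a patched host with SMB1 still on is no longer exploitable by that exploit but is still offering a protocol you want gone, while an unpatched host with SMB1 disabled is safe from the worm but still needs the patch.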
Thanks. Is this your first question today? God, yeah, I know, right. So you've shown us a lot of things that PowerShell can do. Maybe, on a bit more of a personal note, how did you get into PowerShell and why do you prefer it so much, why is this your hammer, so to speak?

I was put on a project where we had to migrate some stuff off a server, and there was no way to get it off because it was a proprietary Symantec product and we didn't have vendor support anymore, and we needed to get stuff off there, and they just said: you guys have two months, you can figure out the strategy how to do it, we don't care if you just have to double-click every file individually or you're going to do something in an automated way. So we used a combination of VBScript, it was a few years ago, VBScript and PowerShell, to get that migration done, and what it ended up being was a pretty easy job, because after we prepared the scripts, it took us about 3-4 months, we spent the year afterwards performing all the migrations in a fully automated way, and all we were doing was, let's just say I was drinking coffee while the migrations were taking place. So that was the first time I really saw the benefit of automation and that I actually put it in practice. The reason it was PowerShell: it was new at the time and it was on the Windows platform, so PowerShell was the logical choice.

So I know you played with the logging, the new logging stuff in PowerShell 5, and what logging level did you get... well, I know that the obfuscated code does get de-obfuscated when the actual PowerShell command runs. That's correct. So in your experience, what's the best logging level to capture that without losing out on information?

My strategy for systems where it's actually critical enough to have this kind of logging enabled is to enable event forwarding: forward your events to a different server at the highest logging level, the first one I configured, with invocation logging, and then figure out on that server which events can be discarded and which ones you actually want. So I would enable, for critical systems, the highest level of logging.

I have kind of a follow-up or comment on that, and that is, if you're in a situation where invocation logging is too much information, or where you're repeating a lot of information because, you know, you have a bunch of script blocks executing one over the other, you could complement the strategy of using script block logging without invocation logging with something like Sysmon, for example, that will also give you at least a snapshot of changes to the environment, which is what invocation logging is trying to achieve. So that's kind of an alternative.

Yeah, and Procmon is also quite nice for very short-term logging to see what's going on, so yeah, definitely. So I would be very happy if someone, even if you don't have a question, raises their hand, on the guide side afterwards.

This is more of a comment slash follow-on to both those comments, but we use both Sysmon and PowerShell logging, but the cool thing about the event forwarding is there's some specific XML that you can use to tune event forwarding on the server. So say you have administrators using a lot of the same scripts all the time throughout the day, you can take those, tune them out, and then still have logging turned on at a higher level, so you're not getting a lot of logs sent to your event server. And we also use Sysmon, to answer your question, with the process access turned on, to see what's being injected into LSASS.

Thank you. Okay, thanks, thanks, yep, thank you. [Applause]