Introduction
This is the twentieth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated December 2017.
I never dreamed, that it would turn out to be PowerShells! They've always been our friends!
Built into Microsoft operating systems for the past ten years, PowerShell is an incredible tool, for good or ill. To quote its makers, Microsoft:
Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
Admins have been able to create cmdlets and .ps1 scripts to automate many helpful tasks. However, malware authors and hackers have also been making more and more use of its... erm, power... to sting innocent victims. The following (free!) white paper is an excellent resource warning of the forthcoming fileless danger:
THE INCREASED USE OF POWERSHELL IN ATTACKS
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
So: what do these real-world PowerShell attacks look like?
We have been invaded, by an enemy far more lethal than any human force
A SWARM OF KILLER BEES, against which no gun or bomb will prove an effective defense? Not quite. Still, an attack that most computer users, admins and security tools are not used to fighting...
One trend at the moment is a surge in cryptocurrency miners. (With the price of bitcoins above $10,000.00, creating coins can be very profitable.... especially when using someone else's equipment.) If an admin notices that the CPU is always at 100% and other programs are having trouble running due to lack of resources, it's time to investigate whether a miner is at work. A big clue is if Symantec Endpoint Protection's IPS component raises these red flags...
[SID: 30253] System Infected: Bitcoinminer Activity 6 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
If IPS is not installed (please, please, use IPS! And configure this Audit signature to BLOCK!) then Sysinternals/Microsoft's wonderful Process Explorer and Process Monitor can help troubleshoot. I'll cut right to the scene where an admin, wearing a stylish 70's scientist lab coat, takes a closer look at what is running PowerShell:
That's no ordinary honeybee! That is one very suspicious command line! Where did it come from? And are there any more of them-?
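The same look at "what is running PowerShell" can be taken from a PowerShell prompt instead of Process Explorer. The following is an added example, not code from the original article: it lists every running powershell.exe with its parent process, owner, CPU time and full command line, and flags the command-line traits that commonly appear when PowerShell is misused (encoded commands, downloads, hidden windows). The pattern list is constructed for illustration and can be extended; run it from an elevated prompt so that other users' processes are visible.

```powershell
# Added example (not from the original article): report every running
# PowerShell process with parent, owner, CPU time and command line, and
# flag command-line traits that deserve a closer look.

# Constructed list of strings that warrant investigation; extend to taste.
$suspiciousPatterns = @(
    '-EncodedCommand', '-enc ',                 # base64-wrapped payloads
    'DownloadString', 'DownloadFile',           # pulling code from the network
    'Invoke-Expression', 'IEX',                 # executing text as code
    'ExecutionPolicy Bypass', '-ep bypass',     # policy evasion
    '-WindowStyle Hidden', '-w hidden',         # running out of sight
    '-NonInteractive', '-nop'                   # typical of unattended launches
)

function Get-PowerShellProcessReport {
    # Win32_Process exposes CommandLine and ParentProcessId, which Get-Process does not.
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[$p.ProcessId] = $p }

    $all | Where-Object { $_.Name -ieq 'powershell.exe' } | ForEach-Object {
        $cmd    = if ($_.CommandLine) { $_.CommandLine } else { '' }
        $hits   = $suspiciousPatterns | Where-Object { $cmd -like "*$_*" }
        $parent = $byId[$_.ParentProcessId]
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner

        [pscustomobject]@{
            PID         = $_.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPID   = $_.ParentProcessId
            User        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '?' }
            # Kernel and user time are reported in 100-nanosecond units.
            CpuSeconds  = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
            Flags       = ($hits -join ', ')
            CommandLine = $cmd
        }
    }
}

# Busiest processes first: a miner will sit at the top of this list.
Get-PowerShellProcessReport | Sort-Object CpuSeconds -Descending | Format-List
```

A flagged entry is a reason to look, not proof of infection: legitimate management scripts also use -NonInteractive or -ExecutionPolicy Bypass. The combination that matters here is a high CpuSeconds value, an unexpected parent (an Office application, a scheduled task, a service) and a command line that downloads or decodes code.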
They're more virulent than the Australian Brown-Box Jellyfish!
Running a full system scan with SEP will not identify any malware, because there is no malicious file on disk to find: PowerShell itself is a legitimate tool, and SEP's AntiVirus component will not stop it.
Tip! SEP customers with a current contract can contact Technical Support, who will help put an optional extra measure in place to prevent the misuse of PowerShell.
Otherwise, ensure the computers have all available Windows patches applied. Identify which remote IP addresses and domains these processes are trying to communicate with, and block them at the corporate firewall. Then, from Windows Task Manager, kill the PowerShell processes.
There will be no air drop, until we know exactly, what we are dropping, and where, and how!
To properly fight a threat that is mis-using PowerShell, it's crucial to get visibility on what PowerShell is doing. The default version of PowerShell on most computers (v1.0) has only very basic logging. Here is the event log information (Event ID 400) when a threat attempts to use PowerShell to download a malware payload:
Not much of use there.
So, get a (free!) copy of the latest Windows Management Framework (WMF) release from Microsoft, which carries the current PowerShell, and install it on machines throughout the organization. The logging is far superior. At the time of writing, the latest is:
Download Windows Management Framework 5.1
https://www.microsoft.com/en-us/download/details.aspx?id=54616
Once installed, configure advanced logging for PowerShell as recommended on page 30:
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
Then be sure to monitor, especially for Event ID 4688:
Command line process auditing
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
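The steps above (install WMF 5.1, turn on the advanced PowerShell logging, enable command-line process auditing, then watch the events) can be carried out and checked from PowerShell itself. The following is an added example, not code from the article or from the white paper: the first function sets the local policy registry values for the three logging features PowerShell 5 provides (script block logging, module logging and transcription) and for Event ID 4688 command-line inclusion; the second pulls the resulting events back for review. The transcript directory C:\PSTranscripts is an assumed path. On a domain-joined machine the equivalent Group Policy settings take precedence over these local values, and the ParentProcessName field of Event 4688 is only present on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the article or the white paper): enable PowerShell 5
# logging and Event ID 4688 command-line auditing via the registry, then pull
# the resulting events for review. Run from an elevated prompt.

function Enable-PowerShellAdvancedLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging: Event ID 4104 records the de-obfuscated code that actually ran.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: Event ID 4103 records pipeline details; '*' covers every module.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Transcription: a text transcript of every session. The directory is an assumed path;
    # restrict its ACL so ordinary users cannot read or tamper with transcripts.
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

    # Event ID 4688 with the new process's command line included, and the subcategory audited.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
}

function Get-RecentPowerShellEvidence {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Process creations (4688) where the new process is powershell.exe, with its command line.
    $procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML rather than relying on property positions.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.NewProcessName -like '*\powershell.exe') {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = 4688; Parent = $d.ParentProcessName; Detail = $d.CommandLine }
            }
        }

    # Script blocks as executed (4104): shows the real code even when the launch line was encoded.
    $blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] is ScriptBlockText in the 4104 event template.
            [pscustomobject]@{ Time = $_.TimeCreated; Id = 4104; Parent = ''; Detail = $_.Properties[2].Value }
        }

    @($procs) + @($blocks) | Sort-Object Time
}

Enable-PowerShellAdvancedLogging
Get-RecentPowerShellEvidence -Hours 24 | Format-Table -Wrap -AutoSize
```

Reading the two event types side by side is the point: 4688 tells you what launched PowerShell and with which arguments, and 4104 tells you what the script actually did once decoded, which is where the download domain and the dropped file name (the information the author extracts from the improved Event ID 400 below) become visible even when the command line was obfuscated.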
Here's the Event ID 400 details from the same threat as seen above, but with the improved logging....
We now know what domain to block (redacted, above) and what file to submit to Symantec Security Response (Roaming.exe). That's a far better way to fight back than a bunch of guys running around with flame throwers!
The World Might Just Survive
There are additional tips, too, on how to prevent PowerShell's misuse while still benefiting from legitimate scripts. An article on Connect offers excellent advice on blocking W97M.Downloader threats:
Preventing PowerShell from running via Office
https://www.symantec.com/connect/articles/preventing-powershell-running-office
Conclusion
Thanks for reading! This article has bought us all some time. Now go take action before it is too late.
Enjoy the few minutes while computers reboot and leave your comments below.