This is the twentieth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated February 2019.
I never dreamed, that it would turn out to be PowerShells! They've always been our friends!
Built into Microsoft operating systems for the past ten years, PowerShell is an incredible tool, for good or for ill. To quote from its makers, Microsoft:
Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.
Admins have been able to create cmdlets and .ps1 scripts to automate many helpful tasks. However, malware authors and hackers have also been making more and more use of its... erm, power... to sting innocent victims. The following (free!) white paper is an excellent resource warning of the growing fileless danger:
THE INCREASED USE OF POWERSHELL IN ATTACKS
Symantec has also created a two-minute What is a Powershell attack? video providing a brief overview.
So: what do these real-world PowerShell attacks look like?
We have been invaded, by an enemy far more lethal than any human force
A SWARM OF KILLER BEES, against which no gun or bomb will prove an effective defense? Not quite. Still, an attack that most computer users, admins and security tools are not used to fighting...
One trend at the moment is a surge in cryptocurrency miners. (With the price of bitcoins above $10,000.00, creating coins can be very profitable.... especially when using someone else's equipment.) If an admin notices that the CPU is always at 100% and other programs are having trouble running due to lack of resources, it's time to investigate whether a miner is at work. (An example, seen February 2018: MSH.Bluwimps.) A big clue that a miner is at work is if Symantec Endpoint Protection's IPS component raises this red flag and identifies PowerShell.exe as the offending application:
[SID: 30253] System Infected: Bitcoinminer Activity 6 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
If IPS is not installed (please, please, use IPS! And configure the mining- and SMB-related Audit signatures to BLOCK!) then Sysinternals/Microsoft's wonderful Process Explorer and Process Monitor can help troubleshoot. I'll cut right to the scene where an admin, wearing a stylish 70's scientist lab coat, takes a closer look at what is running PowerShell:
That's no ordinary honeybee! That is one very suspicious command line! Where did it come from? And are there any more of them-?
They're more virulent than the Australian Brown-Box Jellyfish!
Running a full system scan with SEP will not identify any malware. PowerShell is a legitimate tool: SEP's AntiVirus component will not stop it.
Tip! SEP customers with a current contract can contact Technical Support, who will help put an optional extra measure in place to prevent the misuse of PowerShell.
Otherwise, ensure the computers have all available Windows patches applied. Identify which remote IP addresses and domains these processes are trying to communicate with, and block them at the corporate firewall. Then, from Windows Task Manager, kill the PowerShell processes.
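The triage steps just described (find the PowerShell processes and their command lines, identify the remote endpoints to block, then deal with the process and any scheduled task that relaunches it) can be done from an elevated PowerShell prompt instead of by hand. The script below is an added example written for this article and is not Symantec's or Microsoft's code. The list of suspicious command-line patterns is constructed here as an illustration, and the `Get-NetTCPConnection` and `Get-ScheduledTask` cmdlets are assumed to be available (Windows 8 / Server 2012 or later). It goes one step beyond the text by also checking scheduled tasks for PowerShell persistence.

```powershell
# Added example: triage of a suspected PowerShell miner on one host.
# Not part of the original article. Run in an elevated session so that
# processes owned by every user are visible.

# Constructed list of indicators often seen in abusive PowerShell command lines.
# A match is a reason to investigate, not proof of compromise: some admin
# tooling uses these switches legitimately.
$suspiciousPatterns = @(
    '-(e|ec|enc|encodedcommand)\s',      # Base64-encoded command
    '-(w|win|windowstyle)\s+hidden',     # hidden window
    '-(nop|noprofile)\b',                # profile skipped
    '-(ep|executionpolicy)\s+bypass',    # execution policy bypassed
    'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient',
    'IEX|Invoke-Expression',
    'FromBase64String'
)
$pattern = $suspiciousPatterns -join '|'   # -match is case-insensitive by default

# 1. Every running PowerShell process, with its parent and full command line
#    (the same information Process Explorer shows in its Command Line column).
$procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
$report = foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        CPUSeconds  = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)  # 100 ns units
        Suspicious  = [bool]($p.CommandLine -match $pattern)
        CommandLine = $p.CommandLine
    }
}
$report | Sort-Object Suspicious, CPUSeconds -Descending | Format-Table -AutoSize -Wrap

# 2. Remote endpoints those processes are talking to. These are the addresses
#    to block at the corporate firewall before the process is killed, so that
#    a relaunch cannot reach the same infrastructure.
$pids = @($procs | ForEach-Object ProcessId)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $pids -contains $_.OwningProcess } |
    Select-Object OwningProcess, RemoteAddress, RemotePort |
    Sort-Object RemoteAddress, RemotePort -Unique

# 3. Persistence: scheduled tasks whose action launches PowerShell. A legitimate
#    admin task normally runs a named .ps1 from a known path; an encoded or
#    download-and-execute one-liner is the usual sign of a miner that will
#    come back after Task Manager kills it.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh') {
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = $task.State
                Execute    = $a.Execute
                Arguments  = $a.Arguments
                Suspicious = [bool]($a.Arguments -match $pattern)
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# Once the firewall block is in place, a flagged task is disabled with
#   Disable-ScheduledTask -TaskPath <path> -TaskName <name>
# and the process is stopped with
#   Stop-Process -Id <PID>
```

Review the three tables together before acting: a PowerShell process whose parent is an unexpected program, that has burned hours of CPU, and that is talking to an address nobody recognizes is the one the IPS signature above was complaining about. Keep the command line and the remote addresses for the report to Security Response.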
There will be no air drop, until we know exactly, what we are dropping, and where, and how!
To properly fight a threat that is mis-using PowerShell, it's crucial to get visibility on what PowerShell is doing. The default version of PowerShell on most computers (v1.0) has only very basic logging. Here is the event log information (Event ID 400) when a threat attempts to use PowerShell to download a malware payload:
Not much of use there.
So, get a (free!) copy of the latest WMI and PowerShell release from Microsoft and install it on machines throughout the organization. The logging is far superior. Here's a good page, and the current latest release:
Installing Windows PowerShell
Download Windows Management Framework 5.1
Once installed, configure advanced logging for PowerShell as recommended on page 30:
Then be sure to monitor, especially for Event ID 4688:
Command line process auditing
Here are the Event ID 400 details from the same threat seen above, but with the improved logging....
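The "advanced logging" the article tells you to configure consists of three Windows settings: PowerShell Script Block Logging, PowerShell Module Logging, and command-line process auditing (the Event ID 4688 monitoring mentioned above). The script below is an added example, not code from the article or from Symantec; it writes the documented Group Policy-backed registry values locally and then pulls back the events they produce. It assumes Windows Management Framework 5.1 is installed and the session is elevated; in a domain the same settings should be pushed by GPO rather than set per machine. The hunting regex in the query function is constructed for illustration.

```powershell
# Added example: enable the advanced PowerShell logging recommended in the
# article and query what it captures. Not part of the original article.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging: the de-obfuscated content of every script block is
# written as Event ID 4104 to Microsoft-Windows-PowerShell/Operational, so an
# -EncodedCommand launcher is logged as the code it actually ran.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging for all modules ('*'): pipeline execution details, Event ID 4103.
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Command-line process auditing: Event ID 4688 in the Security log now carries
# the full command line of each new process, powershell.exe included.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Query the events the settings above produce. Fields are read from the event
# XML rather than by scraping the rendered Message, so the parsing does not
# depend on display language.
function Get-SuspiciousPowerShellEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Constructed hunting regex; widen or narrow it to fit the environment.
    $hunt = 'DownloadString|DownloadFile|FromBase64String|Invoke-Expression|\bIEX\b'

    # 4104: script block text. Level 3 (Warning) entries are the ones PowerShell
    # itself considers suspicious and logs even when the policy is off.
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $text = ($data | Where-Object Name -eq 'ScriptBlockText').'#text'
        if ($text -match $hunt) {
            [pscustomobject]@{ Time = $_.TimeCreated; Level = $_.Level; Script = $text }
        }
    }

    # 4688: process creation with command line, narrowed to PowerShell launches.
    $launches = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd -match 'powershell\.exe|pwsh\.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ParentImage = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
                CommandLine = $cmd
            }
        }
    }

    [pscustomobject]@{ ScriptBlocks = $blocks; ProcessLaunches = $launches }
}

$events = Get-SuspiciousPowerShellEvents -Hours 24
$events.ProcessLaunches | Format-Table -AutoSize -Wrap
$events.ScriptBlocks    | Format-Table -AutoSize -Wrap
```

The 4688 entries answer "what launched PowerShell and with which arguments", which is what the Event ID 400 entry on the old engine could not tell you; the 4104 entries answer "what did the script actually do once it ran", including any download URL and dropped file name, which is exactly the domain-to-block and file-to-submit information the next paragraph describes.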
We now know what domain to block (redacted, above) and what file to submit to Symantec Security Response (Roaming.exe). That's a far better way to fight back than a bunch of guys running around with flame throwers!
The World Might Just Survive
- Be aware that PowerShell can be mis-used.
- Even if a SEP full system scan turns up no malware, malicious code might be running in memory via PowerShell. Get visibility into what PowerShell is doing!
- The latest version of PowerShell has excellent logging capabilities. Put it onto your computers!
- SEP's logs, as well as Process Monitor and other tools, can also provide visibility.
- Take action! Block any IP addresses or URLs being used by a PowerShell threat. Identify any unexpected scheduled tasks that launch PowerShell, and disable them!
- SEP customers with a current contract, please contact Technical Support for an optional extra protective measure!
There are additional tips, too, on how to prevent PowerShell's misuse while still benefiting from legitimate scripts. An article on Connect offers excellent advice to block W97M.Downloaders:
Preventing PowerShell from running via Office
Conclusion and Resources
Thanks for reading! This article has bought us all some time. Now go take action before it is too late.
Related Symantec links:
System Infected: Bitcoinminer Activity 6
The Increased Use of PowerShell in Attacks
PowerShell Threats Grow Further and Operate in Plain Sight
Browser-Based Cryptocurrency Mining
Enjoy the few minutes while computers reboot and leave your comments below.