What You Can Do About Powershell Threats 

Dec 06, 2017 10:37 AM

Introduction

This is the twentieth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated February 2019.

 

The (Powershell) Swarm

I never dreamed, that it would turn out to be PowerShells! They've always been our friends!

Built into Microsoft operating systems for the past ten years, PowerShell is an incredible tool, for good or ill.  To quote its maker, Microsoft:

Windows PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

Admins have been able to create cmdlets and .ps1 scripts to automate many helpful tasks.  However, malware authors and hackers have also been making more and more use of its... erm, power... to sting innocent victims.  The following (free!) white paper is an excellent resource warning of the forthcoming fileless danger: 

THE INCREASED USE OF POWERSHELL IN ATTACKS
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf

Symantec has also created a two-minute What is a Powershell attack? video providing a brief overview.

So: what do these real-world PowerShell attacks look like?

 

We have been invaded, by an enemy far more lethal than any human force

A SWARM OF KILLER BEES, against which no gun or bomb will prove an effective defense?  Not quite. Still, an attack that most computer users, admins and security tools are not used to fighting...

One trend at the moment is a surge in cryptocurrency miners.  (With the price of bitcoins above $10,000.00, creating coins can be very profitable... especially when using someone else's equipment.)  If an admin notices that the CPU is always at 100% and other programs are having trouble running due to lack of resources, it's time to investigate whether a miner is at work. (An example, seen February 2018: MSH.Bluwimps)  A big clue that a miner is at work is if Symantec Endpoint Protection's IPS component raises this red flag and identifies Powershell.exe...

[SID: 30253] System Infected: Bitcoinminer Activity 6 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE 

If IPS is not installed (please, please, use IPS! And configure mining and SMB-related Audit signatures to BLOCK!) then Sysinternals/Microsoft's wonderful Process Explorer and Process Monitor can help troubleshoot.  I'll cut right to the scene where an admin, wearing a stylish 70's scientist lab coat, takes a closer look at what is running PowerShell:

Powershell Bitcoin Miner

That's no ordinary honeybee!  That is one very suspicious command line! Where did it come from?  And are there any more of them-?

Several Powershell Bitcoin Miner Threads Running

 

They're more virulent than the Australian Brown-Box Jellyfish!

Running a full system scan with SEP will not identify any malware.  PowerShell is a legitimate tool: SEP's AntiVirus component will not stop it. 

Tip! SEP customers with a current contract can contact Technical Support, who will help put an optional extra measure in place to prevent the misuse of Powershell. 

Otherwise, ensure the computers have all available Windows patches applied.  Identify which remote IP addresses and domains these processes are trying to communicate with, and block them at the corporate firewall.  Then, from Windows Task Manager, kill the PowerShell processes.
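The same triage can be scripted when Process Explorer is not at hand. This is an added example, not part of the original article: it lists each running PowerShell process with its command line, its parent and the remote endpoints it is connected to. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`), PowerShell 3.0 or later, and an elevated prompt.

```powershell
# Added example: triage of running PowerShell processes (run elevated).
function Get-PowerShellTriage {
    # Win32_Process exposes the full command line and the parent PID.
    $procs = Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='powershell_ise.exe'"
    foreach ($p in $procs) {
        if ($p.ProcessId -eq $PID) { continue }   # skip this investigation session
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        # Established or pending connections owned by this process, minus local ones.
        $remote = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
            Sort-Object -Unique
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Started     = $p.CreationDate
            Parent      = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { 'exited' }
            Remote      = $remote -join ', '
            CommandLine = $p.CommandLine
        }
    }
}

$triage = Get-PowerShellTriage
$triage | Format-List

# Save the evidence (remote endpoints for the firewall block list, command lines
# for analysis) before any process is killed.
$triage | Export-Csv "$env:TEMP\powershell-triage.csv" -NoTypeInformation

# After review, stop a process confirmed as malicious (placeholder PID):
# Stop-Process -Id <PID> -Force
```

A parent such as a scheduled-task host, WMI provider host or an Office application is worth noting, because killing the PowerShell process alone does not remove whatever relaunches it.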

 

There will be no air drop, until we know exactly, what we are dropping, and where, and how!

To properly fight a threat that is mis-using PowerShell, it's crucial to get visibility on what PowerShell is doing.  The default version of PowerShell on most computers (v1.0) has only very basic logging. Here is the event log information (Event ID 400) when a threat attempts to use PowerShell to download a malware payload:

Not much useful, there.

So, get a (free!) copy of the latest WMI and PowerShell release from Microsoft and install it on machines throughout the organization.  The logging is far superior.  Here's a good page and a current latest:

Installing Windows PowerShell
https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell

Download Windows Management Framework 5.1
https://www.microsoft.com/en-us/download/details.aspx?id=54616 

Once installed, configure advanced logging for PowerShell as recommended on page 30:
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
 

Then be sure to monitor, especially for Event ID 4688:

Command line process auditing
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
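For a single test machine, the logging described above can be switched on from an elevated PowerShell prompt. This is an added example, not taken from the article or the white paper: it uses the standard Microsoft policy registry values for script block logging, module logging and transcription, plus the command-line process auditing setting, and is assumed to correspond to what the white paper recommends. The transcript folder `C:\PSTranscripts` and the helper name `Set-PolicyValue` are hypothetical; `auditpol` is given the English subcategory name.

```powershell
# Added example: enable PowerShell logging and 4688 command-line auditing locally.
# Run elevated on WMF 5.x. In a domain, set the same values through Group Policy.
function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    # Create the key only when missing: New-Item -Force on an existing key wipes its values.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational
Set-PolicyValue "$ps\ScriptBlockLogging" EnableScriptBlockLogging 1

# Module logging for every module: Event ID 4103
Set-PolicyValue "$ps\ModuleLogging" EnableModuleLogging 1
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*' '*' String

# Transcription to a local folder (hypothetical path). Restrict its ACL:
# transcripts can contain credentials typed at the prompt.
$dir = 'C:\PSTranscripts'
New-Item -Path $dir -ItemType Directory -Force | Out-Null
Set-PolicyValue "$ps\Transcription" EnableTranscripting 1
Set-PolicyValue "$ps\Transcription" EnableInvocationHeader 1
Set-PolicyValue "$ps\Transcription" OutputDirectory $dir String

# Event ID 4688 (process creation) with the full command line included
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
Set-PolicyValue $audit ProcessCreationIncludeCmdLine_Enabled 1

# Verify what is now in effect
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty "$ps\ScriptBlockLogging", "$ps\ModuleLogging", "$ps\Transcription" |
    Select-Object Enable*, OutputDirectory
```

New PowerShell sessions pick up the settings; sessions that were already running keep their old behaviour until they are restarted.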

Here are the Event ID 400 details from the same threat as seen above, but with the improved logging:

We now know what domain to block (redacted, above) and what file to submit to Symantec Security Response (Roaming.exe).  That's a far better way to fight back than a bunch of guys running around with flame throwers!
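Once command-line process auditing is on, the Event ID 4688 records can be searched rather than read one at a time. This is an added example, not part of the original article: it flags PowerShell launches whose arguments show commonly reported warning signs and decodes any Base64 `-EncodedCommand` payload for review. The indicator list and the function name `Test-PSCommandLine` are choices made for this example, and the sample command line is constructed.

```powershell
# Added example: flag PowerShell launches with risky arguments in Security 4688 events.
# Needs command-line process auditing enabled; run elevated to read the Security log.
$indicators = [ordered]@{
    EncodedCommand   = '[-/]e[a-z]*\s+["'']?(?<b64>[A-Za-z0-9+/=]{20,})'
    HiddenWindow     = '[-/]w[a-z]*\s+(hidden|1)\b'
    PolicyBypass     = '[-/]e(p|x[a-z]*)\s+(bypass|unrestricted)'
    Download         = 'DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|Start-BitsTransfer'
    InvokeExpression = '\b(IEX|Invoke-Expression)\b'
}

function Test-PSCommandLine {
    param([string]$CommandLine)
    $decoded = $null
    if ($CommandLine -match $indicators['EncodedCommand']) {
        # -EncodedCommand carries Base64 of UTF-16LE text; decode it for review.
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches['b64'])) }
        catch { $decoded = '<not valid Base64>' }
    }
    # Check the decoded payload too, so indicators hidden by encoding still count.
    $text = "$CommandLine`n$decoded"
    $hits = @($indicators.Keys | Where-Object { $text -match $indicators[$_] })
    [pscustomobject]@{ Indicators = $hits -join ','; Decoded = $decoded; CommandLine = $CommandLine }
}

# Constructed sample, so the check can be tried without any events in the log.
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Output 'constructed sample'"))
Test-PSCommandLine "powershell.exe -NoP -W Hidden -Enc $b64" | Format-List

# Live data: PowerShell process creations from the last 24 hours.
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['NewProcessName'] -match '\\powershell(_ise)?\.exe$' -and $data['CommandLine']) {
        $r = Test-PSCommandLine $data['CommandLine']
        if ($r.Indicators) {
            $r | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
        }
    }
} | Format-List TimeCreated, Indicators, Decoded, CommandLine
```

Legitimate management tools also use some of these switches, so treat a hit as a lead to investigate (who launched it, what it decoded to, where it connected) rather than as a verdict.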

 

The World Might Just Survive

To summarize:

  • Be aware that PowerShell can be mis-used.
  • Even if a SEP full system scan turns up no malware, malicious code might be running in memory via PowerShell. Get visibility into what PowerShell is doing! 
  • The latest version of PowerShell has excellent logging capabilities.  Put it onto your computers!
  • SEP's logs, as well as Process Monitor and other tools, can also provide visibility.
  • Take action! Block any IP addresses or URLs being used by a PowerShell threat.  Identify any unexpected scheduled tasks that launch PowerShell, and disable them!
  • SEP customers with a current contract, please contact Technical Support for an optional extra protective measure!
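
For the scheduled-task check in the summary above, the tasks that launch PowerShell can be listed in one pass. This is an added example, not part of the original article; the function name `Get-PowerShellScheduledTask` is hypothetical, and it assumes Windows 8 / Server 2012 or later (for `Get-ScheduledTask`) and an elevated prompt.

```powershell
# Added example: list scheduled tasks whose actions launch PowerShell.
# Run elevated so that tasks belonging to other accounts are visible.
function Get-PowerShellScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Exec actions carry Execute/Arguments; COM handler actions have neither.
            # Checking both fields also catches "cmd.exe /c powershell ..." wrappers.
            $line = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($line -notmatch 'powershell|pwsh') { continue }
            [pscustomobject]@{
                Task               = $task.TaskPath + $task.TaskName
                State              = $task.State
                RunAs              = $task.Principal.UserId
                Author             = $task.Author
                Registered         = $task.Date
                # Review tasks outside \Microsoft\ first; the path alone does not
                # prove that a task is legitimate.
                UnderMicrosoftPath = $task.TaskPath -like '\Microsoft\*'
                Command            = $line
            }
        }
    }
}

Get-PowerShellScheduledTask | Sort-Object UnderMicrosoftPath, Task | Format-List

# Disable a task confirmed as unexpected (placeholder names):
# Disable-ScheduledTask -TaskPath '\<folder>\' -TaskName '<task name>'
```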

There are additional tips, too, on how to prevent PowerShell's misuse while still benefiting from legitimate scripts.  An article on Connect offers excellent advice to block W97M.Downloaders:

Preventing PowerShell from running via Office
https://www.symantec.com/connect/articles/preventing-powershell-running-office

 

Conclusion and Resources

Thanks for reading!  This article has bought us all some time.  Now go take action before it is too late.

Related Symantec links:

MSH.Bluwimps
System Infected: Bitcoinminer Activity 6
JS.Webcoinminer
PUA.WASMcoinminer

The Increased Use of PowerShell in Attacks


PowerShell Threats Grow Further and Operate in Plain Sight

Browser-Based Cryptocurrency Mining

 

Enjoy the few minutes while computers reboot and leave your comments below. 


Comments

Apr 15, 2019 02:49 AM

You have to force stop powershell threats from command prompt or by going to task manager, going to running services and ending the task.

Mar 26, 2018 08:47 AM

A good (free!) webinar that discusses PowerShell and fileless malware, then gives a demo of ATP:

Your Hidden Adversary: Understanding and Responding to Fileless Attacks
https://www.brighttalk.com/service/player/en-US/theme/default/channel/13361/webcast/296829/play

Dec 13, 2017 11:24 AM

Extra note!

The new Symantec Advanced Threat Protection (ATP) 3.0 has the capability to detect a series of suspicious PowerShell activities.  Some details:


The incidents that ATP creates
http://www.symantec.com/docs/HOWTO126023
 
