Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

PowerShell

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including Empire, [2] PowerSploit, [3] and PSAttack. [4]

ID: T1086

Tactic: Execution

Platform:  Windows

Permissions Required:  User, Administrator

Data Sources:  Windows Registry, File monitoring, Process monitoring, Process command-line parameters

Supports Remote:  Yes

Version: 1.0

Examples

NameDescription
APT19

APT19 used PowerShell commands to execute payloads.[5]

APT28

APT28 downloads and executes PowerShell scripts.[6]

APT29

APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell scripts to evade defenses.[7][8]

APT3

APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[9]

APT32

APT32 has used PowerShell-based tools and shellcode loaders for execution.[10]

AutoIt backdoor

AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.[11]

BRONZE BUTLER

BRONZE BUTLER has used PowerShell for execution.[12]

Cobalt Group

Cobalt Group has used powershell.exe to download and execute scripts.[13][14][15][16][17]

Cobalt Strike

Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does write any data to disk.[18]

CopyKittens

CopyKittens has used PowerShell Empire.[19]

DarkHydrus

DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.[20][21]

Deep Panda

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[22]

DownPaper

DownPaper uses PowerShell for execution.[23]

Dragonfly 2.0

Dragonfly 2.0 used PowerShell scripts for execution.[24][25][26]

FIN10

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[27][2]

FIN6

FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[28]

FIN7

FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[29][30]

FIN8

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell during and.[31][32]

Gorgon Group

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[33]

HALFBAKED

HALFBAKED can execute PowerShell scripts.[29]

HAMMERTOSS

HAMMERTOSS is known to use PowerShell.[34]

Helminth

One version of Helminth uses a PowerShell script.[35]

Leviathan

Leviathan has used PowerShell for execution.[36][37]

Magic Hound

Magic Hound has used PowerShell for execution and privilege escalation.[38][39]

menuPass

menuPass uses PowerSploit to inject shellcode into PowerShell.[40]

Mosquito

Mosquito can launch PowerShell Scripts.[41]

MuddyWater

MuddyWater has used PowerShell for execution.[42][43]

OilRig

OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.[44][45]

Patchwork

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[46][47]

Poseidon Group

The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[48]

POSHSPY

POSHSPY uses PowerShell to execute various commands, one to execute its payload.[49]

POWERSOURCE

POWERSOURCE is a PowerShell backdoor.[50][51]

PowerSploit

PowerSploit modules are written in and executed via PowerShell.[52][53]

POWERSTATS

POWERSTATS uses PowerShell.[54]

POWRUNER

POWRUNER is written in PowerShell.[44]

Pupy

Pupy has a module for loading and executing PowerShell scripts.[55]

QUADAGENT

QUADAGENT uses PowerShell scripts for execution.[56]

RATANKBA

There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.[57][58]

RogueRobin

RogueRobin uses PowerShell for execution.[20]

SeaDuke

SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.[7]

Socksbot

Socksbot can write and execute PowerShell scripts.[47]

Stealth Falcon

Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.[59]

TA459

TA459 has used PowerShell for execution of a payload.[60]

Threat Group-3390

Threat Group-3390 has used PowerShell for execution.[61]

Thrip

Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[62]

Turla

Turla has used a custom executable to execute PowerShell scripts.[63]

Mitigation

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. [64] Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

Detection

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.

It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. [65] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. [66] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

References

  1. Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. PowerSploit. (n.d.). Retrieved December 4, 2014.
  4. Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
  5. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  6. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  7. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  8. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  9. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  10. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  11. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  12. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  13. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  14. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  15. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  16. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  17. Klijnsma, Y.. (2018, January 16). First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks. Retrieved October 10, 2018.
  18. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  19. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  20. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  21. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  22. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  23. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  24. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  25. Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
  26. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  27. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  28. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  29. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  30. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  31. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  32. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  33. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  1. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  2. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  4. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  5. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  6. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  7. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  8. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  9. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  10. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  11. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  12. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  13. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  14. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  15. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  16. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  17. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  18. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
  19. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  20. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  21. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  22. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  23. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  24. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  25. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  26. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  27. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  28. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  29. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
  30. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  31. Sutherland, S. (2014, September 9). 15 Ways to Bypass the PowerShell Execution Policy. Retrieved July 23, 2015.
  32. Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.
  33. Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.