In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) adversaries used in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result of this research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.
Our research found that PowerShell was the second most prevalent MITRE ATT&CK technique used by adversaries in their malware. PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows operating systems. Since PowerShell has extensive access to Windows internals, system administrators frequently use it to manage and configure the operating system and to automate complex tasks.
Not only system administrators but also adversaries have realized the potential of incorporating such a powerful tool into their arsenal. Hence, PowerShell appeared as the second most frequently used MITRE ATT&CK technique in our research.
The purpose of this blog post is to review:
- the fundamentals of the PowerShell technique,
- why and how adversaries use PowerShell,
- which threat actors and malware use the technique, and
- red, blue, and purple teaming exercises for the PowerShell technique.
Introduction
It is easy to detect a third-party program that is used to execute commands on Windows. Therefore, adversaries frequently use built-in Windows command-line and scripting tools to run their commands. PowerShell is one of those tools, and it provides significant benefits for adversaries, enabling them to:
- create fileless malware that runs in the memory without leaving any traces on disk
- perform sophisticated actions with extensive access to OS internals
- persist on the system by regularly loading malicious code into memory
- discover information, collect and exfiltrate data
- move laterally through networks
Although the PowerShell technique is categorized only in the Execution tactic of the MITRE ATT&CK framework, it is also a powerful technique to achieve the Defense Evasion tactic. Adversaries use PowerShell to employ the following defense evasion techniques:
- direct, in-memory loading and execution of malicious code
- downloading and executing malware payloads without writing any data to disk (fileless execution)
- executing complex code without installing additional software (T1064 Scripting)
- evading Antimalware Scan Interface (AMSI) and changing Windows Defender settings (T1089 Disabling Security Tools)
- blocking events by disabling Script Block Logging (T1054 Indicator Blocking)
- injecting malicious code into legitimate processes (T1055 Process Injection)
- locating and impersonating user logon tokens (T1134 Access Token Manipulation)
How do threat actors leverage publicly available PowerShell tools?
The extensive capabilities of PowerShell have attracted the attention of red teams and penetration testers. Consequently, powerful red team and penetration testing frameworks and tools have been developed in PowerShell, such as Empire (PowerShell Empire) [1], PowerSploit [2], Nishang [3], PoshC2 [4], and Posh-SecMod [5].
All of these tools are open source and publicly available. Although they were developed for use by red teams and penetration testers, threat actors frequently leverage them for malicious purposes in cyber incidents. The following table presents some use cases of these PowerShell post-exploitation frameworks by threat actors.
Threat Actor | Target Industries | Target Geographies | Use Case | Tools
APT19 [6] | Defense, Energy, Telecommunications, High Tech, Education, Manufacturing, Legal Services | Australia, North America | Defense Evasion | Empire
APT32 [7] | Government, Media | East Asia | Defense Evasion, Execution, Command and Control | Nishang, PowerSploit
APT33 [8] | Energy, Aerospace | North America, Middle East, East Asia | Persistence, Command and Control | PoshC2, PowerSploit, Empire
APT41 [9] | Healthcare, Technology, Telecommunications, Media, Education, Retail | Europe, East Asia, Middle East, North America | Persistence | PowerSploit
CopyKittens [10] | Government, Education, Defense, Technology | Middle East, Europe, North America | Defense Evasion, Execution | Empire
Hades [11] | Finance | Europe | Defense Evasion, Command and Control | Empire
FIN7 [12] | Retail, Hospitality | North America | Defense Evasion, Command and Control | Empire
FIN10 [13] | Mining | North America | Persistence | Empire
menuPass [14] | Healthcare, Defense, Aerospace, Government | East Asia | Execution, Command and Control | PowerSploit
MuddyWater [15] | Telecommunications, Government, Energy | Middle East, Europe, North America | Defense Evasion, Execution | Empire, PowerSploit
TG-3390 [16] | Government | Middle East | Persistence, Privilege Escalation | Nishang
Turla [17] | Government, Military, Defense | US, Europe, Middle East | Defense Evasion, Execution, Command and Control | Empire, Posh-SecMod, PowerSploit
WIRTE [18] | Government | Middle East | Execution, Command and Control | Empire
Example: Network Configuration Discovery via PowerShell
This section presents a simple PowerShell command that simulates the following techniques:
Technique | Tactic
System Network Configuration Discovery (T1016) | Discovery
PowerShell (T1086) | Execution
Hidden Window (T1143) | Defense Evasion
Obfuscated Files or Information (T1027) | Defense Evasion
Red Teaming - How to simulate?
Briefly, the following PowerShell one-liner gets IP configuration properties using an encoded command:
PowerShell -w hidden -en RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA=
Let's split and analyse the command:
- -w parameter: there is no parameter named -w in the official PowerShell documentation [19]. In fact, PowerShell completes -w to the -WindowStyle parameter because of its parameter substring completion feature.
PowerShell Parameter Completion: substrings of parameters such as -NoEx (-NoExit), -Executi (-ExecutionPolicy), and -w (-WindowStyle) are used in PowerShell commands instead of the complete parameter name to avoid detection. Because of the way PowerShell handles parameters, substrings such as -W, -Wi, -WindowSt, and -WindowSty are all valid ways of specifying an execution argument such as -WindowStyle. -w can be used for -WindowStyle because -WindowStyle is the only parameter that starts with -w.
- hidden value: adversaries commonly use the -WindowStyle parameter with the Hidden value in malicious PowerShell commands to avoid detection (T1143 Hidden Window). Note that -WindowStyle Hidden does not entirely hide the PowerShell command window; it shows the window for a while before hiding it [19].
- -en parameter: similar to -w, there is no parameter named -en in the official PowerShell documentation [19]. PowerShell completes -en to the -EncodedCommand parameter, which accepts a base64-encoded string version of a command [19].
- RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA= value: this string is the value of the -EncodedCommand parameter, so we must base64-decode it to reveal the PowerShell command (T1027 Obfuscated Files or Information). It is the base64-encoded version of the following command: Get-NetIPConfiguration.
- Get-NetIPConfiguration: this PowerShell cmdlet gets IP configuration properties for all non-virtual connected interfaces on a computer (T1016 System Network Configuration Discovery) [20].
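The following script is an added example, not code from the Picus post: it resolves the abbreviated parameters in the one-liner above the way an analyst would during triage and decodes the -EncodedCommand value. The full parameter list is assumed to be the powershell.exe parameter set documented in about_PowerShell_exe [19]; the short-form table lists abbreviations the console host is known to accept and is an assumption to be checked against that page. The function names are this example's own.

```powershell
# Added example (not from the Picus post). Resolves abbreviated powershell.exe
# parameters and decodes an -EncodedCommand value for analyst triage.

# Assumed to match the powershell.exe parameter set in about_PowerShell_exe [19].
$FullParameters = @(
    'PSConsoleFile', 'Version', 'NoLogo', 'NoExit', 'Sta', 'Mta', 'NoProfile',
    'NonInteractive', 'InputFormat', 'OutputFormat', 'WindowStyle',
    'EncodedCommand', 'ConfigurationName', 'File', 'ExecutionPolicy', 'Command'
)
# Short forms the console host accepts even though a pure unique-prefix rule
# would call them ambiguous (assumption; verify against [19]).
$KnownShortForms = @{
    'e' = 'EncodedCommand'; 'ec' = 'EncodedCommand'; 'c' = 'Command'
    'ex' = 'ExecutionPolicy'; 'ep' = 'ExecutionPolicy'; 'f' = 'File'
    'nop' = 'NoProfile'; 'noni' = 'NonInteractive'; 'nol' = 'NoLogo'; 'noe' = 'NoExit'
}

function Expand-PowerShellParameter {
    param([Parameter(Mandatory)][string]$Token)
    $name = $Token.TrimStart('-')
    $key  = $name.ToLowerInvariant()
    if ($KnownShortForms.ContainsKey($key)) { return "-$($KnownShortForms[$key])" }
    # Substring completion as described in the post: accept the abbreviation
    # when exactly one parameter name starts with it.
    $candidates = @($FullParameters | Where-Object {
        $_.StartsWith($name, [StringComparison]::OrdinalIgnoreCase) })
    switch ($candidates.Count) {
        1       { return "-$($candidates[0])" }
        0       { throw "Unknown parameter '$Token'" }
        default { throw "Ambiguous parameter '$Token' (-$($candidates -join ', -'))" }
    }
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # -EncodedCommand carries the UTF-16LE bytes of the script, base64-encoded;
    # that is why 'A' recurs at every other position of the value above.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function Resolve-PowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $tokens   = $CommandLine -split '\s+'
    $resolved = [System.Collections.Generic.List[string]]::new()
    $decoded  = $null
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $token = $tokens[$i]
        if ($token -match '^-\w') {
            $full = Expand-PowerShellParameter $token
            $resolved.Add($full)
            if ($full -eq '-EncodedCommand' -and $i + 1 -lt $tokens.Count) {
                $decoded = ConvertFrom-EncodedCommand $tokens[$i + 1]
            }
            if ($full -in '-Command', '-File') {
                # Everything after -Command/-File belongs to the script, not the host.
                if ($i + 1 -lt $tokens.Count) {
                    $resolved.AddRange([string[]]$tokens[($i + 1)..($tokens.Count - 1)])
                }
                break
            }
        } else {
            $resolved.Add($token)
        }
    }
    [pscustomobject]@{
        NormalizedCommandLine = "$($tokens[0]) $($resolved -join ' ')"
        DecodedCommand        = $decoded
    }
}

# The one-liner from the post, run through the resolver.
Resolve-PowerShellCommandLine 'PowerShell -w hidden -en RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA=' | Format-List

# An abbreviation several parameters share is rejected rather than guessed.
try { Expand-PowerShellParameter '-no' } catch { Write-Warning $_.Exception.Message }
```

Run against the post's one-liner, the resolver reports -w as -WindowStyle and -en as -EncodedCommand, and decodes the base64 value to Get-NetIPConfiguration. The decoder uses UTF-16LE because that is the encoding -EncodedCommand expects; decoding the value as UTF-8 yields NUL-separated characters, a common triage mistake. The unique-prefix rule is a simplification of what the console host does, which is why the short-form table exists; treat the resolver as a triage aid rather than a reimplementation of the host's parser.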
Blue Teaming - How to detect?
Sigma Rule
To detect network configuration discovery via the Get-NetIPConfiguration cmdlet, the following Sigma rule can be used:
title: Network Configuration Discovery via PowerShell Cmdlet
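As an added example (not the post's Sigma rule or any of its code), the script below applies the detection logic such a rule expresses to two kinds of telemetry a blue team typically has: process-creation events (Sysmon Event ID 1 or Security 4688) carrying a command line, and PowerShell Script Block Logging events (Event ID 4104) carrying the decoded script text. The sample events, their field names and the function names are constructed for this example; the cmdlet list contains only the cmdlet the post discusses.

```powershell
# Added example (not the post's Sigma rule). Detection logic for T1016 via
# PowerShell, run offline over constructed sample events.

# Cmdlets to alert on; extend with other T1016 cmdlets as your environment requires.
$DiscoveryCmdlets = @('Get-NetIPConfiguration')

function Get-EncodedCommandText {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Catch -e, -ec, -en, -enc ... -EncodedCommand (prefix completion) and the
    # base64 argument after it; -ex/-ep (ExecutionPolicy) do not match.
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch { return $null }   # not valid base64: nothing to decode
    }
    return $null
}

function Test-NetworkDiscoveryEvent {
    param([Parameter(Mandatory)][hashtable]$Record)
    $pattern = ($DiscoveryCmdlets | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hit     = $false
    $context = @()
    if ($Record.EventId -in 1, 4688) {
        # Only PowerShell hosts are in scope for this rule.
        if ($Record.Image -match '(?i)\\(powershell|pwsh)(_ise)?\.exe$') {
            if ($Record.CommandLine -match "(?i)$pattern") {
                $hit = $true; $context += 'cmdlet in plain command line'
            }
            $decoded = Get-EncodedCommandText $Record.CommandLine
            if ($decoded -and $decoded -match "(?i)$pattern") {
                $hit = $true; $context += "cmdlet in decoded -EncodedCommand ($decoded)"
            }
            # Hidden window is context, not a detection on its own (too noisy).
            if ($hit -and $Record.CommandLine -match '(?i)\s-w(?:i[a-z]*)?\s+h') {
                $context += 'hidden window requested'
            }
        }
    } elseif ($Record.EventId -eq 4104) {
        # Script Block Logging records the script after decoding, so no base64 handling is needed.
        if ($Record.ScriptBlockText -match "(?i)$pattern") {
            $hit = $true; $context += 'cmdlet in logged script block'
        }
    }
    [pscustomobject]@{
        EventId  = $Record.EventId
        Detected = $hit
        Context  = $context -join '; '
    }
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    @{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'PowerShell -w hidden -en RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA=' },
    @{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1' },
    @{ EventId = 4104; ScriptBlockText = 'Get-NetIPConfiguration | ConvertTo-Json' },
    @{ EventId = 4104; ScriptBlockText = 'Get-Process | Sort-Object CPU -Descending' }
)

$SampleEvents | ForEach-Object { Test-NetworkDiscoveryEvent $_ } | Format-Table -AutoSize
```

The first and third sample events are flagged (the first only after the encoded argument is decoded), the second and fourth are not. Matching on both command lines and 4104 script blocks matters: a command line check alone misses cmdlets invoked from a script file or from a download-and-execute stager, while Script Block Logging sees the script text regardless of how it reached the host, provided the logging is enabled and not switched off as the post's T1054 item describes.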
Appendices
Appendix A - Aliases of Threat Groups
Threat Group | Aliases
APT19 | Codoso, C0d0so0, Codoso Team, Sunshop Group
APT32 | SeaLotus, OceanLotus, APT-C-00
APT33 | Elfin
menuPass | APT 10, Stone Panda, Red Apollo, CVNX, HOGFISH
MuddyWater | Seedworm, TEMP.Zagros
TG-3390 | Threat Group-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Turla | Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton
References
[1] EmpireProject, "EmpireProject/Empire," GitHub. [Online]. Available: https://github.com/EmpireProject/Empire. [Accessed: 25-Apr-2020]
[2] PowerShellMafia, "PowerShellMafia/PowerSploit," GitHub. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 13-Apr-2020]
[3] samratashok, "samratashok/nishang," GitHub. [Online]. Available: https://github.com/samratashok/nishang. [Accessed: 25-Apr-2020]
[4] nettitude, "nettitude/PoshC2," GitHub. [Online]. Available: https://github.com/nettitude/PoshC2. [Accessed: 25-Apr-2020]
[5] darkoperator, "darkoperator/Posh-SecMod," GitHub. [Online]. Available: https://github.com/darkoperator/Posh-SecMod. [Accessed: 25-Apr-2020]
[6] "Publicly Available Tools Seen in Cyber Incidents Worldwide | CISA." [Online]. Available: https://www.us-cert.gov/ncas/alerts/AA18-284A#Lateral%20Movement%20Framework:%20PowerShell%20Empire. [Accessed: 25-Apr-2020]
[7] A. Dahan, "Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group." [Online]. Available: https://www.cybereason.com/blog/operation-cobalt-kitty-apt. [Accessed: 25-Apr-2020]
[8] G. Ackerman, "OVERRULED: Containing a Potentially Destructive Adversary," FireEye. [Online]. Available: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html. [Accessed: 25-Apr-2020]
[9] "[Report] Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation," FireEye. [Online]. Available: content.fireeye.com. [Accessed: 25-Apr-2020]
[10] ClearSky, "Operation Wilted Tulip." [Online]. Available: https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf. [Accessed: 25-Apr-2020]
[11] GReAT, "Olympic Destroyer is still alive." [Online]. Available: https://securelist.com/olympic-destroyer-is-still-alive/86169/. [Accessed: 25-Apr-2020]
[12] Y. Namestnikov and F. Aime, "FIN7.5: the infamous cybercrime rig 'FIN7' continues its activities." [Online]. Available: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/. [Accessed: 25-Apr-2020]
[13] FireEye, "FIN10 report." [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf. [Accessed: 25-Apr-2020]
[14] PwC, "Operation Cloud Hopper, Annex B." [Online]. Available: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf. [Accessed: 25-Apr-2020]
[15] Trend Micro, "MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools - TrendLabs Security Intelligence Blog," 10-Jun-2019. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/. [Accessed: 25-Apr-2020]
[16] R. Falcone and T. Lancaster, "Emissary Panda Attacks Middle East Government SharePoint Servers," Unit42, 28-May-2019. [Online]. Available: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/. [Accessed: 25-Apr-2020]
[17] ESET, "A dive into Turla PowerShell usage." [Online]. Available: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/. [Accessed: 13-Apr-2020]
[18] Dex, "WIRTE Group attacking the Middle East," 02-Apr-2019. [Online]. Available: https://lab52.io/blog/wirte-group-attacking-the-middle-east/. [Accessed: 25-Apr-2020]
[19] SteveL-MSFT, "about_PowerShell_exe - PowerShell." [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 26-Apr-2020]
[20] andreabarr, "Get-NetIPConfiguration (nettcpip)." [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration. [Accessed: 26-Apr-2020]