PowerShell Remote Session

Metadata

collaborators

[‘Roberto Rodriguez @Cyb3rWard0g’, ‘Jose Rodriguez @Cyb3rPandaH’]

creation date

2019/05/11

modification date

2020/09/20

playbook related

[‘WIN-190410151110’]

Hypothesis

Adversaries might be leveraging remote powershell sessions to execute code on remote systems throughout my environment

Technical Context

None

Offensive Tradecraft

Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. In addition, it can be used to execute code remotely via Windows Remote Management (WinRM) services. Therefore, it is important to understand the basic artifacts left when PowerShell is used to execute code remotely via a remote powershell session.

Mordor Test Data

metadata

https://mordordatasets.com/notebooks/small/windows/02_execution/SDWIN-190518211456.html

link

https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psremoting_stager.zip

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor Dataset

mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/empire_psremoting_stager.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Analytic I

Process wsmprovhost hosts the active remote session on the target. Therefore, it is important to monitor for any the initialization of the PowerShell host wsmprovhost

Data source

Event Provider

Relationship

Event

Powershell

Windows PowerShell

Application host started

400

Powershell

Microsoft-Windows-PowerShell/Operational

User started Application host

4103

df = spark.sql(
'''
SELECT `@timestamp`, Hostname, Channel
FROM mordorTable
WHERE (Channel = "Microsoft-Windows-PowerShell/Operational" OR Channel = "Windows PowerShell")
    AND (EventID = 400 OR EventID = 4103)
    AND Message LIKE "%HostApplication%wsmprovhost%"
'''
)
df.show(10,False)
+-----------------------+------------+------------------+
|@timestamp             |Hostname    |Channel           |
+-----------------------+------------+------------------+
|2020-09-20 17:09:11.871|WORKSTATION6|Windows PowerShell|
+-----------------------+------------+------------------+

Analytic II

Monitor for any incoming network connection where the destination port is either 5985 or 5986. That will be hosted most likely by the System process. Layer ID:44

Data source

Event Provider

Relationship

Event

Process

Microsoft-Windows-Security-Auditing

Process connected to Port

5156

df = spark.sql(
'''
SELECT `@timestamp`, Hostname, Application, SourceAddress, DestAddress, LayerName, LayerRTID
FROM mordorTable
WHERE LOWER(Channel) = "security"
    AND EventID = 5156
    AND (DestPort = 5985 OR DestPort = 5986)
    AND LayerRTID = 44
'''
)
df.show(10,False)
+-----------------------+---------------------------+-----------+-------------+-----------+---------+---------+
|@timestamp             |Hostname                   |Application|SourceAddress|DestAddress|LayerName|LayerRTID|
+-----------------------+---------------------------+-----------+-------------+-----------+---------+---------+
|2020-09-20 17:09:09.8  |WORKSTATION6.theshire.local|System     |172.18.39.5  |172.18.39.6|%%14610  |44       |
|2020-09-20 17:09:11.902|WORKSTATION6.theshire.local|System     |172.18.39.5  |172.18.39.6|%%14610  |44       |
|2020-09-20 17:09:12.962|WORKSTATION6.theshire.local|System     |172.18.39.5  |172.18.39.6|%%14610  |44       |
+-----------------------+---------------------------+-----------+-------------+-----------+---------+---------+

Analytic III

Process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is to document any instances of wsmprovhost being spawned and spawning other processes

Data source

Event Provider

Relationship

Event

Process

Microsoft-Windows-Security-Auditing

Process created Process

4688

df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ParentProcessName, NewProcessName
FROM mordorTable
WHERE LOWER(Channel) = "security"
    AND EventID = 4688
    AND (ParentProcessName LIKE "%wsmprovhost.exe" OR NewProcessName LIKE "%wsmprovhost.exe")
'''
)
df.show(10,False)
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+
|@timestamp             |Hostname                   |ParentProcessName                  |NewProcessName                                           |
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+
|2020-09-20 17:09:09.825|WORKSTATION6.theshire.local|C:\Windows\System32\svchost.exe    |C:\Windows\System32\wsmprovhost.exe                      |
|2020-09-20 17:09:12.968|WORKSTATION6.theshire.local|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+

Analytic IV

Process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is to document any instances of wsmprovhost being spawned and spawning other processes

Data source

Event Provider

Relationship

Event

Process

Microsoft-Windows-Sysmon/Operational

Process created Process

1

df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ParentImage, Image
FROM mordorTable
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 1
    AND (ParentImage LIKE "%wsmprovhost.exe" OR Image LIKE "%wsmprovhost.exe")
'''
)
df.show(10,False)
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+
|@timestamp             |Hostname                   |ParentImage                        |Image                                                    |
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+
|2020-09-20 17:09:09.817|WORKSTATION6.theshire.local|C:\Windows\System32\svchost.exe    |C:\Windows\System32\wsmprovhost.exe                      |
|2020-09-20 17:09:12.956|WORKSTATION6.theshire.local|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|
+-----------------------+---------------------------+-----------------------------------+---------------------------------------------------------+

Analytic V

Monitor for outbound network connection where the destination port is either 5985 or 5986 and the use is not NT AUTHORITY\NETWORK SERVICE

Data source

Event Provider

Relationship

Event

Process

Microsoft-Windows-Sysmon/Operational

User connected to Port

3

df = spark.sql(
'''
SELECT `@timestamp`, Hostname, User, Initiated, Image, SourceIp, DestinationIp
FROM mordorTable
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 3
    AND (DestinationPort = 5985 OR DestinationPort = 5986)
    AND NOT User = "NT AUTHORITY\\\\NETWORK SERVICE"
'''
)
df.show(10,False)
+-----------------------+---------------------------+-------------------+---------+---------------------------------------------------------+-----------+-------------+
|@timestamp             |Hostname                   |User               |Initiated|Image                                                    |SourceIp   |DestinationIp|
+-----------------------+---------------------------+-------------------+---------+---------------------------------------------------------+-----------+-------------+
|2020-09-20 17:09:11.867|WORKSTATION6.theshire.local|NT AUTHORITY\SYSTEM|false    |System                                                   |172.18.39.5|172.18.39.6  |
|2020-09-20 17:09:11.877|WORKSTATION5.theshire.local|THESHIRE\pgustavo  |true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.5|172.18.39.6  |
|2020-09-20 17:09:13.263|WORKSTATION5.theshire.local|THESHIRE\pgustavo  |true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.5|172.18.39.6  |
|2020-09-20 17:09:13.264|WORKSTATION5.theshire.local|THESHIRE\pgustavo  |true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.5|172.18.39.6  |
|2020-09-20 17:09:14.375|WORKSTATION6.theshire.local|NT AUTHORITY\SYSTEM|false    |System                                                   |172.18.39.5|172.18.39.6  |
|2020-09-20 17:09:14.443|WORKSTATION6.theshire.local|NT AUTHORITY\SYSTEM|false    |System                                                   |172.18.39.5|172.18.39.6  |
+-----------------------+---------------------------+-------------------+---------+---------------------------------------------------------+-----------+-------------+

Known Bypasses

Idea

Playbook

False Positives

None

Hunter Notes

  • Explore the data produced in your lab environment with the analytics above and document what normal looks like from a PowerShell perspective. Then, take your findings and explore your production environment.

  • If powershell activity locally or remotely via winrm happens all the time in your environment, I suggest to categorize the data you collect by business unit or department to document profiles.

  • Layer 44 translatest to layer filter FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6. This filtering layer allows for authorizing accept requests for incoming TCP connections, as well as authorizing incoming non-TCP traffic based on the first packet received. Looking for destination ports related to remote PowerShell Sessions and Layer 44 is very helpful.

References

  • https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-6#windows-powershell-remoting

  • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_requirements?view=powershell-6

  • https://docs.microsoft.com/en-us/windows/win32/fwp/management-filtering-layer-identifiers-