.ipynb .pdf

Binder ThebeLab

On this page

Edit this page

PowerShell Remote Session

Metadata

id	WIN-190511223310
author	Roberto Rodriguez @Cyb3rWard0g
creation date	2019/05/11
platform	Windows
playbook link	WIN-190410151110

Technical Description

Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. In addition, it can be used to execute code remotely via Windows Remote Management (WinRM) services. Therefore, it is important to understand the basic artifacts left when PowerShell is used to execute code remotely via a remote powershell session.

Hypothesis

Adversaries might be leveraging remote powershell sessions to execute code on remote systems throughout my environment

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/datasets/small/windows/execution/empire_invoke_psremoting.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")

[+] Processing a Spark DataFrame..

[+] Processing Data from Winlogbeat version 6..
[+] DataFrame Returned !

[+] Temporary SparkSQL View: mordorTable 

Analytic I

FP Rate	Log Channel	Description
Medium	[‘PowerShell’, ‘Microsoft-Windows-PowerShell/Operational’]	Process wsmprovhost hosts the active remote session on the target. Therefore, it is important to monitor for any the initialization of the PowerShell host wsmprovhost

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, channel
FROM mordorTable
WHERE (channel = "Microsoft-Windows-PowerShell/Operational" OR channel = "Windows PowerShell")
    AND (event_id = 400 OR event_id = 4103)
    AND message LIKE "%Host Application%wsmprovhost%"
    '''
)
df.show(10,False)

+-----------------------+---------------+----------------------------------------+
|@timestamp             |computer_name  |channel                                 |
+-----------------------+---------------+----------------------------------------+
|2019-05-18 17:15:36.218|IT001.shire.com|Microsoft-Windows-PowerShell/Operational|
+-----------------------+---------------+----------------------------------------+

Analytic II

FP Rate	Log Channel	Description
Low	[‘Security’]	Monitor for any incoming network connection where the destination port is either 5985 or 5986. That will be hosted most likely by the System process. Layer ID:44

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, Application, SourceAddress, DestAddress, LayerName, LayerRTID
FROM mordorTable
WHERE channel = "Security"
    AND event_id = 5156
    AND (DestPort = 5985 OR DestPort = 5986)
    AND LayerRTID = 44
    '''
)
df.show(10,False)

+-----------------------+---------------+-----------+-------------+-------------+---------+---------+
|@timestamp             |computer_name  |Application|SourceAddress|DestAddress  |LayerName|LayerRTID|
+-----------------------+---------------+-----------+-------------+-------------+---------+---------+
|2019-05-18 17:15:34.303|IT001.shire.com|System     |172.18.39.106|172.18.39.105|%%14610  |44       |
|2019-05-18 17:15:35.228|IT001.shire.com|System     |172.18.39.106|172.18.39.105|%%14610  |44       |
|2019-05-18 17:15:35.618|IT001.shire.com|System     |172.18.39.106|172.18.39.105|%%14610  |44       |
+-----------------------+---------------+-----------+-------------+-------------+---------+---------+

Analytic III

FP Rate	Log Channel	Description
Low	[‘Security’]	Process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is to document any instances of wsmprovhost being spawned and spawning other processes

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, ParentProcessName, NewProcessName
FROM mordorTable
WHERE channel = "Security"
    AND event_id = 4688
    AND (ParentProcessName LIKE "%wsmprovhost.exe" OR NewProcessName LIKE "%wsmprovhost.exe")
    '''
)
df.show(10,False)

+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+
|@timestamp             |computer_name  |ParentProcessName                  |NewProcessName                                           |
+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+
|2019-05-18 17:15:34.608|IT001.shire.com|C:\Windows\System32\svchost.exe    |C:\Windows\System32\wsmprovhost.exe                      |
|2019-05-18 17:15:35.882|IT001.shire.com|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|
+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+

Analytic IV

FP Rate	Log Channel	Description
Low	[‘Microsoft-Windows-Sysmon/Operational’]	Process wsmprovhost hosts the active remote session on the target. Therefore, from a process creation perspective, it is to document any instances of wsmprovhost being spawned and spawning other processes

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, ParentImage, Image
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
    AND event_id = 1
    AND (ParentImage LIKE "%wsmprovhost.exe" OR Image LIKE "%wsmprovhost.exe")
    '''
)
df.show(10,False)

+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+
|@timestamp             |computer_name  |ParentImage                        |Image                                                    |
+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+
|2019-05-18 17:15:34.611|IT001.shire.com|C:\Windows\System32\svchost.exe    |C:\Windows\System32\wsmprovhost.exe                      |
|2019-05-18 17:15:35.884|IT001.shire.com|C:\Windows\System32\wsmprovhost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|
+-----------------------+---------------+-----------------------------------+---------------------------------------------------------+

Analytic V

FP Rate	Log Channel	Description
Low	[‘Microsoft-Windows-Sysmon/Operational’]	Monitor for outbound network connection where the destination port is either 5985 or 5986 and the use is not NT AUTHORITY\NETWORK SERVICE

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, User, Initiated, Image, SourceIp, DestinationIp
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
    AND event_id = 3
    AND (DestinationPort = 5985 OR DestinationPort = 5986)
    AND NOT User = "NT AUTHORITY\\\\NETWORK SERVICE"
    '''
)
df.show(10,False)

+-----------------------+---------------+--------------+---------+---------------------------------------------------------+-------------+-------------+
|@timestamp             |computer_name  |User          |Initiated|Image                                                    |SourceIp     |DestinationIp|
+-----------------------+---------------+--------------+---------+---------------------------------------------------------+-------------+-------------+
|2019-05-18 17:15:35.319|HR001.shire.com|SHIRE\pgustavo|true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.106|172.18.39.105|
|2019-05-18 17:15:36.444|HR001.shire.com|SHIRE\pgustavo|true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.106|172.18.39.105|
|2019-05-18 17:15:36.704|HR001.shire.com|SHIRE\pgustavo|true     |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|172.18.39.106|172.18.39.105|
+-----------------------+---------------+--------------+---------+---------------------------------------------------------+-------------+-------------+

Detection Blindspots

Hunter Notes

• Explore the data produced in your lab environment with the analytics above and document what normal looks like from a PowerShell perspective. Then, take your findings and explore your production environment.

• If powershell activity locally or remotely via winrm happens all the time in your environment, I suggest to categorize the data you collect by business unit or department to document profiles.

• Layer 44 translatest to layer filter FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 / FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6. This filtering layer allows for authorizing accept requests for incoming TCP connections, as well as authorizing incoming non-TCP traffic based on the first packet received. Looking for destination ports related to remote PowerShell Sessions and Layer 44 is very helpful.

Hunt Output

Category	Type	Name
signature	SIGMA	powershell_remote_powershell_session
signature	SIGMA	sysmon_remote_powershell_session_network
signature	SIGMA	sysmon_remote_powershell_session_process
signature	SIGMA	win_remote_powershell_session

References

• https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-6#windows-powershell-remoting

• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_requirements?view=powershell-6

• https://docs.microsoft.com/en-us/windows/win32/fwp/management-filtering-layer-identifiers-

WMI Win32_Process Class and Create Method for Remote Execution Collection