MITRE ATT&CK T1086 PowerShell

 

 

 

In 2019, Picus Labs analyzed 48813 malware to determine tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP by utilizing the MITRE ATT&CK® framework. As a result of the present research, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers.

 

With the release of its version 7, MITRE ATT&CK framework combined Command Line Interface and Scripting techniques into a single technique named Command and Scripting Interpreter under Execution tactic. Also, several stand-alone techniques became sub-techniques of Command and Scripting Interpreter.

You can see our updated blog post on T1059 Command and Scripting Interpreter here.

Our research has found that PowerShell was the second most prevalent MITRE ATT&CK technique used by adversaries in their malware. PowerShell is a powerful interactive command-line shell and scripting language installed by default on Windows operating systems. Since PowerShell has extensive access to Windows internals, system administrators frequently use it to manage and configure the operating system, and automate complex tasks.

Not only system administrators, but also adversaries have realized the potential in incorporating such a powerful tool into their arsenal. Hence the reason, PowerShell appeared as the second most frequently used MITRE ATT&CK technique in our research.

The purpose of this blog post is to review:

  • the fundamentals of the PowerShell technique,
  • why and how adversaries use PowerShell,
  • which threat actors and malware use the technique, and
  • red, blue, and purple teaming exercises for the PowerShell technique.

Introduction

It is easy to detect a third-party program that is used to execute commands on Windows OS. Therefore, adversaries frequently use built-in Windows command-line and scripting tools to run their commands. PowerShell is one of those tools that enable attackers to:

On this account, the technique provides three significant benefits for adversaries:

  • create fileless malware that runs in the memory without leaving any traces on disk
  • perform sophisticated actions with extensive access to OS internals
  • persist on the system by regularly loading malicious code into memory
  • discover information, collect and exfiltrate data
  • move laterally through networks

Although the PowerShell technique is categorized only in the Execution tactic of the MITRE ATT&CK framework, it is also a powerful technique to achieve the Defense Evasion tactic. Adversaries use PowerShell to employ the following defense evasion techniques:

  • direct, in-memory loading and execution of malicious code
  • downloading and executing malware payloads without writing any data to disk (fileless execution)
  • executing complex code without installing additional software (T1064 Scripting)
  • evading Antimalware Scan Interface (AMSI) and changing Windows Defender settings (T1089 Disabling Security Tools)
  • blocking events by disabling Script Block Logging (T1054 Indicator Blocking)
  • injecting malicious code into legitimate processes (T1055 Process Injection)
  • locating and impersonating user logon tokens (T1134 Access Token Manipulation)

How do threat actors leverage publicly available PowerShell tools?

Extensive capabilities of PowerShell have attracted the attention of red teams and penetration testers. Consequently, powerful red team and penetration testing frameworks and tools have been developed using PowerShell, such as Empire (PowerShell Empire) [1], PowerSploit [2], Nishang [3], PoschC2 [4], and Posh-SecMod [5]. 

All of these tools are open source and publicly available. Although these tools are developed with the intention of using red teams and penetration testers, threat actors frequently leverage them for malicious purposes in cyber incidents. The following table presents some use cases of these PowerShell post-exploitation frameworks by threat actors.

Threat Actor
Target Industries
Target Geographies
Use Case
Tools

APT 19 [6]

Defense, Energy, Telecommunications, High Tech, Education, Manufacturing, Legal Services
Australia, North America
Defense Evasion

Empire

APT32 [7]
Government, Media

East Asia

Defense Evasion, Execution, Command and Control
Nishang, PowerSploit
APT33 [8]
Energy, Aerospace
North America, Middle East, East Asia
Persistence, Command and Control
PoshC2, PowerSploit, Empire
APT41 [9]
Healthcare, Technology, Telecommunications, Media, Education, Retail
Europe, East Asia, Middle East, North America
Persistence
PowerSploit
CopyKittens [10]
Government, Education, Defense, Technology
Middle East, Europe, North America
Defense Evasion, Execution
Empire
Hades [11]
Finance
Europe
Defense Evasion, Command and Control 
Empire
FIN7 [12]
Retail, Hospitality
North America
Defense Evasion, Command and Control
Empire
FIN10 [13]
Mining
North America
Persistence

Empire

menuPass [14]
Healthcare, Defense, Aerospace, Government
East Asia
Execution, Command and Control
PowerSploit
MuddyWater [15]
Telecommunications, Government, Energy
Middle East, Europe, North America
Defense Evasion, Execution

Empire, PowerSploit

TG-3390[16]
Government
Middle East
Persistence, Privilege Escalation
Nishang
Turla [17]
Government, Military, Defense
US, Europe, Middle East
Defense Evasion, Execution, Command and Control
Empire, Posh-SecMod, PowerSploit
WIRTE [18]
Government
Middle East
Execution, Command and Control
Empire

Example: Getting Network Configuration Discovery via PowerShell

This section presents a simple PowerShell command that simulates the following techniques.

Techniques

Tactic

System Network Configuration Discovery (T1016)

Discovery

PowerShell (T1086)

Execution

Hidden Window (T1143)

Defense Evasion

Obfuscated Files or Information (T1027)

Defense Evasion

Read Teaming - How to simulate?

Briefly, the following PowerShell one-liner gets IP configuration properties using an encoded command.

PowerShell -w hidden -en RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA=

Let’s split and analyse the command:

  •  -w parameter: there is no parameter named -w according to the official PowerShell documentation [19]. In fact, the -w parameter is completed by PowerShell as the -WindowStyle parameter because of the parameter substring completion feature of PowerShell .
  • PowerShell Parameter Completion: Substrings of parameters like -NoEx (- NoExit), -Executi (-ExecutionPolicy), -w (-WindowStyle) are used in the PowerShell command instead of using the complete parameter string to avoid detection. Because of the way that PowerShell handles parameters, parameter substrings like -W, -Wi, -WindowSt, -WindowSty, are all valid ways of specifying an execution argument such as -WindowStyle. -w can be used for -WindowStyle , because -WindowStyle is the only parameter that starts with -w
  •  -hidden value: Adversaries commonly use the -WindowStyle parameter with Hidden value in malicious PowerShell commands to avoid detection (T1143 Hidden Window). Actually, -WindowStyle Hidden does not entirely hide the PowerShell command windows, it shows the command window for a while before hiding it [19].
  •  -en parameter: Similar to -w , there is not a parameter named -en according to the official PowerShell documentation [19]. The -en parameter is completed as -EncodedCommand parameter by PowerShell. -EncodedCommand accepts a base-64-encoded string version of a command [19].
  • RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA= value: this string is the value of the -EncodedCommand parameter. Therefore, we must use base64 decoding to reveal the PowerShell command (T1027 Obfuscated Files or Information). This string is the base64 encoded version of the following command: Get-NetIPConfiguration.

    Get-NetIPConfiguration: This PowerShell cmdlet gets IP configuration properties for all non-virtual connected interfaces on a computer(T1016 System Network Configuration Discovery) [20].

Blue Teaming - How to detect?

Sigma Rule

To detect network configuration discovery via Get-NetIPConfiguration cmdlet, 

title: Network Configuration Discovery via PowerShell Cmdlet
status: experimental
description: Detects the attempt to obtain network configuration via Get-NetIPConfiguration cmdlet of PowerShell. This technique is commonly utilized for discovery.
author: Picus Security
references:
  - https://attack.mitre.org/techniques/T1016/
  - https://attack.mitre.org/tactics/TA0007/
  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/powershell
  - https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration?view=win10-ps
logsource:
    product: windows
    service: security
    definition1: 'Requirements: Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation'
    definition2: 'Requirements: Group Policy : Computer Configuration\ Administrative Templates\ System\ Audit Process Creation\ Include Command Line'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\powershell.exe'
        ProcessCommandLine: '*Get-NetIPConfiguration*'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: low
tags:
    - attack.discovery
    - attack.t1016
    - attack.ta0007

Appendixes

Appendix A - Aliases of Threat Groups

Threat Group

Aliases

APT19

Codoso, C0d0so0, Codoso Team, Sunshop Group

APT32

SeaLotus, OceanLotus, APT-C-00

APT33

Elfin

menuPass

APT 10, Stone Panda, Red Apollo, CVNX, HOGFISH

MuddyWater

Seedworm, TEMP.Zagros

TG-3390

Threat Group-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse

Turla

Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton

References

[1] EmpireProject, “EmpireProject/Empire,” GitHub. [Online]. Available: https://github.com/EmpireProject/Empire. [Accessed: 25-Apr-2020]

[2] PowerShellMafia, “PowerShellMafia/PowerSploit,” GitHub. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 13-Apr-2020]

[3] samratashok, “samratashok/nishang,” GitHub. [Online]. Available: https://github.com/samratashok/nishang. [Accessed: 25-Apr-2020]

[4] nettitude, “nettitude/PoshC2,” GitHub. [Online]. Available: https://github.com/nettitude/PoshC2. [Accessed: 25-Apr-2020]

[5] darkoperator, “darkoperator/Posh-SecMod,” GitHub. [Online]. Available: https://github.com/darkoperator/Posh-SecMod. [Accessed: 25-Apr-2020]

[6] “Publicly Available Tools Seen in Cyber Incidents Worldwide | CISA.” [Online]. Available: https://www.us-cert.gov/ncas/alerts/AA18-284A#Lateral%20Movement%20Framework:%20PowerShell%20Empire. [Accessed: 25-Apr-2020]

[7] A. Dahan, “Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group.” [Online]. Available: https://www.cybereason.com/blog/operation-cobalt-kitty-apt. [Accessed: 25-Apr-2020]

[8] G. Ackerman, “OVERRULED: Containing a Potentially Destructive Adversary,” FireEye. [Online]. Available: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html. [Accessed: 25-Apr-2020]

[9] “[Report] Double Dragon: APT41, a Dual Espionage and Cyber Crime Operation,” FireEye. [Online]. Available: content.fireeye.com. [Accessed: 25-Apr-2020]

[10] “[No title].” [Online]. Available: https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf. [Accessed: 25-Apr-2020]

[11] GReAT, “Olympic Destroyer is still alive.” [Online]. Available: https://securelist.com/olympic-destroyer-is-still-alive/86169/. [Accessed: 25-Apr-2020]

[12] Y. Namestnikov and F. Aime, “FIN7.5: the infamous cybercrime rig ‘FIN7’ continues its activities.” [Online]. Available: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/. [Accessed: 25-Apr-2020]

[13] “[No title].” [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf. [Accessed: 25-Apr-2020]

[14] “[No title].” [Online]. Available: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf. [Accessed: 25-Apr-2020]

[15] T. Micro, “MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools - TrendLabs Security Intelligence Blog,” 10-Jun-2019. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/. [Accessed: 25-Apr-2020]

[16] R. Falcone and T. Lancaster, “Emissary Panda Attacks Middle East Government SharePoint Servers,” Unit42, 28-May-2019. [Online]. Available: https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/. [Accessed: 25-Apr-2020]

[17] ESET, “A dive into Turla PowerShell usage.” [Online]. Available: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/. [Accessed: 13-Apr-2020]

[18] Dex, “WIRTE Group attacking the Middle East,” 02-Apr-2019. [Online]. Available: https://lab52.io/blog/wirte-group-attacking-the-middle-east/. [Accessed: 25-Apr-2020]

[19] SteveL-MSFT, “about_PowerShell_exe - PowerShell.” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_exe. [Accessed: 26-Apr-2020]

[20] andreabarr, “Get-NetIPConfiguration (nettcpip).” [Online]. Available: https://docs.microsoft.com/en-us/powershell/module/nettcpip/get-netipconfiguration. [Accessed: 26-Apr-2020]