Presenting "Detecting the Not PowerShell Gang" with Tas, and with that I will let Tas take it away.

All right, thank you so much. Hello everyone. Welcome to this talk, titled "Detecting the Not PowerShell Gang." It's by me, Tas. You can find me on Twitter, and anywhere else, as Tas manager. All right, let's get to know me for a little bit. I'm a threat hunter working for a major Canadian communication company. We also do MSP, MSSP, ISP, whatever you can think of. So my main task in this company is to do threat hunting, with a lot of involvement with threat intelligence also, and a lot of automation, which is programming, coding, etc. I have some previous experience in application security, and also some security auditing slash legal. I graduated from Sheridan College, so I am based in Toronto, Canada. So if you are around, you know, if you're a company around Canada and you're looking for good talent, you can definitely look into that school. So yeah, that's pretty much me, with my medium-small security budget, fighting the bad people one log at a time.

All right, so if you ask, do you just do work? No, I do play a lot. I like to do fun security stuff: CTFs, I like presenting, attending conferences. I also love to do photography, specifically astrophotography, some landscape photography. Also, I do have a drone and just take pictures and videos. I play guitar at times, and I love to go to festivals and concerts. And of course, like everyone else, gaming is something that is always fun to do. Just some pictures of me doing stuff, taking pictures of stuff, just to show that I'm not working all the time.

All right, first of all, let's start with a disclaimer. All the opinions are my own, and this doesn't reflect any views of my employer. So with that in mind, let's move forward. Also note, this presentation is actually a compressed version of a similar presentation that I did at Hackfest last year.
So if you would like to see more about the tools, demonstrations, et cetera, you can go watch it on the Hackfest YouTube channel; the link is there. The slides, also the extended version, are available on my GitHub. Okay, so let's talk about the content. We just, you know, talked about me. So we get three major parts. We'll have some introduction about the gang itself. How do we detect each member of the gang? There are some bonus detections. There are some bonus members of the gang. And we close everything with some outro and Q&A.

Yeah, so in this section, we'll get the basic understanding of what exactly the Not PowerShell gang, the Not PowerShell tools, are. So I did this research roughly one to two years ago. And I saw a bunch of, we actually saw a bunch of tools that act in the same way, that try to avoid PowerShell security logging and mechanisms, but achieve it in different ways. So this was really interesting to me. So I pretty much bundled them together and then, yeah, built detection for all of them, and then saw the unique way each one of the tools does it. So one question you're going to ask: why do these tools even exist? Why don't they just use PowerShell? Well, because of "PowerShell ♥ the Blue Team." This is a blog posted back in 2015, when they released version 5 of PowerShell. There really are a lot of security features, and it is actually really bad for the Red Team. So pretty much the friendship ended with the Red Team; now the Blue Team is Microsoft's best friend. So is it that bad? Actually, it is. You get protected logging. So whenever you type anything, PowerShell will log it. Whenever you enter a script, you enter commands, it will be logged. If the Blue Team has a centralized SIEM, that's it. That's the end for the defender. Sorry, for the attacker, right? Also, AMSI integration, which is the anti-malware mechanism.
So there are a lot of bypasses being released, but this is pretty much a never-ending race between Microsoft and the Red Team slash offensive tool makers. So they bypass, they patch; they bypass, they patch. It's just never-ending. And lastly, we get Constrained Language Mode, CLM, which is able to limit the capability of PowerShell in sensitive environments. For example, on your PCI DSS server, on your production server, you can limit the things you can do with PowerShell. So that's not really good, actually. Five years later, there was this AMA, ask me anything, event going on in a Slack channel of one of the big security companies in the US. So I just jumped in and asked the question: from your recent engagements, do you still use PowerShell at all? And most of the answers were like, not really. We just dropped it. We don't really use it. So that's the idea of how bad it is. Even five years later, people just started forgetting PowerShell altogether. And that's why we have the whole gang.

So now we understand what Not PowerShell is. Let's move forward and get some understanding about the detection. Make sure that you have these requirements ready if you're trying to deploy these detections, because this is the environment that I have, that we had when we tested it. And then, yeah, pretty much the whole goal of this presentation is to utilize BoreWox, so you can use whatever SIEM solution you want: Splunk, ArcSight, okay, I can keep going on and on, but you get the idea. So yeah, there are two types of detection that I will be sharing. The first one will be the low-hanging fruits, the easy detections that are easy to create and easy to bypass. The next one is the more complicated detections, the advanced detections based on the TTPs or behavior of the tools. They're kind of hard to make, but also kind of hard for the attacker to bypass. So we'll see.

So the first tool, we call it InvisiShell, no, the maker calls it InvisiShell.
The tagline is like, sure, we can hook it, because the people from Javelin Networks, when they made this, all they do in the tool is just hooking, hooking, hooking. They hook System.Management.Automation.dll, the library of PowerShell. They hook System.Core.dll to bypass the logging mechanism. And then they hook the anti-malware mechanism. They just hook everything. But it works perfectly fine, because when they hook it, they override the input line for those attributes, the three attributes above, into a zero line. So it's pretty much nonexistent, which equals non-functioning PowerShell detection, which is great for them.

So we have five detections here. The first one is low-hanging fruits. So as you can see there, there is a DLL called InvisiShellProfiler.dll, and then there's a .bat file that runs with Path as Admin. So these files are pre-compiled already, so they're available on the GitHub. So when people run it as is, you can detect it. That's the goal of low-hanging fruits. You detect it by using Sysmon Event ID 7 and Sysmon Event ID 1, and you deploy the rule in your SIEM. When you run the tool the first time, you will see this unique trace in Sysmon Event ID 1. You will see "powershell" in the command line section, in the command line field, just "powershell," no .exe, no parameters, etc. And then the parent command line will uniquely be an .exe that is calling a .bat file, or that is being, yeah, you get the idea. So there's an .exe and the .bat file in the same parent command line. So you can combine these two pieces of information and then make a detection out of it, which is what we do, what I do.

And then the next one: this tool is actually able to do some privilege escalation by adding some entries in the registry key. So we need to watch when they do this using reg.exe, for example, and then there are certain values, specifically InProcServer32, and those flags that you can see. The parent command line will be the same parent command line as the previous one.
So you will have the .exe and then the .bat. Again, if you combine that, and then you combine additionally the reg.exe tool, you pretty much have a pretty strong detection there. The next one is the InProcServer32 registry key changes, or addition, I would say. So if you see here, you can see the target object is InProcServer32, but they're trying to load the malicious, not malicious, like the Not PowerShell DLL that they are using, which is InvisiShellProfiler.dll. So you can watch for anything that is not in System32 being loaded into this particular target object, because that's kind of fishy. And again, you will be using Sysmon, specifically Event ID 13, registry value set. The last detection for this tool is actually watching the DLL being loaded into the legitimate PowerShell, because again, it will hook the PowerShell library. So there you need to load the module, the DLL, into the .exe, but the thing is, usually PowerShell will load stuff from Microsoft because it's a Microsoft tool. And then you can also see the signature status: it's false and also unavailable. So that's kind of questionable. So we can combine these, what do you call it, interesting things together, and you can make a rule out of it and start building detection.

And the next tool is PowerShdll. So it's not PowerShell, it's PowerShdll. And the tagline for this, yeah, we got a DLL for that, because it's in the name already. So p3nt4 pretty much created this; this is also one of the tools that has a lot of stars on GitHub. So this tool actually has two modes: you can use the DLL mode, and then the EXE mode. For the DLL mode, you need to use a DLL loader. So these are LOLBAS components that will be used, and you load the particular DLL that you feed it. Or you can use the pre-compiled EXE. So you just double-click the EXE and it will just do the job.
So there are options of five different DLL loaders, or proxy execution EXEs, that you can use. So these binaries are signed by Microsoft. So sometimes it's normal that people whitelisted them. So make sure you pay attention in this particular area. And then moving forward, for the EXE mode, it will load the EXE itself, it loads 57 PowerShell automation DLLs and other supporting DLLs for the operation. So all the lists, all the 57 DLLs, are listed in the appendix at the end of the presentation.

For the detection, we get four things here. We get the low-hanging fruits, which are simple things like the description field, product field, even the image, so the file name itself. So you can definitely use that. Again, this is a low-hanging fruit detection. Just a tip: if you want to change it, you can just go to the code before you compile it. Those are the information by default, "PowerShdll Copyright 2016"; you can easily change it to anything. But again, low-hanging fruit detection is supposed to be easy detection. The next one, PowerShdll loading DLLs, to be precise, PowerShdll loading the PowerShell DLLs, so the real PowerShell DLLs. So this is applicable for the DLL mode. For example, you're running it using rundll32.exe, and then rundll32.exe is loading a bunch of PowerShell-related DLLs. It's like they're trying to do something related to PowerShell, right? So yeah, that's what they're trying to do. So we can watch them, again, with Sysmon Event ID 7. And then, more general than that, we can actually watch what the loaders do. So whenever they are loading unsigned DLLs, or DLLs that don't have any signature, we can create an alert on that. But the problem with this is it's actually quite noisy. There are some applications, third-party applications, that do this. Off the top of my head, I can say Notepad++ does that. That's the first thing that triggered the rule when we deployed it in production, and I was like, okay.
But yeah, you kind of want this one for sure. The next one is when the EXE mode loads 57 different DLLs. So this will happen in milliseconds, just like that. It just instantly loads 57 DLLs. And you can see all of this from Sysmon Event ID 7, but make sure you add those DLLs into the Sysmon config. Just make sure you modify the config to watch for those specific DLLs. To make it easier, or to make the detection better, you can use correlation or cardinality. So whenever one DLL is being loaded, the rule itself will look for the other 56 DLLs, if they're being loaded around, maybe, in the last one minute, or in the last 50 seconds, et cetera. So you can just see at the end, as a bigger picture, if all of them are being loaded at the same time. So some examples of correlation in the SIEM that you can do: Elasticsearch, I think they have cardinality rules; the ArcSight correlation engine for sure. And then Splunk, you can combine multiple indicators. So you will have 57 indicators, and then when everything triggers at the same time, you create a rule out of it. And then you can also use an Elastic Kibana heat map, if you want your analysts to do that, just to look into stuff. And you can do it with Python for sure, because, yeah, what can Python not do, right?

PowerLessShell, the next tool. The tagline is, don't worry, we got LOLBAS here, because Mr.Un1k0d3r, I think he's in Montreal, local to Canada also. So yeah, what was in his mind when making this tool was just to use a lot of LOLBAS. There are two LOLBAS specifically being used here: msbuild.exe, that will be used to compile a payload that you send from the outside, from the attacker machine, to the target machine. So it relies on msbuild.exe for execution. So you will provide a script, either PowerShell or whatever, and then it will compile it for you. But the unique thing is they are not using the one that is already on the machine. So they bring the whole .exe from the outside.
And then rename it to something else. It can be something random, it can be a known process name, for example cmd.exe. And then from there, it will get the instruction from the script file, from the PowerShell script or whatever script you provide it. It will encode the command using a certain utility, another LOLBAS, and then they'll perform some kind of obfuscation to make it confusing for the analysts, for the Blue Team. So you can see here, the function and variable names are just like mumbo jumbo; you don't understand what it is. The last, not the last component, the component that is sitting on the upside, on the attacker machine, to generate all of that stuff, is PowerLessShell.py, which is a Python script that is pretty much the engine of the tool that will create everything. And then you can ship those three files to the victim machine.

For the detection, for the low-hanging fruits, we will have creation of the, remember that they will rename msbuild.exe. So you can check in the .NET Framework folder if there is any new .exe file being created. For example, if you see cmd.exe created in the .NET Framework folder, that will be so suspicious. You'll be using Sysmon Event ID 11 for that. PowerShell logging: well, it's because this tool is not really evading the PowerShell detection. It is still recording the output of the PowerShell script being deobfuscated. So after all the encoding, you can still see the final content of the code. You can detect the PowerShell payload, etc., using Event ID 4104 from the Microsoft-Windows-PowerShell log, if I'm not mistaken. Moving on, detecting the LOLBAS. The first component, 3a, is certutil. So because they encode the thing, the payload, they need to decode it on the victim machines. So they use certutil to decode the hex. So you can watch for any certutil doing the decodehex function, because it's actually really rare in production. You can use Sysmon Event ID 11 for that.
And then the next part of it, the second half, is msbuild.exe, the renamed one. So not really msbuild as the name, but from the description field, you know it's msbuild. Because the only way you can change the description field is to reverse engineer the whole application and then change the value, which is too much work for just evading this stuff, right? So msbuild.exe will be combined with random 5 to 25 upper- and lowercase characters. So you can watch for that combination, Sysmon Event ID 11 again. Process masquerading: this can pretty much cover not only these tools, but pretty much any masquerading, which is always suspicious. So the file msbuild.exe being renamed to smss.exe, or on the right side, you can see it's a random name; you can't even pronounce it. Again, Sysmon Event ID 11 for both. And then we have number five, the .NET DLL loading. So you see here in the image, it's smss.exe. We already know it's not smss, but you can see, why is smss.exe loading Microsoft.Build, or Microsoft.Build.Tasks .dll? So that's definitely suspicious, so you can build detection on this. Sysmon Event ID 11 again. And lastly, PowerShell DLL loading that is always visible via process access. So again, our, you know, like that .exe, smss.exe, can be seen making some access, trying to touch, poking System.Management.Automation.dll, which again is the PowerShell engine. Like, why would smss.exe be doing that? Are they trying to get some functionality out of it? Probably. So you can use Sysmon Event ID 10 to build that. You can combine all this information together.

Tool number four, NoPowerShell. The tagline is, can you C#? Because bitsadm1n created this tool, implemented in C#. And this is really popular these days. If you look at offensive researchers, they are starting to use more C#, C#, C#, because it's hard to detect C# operations, because it's not using PowerShell. It's not using the PowerShell DLL.
It just goes straight to the native .NET library. And this tool is actually trying to mimic PowerShell. So you get the same cmdlets. For example, you have things like Get-Process, Get-User, et cetera. There are two modes. You can run it by using rundll32, again similar to PowerShdll, or you can run it using Cobalt Strike. There are two components for Cobalt Strike: you get the .exe file, and then you get the .cna, the Cobalt Strike file. For the DLL, there are two options that you can do, depending on your target machine: you can use the 32-bit DLL or the 64-bit DLL. And then you'll need to load it using rundll32. But I suspect you can use the other DLL loaders. And it's exactly acting like PowerShdll's DLL mode.

We get four detections for this. Low-hanging fruits: again, because it's written in C# based on .NET, just look for the description and product, just in case the user forgot to change it. Because it is always true positive when this value shows up in your logs. This is not false negative. This is true positive. So for the Cobalt Strike mode detection, well, unfortunately our team doesn't have access to Cobalt Strike yet. If we can find some Cobalt Strike people after this talk, maybe we can build detection on it. Yeah. But thanks to Olaf Hartong, we get detection. He created detection on this particular mode by using Event ID 8 from Sysmon. So you will see there the event description of CreateRemoteThread. The process name will contain powershell.exe. But the unique thing here, you will see that the target process address will always end with 0B80, which is really unique. But there's more to the story if you read the blog. There was some interaction between him and the creator of the tool, and they made some changes, and then it's no longer the case. But still, if someone uses the older version of the tool, they can still detect this.
DLL mode: again, similar to PowerShdll, you need to watch the loaders. Whenever rundll32 is loading unsigned or no-signature-available DLLs, you create an alert on that. And then the next one is .NET version downgrading. So this actually happened by mistake. So I forgot that this tool requires a lower version of .NET. So I ran it in version 4 or 4.5, if I recall. And then it's just like, oh, I don't like this version, can you bring it down? And it actually can. So it tries to call fondue.exe, which is, I think, the upgrade/downgrade .exe on the Windows server, and then asks it to enable the feature NetFx3, which is version 4.2 slash 3.5. So you can watch for that in Sysmon Event ID 1, but the thing is, legitimate applications might do this, because who doesn't love doing backwards compatibility using old applications, right? So, yeah.

Other than that, we got some bonuses here. We got two tools that are pretty similar to PowerLessShell or NoPowerShell: PowerLine and SharpPick. So the first one will be PowerLine. It is MSBuild; it really reminds you of PowerLessShell, a lot of compilation stuff. And SharpPick, this is actually a tool that is used to demonstrate attacks, the blocking of PowerShell, and just to bypass AppLocker, because I don't think red teamers like AppLocker at all. Bonus detection ideas: Sysmon Event ID 10, process access. So any application that's accessing PowerShell but is not PowerShell, because you are not supposed to do that. Windows PowerShell Event ID 403. So this is logged from PowerShell, but when the context application is not PowerShell, isn't it questionable? So yeah, I think we should be watching for that also. And lastly, you can use ETW for .NET library tools. So you can analyze this information using Message Analyzer and logman. But I think there are also some tools out there. I think Splunk has like a converter for it. There is SilkETW. Roberto Rodriguez played with it a bit.
There's a series of blogs talking about analyzing more .NET logs. So I think it will be interesting for you to try. Well, that's pretty much the talk. It's pretty much, yeah, a compressed version, as I mentioned. So if you'd like to know more, you can always go to my previous presentation at Hackfest.

Just some messages for Red Team, Blue Team. So just do all of this stuff. Use PowerShell, update PowerShell, now for Blue Team, et cetera, et cetera. And lastly, of course, be nice to each other. If you're Purple Team, you can take both sides. Yeah, at the end of the day, right? We need to be nice to each other because we are in the same boat. At the end of the day, we just want to be Megazord and protect our security company, not security company, our organization. We work together and then, yeah, we just upgrade our security posture.

And all right, that's pretty much it. Don't forget to grab some Sigma rules on your way out, because I made a lot of Sigma rules just for this presentation in the past week. I actually never wrote Sigma rules before, but I definitely know what Sigma rules are now. So make sure you grab that. You can convert the Sigma rules to any other SIEM query: Splunk, Elastic, ArcSight, whatever you want. You can use either uncoder.io or sigmac, but I tested it on uncoder.io. So all the Sigma rules should be able to be converted to the other types if you use uncoder.io. But sigmac is also an option if you like to do CLI kind of things. So I'm so sorry that I didn't mention MITRE ATT&CK right from the start, because I'm a threat hunter. But yeah, I need to mention that all the rules, all 20 rules that I've made for the four tools, are mapped to the closest ATT&CK TTPs. And it is also using the newest version of the TTPs, which uses sub-techniques. So I tried my best to map it. So if it's not, it's not perfect. If you want to change it, for sure, you can do it. Yeah.
So this is the slide that you want to take a picture of, that you want to scan, that you want to send to your, I don't know, subordinates. So yeah, make sure you grab it. It's going to take you to my GitHub. It's not going to download anything funny. Promise. A special thanks to my employer, of course, for supporting me in doing this, understanding, taking me, taking some time to do the research. ScoobyMTL, you should have attended his workshop earlier today in the Blue Team Village, because it is great. And also my friend, I've made 13 of me, for inspiration, guidance and feedback. My coworkers at work, literally making me understand PowerShell from zero to hero, and also .NET. I don't really like .NET. The amazing Not PowerShell tool creators, for making us, the Blue Teamers, need to spin our heads around and do a lot of research. And lastly, not lastly, the infosec community, Olaf Hartong for the detection, and he will be speaking later tonight, so make sure you check that. The Sigma team, MITRE ATT&CK, of course, and SOC Prime uncoder.io, because it's a really useful tool. And last but not least, DEF CON and the Blue Team Village organizers, thank you so much for accepting my talk, for the volunteers, for the time, and all the attendees for the talk right now. Thank you so much. If you'd like to connect with me and my team, you can find me on Twitter, on GitHub, on LinkedIn if you'd like to be more professional, or you can check out a blog for my team, Threat Hunting Team on Medium and Hunting Threat on Twitter. We post stuff sometimes. And yeah, if you scan this barcode, it will take you to my GitHub page, where pretty much all my presentations are. So yeah, that's pretty much my presentation. Thank you so much.

Thank you very much, Tas, for the wonderful presentation. As always, we encourage you guys to join our Blue Team Village Discord server and ask questions and talk in the text channel for track one.
And yeah, if there are no questions, which I do not see at the moment, I think we are set. And the presenter will be around for a little bit to answer questions otherwise.
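Editor's note, appended after the transcript: the code below is an added example and is not part of the talk, the speaker's Sigma rules, or any of the tools discussed. It implements a handful of the Sysmon-based detections described above (the bare "powershell" launched from an .exe-plus-.bat parent, an InProcServer32 value pointing outside System32, certutil decoding hex, a process whose file description says MSBuild but whose file name does not, and the cardinality rule for a burst of PowerShell DLL loads by one process) and runs them over constructed Sysmon-style event records. Everything in it is an assumption of this example: the event dicts, the five-DLL stand-in for the talk's 57-DLL appendix list, the 60-second window and threshold of four, and the allow-list that suppresses the real PowerShell hosts, which load the same DLLs legitimately.

```python
"""Added example: a few of the talk's Sysmon rules over constructed events.

Not code from the talk or any of the tools. Field names follow Sysmon's
(Image, CommandLine, ParentCommandLine, TargetObject, Details, ImageLoaded,
ProcessGuid, UtcTime); the events, DLL list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a five-entry stand-in for the 57 PowerShell DLLs in the talk's appendix.
POWERSHELL_DLLS = {"system.management.automation.dll",
                   "microsoft.powershell.commands.utility.dll",
                   "microsoft.powershell.commands.management.dll",
                   "microsoft.powershell.consolehost.dll",
                   "microsoft.powershell.security.dll"}
LEGIT_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}  # assumed allow-list
DLL_CARDINALITY = 4                 # assumed: distinct DLLs per process in the window
DLL_WINDOW = timedelta(seconds=60)  # the talk suggests roughly 50-60 seconds

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _utc(ev):  # Sysmon UtcTime looks like "2020-08-08 12:00:00.123"
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def detect_invisishell_launch(ev):
    """Sysmon 1: bare 'powershell' whose parent command line names an .exe and a .bat."""
    if ev["EventID"] != 1:
        return False
    parent = ev.get("ParentCommandLine", "").lower()
    return (ev.get("CommandLine", "").strip().lower() == "powershell"
            and ".exe" in parent and ".bat" in parent)

def detect_inprocserver32_nonsystem(ev):
    """Sysmon 13: an InProcServer32 value set to a DLL that is not under System32."""
    if ev["EventID"] != 13:
        return False
    target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "").lower()
    return ("\\inprocserver32" in target and details.endswith(".dll")
            and "\\windows\\system32\\" not in details)

def detect_certutil_decodehex(ev):
    """Sysmon 1: certutil decoding a hex blob, which the talk calls rare in production."""
    if ev["EventID"] != 1:
        return False
    return (_basename(ev.get("Image", "")) == "certutil.exe"
            and "-decodehex" in ev.get("CommandLine", "").lower())

def detect_msbuild_masquerade(ev):
    """Sysmon 1: file description still says MSBuild but the on-disk name does not."""
    if ev["EventID"] != 1:
        return False
    return ("msbuild" in ev.get("Description", "").lower()
            and _basename(ev.get("Image", "")) != "msbuild.exe")

def detect_powershell_dll_burst(events):
    """Sysmon 7 cardinality: a non-PowerShell process loading >= DLL_CARDINALITY
    distinct PowerShell DLLs inside DLL_WINDOW. Returns (ProcessGuid, image, count)."""
    loads = defaultdict(list)
    for ev in events:
        if (ev["EventID"] == 7 and _basename(ev["ImageLoaded"]) in POWERSHELL_DLLS
                and _basename(ev["Image"]) not in LEGIT_PS_HOSTS):
            loads[ev["ProcessGuid"]].append(ev)
    hits = []
    for guid, evs in loads.items():
        evs.sort(key=_utc)
        for i, first in enumerate(evs):  # slide the window from each load
            window = [e for e in evs[i:] if _utc(e) - _utc(first) <= DLL_WINDOW]
            distinct = {_basename(e["ImageLoaded"]) for e in window}
            if len(distinct) >= DLL_CARDINALITY:
                hits.append((guid, _basename(first["Image"]), len(distinct)))
                break
    return hits

PER_EVENT_RULES = {"invisishell_launch": detect_invisishell_launch,
                   "inprocserver32_nonsystem": detect_inprocserver32_nonsystem,
                   "certutil_decodehex": detect_certutil_decodehex,
                   "msbuild_masquerade": detect_msbuild_masquerade}

def run_all(events):
    """Returns {rule: hits}; per-event rules report the indexes of matching events."""
    hits = {n: [i for i, ev in enumerate(events) if r(ev)] for n, r in PER_EVENT_RULES.items()}
    hits["powershell_dll_burst"] = detect_powershell_dll_burst(events)
    return hits

def _load(guid, image, dll, when):  # constructed Sysmon 7 record
    return {"EventID": 7, "UtcTime": when, "ProcessGuid": guid, "Image": image,
            "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\" + dll}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
NPP = "C:\\Program Files\\Notepad++\\notepad++.exe"
DLLS = sorted(POWERSHELL_DLLS)
# Constructed sample telemetry; the index comments say which rule each record exercises.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell",                          # 0 InvisiShell
     "ParentCommandLine": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\bob\\tools\\run.bat"},
    {"EventID": 1, "Image": PS, "ParentCommandLine": "C:\\Windows\\explorer.exe",     # 1 benign
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"EventID": 13, "Details": "C:\\Users\\bob\\tools\\Profiler.dll",                 # 2 non-System32 COM server
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes\\CLSID\\"
                     "{AAAAAAAA-0000-0000-0000-000000000001}\\InProcServer32\\(Default)"},
    {"EventID": 13, "Details": "C:\\Windows\\System32\\shell32.dll",                  # 3 benign
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\"
                     "{BBBBBBBB-0000-0000-0000-000000000002}\\InProcServer32\\(Default)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "Description": "CertUtil.exe",
     "CommandLine": "certutil -decodehex payload.txt payload.exe"},                   # 4 certutil decode
    {"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\smss.exe",
     "Description": "MSBuild.exe", "CommandLine": "smss.exe C:\\Users\\bob\\build.xml"},  # 5 renamed MSBuild
    {"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "Description": "MSBuild.exe", "CommandLine": "MSBuild.exe app.csproj"},          # 6 benign
]
# 7-11: rundll32 loading all five DLLs within 40 ms (the DLL-mode pattern)
SAMPLE_EVENTS += [_load("{A}", "C:\\Windows\\System32\\rundll32.exe", d, "2020-08-08 12:00:00.%03d" % (i * 10))
                  for i, d in enumerate(DLLS)]
# 12-16: the real powershell.exe loading the same DLLs; the allow-list suppresses it
SAMPLE_EVENTS += [_load("{B}", PS, d, "2020-08-08 12:00:01.%03d" % (i * 10)) for i, d in enumerate(DLLS)]
# 17-20: a third-party app touching two DLLs now and two more five minutes later: below threshold
SAMPLE_EVENTS += [_load("{C}", NPP, d, t) for d, t in zip(DLLS, ["2020-08-08 12:00:02.000",
                  "2020-08-08 12:00:02.100", "2020-08-08 12:05:02.000", "2020-08-08 12:05:02.100"])]

if __name__ == "__main__":
    for rule, found in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {found}")
```

Two of the choices are the caveats the talk itself raises: the cardinality rule only fires when several distinct DLLs land inside one window, so a third-party application that loads a couple of them over minutes (the Notepad++ case) stays quiet, and the legitimate PowerShell hosts are excluded because they load exactly these DLLs on every start. Both the allow-list and the window are tuning knobs for your own environment, not values from the talk.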