5.1 Introduction
5.2 PowerShell Hunting Tools
5.3 Windows Advanced Threat Protection
5.4 Windows Advanced Threat Analytics
5.5 PowerShell Defenses
Threat Hunting - © Caendra Inc 2017 - All Rights Reserved
In this module we’ll look at some tools, built with PowerShell, that
are designed to gather and scan data at a large scale for incident
response and threat hunting purposes.
PowerShell is the future and is not going anywhere any time soon.
If you don’t know PowerShell, now is the time to learn it and
embrace it.
We will also look at some new tools created by Microsoft that
can help us hunt for and catch malicious actions and/or attacks
against machines in our environment.
Lastly, we will look at some additional techniques for
minimizing and defending against the misuse of PowerShell in our
environments, beyond just hunting for malicious actions.
Kansa
Kansa is a PowerShell incident response framework.
This framework can be used in the enterprise to collect data
for use during an incident response, breach hunts, or for
building an environment baseline.
You can download Kansa from GitHub, here.
Kansa
The primary use of Kansa is to collect data from many hosts.
It takes advantage of Windows Remote Management and
PowerShell’s ability to run jobs across multiple machines in
parallel.
Kansa
Kansa was designed to be modular. It features a core script,
collector modules and analysis scripts. These analysis scripts
can perform frequency analysis of specific fields in a given
data set.
To enable these capabilities Kansa requires LogParser, a tool
we already discussed while hunting for web shells.
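The mechanism the previous slides describe, fanning a collector out over WinRM with PowerShell jobs and then doing frequency analysis on the results, as an added example. This is not Kansa's own code (Kansa's modules and analysis scripts live in its GitHub repository); it assumes a hosts.txt file with one hostname per line, WinRM enabled on the targets, and an account with admin rights on them. The Run-key locations are standard Windows paths; the output folder and throttle value are arbitrary choices.

```powershell
# Added example, not Kansa's own code: fan a collector out to many hosts over
# WinRM with PowerShell jobs (the mechanism Kansa builds on), then run a
# Kansa-style frequency analysis over what came back.
# Assumptions: hosts.txt lists one hostname per line, WinRM is enabled, and the
# account running this is a local admin on the targets.
param(
    [string[]]$ComputerName = (Get-Content -Path '.\hosts.txt'),
    [string]$OutputRoot = '.\Collection',
    [int]$ThrottleLimit = 32
)

$collector = {
    # Runs on each remote host. Return objects (not text) so they serialize cleanly.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... noise
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = [string]$prop.Value }
        }
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Collected = (Get-Date).ToUniversalTime().ToString('o')
        Processes = $procs
        Autoruns  = $autoruns
    }
}

New-Item -ItemType Directory -Path $OutputRoot -Force | Out-Null

# -AsJob starts one child job per host and returns immediately; -ThrottleLimit caps
# how many run at once. An unreachable host fails on its own, not the whole run.
$job = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collector `
        -ThrottleLimit $ThrottleLimit -AsJob -ErrorAction SilentlyContinue
$results = Receive-Job -Job $job -Wait -AutoRemoveJob

# One CSV per host and data type, so later analysis can be re-run offline.
foreach ($r in $results) {
    $r.Processes | Export-Csv -NoTypeInformation -Path (Join-Path $OutputRoot "$($r.Host)-Processes.csv")
    $r.Autoruns  | Export-Csv -NoTypeInformation -Path (Join-Path $OutputRoot "$($r.Host)-Autoruns.csv")
}

# Frequency analysis in the spirit of Kansa's analysis scripts: an autorun value
# present on only one or two hosts is the outlier a hunter should look at first.
Get-ChildItem -Path $OutputRoot -Filter '*-Autoruns.csv' |
    Import-Csv |
    Group-Object -Property Value |
    Sort-Object -Property Count |
    Select-Object Count, @{ Name = 'Value'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

The same least-frequent-first grouping works on the process CSVs (group on ExecutablePath or CommandLine); the point of collecting from many hosts at once is that rarity across the fleet becomes a usable signal.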
Kansa
https://trustedsignal.blogspot.com/search/label/Kansa
Kansa
It's suggested that you download Kansa and get familiar with
this tool.
You can read more about the functionality of Kansa here and
here.
PSHunt
PSHunt is a PowerShell threat hunting module designed to scan
remote endpoints* for indicators of compromise, or to survey them
for more comprehensive information related to the state of those
systems (active processes, autostarts, configurations, and/or logs).
PSHunt
PSHunt is divided into several modules, functions, and folders.
Below are the modules of PSHunt:
• Scanners
• Survey
• Discovery
• Utilities
• Analysis
PSHunt
You can download PSHunt from GitHub here.
You can also view a presentation on PSHunt from BSidesLV
2016 here.
NOAH
NOAH ("No Agent Hunting") is an agentless, open source incident
response framework based on PowerShell. It helps security
investigators gather a vast number of key artifacts without
installing any agent on the endpoints, saving precious time.
NOAH
NOAH was revealed at Black Hat USA 2017 at a presentation
called “NOAH: UNCOVER THE EVIL WITHIN! RESPOND
IMMEDIATELY BY COLLECTING ALL THE ARTIFACTS
AGENTLESSLY”.
You can download the tool from GitHub, here.
You should become familiar with some, if not all, of these
tools as a threat hunter in the enterprise.
You want to hunt efficiently at scale, and PowerShell is
definitely the tool to aid us with hunting.
Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP)
provides preventative protection, detects attacks and zero-day
exploits, and gives you centralized management for your
end-to-end security lifecycle.
You can review more information about the product here.
Advanced Threat Protection
Windows Defender ATP is agentless and built into the
operating system.
ATP can adapt to changing threats, deploy new defenses, and
orchestrate remediation.
Advanced Threat Protection
ATP uses the following to protect you from advanced threats:
• Windows Defender System Guard
• Windows Defender Application Guard
• Windows Defender Exploit Guard
• Windows Defender Antivirus
• Windows Defender Application Control
Advanced Threat Protection
Microsoft is also showcasing that this tool is great for threat
hunting: “Instantaneously search and explore 6 months of
historical data across your endpoints.”
Advanced Threat Protection
To obtain a trial copy of Windows Defender ATP you must agree to
the Trial Online Service Terms and register for the product.
If you're approved, you will be given a 90-day trial to test-drive
ATP.
Visit this link here to begin the process.
Advanced Threat Protection
[screenshot: ATP Dashboard]
Advanced Threat Protection
In the previous screenshot, ATP successfully detected
Mimikatz simply being dropped onto the machine, without
being executed.
When we click on the alert we’re presented with another
window which provides more information.
Advanced Threat Protection
[screenshot]
Advanced Threat Protection
From the previous screenshot we see that it gives us a severity
level; in this case it's low.
It tells us the type of malware this would fall under; in this case it
would be credential stealing.
We also see the machine that was affected along with date and
timestamps.
Advanced Threat Protection
[screenshot]
Advanced Threat Protection
The alert also gives us a brief description of the malware,
recommended actions, an alert process tree, and an incident
graph.
From the incident graph we can see what was dropped onto
the machine. In this case, it was a zip file containing Mimikatz and a
PowerShell-based Mimikatz script.
Advanced Threat Protection
Now, let's look at one of the high alerts on the dashboard,
which also seems to relate to Mimikatz.
Advanced Threat Protection
[screenshots (2 slides)]
Advanced Threat Protection
This alerts us that this file was created or copied/pasted into
Notepad and called Invoke-Mimikatz.ps1.
Advanced Threat Protection
The PS1 file is called Invoke-Mimikatz.ps1, and then it was
renamed to Invoke-MMK.ps1.
Advanced Threat Protection
ATP gives us the file location as well as its hash.
Advanced Threat Protection
As part of the demo, Microsoft provides a benign Microsoft Word
document that will simulate an attack on your test machine.
We will get an idea as to what this simulated attack does
and how ATP detected the 'attack'.
Advanced Threat Protection
[screenshots (6 slides)]
Advanced Threat Protection
The previous screenshots gave us a bit of information as to what
took place on the machine.
Basically, Microsoft Word launched PowerShell, and PowerShell
created a file that appears to be a JPG file.
Let's look at a few more alerts to see what ATP detected regarding
this JPG file.
Advanced Threat Protection
[screenshot]
Advanced Threat Protection
Under Description we see a snippet of the PowerShell which was executed from the
Word document.
Advanced Threat Protection
[screenshot]
Advanced Threat Protection
Here we see RuntimeBroker.exe making an outbound connection on port 80.
Advanced Threat Protection
[screenshots (6 slides)]
Advanced Threat Protection
When we click on the JPG file, we’re presented with another
window showing various information specific to the analysis
of the file.
Advanced Threat Protection
We see that ATP gives us the file's hashes. It also submits the file to VirusTotal for analysis.
ATP tells us how many other endpoints globally have reported as infected with this file.
Advanced Threat Protection
Here we see what malicious actions the file took while on the
machine. What quickly stands out is that this file communicated
outbound to an external IP address, which we already saw in
another alert.
Advanced Threat Protection
[screenshots (2 slides)]
Advanced Threat Protection
Windows Advanced Threat Protection is definitely a tool you
should test out.
Navigating through the tool is pretty straightforward.
The information is plain and useful.
Advanced Threat Analytics
Another tool by Microsoft that is making waves is called Microsoft
Advanced Threat Analytics (ATA).
As described from its website: Reduce your risk of costly damage and get
all the information you need in a succinct, real-time view of the attack
timeline with Advanced Threat Analytics. All the intelligence to learn,
analyze, and identify normal and suspicious user or device behavior is
built-in.
Advanced Threat Analytics
ATA boasts that there is no need to create rules, fine-tune, or
monitor a flood of security reports.
It can claim this because ATA is self-learning and provides
advanced, ready-to-analyze intelligence.
Advanced Threat Analytics
“ATA works by combining analysis of network
traffic, events, and pulling contextual data
about the entities from the directory, such as
group memberships, titles, and manager
information. Once ATA is deployed it begins
monitoring the activity of all the entities in the
organization, learning the normal behavior of
entities, and detecting abnormal behavior and
known techniques used by advanced attackers
and insiders.”
Advanced Threat Analytics
It's also worth noting that ATA can integrate with your existing
SIEM and will automatically receive updates, including new
behavioral detections.
Advanced Threat Analytics
Unlike Windows Defender ATP, you don’t have to go through
an approval process to test out ATA.
You can read more information about ATA, here, or even try
it out, here.
In the previous module we discussed PowerShell logging and
what Event IDs to look for when hunting for PowerShell usage
in the environment.
In the upcoming slides we're going to:
• Look at some techniques to defend PowerShell in the
enterprise.
System-Wide Transcript File
If the environment has "system-wide transcript file" enabled,
a network share will exist to which everything typed in
PowerShell (the transcript file) is sent.
System-Wide Transcript File
This means that the environment’s Blue Team will have an
over-the-shoulder transcript of everything that was typed, for
every computer/user.
Following this slide, you can see a system-wide transcript file
in action.
System-Wide Transcript File
[screenshot]
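How the system-wide transcript described above is switched on and then used by the Blue Team, as an added example that is not part of the course material. It writes the same registry values under HKLM\SOFTWARE\Policies that the "Turn on PowerShell Transcription" Group Policy setting writes (in production you would set this via GPO rather than per host). The share path \\logserver\PSTranscripts$ and the search patterns are assumptions; the share should be writable but not readable by workstations so that users cannot tamper with their own transcripts.

```powershell
# Added example, not from the course: enable system-wide PowerShell transcription
# through the policy registry values the "Turn on PowerShell Transcription" GPO
# setting writes, verify the setting, and sweep the central share for commands
# of interest. Share path and patterns are assumptions.
$TranscriptShare = '\\logserver\PSTranscripts$'   # assumed central, append-only share
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Enable-PSTranscription {
    param([Parameter(Mandatory)][string]$OutputDirectory)
    New-Item -Path $policyKey -Force | Out-Null
    # EnableTranscripting=1 turns transcription on for every host/session;
    # EnableInvocationHeader=1 timestamps each command in the transcript.
    Set-ItemProperty -Path $policyKey -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name OutputDirectory -Value $OutputDirectory -Type String
}

function Get-PSTranscriptionState {
    if (-not (Test-Path -Path $policyKey)) {
        return [pscustomobject]@{ Enabled = $false; InvocationHeader = $false; OutputDirectory = $null }
    }
    $p = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        Enabled          = ($p.EnableTranscripting -eq 1)
        InvocationHeader = ($p.EnableInvocationHeader -eq 1)
        OutputDirectory  = $p.OutputDirectory
    }
}

function Search-PSTranscripts {
    # Transcripts land in a yyyyMMdd subfolder of the share as
    # PowerShell_transcript.<host>.<id>.<timestamp>.txt. Patterns below are common
    # hunting keywords; Invoke-Mimikatz is the script name seen in the ATP alerts.
    param(
        [string]$Share = $TranscriptShare,
        [string]$Pattern = 'DownloadString|FromBase64String|-EncodedCommand|Invoke-Mimikatz'
    )
    Get-ChildItem -Path $Share -Recurse -Filter 'PowerShell_transcript*.txt' |
        Select-String -Pattern $Pattern |
        Select-Object Path, LineNumber, Line
}

Enable-PSTranscription -OutputDirectory $TranscriptShare   # needs an elevated prompt
Get-PSTranscriptionState
Search-PSTranscripts | Format-Table -AutoSize
```

Transcripts record what was typed and what the console printed, so an encoded or downloaded payload still appears as the command that launched it; the sweep above is a starting point for hunting, not a replacement for the Script Block Logging event IDs covered in the previous module.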
Constrained Language Mode
Constrained language mode limits the capability of
PowerShell to base functionality.
.NET or COM access and Win32 API calls through PowerShell
are not possible when constrained language mode is
enforced.
Constrained Language Mode
If an environment has PowerShell version 5 and AppLocker in
allow mode, PowerShell locks down to constrained language
mode automatically.
The same will happen if Device Guard with UMCI is deployed.
Following this slide, you can see constrained language mode
in action.
Constrained Language Mode
[screenshot]
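An added example, not from the course, that does two things the slides above describe: audits which language mode PowerShell runs in across a fleet (together with the effective AppLocker Script enforcement that triggers it on PowerShell 5), and demonstrates constrained language mode locally without deploying AppLocker, using the __PSLockdownPolicy environment variable that Microsoft documents as a test-only hook. The hosts.txt list is an assumption; the remote audit needs WinRM and admin rights on the targets.

```powershell
# Added example, not from the course: report language mode per host and
# demonstrate what ConstrainedLanguage blocks. Host list is an assumption.
function Get-PSLanguageModeReport {
    param([string[]]$ComputerName = (Get-Content -Path '.\hosts.txt'))  # assumed host list

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Probe: instantiating an arbitrary .NET type is refused under ConstrainedLanguage.
        $dotNetBlocked = $true
        try { $null = New-Object -TypeName System.Net.WebClient; $dotNetBlocked = $false } catch { }

        # Effective AppLocker policy for the Script rule collection (requires the AppLocker module).
        $scriptEnforcement = 'NotConfigured'
        try {
            $scriptRules = (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
                Where-Object { $_.RuleCollectionType -eq 'Script' }
            if ($scriptRules) { $scriptEnforcement = $scriptRules.EnforcementMode.ToString() }
        } catch { }

        [pscustomobject]@{
            Host              = $env:COMPUTERNAME
            PSVersion         = $PSVersionTable.PSVersion.ToString()
            LanguageMode      = $ExecutionContext.SessionState.LanguageMode.ToString()
            DotNetBlocked     = $dotNetBlocked
            ScriptEnforcement = $scriptEnforcement
        }
    } | Sort-Object LanguageMode, Host
}

function Test-ConstrainedLanguageLocally {
    # __PSLockdownPolicy=4 is Microsoft's documented test-only hook: a new PowerShell
    # process started with it in its environment comes up in ConstrainedLanguage mode.
    # Do not use it as a production control; AppLocker or Device Guard/UMCI enforce CLM.
    $env:__PSLockdownPolicy = '4'
    try {
        & powershell.exe -NoProfile -Command {
            "LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
            try   { New-Object -TypeName System.Net.WebClient | Out-Null; 'New-Object succeeded' }
            catch { "Blocked: $($_.Exception.Message)" }
        }
    } finally {
        Remove-Item -Path Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue
    }
}

Test-ConstrainedLanguageLocally
Get-PSLanguageModeReport | Format-Table -AutoSize
```

A host that reports FullLanguage with ScriptEnforcement of NotConfigured or AuditOnly is one where the lockdown the slides describe is not actually in effect, which is the gap a hunter would want to close; a FullLanguage host under an Enabled policy is worth a closer look at which PowerShell build or host process it is running.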
Anti-Malware Scan Interface
In Windows 10, it gets even more interesting due to the
introduction of the AMSI (Anti-Malware Scan Interface).
Anti-Malware Scan Interface
On AMSI-powered systems, any PowerShell or VBScript code is
picked up by AMSI before it is executed by the PowerShell engine.
AMSI, in turn, sends it over to the anti-malware solution.
The anti-malware solution will give a thumbs up or a thumbs down
based on its signature database.
Anti-Malware Scan Interface
If it's a thumbs down, PowerShell will not execute that code,
whether it is downloaded from the internet and run in memory or
run from a script.
The vendors that support AMSI are Microsoft, ESET, and AVG.
Following this slide, you can see AMSI in action.
Anti-Malware Scan Interface
[screenshot]
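A way to confirm that the thumbs-up/thumbs-down path described above is actually working on a host, as an added example that is not part of the course. It checks that amsi.dll is loaded into the PowerShell process (PowerShell 5 and later), reports the Windows Defender status fields that matter for AMSI where the Defender module is present, and then exercises the path with Microsoft's documented AMSI test string, which is a harmless marker that every AMSI provider is expected to flag, much like the EICAR file for file scanners. The marker is passed in as a parameter rather than embedded, so that this script file is not itself quarantined when it is loaded.

```powershell
# Added example, not from the course: verify AMSI is wired into this PowerShell
# session and that the registered anti-malware provider actually blocks content.
function Test-AmsiLoaded {
    # Every AMSI-aware script host loads amsi.dll; if it is absent nothing is scanned.
    $amsi = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }

    # Defender status fields that matter for AMSI (absent on hosts without the Defender module).
    $defender = $null
    try {
        $defender = Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
    } catch { }

    [pscustomobject]@{
        PSVersion            = $PSVersionTable.PSVersion.ToString()
        AmsiLoaded           = [bool]$amsi
        AmsiPath             = if ($amsi) { $amsi.FileName } else { $null }
        AMServiceEnabled     = if ($defender) { $defender.AMServiceEnabled } else { 'n/a' }
        RealTimeProtection   = if ($defender) { $defender.RealTimeProtectionEnabled } else { 'n/a' }
        SignaturesUpdated    = if ($defender) { $defender.AntivirusSignatureLastUpdated } else { 'n/a' }
    }
}

function Test-AmsiDetection {
    # $Marker is Microsoft's documented AMSI test string (see usage note). It is not
    # embedded here so that loading this file does not itself trigger a detection.
    # Invoke-Expression hands the text to the engine, which submits it to AMSI before
    # running it; on a healthy host the provider returns a thumbs down and the engine
    # throws "This script contains malicious content and has been blocked ...".
    param([Parameter(Mandatory)][string]$Marker)
    try {
        Invoke-Expression -Command "Write-Output '$Marker'" | Out-Null
        [pscustomobject]@{ AmsiBlocked = $false; Detail = 'marker ran unblocked: AMSI inactive or no provider registered' }
    } catch {
        [pscustomobject]@{ AmsiBlocked = $true; Detail = $_.Exception.Message }
    }
}

Test-AmsiLoaded | Format-List
# Usage: Test-AmsiDetection -Marker '<Microsoft AMSI test string>'
```

To run the detection check, call `Test-AmsiDetection` with the string from Microsoft's AMSI documentation, `AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386`, as the marker. AmsiLoaded being true but AmsiBlocked being false is the combination to investigate: the interface is present but the provider is not scanning (disabled real-time protection, a provider that does not register with AMSI, or tampering with the session), which is exactly the condition the slides say should never let malicious PowerShell run.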
This concludes this module on Hunting with/for PowerShell.
We have covered:
✓ Various PowerShell tools to aid us in hunting in the enterprise.
✓ Windows Defender Advanced Threat Protection.
✓ Windows Advanced Threat Analytics.
✓ Additional techniques to defend against the malicious use of PowerShell.
References
Kansa
Kansa 2
Kansa 3
PSHunt
PSHunt 2
NOAH at BH2017
NOAH 2
Windows ATP
Windows ATP 2
Windows ATA
App Locker
Device Guard with UMCI