Introduction
This particular incident was discovered a few weeks ago at my employer while we were doing some hunting. Below is a rundown of what was done and how the sample was analyzed. The most interesting part of this one was the use of fileless malware (well, almost fileless) to evade detection.
Initial Detections
Our team was looking at some new information being logged by our SCCM team. One of the new pieces being added was a historical listing of running processes. A quick peek into this data with one of our Red Team members showed some interesting results (Purple Teaming). Namely PowerShell running, including some rather LONG command line options.
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\TNjWerQKhf').YRRPM)));
In addition, the machine in question was seen contacting domains which had been reported to belong to Powershell Empire. This is getting interesting!
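To show what that process-history hunt looks like as code, here is an added example (mine, not part of the original post or anything our team ran) that scores PowerShell command lines against the indicators the one above exhibits: hidden window, execution policy bypass, iex, a base64 decode, and a payload read out of the registry. The records, indicator weights and threshold are constructed; the first command line is the one quoted above, the rest are benign filler.

```python
import re

# Constructed SCCM-style process history records: (host, user, command line).
# The first command line is the one observed in this incident; the others are
# constructed benign examples so the scoring has something to ignore.
SAMPLE_PROCESS_HISTORY = [
    ("WS-0142", r"corp\jdoe",
     r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile "
     r"-windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII"
     r".GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\TNjWerQKhf').YRRPM)))"),
    ("WS-0142", r"corp\jdoe",
     r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command Get-Service"),
    ("SRV-0007", r"corp\svc_sccm",
     r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass "
     r"-File C:\scripts\inventory.ps1"),
]

# (name, pattern, weight). Weights are a constructed starting point; tune them to your estate.
INDICATORS = [
    ("hidden_window",     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),            1),
    ("policy_bypass",     re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),  1),
    ("invoke_expression", re.compile(r"\biex\b|Invoke-Expression", re.I),             2),
    ("base64_decode",     re.compile(r"FromBase64String", re.I),                      2),
    # payload fetched from the registry: gp / Get-ItemProperty against an HKCU or HKLM path
    ("registry_sourced",  re.compile(r"(?:\bgp\b|Get-ItemProperty)[^;]*HK(?:CU|LM):", re.I), 3),
]
LONG_CMDLINE = 200  # characters; long one-liners are themselves a weak signal


def score_command_line(cmd):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    if len(cmd) > LONG_CMDLINE:
        hits.append("long_cmdline")
        score += 1
    return score, hits


def hunt(records, threshold=5):
    """Flag PowerShell launches whose indicator score reaches the threshold."""
    findings = []
    for host, user, cmd in records:
        if "powershell" not in cmd.lower():
            continue
        score, hits = score_command_line(cmd)
        if score >= threshold:
            findings.append({"host": host, "user": user, "score": score,
                             "indicators": hits, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESS_HISTORY):
        print(f"{f['host']} {f['user']} score={f['score']} {','.join(f['indicators'])}")
```

The registry-sourced indicator carries the most weight on purpose: a legitimate admin script rarely pulls its own body out of an HKCU value, whereas bypass and hidden-window flags show up in plenty of vendor installers, which is why those alone do not cross the threshold.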
Powershell Registry Decoded
The script shown above loads in a registry entry under the current user profile and decodes it from base64.
Decoded, it looks a LOT more interesting....
This script appears to contain ANOTHER embedded script. Geez guys can't you do it all in one script?!?! Oh well, what do we have here....
Trying to decode the base64 did not reveal anything readable... Seems the script is obfuscated somehow. Looking at the previous script, we can see where this happens....
Ok, so maybe let's run this in the Powershell_ISE and debug it. Putting a breakpoint after the inflatebin (ungzip) reveals the decoded script....
This looks very familiar. A quick google search pulled up PowerSploit. So this guy was trying to use PowerSploit eh? But there is more to the first script... Let's start looking down the lines....
Then there is an if-then-else statement. A quick check of the documentation shows that it is checking the size of a pointer. Ah, a check for 32- or 64-bit.
The script then loads in the appropriate base64 encoded DLL and runs it through our same deobfuscator.
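The registry script, the compressed PowerSploit stage, and the base64-encoded DLL are all the same two transforms stacked (base64, then gunzip where the bytes carry the gzip magic), so they can be peeled off in a loop instead of one breakpoint at a time in the ISE. The following is an added example of mine, not code from the post or from PowerSploit: it unwraps a nested chain and stops when it reaches an MZ header, which is where PE tooling takes over. The sample chain it builds is constructed to mirror the shape described above (script, gzipped script, DLL); the fake DLL is a stub, and the 40-character literal threshold and UTF-16 sniffing are my own assumptions.

```python
import base64
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# A quoted base64 run of 40+ chars inside a decoded script (constructed threshold).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def bytes_to_text(raw):
    """Decode script bytes; NULs early in the buffer mean UTF-16LE, as -EncodedCommand uses."""
    if b"\x00" in raw[:64]:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layer(blob):
    """Base64-decode one layer and gunzip it if the result carries the gzip magic."""
    raw = base64.b64decode(blob, validate=True)
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw


def classify(raw):
    """A layer is either a PE (MZ header, e.g. the embedded DLL) or more script text."""
    if raw.startswith(b"MZ"):
        return "pe", raw
    return "script", bytes_to_text(raw)


def unwrap_layers(blob, max_depth=8):
    """Peel nested base64/gzip layers; returns [(kind, payload), ...] outermost first."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            raw = decode_layer(current)
        except (ValueError, OSError, EOFError, zlib.error):
            break  # not base64, or not valid gzip: nothing more to peel
        kind, payload = classify(raw)
        layers.append((kind, payload))
        if kind == "pe":
            break  # a binary is the end of the chain; hand it to your PE tooling
        inner = B64_LITERAL.search(payload)
        if not inner:
            break
        current = inner.group(1).encode()
    return layers


def _wrap(data):
    """Constructed helper: gzip + base64, the same shape as the sample's compressed stages."""
    return base64.b64encode(gzip.compress(data)).decode()


def build_sample_registry_value():
    """Constructed three-stage chain shaped like the incident: script -> gzipped script -> DLL."""
    fake_dll = b"MZ" + b"\x90" * 62 + b"<constructed stub, not a real PE>"
    middle = ("if ([IntPtr]::Size -eq 8) { $arch = 'x64' } else { $arch = 'x86' }\n"
              "$dll = '" + _wrap(fake_dll) + "'\n")
    outer = ("$stage = [Convert]::FromBase64String('" + _wrap(middle.encode()) + "')\n"
             "# the real sample inflates $stage and passes it to iex here\n")
    return base64.b64encode(outer.encode())


if __name__ == "__main__":
    for depth, (kind, payload) in enumerate(unwrap_layers(build_sample_registry_value())):
        preview = payload[:60] if kind == "pe" else payload.splitlines()[0]
        print(f"layer {depth}: {kind}: {preview!r}")
```

Run it against the real value by replacing the constructed sample with the bytes of the `YRRPM` value exported from the registry; the loop never executes anything it decodes, which is the point of doing this outside the ISE.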
Lastly, this one confused me for a bit. It is obviously attempting to do a reflective injection. But when looking at the system, the network connections were just coming out of the powershell.exe. Why do this? Again, time to read the manual. Seems the default behaviour of PowerSploit is to inject into itself. This is to prevent writing to disk. Ah, ok. Still not that stealthy, but oh well. Never give too much credit, these people ARE writing malware after all... Last step is to set the code executing and we are off to the races.
Part 1 Ending
So far this has been exciting! Malware which uses PowerShell to launch, and attempts to remain undetected by not writing anything (well, ALMOST nothing) to disk. In the next section I will attempt to describe and deconstruct the actual malware (DLL). If you have any comments (constructive feedback only), please let me know. Fairly quick and dirty, but I wanted to get my thoughts written out.
Derek
@dsplice
Edit:
When investigating this incident, several connections were noticed to PowerShell Empire's website. So we named it internally as such. It is not an indicator that PowerShell Empire, or the developers were involved in any way. Just sounded like a cool name at the time! :)