Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/65405
Title: Responding to PowerShell attacks
Authors: Sciberras, Neil
Keywords: Windows PowerShell (Computer program language)
Systems software
Microsoft Windows (Computer file)
Operating systems (Computers)
Malware (Computer software)
Issue Date: 2019
Citation: Sciberras, N. (2019). Responding to PowerShell attacks (Bachelor's dissertation).
Abstract: PowerShell has become a ubiquitous tool, found in every Windows environment from personal computers to large corporate networks. It offers an interactive, object-oriented shell built on the .NET Framework, which sets it apart from purely text-based shells. It eases the administration of very large corporate networks by letting administrators issue commands on remote computers seamlessly. Complemented with Windows Management Instrumentation (WMI), PowerShell is an even greater asset: it gives access to practically every resource on a device and across the network. Being so well established, it is installed by default on all modern versions of Windows. As PowerShell gained popularity, fileless malware became a trend in modern cyber attacks. Unlike traditional malware, which requires a malicious program to be installed on the target machine before execution, fileless malware typically abuses tools that are already installed. Its payloads are loaded and executed directly in memory and never touch disk, so the only evidence lives, for a very short time, in memory. This project investigates WMI attacks carried out through PowerShell in an incident-response scenario. Because both PowerShell and WMI are trusted (effectively whitelisted) by conventional anti-malware tools and lend themselves to stealth, they have become an attacker's favourite. PS-Investigate, the memory-forensics solution designed in this work, is based on a study of the underlying Component Object Model (COM) objects produced by WMI activity. It provides an acquisition component that dumps a sample of PowerShell's memory containing the studied artifacts. The dump is narrowed by first locating the memory sections where those objects reside and then using two specific trigger points to invoke the dumping procedure, which also keeps the dump size as small as possible. The analysis stage then uses an observed pattern to extract the useful information. The results returned by PS-Investigate are comparable to those obtained from Event Tracing for Windows (ETW), while PS-Investigate relies on a smaller Trusted Computing Base (TCB), making it more secure and reliable. Although some overhead is introduced, its results provided a good level of information, even when compared with ETW.
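The abstract describes two things a responder needs to recognise: the WMI-through-PowerShell activity that leaves almost nothing on disk, and the ETW-backed logging that PS-Investigate is compared against. The script below is an added example written for this page; it is not code from the dissertation or from PS-Investigate. It (a) generates the kind of WMI process-creation call the work studies, using a harmless command line, (b) queries the two ETW-backed event logs a responder would use as the comparison baseline, and (c) lists permanent WMI event subscriptions, a common WMI persistence mechanism that is not mentioned in the abstract but belongs to the same attack surface. The time window, the regular expression of cmdlet names and the use of `notepad.exe` as a stand-in payload are assumptions; the event IDs and cmdlets are Windows' own.

```powershell
# Added example for this record page, not the dissertation's or PS-Investigate's code.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.

# --- (a) The activity under study: process creation over WMI -----------------
# Invoke-CimMethod on Win32_Process.Create is the PowerShell/WMI way to start a
# process; adding -ComputerName <host> runs the same call on a remote machine,
# which is how the "commands issued remotely" in the abstract are typically done.
# notepad.exe is an assumed, harmless stand-in for a fileless payload launcher.
$created = Invoke-CimMethod -ClassName Win32_Process -MethodName Create `
    -Arguments @{ CommandLine = 'notepad.exe' }
'Win32_Process.Create returned {0}, PID {1}' -f $created.ReturnValue, $created.ProcessId

# --- (b) What the ETW-backed logs recorded ----------------------------------
# Assumed look-back window for the triage queries.
$since = (Get-Date).AddHours(-1)

# Script block logging (Microsoft-Windows-PowerShell/Operational, event 4104) only
# exists if the ScriptBlockLogging policy is enabled; the query returns nothing
# otherwise. Properties[2] of a 4104 event holds the ScriptBlockText.
$wmiCmdlets = 'Get-WmiObject|Invoke-WmiMethod|Get-CimInstance|Invoke-CimMethod|' +
              'Register-WmiEvent|Register-CimIndicationEvent'
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $wmiCmdlets } |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# Microsoft-Windows-WMI-Activity/Operational is enabled by default. Event 5861 is
# written when a permanent event filter-to-consumer binding is registered, i.e.
# when WMI persistence is installed.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# --- (c) State that survives even when logging was off ----------------------
# Permanent subscriptions live in root/subscription. __EventConsumer is abstract,
# so the query returns the concrete consumers (CommandLineEventConsumer,
# ActiveScriptEventConsumer, ...); any of those with a script or command line
# that you cannot attribute to an admin tool deserves a closer look.
$ns = 'root/subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    Select-Object Name, @{ n = 'Type'; e = { $_.CimClass.CimClassName } }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

The log queries are exactly the evidence source the dissertation uses as its baseline: they depend on ETW and on the logging policy being in place before the attack, whereas the memory artifacts PS-Investigate targets exist whether or not logging was enabled. Part (c) is included because a responder who finds WMI activity in PowerShell memory will usually want to know whether a persistent subscription was left behind.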
Description: B.SC.(HONS)COMP.SCI.
URI: https://www.um.edu.mt/library/oar/handle/123456789/65405
Appears in Collections: Dissertations - FacICT - 2019
Dissertations - FacICTCS - 2019

Files in This Item:
File: 19BCS006 - Sciberras Neil.pdf
Description: Restricted Access
Size: 1.6 MB
Format: Adobe PDF


Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.