BlackHat资料us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdfVIP

Investigating PowerShell Attacks Ryan Kazanciyan, Matt Hastings Black Hat USA 2014 PRE-CONFERENCE DRAFT July 1, 2014 TABLE OF CONTENTS Introduction and Prior Research 2 Assumptions 3 Testing Methodology 4 Findings and Sources of Evidence 4 Registry 4 Prefetch 5 Network Traffic 6 Memory 6 Event Logs 10 Persistent PowerShell 16 Acknowledgements 20 Appendix: PowerShell Version Table 21 © 2014 Mandiant, A FireEye Company. All rights reserved. Page 1 INTRODUCTION AND PRIOR RESEARCH Microsoft Windows PowerShell has finally hit the mainstream for system administrators, defenders, and attackers. Though nearly ten years old as of 2014, PowerShell has only recently become ubiquitous across both user endpoints and servers in most enterprise environments. Microsoft Windows 7 SP1 and Windows Server 2008 R2 were the first versions of the operating system to include PowerShell (version 2.0) installed by default. Since then, updated versions of PowerShell have been included in every subsequent release of Windows, through PowerShell 4.0 on Windows Server 1 2012 R2 and on Windows 8.1 . As is often the case, the increased availability of PowerShell has paralleled the development of research on ways attackers can take advantage of it. David Kennedy and Josh Kelley were among the 2 first to present on this topic at Black Hat 2010 , demonstrating code execution, password dumping, and creation of reverse shells via PowerShell. Chris Gates and Rob Fuller cited WinRM as a means of remote command execution during penetration tests at DerbyCon 20123 and in subsequent blog posts; this technique quickly gained traction among