One of the techniques used by attackers to evade some endpoint-based detections is renaming the PowerShell binary before running the malicious command. For example, according to Black Hills Information Security, in 2017 they were able to bypass Cylance using this technique:
https://www.blackhillsinfosec.com/bypassing-cylance-part-4-metasploit-meterpreter-powershell-empire-agent/
In this blog post we are going to evaluate whether it is possible to bypass a Sysmon-based PowerShell detection search by renaming the PowerShell binary to something else before running the malicious PowerShell command.
Let's assume that, for whatever reason, we were not able to detect the attack at the delivery phase, and the attacker is able to rename the native PowerShell program and run the malicious command using the renamed copy, as shown in the following image.
When looking at Sysmon event ID 1, we see that the Description field is unchanged, despite the binary being renamed.
If the detection search is looking for "powershell" in the Image or CommandLine fields, the detection is going to be evaded. However, as previously shown, the Description is not altered when the file is renamed, therefore this field can be used to resist the renaming evasion technique, as demonstrated in the following image.
Even if PowerShell is renamed, it retains its Description "Windows PowerShell", which is tracked by Sysmon. If the search uses this field, it will not be evaded by the file renaming technique, and the attacker will need extra steps to bypass it.
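As an added illustration (not part of the original post), the following Python script runs the two searches described above over two constructed Sysmon Event ID 1 records: the Image/CommandLine search misses the renamed copy, while the Description search still catches it. The file paths, the renamed file name and the command lines are made up for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 records (not real telemetry). The first is a
# normal powershell.exe launch; the second models the evasion in the post: the
# same binary under another name, so Image/CommandLine no longer say "powershell".
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -Command Get-Process</Data>
    <Data Name="Description">Windows PowerShell</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\Public\renamed.exe</Data>
    <Data Name="CommandLine">renamed.exe -NoProfile -Command Get-Process</Data>
    <Data Name="Description">Windows PowerShell</Data>
  </EventData>
</Event>""",
]

def parse_event(xml_text):
    """Flatten one Sysmon event into a dict of EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def image_based_rule(ev):
    """The evadable search: 'powershell' anywhere in Image or CommandLine."""
    haystack = (ev.get("Image", "") + " " + ev.get("CommandLine", "")).lower()
    return ev["EventID"] == 1 and "powershell" in haystack

def description_based_rule(ev):
    """The rename-resistant search: match on the Description Sysmon records."""
    return ev["EventID"] == 1 and ev.get("Description", "").lower() == "windows powershell"

def evaluate(events_xml):
    """Return (Image, image_rule_hit, description_rule_hit) for each event."""
    evs = [parse_event(x) for x in events_xml]
    return [(e["Image"], image_based_rule(e), description_based_rule(e)) for e in evs]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

The Description value comes from the binary's version information, so the exact string to match should be confirmed against your own Sysmon telemetry rather than copied blindly.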
Defenders should have multiple detections for the various phases of the kill chain, to detect delivery, exploitation, command and control, and actions on objectives. Even if the attackers had been able to bypass an exploitation-based search, we should have detected them at the other stages, hopefully as early as possible. It is also necessary to complement endpoint-based detection with network visibility.