miércoles, 2 de octubre de 2019

File renaming technique vs Sysmon Powershell detection

One of the techniques used by attackers to evade some endpoint-based detections is renaming
Powershell binary before running the malicious  command. For example, according to Black Hills Information Security, on 2017 they were able to bypass Cylance using this technique 

In this blog post we are going to evaluate if it is possible to bypass a Sysmon based Powershell detection search by renaming Powershell binary to something else before running the malicious Powershell command.  

Let’s assume that for whatever reason we were not able to detect the attack on the delivery phase and the attacker is able to rename the native Powershell program and run the malicious command using the renamed copy,  as shown in the following image.

When looking at Sysmon event id 1, we see that the Description is unchanged, despite being renamed.

If the detection search is looking for “powershell” in the Image or CommandLine and the hunter is looking for “powershell”, the detection is going to be evaded. However, as previously shown the description is not altered when the file is renamed, therefore this field can be used to resist the “renaming evasion technique”, as demonstrated in the following image.

Even if PowerShell is renamed, it retains its Description “Windows PowerShell”, which is tracked by Sysmon.  If the search is using this field, it will not be evaded by the file renaming technique. It will require extra steps from the attacker to bypass this search.

Defenders should have multiple detections for the various phases of the kill chain, to detect delivery, exploitation, command and control and actions on objectives. Even if the attackers would had been able to bypass an exploitation-based search, we should had detected them on the other stages, hopefully as early as possible.  Also it is necessary to complement endpoint based detection with network visibility.