PowerShell Logging and Security

PowerShell Logging and Security

source: https://www.secjuice.com/enterprise-powershell-protection-logging/

This tutorial will help you to gather PowerShell logs from Windows endpoints in the name of security. PowerShell exploits can be found in malware droppers and exploit kits all over the internet. PowerSploitCobaltStrikeMetasploit and of course Empire to name a few. Taking the time to enable this protection is worth its weight in gold and should be considered by everyone with a windows domain small or large.

Introduction To PowerShell

PowerShell is a powerful scripting and administration language that comes baked into Windows. ‌‌The bad guys are increasingly using PoweShell because by default it leaves little trace when used. The language is often abused to load malware into memory instead of writing to disk, meaning less breadcrumbs and detection opportunities for the good guys. This attack methodology is know as  “Living Off The Land”

There are already some great guides out there (here and here) for PowerShell logging written by people better qualified than me but those guides seem to miss real world implementation scenarios and the issues that come with it. I hope to iron out some of those misses and give a more detailed set of instructions.

This  guide assumes you are in a Windows domain and have a SIEM already setup that can accept Windows logs.

What you will need:

  • Basic knowledge of Windows Group Policy
  • Basic knowledge of your SIEM
  • A workstation or server to act as the log collector

Step 1 — Group Policies

For this protection to work we need to enable some Group Policies:

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Powershell > Turn on Module Logging (Tells Windows to log Powershell activity to disk)

    Be sure to add a * in the Module Names section as shown below. The * (aka wildcard) tells Windows to log all PowerShell modules.

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Powershell > Turn on PowerShell Script Block Logging (Makes the above logs more verbose)
  • Computer Configuration > Policies > Administrative Templates > Windows Components/Windows Remote Management (WinRM)/WinRM Service (Allows remote collection of the above Powershell logs we just created)‌‌‌‌

    Be sure to add the IP address of your Log Collector to the WinRM Service GPO.‌‌
    This setting allows the collector server to connect to your machines and grab the PowerShell logs remotely.

Apply all of these group policies to a OU of your choosing for testing.

Step 2 — Log Collector

Some folks like to use their SIEM to collect logs directly from endpoints. I prefer to cache workstation logs with Windows Log Subscription mostly because it works better in my SIEM. If you don’t require a Windows Log Subscription, skip to step four.

  • On the server you have for log collection, open Event Manager and then click Subscriptions
  • Next we need to configure our log subscription. Click Create Subscription on the right side of the Event Viewer window:

‌‌Fill in subscription name and add a target for collection. I have added Domain Computers to my collection so logs are collected from all hosts. You can specify and regular group of computer accounts or groups of computer accounts.


Set the subscription to collect all PowerShell events:

‌‌
Have you completed these tasks?

-Enabled and applied TWO Powershell GPOs

-Enabled and applied WINRM Service GPO

-Created your Event Log Subscription and added Powershell to it

If you have passed the above checklist there should be some PowerShell logs cached on your collector.
Open Event Viewer and click Forwarded Events

‌‌

Now configure your SIEM to ingest the Forwarded Events log file‌‌:
“%SystemRoot%\System32\Winevt\Logs\ForwardedEvents.evtx”

Step 4 -What to alarm on

Now that your Powershell logs are being ingested we need to build some alarms to detect malicious activity. ‌
‌We should use our SIEM to compare the Powershell logs to a list of suspicious commands and alarm if there is a match.
For example strings like net.webclient and encodedcommand are great indicators of a PowerShell drive by download.

You can fin‌‌‌‌d a comprehensive list of malicious commands here.
Load these into your SIEM for matching and configure alarms accordingly.

I hope you found this guide helpful, if you do have any more questions or suggestions please reach out to me on Twitter using @Secprentice.

OpenStack / DevStack Install

OpenStack / DevStack Install

  • Install a version of supported linux distros with two NICs – http://devstack.org/
  • Prepare the OS

sudo passwd root
su
apt-get update; apt-get upgrade

apt-get purge network-manager

  • Configure Networking
Edit your networking to reflect what is below.

#nano /etc/network/interfaces
(beginning)
#Primary interface NAT interface
auto eth0
iface eth0 inet dhcp

#public interface – The API village
auto eth1
iface eth1 inet static
address 172.16.0.1
netmask 255.255.0.0
network 172.16.0.0
broadcast 172.16.255.255

  • Install Openstack using Devstack script

apt-get install git
git clone https://github.com/openstack-dev/devstack.git
cd devstack; ./stack.sh
  • Set Permission to the directory
sudo chown -R username:username devstack/

  • Run the installer

sudo ./devstack/stack.sh

  • Enter passwords for hashing
  • Access the UI

Horizon is now available at http://10.1.1.16/
Keystone is serving at http://10.1.1.16:5000/v2.0/
Examples on using novaclient command line is in exercise.sh
The default users are: admin and demo
The password: password
This is your host ip: 10.1.1.16
stack.sh completed in 345 seconds.

NB:
I got allot of errors and after looking at the errors closely it was due to low memory, give the test VM more RAM fixed the problem and the stack script completed.

  • Create Instance
  • Setup Compute Node
  • Setup Storage Node
  • Download some images from Rackspace
  • Setup Windows 2012 R2 Image

Research