Detecting remote powershell

James_Lay · February 14, 2018, 1:03pm

Hey All,

Topic really…has anyone put some work/sigs into detecting remote powershell? Figured I’d start here first…thank you.

James

James_Dickenson · February 16, 2018, 6:32pm

I don’t believe I’ve seen any work in this regard for Bro, it would be great if someone invested the time to build something. I do know that there is the Attack Detection team that have been submitting a lot of powershell,empire,etc based rules to the ET ruleset for Snort/Suricata.

-James D.

James_Lay · March 9, 2018, 8:54pm

So at the end of the day, unencrypted remote powershell goes over tcp port 5985, WinRMI style:

POST /wsman?PSVersion=5.1.14393.1944 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/soap+xml;charset=UTF-8
Authorization: Kerberos
User-Agent: Microsoft WinRM Client
Content-Length: 0
Host: bleh:5985

HTTP/1.1 401
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
Connection: close
Content-Length: 0

So any chance we can get 5985 added to the list of “http” ports to parse, thank you.

James

Patrick_Kelley · March 9, 2018, 9:27pm

I’d like to see this as well. Though most of the data we observe is encrypted, previously I’ve created events or pushing to a new log where observed.

Such as…

Neslog · March 9, 2018, 9:28pm

We have had good success combining ja 3 TLS fingerprinting with server certificate information to identify anomalous traffic.

Seth_Hall2 · March 15, 2018, 3:41pm

No need. Bro should automatically detect HTTP and add the analyzer. If it isn't working correctly then I think we can view that as a bug.

.Seth

James_Lay · March 16, 2018, 4:52pm

Ah...ok well there it is...I'll get a bug report going as I see the connection in conn.log, but nothing in http.log...thanks Seth!

James

James_Lay · March 16, 2018, 5:46pm

And disregard Totally seeing this:

2018-02-16T11:19:09-0700 CUve5yhDRpb6vE7u3 x.x.x.x 58754 x.x.x.x 5985 tcp http 109.998204 407 616 SF T T 0 ShADadFf 7 699 4 788 (empty) - -mac mac

2018-02-16T11:19:09-0700 FMF4K53EV8nQTRfKuh x.x.x.x x.x.x.x CUve5yhDRpb6vE7u3 HTTP 0 SHA1,MD5 text/plain - 0.000000 T T 198 198 0 0 F - d34f7af5e7fd60da9b7eee0fa1f7a569 87c8ce87b9efa3f2e02f9327adc38e0fe25fcc49 - - -

Seth_Hall2 · March 16, 2018, 7:46pm

Whew. Everytime I see stuff like that I start getting nervous.

.Seth

anthony_kasza1 · March 16, 2018, 11:03pm

If you do some baselining in your environment, JA3 can be very successful at detecting Powershell.

-AK

James_Lay · March 16, 2018, 11:05pm

Thanks Anthony…as luck would have it I’d already installed it on all my sensors so I’ll dig a little deeper into leveraging JA3 on the detection side…thanks again.

James

Topic		Replies	Views
RMCP+ / IPMI Zeek	1	44	May 6, 2022
Bro behind a TLS reverse proxy Zeek	1	79	May 6, 2022
Bro behind a TLS reverse proxy Zeek	2	67	May 6, 2022
Quick smtp-url-extraction question Zeek	13	90	May 6, 2022
Bluegate DOS/RCE Zeek	1	95	May 6, 2022

Detecting remote powershell

Related Topics