Share this page!

SophosLabs Profile picture
Twitter logo
Mar 30 19 tweets 5 min read
NEW: Reconstructing PowerShell scripts from multiple Windows event logs

On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.

1/19
Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
... this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike. 3/19
In a previous post, we explained various forensic artifacts left behind by PowerShell. With the release of PowerShell 5.0 back in 2015, Script Block Logging was enabled by default. 4/19
This feature records commands and entire scripts in event logs as they execute. If a script is very large, PowerShell breaks it into multiple parts before logging those under Event ID 4104, which will be the focus of this article. 5/19
The open-source community has a variety of effective tools to use when parsing or automatically hunting for suspicious events. In a recent post, we took a step-by-step look at decoding malicious PowerShell activity in a specific incident, using such tools. 6/19
However, the ability to extract or reconstruct (partially or in full) a very large PowerShell script from multiple event records is still lacking in most of the tools available. 7/19
When a large PowerShell script runs, it results in a number of fragmented artifacts deposited across multiple logs. Filtering for event ID 4104 returns a list of those artifacts. 8/19
The content of one of these artifacts, contained in the C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx event log, is shown in the lower portion of the Event Viewer screen in Figure 1. 9/19
The ScriptBlock ID for this fragment, 51baf005-40a5-4878-ab90-5ecc51cab9af, appears on the right in Figure 2. 10/19
To create a single PowerShell object containing all the artifacts found with this process, open PowerShell ISE, replace the location of the offline EVTX (in our example, Operational.evtx) and ScriptBlock ID (in our example, 51baf005-40a5-4878-ab90-5ecc51cab9af)... 11/19
...and execute the following to create a single PowerShell object as shown in the example below. 12/19
In Figure 3, only a portion of the script is recorded in the event logs, specifically segments 97 to 121. Due to scheduled log rotation, dozens of segments are no longer available. 13/19
However, even partial data may be helpful during an incident-response investigation, making this extraction technique useful even when the condition of the log data cannot be ascertained prior to the operation. 14/19
To attempt the Listing and Extraction process via a simple script available on GitHub, use the PowerShell script ExtractAllScripts.ps1 by giving it the -List parameter, as shown in Figure 4. (As a convenience, we link to and show the full script at the end of this post.) 15/19
To extract selected scripts, give the ExtractAllScripts.ps1 script the -ScriptBlockID [ID] parameter. An excerpt from the script shows what happens behind the scenes: 16/19
PowerShell’s popularity among attackers stems in part from its ubiquity and its ability to run malicious code in memory.

Defenders must therefore examine whatever script traces may be found in logs, even if such traces may be scattered across multiple locations. 17/19
Since log-rotation intervals and script sizes both vary, the ultimate output of the process detailed in this post may retrieve some, most, or all of the script in question. The technique itself, however, enables defenders to make the most of what is available. 18/19
See more in the full article from @vikas891...

news.sophos.com/en-us/2022/03/…

19/19

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with SophosLabs

SophosLabs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosLabs

SophosLabs Profile picture
Mar 29
NEW on #Log4Shell...

Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers

1/14
In the wake of December 2021 exposure of a remote code execution vulnerability (dubbed “Log4Shell”) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weakness—particularly among cryptocurrency mining bots. 2/14
The vulnerability affected hundreds of software products, making it difficult for some organizations to assess their exposure. 3/14
Read 14 tweets
SophosLabs Profile picture
Mar 3
NEW 🧵on Conti...

We published some news this week about Conti. In brief, a #Conti affiliate infiltrated the network of a healthcare provider that a different #ransomware threat actor had already penetrated.

The technical debt in healthcare is dangerous.

1/23
But Conti, in particular, attracts a particularly aggressive group of affiliates. And we have another, previously untold, Conti-adjacent story about one of their ransomware affiliates.

It serves as a cautionary tale that not all attackers are necessarily after a ransom. 2/23
This past January we were contacted by a customer in the Middle East to investigate a malware incident that began in mid-December, 2021. The target, in the financial services industry, discovered lateral movement and backdoors in their network the week before new year's day. 3/23
Read 23 tweets
SophosLabs Profile picture
Dec 22, 2021
NEW: Avos Locker remotely accesses boxes, even running in Safe Mode

Infections involving this relatively new ransomware-as-a-service spiked in November and December...

1/16
Over the past few weeks, an up-and-coming ransomware family that calls itself Avos Locker has been ramping up attacks while making significant effort to disable endpoint security products on the systems they target. 2/16
In a recent series of ransomware incidents involving this ransomware, Sophos Rapid Response discovered that attackers had booted their target computers into Safe Mode to execute the ransomware, similar to now-defunct Snatch, REvil, and BlackMatter ransomware families. 3/16
Read 16 tweets
SophosLabs Profile picture
Dec 21, 2021
NEW: Attackers test “CAB-less 40444” exploit in a dry run

An updated exploit takes a circuitous route to trigger a Word document into delivering an infection without using macros...

1/11
In September, Microsoft published mitigation steps and released a patch to a serious bug (CVE-2021-40444) in the Office suite of products. Criminals began exploiting the Microsoft MSHTML Remote Code Execution Vulnerability at least a week before September’s Patch Tuesday... 2/11
...but the early mitigations (which involved disabling the installation of ActiveX controls), and the patch (released a week later), were mostly successful at stopping the exploits that criminals had been attempting to leverage to install malware. 3/11
Read 11 tweets
SophosLabs Profile picture
Dec 21, 2021
NEW on #Log4Shell

Logjam: #Log4j exploit attempts continue in globally distributed scans, attacks

China and Russia, Kinsing miner botnet dominate sources of exploit attempts...

1/16
Since the first vulnerability in the Apache Foundation’s Log4j logging tool was revealed on December 10, three sets of fixes to the Java library have been released as additional vulnerabilities were uncovered. 2/16
This rapid iteration of fixes has left software developers and organizations worldwide scrambling to assess and mitigate their exposure with nearly daily-changing guidance.

In the meantime, we’ve seen attempts to detect or exploit the vulnerability continue non-stop. 3/16
Read 16 tweets
SophosLabs Profile picture
Dec 17, 2021
NEW on #Log4Shell...

Inside the code: How the Log4Shell exploit works

1/21
The critical vulnerability in Apache’s #Log4j Java-based logging utility (CVE-2021-44248) has been called the “most critical vulnerability of the last decade.”

The flaw has forced developers of many software products to push out updates or mitigations to customers. 2/21
And Log4j’s maintainers have published two new versions since the bug was discovered—the second completely eliminating the feature that made the exploit possible in the first place. 3/21
Read 21 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @SophosLabs has new unrolls!

Check out other threads from @SophosLabs!

Read all threads by @SophosLabs

:(