More PowerShell Remoting Artifacts
In Part 1 of this series, we looked at PowerShell remoting artifacts under various Event IDs and ways to gather more information from those events and relate it to the investigation context. In this part, we will take a look at some other interesting artifacts like registry settings, prefetch files, networking artifacts, memory artifacts, etc.
Before we look at the registry settings related to PowerShell execution of scripts, let us take a look at the different types of possible execution policy settings that can be applied:
- Restricted: Default setting and this restricts any script to run. PowerShell can only be used in an interactive mode.
- AllSigned: With this setting only, only scripts by a trusted publisher can run
- RemoteSigned: Under this setting, downloaded scripts must be signed by trusted publisher before they can run
- Unrestricted: Any PowerShell script can run without any restrictions
Since PowerShell Execution Policy plays a big role in running remote scripts, it is worth to now the related registry key settings which are located at HKEY_LOCAL_MACHINESOFTWAREMicrosoftPowerShell1ShellIdsMicrosoft.PowerShell
However, attackers normally bypass the ExecutionPolicy setting on an ad-hoc basis, i.e., during remoting session only and do not usually change the registry key directly.
Also with the help of registry keys persistence can also be achieved with the use of famous locations like Run keys at HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun and with below value in the respective key.
Here for malicious script test.ps1, execution policy is bypassed and is non-interactive.
Prefetch files though built for improving performance (by shortening load times) are helpful during investigations as they contain very useful information like initial execution time, when it last ran, how many times it ran etc. For PowerShell also, prefetch file is created, but the respective script should be loaded in 10 seconds within PowerShell execution context. For example, below is an example of a PowerShell prefetch file which gets created using the command line.
From above screenshot, there is a lot of information that will be beneficial to build a context. Run counter will keep on increasing with subsequent commands.
Also, I have also noticed that a separate prefetch file for wsmprovhost.exe is also created for interactive sessions. Since PowerShell uses WinRM to invoke a command on the remote system, WinRM, in turn, launches a non-interactive process on the remote machine to execute the command.
PowerShell remoting uses port 5985(http) and 5986(https) and uses NTLMSSP auth mechanism. Below are some of the screenshots for the networking artifacts:
After searching the remote computer, above we can see that SYN-ACK completed over port 5985.
Below we can see that NTLMSSP challenge response packets sequence. Client from source system would be WinRM, and we could also see below information during negotiation
- PowerShell version. 5.0 in this case
- User making request.
Thus activities happening over 5985 and 5986 and then the negotiation can also provide great context during the investigation.
As described in the previous article, PowerShell remoting uses WinRM service, and upon receiving a command svchost.exe will launch a new process named wsmprovhost.exe. I have tried different ad-hoc PowerShell cmdlets and noticed that the wsmprovhost.exe process terminates after providing the output. Maybe it needs a session to stay alive, and indeed it is what it needs to stay alive(I entered command under a session, Enter-PSSession) and this new session executes within the Session of wsmprovhost.exe.
As explained earlier, we can see that wsmprovhost.exe is a child of svchost.exe Dumping the content so of this process, we can even see the commands executed and their output.
However as you might have guessed that the artifacts that can be recovered from wsmprovhost are good only till the session is active, so mostly this is not a good or reliable artifact from memory.
There is another good area to look for is WinRM service under svchost.exe which contains reliable data even after the session is terminated. WinRM will contain WSMAN soap messages which will include all the cmdlets and command executed during an interactive session. Some of the good strings to look out for in the WSMAN soap messages are:
Some common PowerShell Persistence mechanisms in use:
- Embed the malicious ps1 script under Run registry key and bypass security policy. This will achieve persistence for the malicious script.
- Loading malicious code into already existing binaries in the profiles (per user or system wide).
Malicious Scheduled ps1 tasks.
So, in this article, we have seen prefetch files, memory artifacts, network artifacts, registry facts about PowerShell remoting. Combining this part with Part 1 can form a good cheat-sheet for the analyst to look out for PowerShell Remoting based attacks.