Fax Electronically Signed Termination with airSlate SignNow

Fax electronically signed termination

today I'm going to show you how you can terminate potentially malicious PowerShell scripts with events entry now why would we want to terminate PowerShell scripts a lot of system administrators use PowerShell of course for various tasks and partial is great and it's got a lot of functionality but it's unfortunately also increasingly used by attacker not because PowerShell is sped or insecure but because it's very powerful and because it's the stalled and most Windows system and especially newer ones like Windows 8 and Windows 10 and of course all the server operating systems where it's installed by default so this is sort of an attack as paradise were you essentially have an entire tool kits available at your disposal on the target machine the good thing is that most malicious or potentially malicious and questionable PowerShell activity can be identified because the attacker will pass certain command-line arguments to the powershell process and if we detect those arguments then we can terminate that instance of powershell while at the same time leaving authorized and normal powershell scripts alone since the vent sentry is agent based it has a distinct advantage because it can detect events in real time and react on the target machine in near real-time so not only can you collect logs with a bin sentry and you know send them to a central location for compliance and security purposes or detect failed logins and issuer alerts but you can also take reactive steps to mitigate potential threats so I'm going to show you this in action on this test machine here which is a 2012 r2 machine now PowerShell uses an execution policy to determine which scripts are allowed to run on a system and by default the execution policy set to restricted which means no scripts are allowed to run on this system the execution policy set to remote sign which means that all scripts and configuration files downloaded from the internet and Kronus from microsoft's website have to be signed the problem with the execution policy is that you can bypass it with a simple command-line argument so it's really a sort of toothless protection here most attackers are always going to automatically pass the to command that one command-line argument to the powershell process called xxxx bypass which essentially means just run the script i don't care what the execution policy is so I'm going to demonstrate that here so here I have a script test appears one that essentially just outputs a string so when I run this there's a small delay built-in as well for about 800 milliseconds and it says hello I'm Ryan now I'm going to run that same script with the command line argument that bypasses the execution policy and that's simply executed by pass and we'll see that while the powershell process obviously was started and the script was passed to it it wasn't actually able to complete the script because the events that your agent terminated it let's look at our example so here I have a script that was actually downloaded from the internet I'm going to try and run the script the show CPU H dot ps1 so that's just a script that uses Toby miter query some CPU information now any time I involve WMI it's gonna take some time at least a second or so so let's try to run this regularly so we can assume that this is a malicious PowerShell script that was downloaded shouldn't be wrong but here I am running the script and the first message I'm getting here is the script is not digitally signed ok well because I know that this doesn't really matter very much I'm just going to do the exit bypass and execute the script and now we can see that the script is running here we're getting the header but doesn't really do anything what this script should do is generate an HTML page and open that HTML page in the default browser so you can see that bypassing specific strings to the powershell process event search you can evaluate those strings match them against the rule set which I will show you in a few moments and then essentially terminate that process before it can fully execute so you can see the partial scripted start but as soon as it exceeded a certain amount of time events entry terminated it and that's a disclaimer here so if you have a PowerShell script that is extremely fast and the measurement really depends on the system it's running on but as a rule of thumb I would say anything that takes less than a second will likely run and likely execute before events entry has a chance to terminate it please keep in mind events entry has to essentially get the notification about this event happening so you know that so the process starts it's being audited it's being sent to event century event century evaluates it against its filter rules ament's entries then goes to windows and says ok let's trim it at this process and all that takes a little bit of time usually around seven eight hundred milliseconds so if the process is faster than that event since you will not be able to terminate it but in most cases any sort of malicious process is likely going to take longer than that because they usually download malicious payload from the internet or they'll do other things in the system that will take some time so just keep that in mind and another factor of course is the initialization of PowerShell itself so the first time you're gonna run the PowerShell script after not having run any scripts for a while the engine itself needs time to initialize so even though I can often take two or three seconds the first time you run a script on the system so I think it's generally safe to say that the majority of scripts will take more in a second and then sports will be able to be terminated by event century so what do those rules look like so it's look and of course thank you to rob Fanta Buddha who is makes a lot of useful PowerShell Perl cakes and so forth scripts available on its website so this is the events ng management console all of our rules are here under packages so if you click on packages here event log we can see all of our packages here I'm going to scroll down and we have the PowerShell security package expanding that shows us all the rules inside that package and the rule that was just utilized to terminate the script is actually inside this is suspicious command param rule and if you look here we can see that the string number 9 which is the command line parameter here we're looking for XA bypass and if that matches it terminates the process and that's really as simple it is this this package is included with the vents entry so as soon as you in Sullivan since you have that at your disposal all you have to do is activate it and link it to a termination action which is really as simple as one dialog here with the dollar STR five which is the process identifier and that's how easy it is to secure in your network and essentially protect yourself against the majority of malicious PowerShell scripts out there so if you don't have anything she installed head to events which that calm without a lot of trial it's free for 30-days and give it a shot thanks for watching