Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

https://www.vmware.com/security/advisories/VMSA-2018-0031.html New VMWare Security Advisory: VMSA-2018-0031

Restricting PowerShell Capabilities with NetSh

Published: 2018-12-19
Last Updated: 2018-12-19 10:27:14 UTC
by Xavier Mertens (Version: 1)
2 comment(s)

The Christmas break is coming for most of us, let's take some time to share some tips to better protect our computers. The Microsoft Windows OS has plenty of tools that, when properly used, can reduce risks to be infected by a malware. As best practices, we must have antivirus enabled, we can deploy AppLocker to allow only authorized applications to be launched, we can restrict applications to be executed from locations like %APPDATA% or %TEMP% but they are tools that are much more difficult to restrict on a regular host like... Powershell! If you uninstall Powershell from a modern Windows version, you’ll simply miss nice features. That's why, in many cases, a simple uninstall is not possible. That’s also the reason why Powershell remains a nice first stage infection method:

  • It is installed by default
  • Its code is easy to obfuscate
  • It uses the complete Microsoft API to download files, execute them or perform injection or more low level operations.

Windows has a built-in firewall that provides interesting features. You can not only restrict traffic based at layer 3: from <ip>:<port> to <ip>:<port> but you can also restrict traffic based on application. Microsoft recommands to enable this firewall (and you receive continuous notifications when it's not).

Let’s create two rules. The first one allow Powershell to access our local subnet and the second one drops any traffic

C:\> netsh advfirewall firewall add rule name=“PS-Allow-LAN" dir=out \
     remoteip=localsubnet action=allow program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" \
     enable=yes
C:\> netsh advfirewall firewall add rule name=“PS-Deny-All" dir=out \
     action=block program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" \
     enable=yes

Of course, we can have multiple Powershell binaries spread across the file system. Let’s add the above rules for all of them:

C:\> for /R %f in (powershell*.exe) do (
netsh advfirewall firewall add rule name=“PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program=“%f" enable=yes
netsh advfirewall firewall add rule name=“PS-Deny-All (%f)" dir=out action=block program=“%f" enable=yes
)

Note that this technique does not block nasty malware like the one which was reported by Didier in a recent diary[1]. In this case, a copy of Powershell was used with a random name. If you use a proxy to access Internet resources, it could also be a good idea to restrict access to its IP address.

Finally, Powershell (if run with enough privileges) can disable the local firewall:

Set-NetFirewallProfile -Profiel Domain,Public,Private -Enabled False

You can apply the same kind of control to other tools that should not access Internet resources.

[1] https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

2 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Malspam links to password-protected Word docs that push IcedID (Bokbot)
Dec 18th 2018
1 day ago by Brad (1 comment)

Password Protected ZIP with Maldoc
Dec 17th 2018
1 day ago by DidierStevens (1 comment)

Random Port Scan for Open RDP Backdoor
Dec 16th 2018
2 days ago by Guy (1 comment)

De-DOSfuscation Example
Dec 15th 2018
3 days ago by DidierStevens (2 comments)

Bombstortion?? Boomstortion??
Dec 14th 2018
5 days ago by Rick (2 comments)

Phishing Attack Through Non-Delivery Notification
Dec 13th 2018
6 days ago by Xme (0 comments)

Yet Another DOSfuscation Sample
Dec 12th 2018
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

PDF vs. DOCX in phishing mails
created Dec 14th 2018
4 days ago by sciurium (0 replies)

Securing AV/IoT best practice question
created Dec 10th 2018
1 week ago by Anonymous (0 replies)

virtual server design
created Nov 28th 2018
2 weeks ago by Anonymous (0 replies)

Intern needs help
created Nov 23rd 2018
3 weeks ago by Anonymous (0 replies)

CVE Links Are Broken
created Nov 17th 2018
1 month ago by George (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)