SANS ISC: InfoSec Handlers Diary Blog

Blocking Powershell Connection via Windows Firewall.

Published: 2016-12-18
Last Updated: 2016-12-18 01:12:22 UTC
by Tom Webb (Version: 1)

In my last post, I mapped controls to stop a malicious document calling out via PowerShell. I'm now going to cover how the Windows firewall can stop the attack chain. The Windows firewall can restrict a specific application from making network connections. In the attack chain, this means the user receives the malicious document, opens it, the macro runs, and the PowerShell script fails to pull down additional malware because its outbound connection is blocked.


If you block all network connections for PowerShell, the outbound rules (as shown in the Windows Firewall with Advanced Security console) should look like this:

| Name | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Authorized Computers | Authorized Local Principals | Local User Owner | Application Package |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Powershell | All | Yes | Block | No | %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Any | Any | Any | Any | Any | Any | Any | Any | Any |
| Powershell2 | All | Yes | Block | No | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe | Any | Any | Any | Any | Any | Any | Any | Any | Any |


To test, I tried downloading Wireshark using PowerShell with the same call the malware used:

>cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wireshark.org/win64/Wireshark-win64-2.2.2.exe','%TMP%\tom.exe');

Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
At line:1 char:1
+ (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wiresh ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException


If you want to allow local communication for these rules, you have to set the default outbound policy to Block and create Allow rules for the traffic you need, because the Windows firewall always applies Block rules before Allow rules (an Allow rule cannot override a Block rule for the same program). A partial workaround is to block only specific outbound ports: you could block 80, 443 and 8080 (see below). Better yet, you could block everything except the couple of ports you need (135, 139, 445). If you use PowerShell only to call another application that then makes the connection, you should be able to block everything.


| Name | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Authorized Computers | Authorized Local Principals | Local User Owner | Application Package |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Powershell2 | All | Yes | Block | No | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe | Any | Any | TCP | Any | 443, 80, 8080 | Any | Any | Any | Any |
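The same rules can be created from an elevated PowerShell prompt with the NetSecurity cmdlets (Windows 8 / Server 2012 and later). This is an added example, not the diary's own configuration: the function name, the rule display names and the "everything except 135, 139, 445" variant, which expresses the exception as complementary port ranges because a Block rule has no "except" option, are my own; the program paths are the ones from the tables above.

```powershell
# Added example (not from the diary). Creates outbound Block rules for both powershell.exe
# hosts, matching the rule tables above. Run elevated; pick one -Variant per deployment.
function New-PowerShellBlockRule {
    param(
        [ValidateSet('All', 'WebPorts', 'AllButLocal')]
        [string]$Variant = 'All'
    )
    # Same two program paths as the tables; the firewall expands %SystemRoot% itself.
    $psHosts = @(
        '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe',   # 64-bit host
        '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'    # 32-bit host on x64
    )
    foreach ($exe in $psHosts) {
        $arch = if ($exe -like '*SysWOW64*') { 'x86' } else { 'x64' }
        # Columns shared by every variant: Profile=All, Enabled=Yes, Action=Block.
        $common = @{ Direction = 'Outbound'; Program = $exe; Action = 'Block'
                     Profile = 'Any'; Enabled = 'True' }
        switch ($Variant) {
            # Variant 1 (first table): every protocol and port is "Any".
            'All' { New-NetFirewallRule -DisplayName "PS-Block-All-$arch" @common | Out-Null }
            # Variant 2 (second table): only TCP 80, 443 and 8080 to any remote host.
            'WebPorts' {
                New-NetFirewallRule -DisplayName "PS-Block-Web-$arch" -Protocol TCP `
                    -RemotePort 80, 443, 8080 @common | Out-Null
            }
            # Variant 3: block all remote ports except 135, 139 and 445 (TCP and UDP),
            # written as the complementary ranges so the default outbound action stays Allow.
            'AllButLocal' {
                $ranges = '1-134', '136-138', '140-444', '446-65535'
                foreach ($proto in 'TCP', 'UDP') {
                    New-NetFirewallRule -DisplayName "PS-Block-AllBut-135-139-445-$proto-$arch" `
                        -Protocol $proto -RemotePort $ranges @common | Out-Null
                }
            }
        }
    }
}

# Verify what now applies to powershell.exe. Block rules win over Allow rules regardless
# of the order they were created in, so every Block listed here is effective.
function Get-PowerShellFirewallRule {
    Get-NetFirewallApplicationFilter |
        Where-Object Program -like '*\WindowsPowerShell\v1.0\powershell.exe' |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled, Profile
}

New-PowerShellBlockRule -Variant 'All'
Get-PowerShellFirewallRule
```

After creating the rules, re-running the DownloadFile test from above should fail with the same "Unable to connect to the remote server" exception.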


This process should work for wscript and cscript also.


--

Tom Webb

@twsecblog
