In my last post, I mapped controls to stop a malicious document calling out via PowerShell. I'm now going to cover how the Windows Firewall can break the same attack chain. The Windows Firewall can restrict which applications are allowed to make outbound connections. In the attack chain, this means the user received the malicious document, opened it, the macro ran, and the PowerShell script then failed to pull down the additional malware.
If you block all network connections for PowerShell, the two outbound rules (one per PowerShell binary) should look like this:

Name: Powershell
Profile: All
Enabled: Yes
Action: Block
Override: No
Program: %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
All other fields (local/remote address, protocol, local/remote port, users, computers): Any

Name: Powershell2
Profile: All
Enabled: Yes
Action: Block
Override: No
Program: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
All other fields (local/remote address, protocol, local/remote port, users, computers): Any
With the rules in place, a test download from PowerShell fails:

>cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wireshark.org/win64/Wireshark-win64-2.2.2.exe','%TMP%\tom.exe');
Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
At line:1 char:1
+ (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wiresh ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
A narrower version of the Powershell2 rule, blocking only TCP connections to remote ports 443, 80 and 8080 instead of all traffic, looks like this:

Name: Powershell2
Profile: All
Enabled: Yes
Action: Block
Override: No
Program: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
Local address: Any
Remote address: Any
Protocol: TCP
Local port: Any
Remote port: 443, 80, 8080
All other fields: Any
This process should work for wscript and cscript also. -- Tom Webb @twsecblog
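The two block rules and the narrower web-port variant above, as an added PowerShell example that is not part of the diary. It uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later) rather than the GUI; rule names and program paths are the diary's own, and the wscript entry is an assumed addition.

```powershell
# Added example (not from the diary): create the diary's two outbound block
# rules with the NetSecurity cmdlets instead of the firewall GUI. Run elevated.
# Rule names and program paths are the ones from the diary's rule table. On
# 64-bit Windows the SysWOW64 path is the 32-bit powershell.exe.
$rules = @{
    'Powershell'  = '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    'Powershell2' = '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe'
    # The diary says the same approach works for wscript/cscript; add entries
    # such as 'Wscript' = '%SystemRoot%\system32\wscript.exe' (assumed path).
}

foreach ($name in $rules.Keys) {
    # -Profile Any is the "All" column in the GUI. With no protocol, port or
    # address given, every other field is "Any", so all traffic is blocked.
    New-NetFirewallRule -DisplayName $name -Direction Outbound `
        -Program $rules[$name] -Action Block -Profile Any -Enabled True | Out-Null
}

# Narrower variant from the diary: block only TCP to remote ports 443, 80 and
# 8080 for the system32 binary. Use it instead of the full 'Powershell2' rule
# above, not in addition to it (a block-all rule would make it redundant).
# New-NetFirewallRule -DisplayName 'Powershell2' -Direction Outbound `
#     -Program $rules['Powershell2'] -Protocol TCP -RemotePort 443,80,8080 `
#     -Action Block -Profile Any -Enabled True

# Verify: rules match on program path only, so confirm each rule's direction,
# action and the exact binary it is bound to.
Get-NetFirewallRule -DisplayName 'Powershell*' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    '{0,-12} {1,-9} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action, $app.Program
}

# Test: with the rules active, the DownloadFile call shown in the diary fails
# from powershell.exe with "Unable to connect to the remote server".
```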
Tom, ISC Handler, Dec 18th 2016
In regard to Tom Webb's posting "Blocking Powershell Connection via Windows Firewall": there are many versions of Windows, and personally I'm unable to find any of the firewall interfaces that align with the options shown in Tom's examples. Please consider adding a screenshot or additional information.
Anonymous
Dec 19th 2016
Tom,
Glad to see your post. I have been doing a lot of work with Windows Firewall to block malicious behavior and found it to be very effective. Limiting PowerShell is probably the biggest one, but an issue we ran into was that we had PowerShell traffic that needed to be allowed and we wanted to block all others. We didn't have enough data to go full whitelist with the Windows Firewall, but we ended up using "inverse ranges" to configure a blacklist of what was blocked (essentially all of the IP space that we didn't want to allow), and that allowed us to have approved access while blocking all else for just this application. If anyone is interested, I started a blog with lots of details. Here is the link: https://limpidwebblog.blogspot.com/2016/10/a-shower-leads-to-powershell-puking.html
limpidweb
Dec 19th 2016