Current state of malicious Powershell script blocking

The current state of malicious Powershell script blocking is bad, very bad. There is room for improvement …

Only two products (among the tested ones) can protect against an obfuscated malicious Powershell stealing the passwords and hashes from memory: AVG/Avast Antivirus and Hitmanpro.Alert Beta/Sophos Intercept X.

Update 2017-08-10: Latest KIS2017 blocks the attacks as well.

Introduction

When I watched this great presentation from Will Schroeder (@harmj0y) it made me thinking. How about doing a quick and dirty Powershell test. For this exercise, I choose Invoke-Mimikatz.

Mimikatz (Benjamin Delpy – @gentilkiwi) is the gold standard when it comes to lateral movement or grabbing passwords/hashes. Invoke-Mimikatz is a Powershell version of Mimikatz, where the Mimikatz executable is not written to the disk.

AMSI is Microsoft’s “Antimalware Scan Interface”, which can be used to detect malicious Powershell code – even in-memory, at execution time. Let’s see what AMSI is capable of, and what can we expect if AMSI is not used.

MS AMSI

The contenders

For this quick test, I choose the following vendors. I used the home/Internet security version. Windows 10 x64 version 1511 was used for this test.

All test was done with latest version, in the past 10 days.

  • AVG/Avast
  • Avira
  • Bitdefender
  • Microsoft Defender
  • ESET
  • F-Secure
  • GData
  • Hitmanpro.Alert Beta*
  • Kaspersky Lab (KIS 2017)
  • McAfee
  • Norton
  • Trend Micro

Test results

The basic test

Let’s start with a quick test. I just downloaded the Invoke-Mimikatz.ps1 to the disk, and I executed it. In all Powershell tests, Powershell was started with admin privileges, and ExecutionPolicy was set to Bypass.

These vendors blocked the attack:

  • AVG/Avast
  • Microsoft Defender (AMSI)
  • ESET
  • GData
  • Hitmanpro.Alert Beta*
  • Kaspersky Lab
  • Norton

These vendors failed to block this basic attack:

  • Avira
  • Bitdefender
  • F-Secure
  • McAfee
  • Trend Micro

Well, not good, but not that bad. So far.

A bit advanced test

OK, now let’s see what happens if I don’t write the Invoke-Mimikatz.ps1 to the disk. Let’s just download it to the memory, and execute from there (using Invoke-Execution or IEX) – this is the test shown in @harmj0y’s presentation.

These vendors blocked the attack:

  • AVG/Avast
  • Microsoft Defender (AMSI)
  • ESET
  • Hitmanpro.Alert Beta* (blocked the password hash stealing)
  • Update 2017-08-10: Latest Kaspersky Internet Security 2017 blocks the attack from an active Powershell session as well.

MS Defender + AMSI blocking Mimikatz in-memory

AVAST blocking in-memory Powershell

ESET blocking in-memory Powershell

Hitmanpro Alert Beta blocking in-memory powershell password stealing

These vendors failed to block this attack and Mimikatz was able to steal password hashes:

  • Avira
  • Bitdefender
  • F-Secure
  • GData
  • Kaspersky Lab – although Kaspersky Internet Security 2017 can block the DumpCreds attack if Powershell and Mimikatz is started from the command line.
  • McAfee
  • Norton
  • Trend Micro

Things are not that nice anymore. But let’s try harder to bypass the AVs.

Try harder test

Now, let’s use Invoke-Obfuscation developed by Daniel Bohannon – @danielhbohannon on Invoke-Mimikatz, and use IEX for in-memory execution.

 

Invoke-Obfuscation

These vendors blocked the attack:

  • AVG/Avast (blocked the password stealing)
  • Hitmanpro.Alert Beta* (blocked the password stealing)
  • Update 2017-08-10: Latest Kaspersky Internet Security 2017 blocks the attack (blocked the password stealing)

Interestingly, none of these vendors alerted about the attack, both allowed the Powershell Mimikatz to run, but blocked the password hash stealing. But it was blocked so kudos for them!

These vendors failed to block this attack and Mimikatz was able to steal password hashes:

  • Avira
  • Bitdefender
  • ESET
  • F-Secure
  • GData
  • Kaspersky Lab
  • McAfee
  • Microsoft Defender (AMSI)
  • Norton
  • Trend Micro

Conclusion

I am a bit of disappointed at AMSI, I expected that it will block all three attacks.

It is also interesting to see that probably none of the 3rd party vendors implement AMSI. I have no idea why. It seems like either Avast/AVG or ESET is using AMSI. I will try to get confirmation on that.

Got confirmation on AVG/Avast: https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

Any more conclusion is left to the reader as an exercise.

A friendly message to the AV developers. Please Try Harder.

FAQ

Q: Mimikatz is used against systems in enterprises, and in this test home / Internet Security Solutions are tested. Why?

A: First of all, I had these systems in our environment up and running and updated. Also, installing the enterprise versions is a pain in the … You can count with 4 hour / product in average. And last but not least there is not much difference between the enterprise and home versions. Probably most enterprise products can be configured to block all powershell script, and only allow script execution from a white-listed directory. But I fail to see how it protects against in-memory Powershell attacks.

Q: Why is no next-gen/ machine-learning product in test?

A: Most machine learning products are used to learn how a malicious EXE/DLL looks like. They can’t detect malicious Powershell pre-execution. Some next-gen/ machine-learning can block or detect the Mimikatz password hash stealing via behavior detection/block, same way the two finalists blocked the attack. And last but not least as long as these products are not available as free trials, testing these is a pain.

* The new technology in the Sophos’ HitmanPro.Alert beta is set to be included in Sophos Intercept X and is currently available to Intercept X customers as part of the early access program.