Good Hunting

The personal blog of Chris Gerritz. I muse on malware, threat hunting, and security incidents. Occasionally more.

PSHunt - Powershell Threat Hunting Project

It has been a couple of weeks since my talk at BSides Las Vegas where I presented the PSHunt project, and I have finally gotten it to a point where it can be distributed and used outside of the lab. The next part is documenting everything, so for now I just wanted to throw down some background and notes on how it was developed.

BSides Las Vegas Talk

Background

I have been using Powershell to hunt for 5+ years now. I regularly use these techniques at home, in lieu of antivirus*, and have scaled these techniques to 500,000+ globally distributed hosts on the world’s largest Active Directory domain while at the AFCERT.

PSHunt actually started as the prototype or MVP for Infocyte's hunt product. Many of the concepts will be familiar to incident responders, but the overall process and framework for making it scalable and usable in hunt scenarios was really solidified when we were forming the Air Force's enterprise hunt team. Having an 800,000 node network as a playground, responding to live incidents, and innovating on the fly was a regular occurrence, and due to a series of successes we were given uncharacteristically broad authority by the leadership at that time to try new things. Powershell made that possible, especially since we had a policy restricting us from using unapproved compiled binaries on the network.

Since leaving the AFCERT, I've continued to support smaller organizations through proactive compromise assessments and incident response using Powershell tools like PSHunt and PowerForensics through my company, Infocyte. About a year ago, Infocyte officially switched to our budding commercial product, Infocyte HUNT, which follows the same concepts but uses more advanced compiled code on the endpoints, is cross platform, and has modern visualizations and workflows. PSHunt is still in use but it's mostly used for prototyping and modeling of new collection and detection techniques before being implemented in C/C++ in our commercial product.

Why Powershell?

Powershell grants us powerful automation and methods to gain visibility into the windows operating system (and as of August 2016, Linux and OSX as well). With it we have full access to WMI, COM and .NET object models as well as native windows APIs. Combined with a few open source tools and resources, we have all we need to hunt for hidden malware and adversaries on the endpoint – no matter how advanced.

With Powershell, we won’t need 3rd party libraries or pre-installed agents¹ to deploy these techniques across an enterprise, as it is a default feature of every modern Windows operating system (starting with Windows 7 and 2008R2). XP, Vista, 2003, and 2008 users can easily install WMF 2.0 to unlock the power on those systems as well. As of August 2016, we can also install it on Linux and OSX hosts, though it's still early.

  1. Technically WinRM and WMI are our agents, and they are installed/enabled by default.
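An added example of the kind of survey this makes possible (my own sketch, not PSHunt's code): a WMI process listing collected over WinRM from each host, each image hashed on disk, and the results stacked by SHA256 across hosts so the binaries seen on only a handful of machines rise to the top. It assumes WinRM is reachable, the caller has admin rights on the targets, and PowerShell 4.0 or later for Get-FileHash; $ComputerName and $RareThreshold are placeholder parameters.

```powershell
# Added example (not PSHunt code): survey running processes over WinRM via WMI,
# hash each image on disk, and stack results across hosts so rare binaries surface.
# Assumes WinRM is enabled on the targets and the caller has admin rights.
param(
    [string[]]$ComputerName = @('localhost'),   # placeholder: replace with hosts in scope
    [int]$RareThreshold = 2                     # hashes seen on <= this many hosts are flagged
)

$survey = {
    # Runs on each target. Uses WMI (Win32_Process) because it needs no extra agent.
    $hostName = $env:COMPUTERNAME
    Get-WmiObject -Class Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $hash = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            try { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } catch {}
        }
        [pscustomobject]@{
            Host        = $hostName
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $path
            CommandLine = $_.CommandLine
            SHA256      = $hash
        }
    }
}

# Fan out over WinRM; Invoke-Command runs the block on every host in parallel.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $survey -ErrorAction Continue

# Stack by hash: a binary present on few hosts deserves a closer look (least-frequency analysis).
$stack = $results | Where-Object SHA256 | Group-Object SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256    = $_.Name
        HostCount = ($_.Group | Select-Object -ExpandProperty Host -Unique).Count
        Names     = ($_.Group | Select-Object -ExpandProperty Name -Unique) -join ','
        Paths     = ($_.Group | Select-Object -ExpandProperty Path -Unique) -join ';'
    }
}

# Rare hashes first; processes with no on-disk image (already filtered out above) warrant
# their own review, since WMI reports a path only when the image still exists.
$stack | Where-Object { $_.HostCount -le $RareThreshold } | Sort-Object HostCount | Format-Table -AutoSize
```

Run it from a host that can reach the targets over WinRM; on a single machine it still produces the per-process hash table, which is the raw material for the stacking.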

Project Logistics

PSHunt will be maintained on Infocyte's Github Repo. I'll continue to manage the code base, fix bugs, and add new features as time allows. I welcome comments and suggestions, bug reports, and code commits. Feel free to use the code in your own projects and cmdlets as well. Most of the code is under the Apache License 2.0, which is pretty liberal, but I ask that attribution remain. Some code that was pulled from or inspired by other projects like Powersploit is under the same license the original code was in (mostly BSD 3-Clause).

Attributions

I have learned from and, in some cases, borrowed code from other Powershell security gurus within the community. Those individuals include the people mentioned below and a few others who will have attribution within the applicable function documentation:

Jared Atkinson (@jaredcatkinson)
Matt Graeber (@mattifestation)
Chris Campbell (@obscuresec)
Joe Bialek (@clymb3r)
San Antonio, TX
Chris Gerritz is a retired Air Force cyber warfare officer and pilot. He now hunts malware for a living as co-founder of Infocyte.