In my last post, I mapped controls to stop a malicious document calling out via PowerShell. I'm now going to cover how the Windows firewall can break the attack chain. The Windows firewall can limit a specific application from making outbound connections. In the attack chain, this means that the user still received the malicious document and opened it, the macro still ran, but the PowerShell script failed to pull down the additional malware.
If you block all network connections for PowerShell, the outbound rules should look like this:
| Name | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Authorized Users | Authorized Computers | Local User Owner | Application Package |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Powershell | All | Yes | Block | No | %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Any | Any | Any | Any | Any | Any | Any | Any | Any |
| Powershell2 | All | Yes | Block | No | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe | Any | Any | Any | Any | Any | Any | Any | Any | Any |
To test, I tried downloading Wireshark using PowerShell with the same call the malware used:
>cmd /c PowerShell (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wireshark.org/win64/Wireshark-win64-2.2.2.exe','%TMP%\tom.exe');
Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to the remote server"
At line:1 char:1
+ (New-Object System.Net.Webclient).DownloadFile('http://2.na.dl.wiresh ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
If you want to allow local communication for these programs, a Block rule will not work, because the Windows firewall always gives a Block rule precedence over an Allow rule; instead you have to set the default outbound policy to Block and create Allow rules for what you need. A simpler workaround is to block only specific outbound ports for the program. You could block 80, 443 and 8080 (see below), or better yet, block everything except the few ports you need (135, 139, 445). If you use PowerShell only to call another application that then makes the connection, you should be able to block everything.
| Name | Profile | Enabled | Action | Override | Program | Local Address | Remote Address | Protocol | Local Port | Remote Port | Authorized Users | Authorized Computers | Local User Owner | Application Package |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Powershell2 | All | Yes | Block | No | %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe | Any | Any | TCP | Any | 443, 80, 8080 | Any | Any | Any | Any |
This process should work for wscript.exe and cscript.exe as well.
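The rules from both tables, plus the wscript/cscript extension just mentioned, can be created from an elevated prompt with the NetSecurity cmdlets (Windows 8 / Server 2012 and later). This is an added example written for this page, not the author's own script; the rule names, the helper function and the `$BlockOnlyWebPorts` switch are my own choices.

```powershell
# Added example: per-program outbound Block rules for script interpreters.
# Assumes the NetSecurity module (built into Windows 8 / Server 2012+) and an elevated prompt.

function Add-InterpreterBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Program,
        [int[]] $RemotePort          # empty = block all outbound; otherwise block only these TCP ports
    )
    # The SysWOW64 copies do not exist on 32-bit Windows; skip paths that are not present.
    if (-not (Test-Path $Program)) { return }

    $params = @{
        DisplayName = $Name
        Direction   = 'Outbound'
        Action      = 'Block'        # Block rules always win over Allow rules
        Enabled     = 'True'
        Profile     = 'Any'          # "All" in the MMC table
        Program     = $Program
    }
    if ($RemotePort) {               # second-table variant: only the web ports
        $params.Protocol   = 'TCP'
        $params.RemotePort = $RemotePort
    }
    New-NetFirewallRule @params | Out-Null
}

# Set to $true for the narrower "web ports only" rules from the second table,
# which leave local SMB/RPC (135, 139, 445) reachable for the interpreter.
$BlockOnlyWebPorts = $false
$webPorts = 80, 443, 8080

# Both 64-bit and 32-bit copies of each interpreter need their own rule, because a
# firewall program rule matches on the exact executable path.
$targets = @(
    @{ Name = 'Block PowerShell (64-bit)'; Program = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" }
    @{ Name = 'Block PowerShell (32-bit)'; Program = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" }
    @{ Name = 'Block wscript (64-bit)';    Program = "$env:SystemRoot\System32\wscript.exe" }
    @{ Name = 'Block wscript (32-bit)';    Program = "$env:SystemRoot\SysWOW64\wscript.exe" }
    @{ Name = 'Block cscript (64-bit)';    Program = "$env:SystemRoot\System32\cscript.exe" }
    @{ Name = 'Block cscript (32-bit)';    Program = "$env:SystemRoot\SysWOW64\cscript.exe" }
)

foreach ($t in $targets) {
    if ($BlockOnlyWebPorts) {
        Add-InterpreterBlockRule -Name $t.Name -Program $t.Program -RemotePort $webPorts
    } else {
        Add-InterpreterBlockRule -Name $t.Name -Program $t.Program
    }
}

# Verify: show each rule with the program it is bound to and any remote-port restriction.
Get-NetFirewallRule -DisplayName 'Block *' -Direction Outbound | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-28} {1,-6} {2,-70} remote ports: {3}' -f $_.DisplayName, $_.Action, $app.Program, ($port.RemotePort -join ',')
}

# Then repeat the DownloadFile test from the post: with the rule active the call
# should fail with "Unable to connect to the remote server".
```

Two things to keep in mind when testing: the rule matches the executable path, so any other interpreter binary in use (powershell_ise.exe lives in the same folder, for instance) needs its own entry in `$targets`; and the DNS lookup for the download host is performed by the DNS Client service rather than by powershell.exe, so a blocked script will still resolve the name before the TCP connect fails, which is the failure the post's error output shows.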