How to connect to an Ubuntu VM via SSH with PowerShell

This blog entry shows how to connect to an Ubuntu VM via SSH from PowerShell on a Windows 10 host.

Are you running Windows 10 as a host and want to connect to your Ubuntu VM? Are you using VirtualBox as a hosted hypervisor? If the answer to both questions is yes, keep reading!

As you will see below, this technique is especially useful if you are using Ubuntu Server, which comes without a GUI, and want to avoid the pains of working in its console. For example, Page Up and Page Down didn’t work and the screen was too small. Even VirtualBox Guest Additions didn’t help solve the problem.

Here is the list of steps from the creation of the VM to the SSH connection via PowerShell (the corresponding screenshots are under the list):

  1. Create an Ubuntu VM on VirtualBox (I’m using VirtualBox 6.1.26).
  2. Install Ubuntu Server 18.04.6 LTS in it (download the ISO from here by selecting “Server install image”).
  3. Start the VM and log on.
  4. Make sure that the sshd process is running and listening on port 22 (see Screenshot 1):
    • ps aux | grep sshd
    • sudo netstat -plant | grep :22
  5. Power off the VM.
  6. Open VirtualBox Manager, select the Ubuntu VM, and click on Settings. Click on Network, click on Advanced, click on Port Forwarding. Add a new port forwarding rule and click OK (see Screenshot 2).
    • Note: leave the Guest IP field empty. With Guest IP = 10.0.2.15 (find yours by typing ifconfig in the VM terminal), the connection didn’t work.
  7. Start the VM again.
  8. Launch PowerShell on your host and type: ssh pb@127.0.0.1 -p 10022
  9. The first time you connect, the ssh client will ask whether you are sure you want to connect and show you the ECDSA key fingerprint. You can double-check it by typing this in the VM terminal: ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub (see Screenshot 3).
  10. Enter yes.
  11. Type the command again: ssh pb@127.0.0.1 -p 10022 (if it does not work, restart PowerShell).
  12. Enter your Ubuntu password. You will now see the Ubuntu welcome message (see Screenshot 4). You are now connected to your Ubuntu VM via PowerShell from your Windows 10 host. Congratulations! 🙂

Screenshot 1: Check that the sshd process is running and listening on port 22.
Screenshot 2: Set up port forwarding.
Screenshot 3: Check that the ECDSA key fingerprint matches.
Screenshot 4: This message means victory 🙂
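Steps 8 to 10 rely on you checking the fingerprint by eye before answering “yes”. The following script, which is my own addition and not part of the original post, does that check from the host side: it confirms that something is listening on the forwarded port, pulls the VM’s public host key through that port with ssh-keyscan, hashes it with ssh-keygen exactly as you would inside the VM, and compares the result with the fingerprint you copied from the VM terminal. It assumes the port-forwarding rule from step 6 (host 127.0.0.1:10022 to guest port 22) and the OpenSSH client that ships with Windows 10 (ssh.exe, ssh-keyscan.exe, ssh-keygen.exe); the function names are mine.

```powershell
# Added example, not from the original post. Assumes the VirtualBox rule from
# step 6 (127.0.0.1:10022 -> guest :22) and the built-in Windows OpenSSH client.

function Get-ForwardedHostKeyFingerprint {
    param(
        [string] $HostAddress = '127.0.0.1',
        [int]    $Port        = 10022,
        [string] $KeyType     = 'ecdsa'      # the key type shown at the first ssh prompt
    )
    # 1. Fail fast if the VM is off or the forwarding rule is missing.
    $probe = Test-NetConnection -ComputerName $HostAddress -Port $Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "Nothing is listening on ${HostAddress}:$Port. Is the VM running and the port-forwarding rule in place?"
    }
    # 2. Fetch the public host key through the forwarded port; no login happens here.
    #    ssh-keyscan writes its banner comments to stderr and '#' lines we do not need.
    $keyLine = ssh-keyscan -t $KeyType -p $Port $HostAddress 2>$null |
               Where-Object { $_ -and $_ -notmatch '^#' } |
               Select-Object -First 1
    if (-not $keyLine) { throw "ssh-keyscan returned no $KeyType key from ${HostAddress}:$Port" }
    # 3. Hash it the same way the VM does with 'ssh-keygen -l', via a temporary file.
    $tmp = New-TemporaryFile
    try {
        Set-Content -Path $tmp.FullName -Value $keyLine -Encoding Ascii
        $out = "$(ssh-keygen -l -f $tmp.FullName)"
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
    # Output looks like: 256 SHA256:... [127.0.0.1]:10022 (ECDSA)
    if ($out -match '(SHA256:[A-Za-z0-9+/=]+)') { return $Matches[1] }
    throw "Could not parse a fingerprint from: $out"
}

function Test-VmHostKey {
    param(
        # Paste the value printed inside the VM by:
        #   ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
        [Parameter(Mandatory)] [string] $ExpectedFingerprint,
        [string] $HostAddress = '127.0.0.1',
        [int]    $Port        = 10022
    )
    $actual = Get-ForwardedHostKeyFingerprint -HostAddress $HostAddress -Port $Port
    # -ceq: base64 fingerprints are case-sensitive, and -eq would ignore case.
    if ($actual -ceq $ExpectedFingerprint) {
        Write-Host "Host key matches ($actual). Safe to answer 'yes' at the first prompt." -ForegroundColor Green
        return $true
    }
    Write-Warning "MISMATCH: the VM reports $ExpectedFingerprint but port $Port served $actual. Do not connect until you know why (wrong VM, stale rule, or something in between)."
    return $false
}

# Usage (step 9, then step 8): only connect when the fingerprints agree.
# if (Test-VmHostKey -ExpectedFingerprint 'SHA256:<paste-from-vm>') { ssh pb@127.0.0.1 -p 10022 }
```

The point of comparing against a value copied from the VM console is that the first connection is then verified against something obtained out of band, rather than trusted on first use. Once you have answered “yes”, ssh stores the key under the name `[127.0.0.1]:10022` in `%USERPROFILE%\.ssh\known_hosts`, and any later mismatch will be refused by ssh itself.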

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!

Threat Hunting via Windows Event Logs with DeepBlueCLI

In this blog post, I will use the PowerShell module DeepBlueCLI to quickly discover suspicious account and command line behavior by parsing some sample evtx files from the DeepBlueCLI GitHub page. This blog post is heavily inspired by the 16-hour seminar “SOC Core Skills” by John Strand (Black Hills Information Security).

New user is created and immediately added to the local Administrators group

In this section, we will analyze new-user-security.evtx with DeepBlueCLI. In the output, we see that a new user with username “IEUser” was created at 10:22:39 AM and then added to the local Administrators group at 10:22:40 AM, that is, one second after creation. This is suspicious because threat actors often create new users in order to gain a level of persistence in the network that malware alone would not give them.

Two security events from the log file were connected together by DeepBlueCLI and presented back to us with an intuitive summary.
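The correlation DeepBlueCLI performs here can be reproduced in a few lines of PowerShell. The block below is my own added example, not DeepBlueCLI’s code: it pairs “user account created” (Security event 4720) with “member added to a security-enabled local group” (event 4732) and reports pairs that fall within a short window. The two records are matched on the account SID (TargetSid in 4720, MemberSid in 4732) because 4732 frequently carries “-” as the member name. The sample events, SIDs, timestamps, the 60-second window and the list of watched groups are all constructed for this illustration; the converter at the top shows how to build the same objects from a real evtx file with Get-WinEvent.

```powershell
# Added example (my own code, not DeepBlueCLI's). Sample data below is constructed.

function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into the shape Find-QuickPrivilegedAdd expects.
    # Real log: Get-WinEvent -Path .\new-user-security.evtx | ConvertFrom-SecurityEvent
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        $xml = [xml]$Record.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id      = $Record.Id
            Time    = $Record.TimeCreated
            Sid     = $(if ($Record.Id -eq 4720) { $data['TargetSid'] }      else { $data['MemberSid'] })
            Account = $(if ($Record.Id -eq 4720) { $data['TargetUserName'] } else { $data['MemberName'] })
            Group   = $(if ($Record.Id -eq 4732) { $data['TargetUserName'] } else { $null })
        }
    }
}

# Constructed sample: one account added to Administrators 1 s after creation,
# another added hours later (plausible admin work, not flagged).
$sampleEvents = @(
    [pscustomobject]@{ Id=4720; Time=[datetime]'2021-09-06 10:22:39'; Sid='S-1-5-21-1111-2222-3333-1003'; Account='IEUser';     Group=$null }
    [pscustomobject]@{ Id=4732; Time=[datetime]'2021-09-06 10:22:40'; Sid='S-1-5-21-1111-2222-3333-1003'; Account='-';          Group='Administrators' }
    [pscustomobject]@{ Id=4720; Time=[datetime]'2021-09-06 11:05:00'; Sid='S-1-5-21-1111-2222-3333-1004'; Account='svc_backup'; Group=$null }
    [pscustomobject]@{ Id=4732; Time=[datetime]'2021-09-06 13:40:12'; Sid='S-1-5-21-1111-2222-3333-1004'; Account='-';          Group='Administrators' }
)

function Find-QuickPrivilegedAdd {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $WindowSeconds = 60,     # assumption: "immediately" means within a minute
        [string[]] $WatchedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators')
    )
    $created = @($Events | Where-Object Id -eq 4720)
    $added   = @($Events | Where-Object { $_.Id -eq 4732 -and $WatchedGroups -contains $_.Group })
    foreach ($c in $created) {
        # Only group additions for the same SID, created-before-added, inside the window.
        foreach ($a in ($added | Where-Object Sid -eq $c.Sid)) {
            $delta = ($a.Time - $c.Time).TotalSeconds
            if ($delta -ge 0 -and $delta -le $WindowSeconds) {
                [pscustomobject]@{
                    Account = $c.Account
                    Group   = $a.Group
                    Created = $c.Time
                    Added   = $a.Time
                    Seconds = [int]$delta
                    Message = "New account '$($c.Account)' added to '$($a.Group)' $([int]$delta)s after creation"
                }
            }
        }
    }
}

Find-QuickPrivilegedAdd -Events $sampleEvents | Format-Table Account, Group, Seconds, Message -AutoSize
```

Run as-is, only the IEUser pair is reported; the svc_backup account is created and added to Administrators as well, but more than two hours apart, which is exactly the kind of routine administration the window is meant to exclude. Tune `-WindowSeconds` and `-WatchedGroups` to your environment.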

Password spraying

In this section, we will analyze password-spray.evtx with DeepBlueCLI. In a password spray attack, a threat actor takes a list of usernames on a domain and tries the same password, such as Winter2020, against every one of them. The attack is often successful because many companies do not enforce a strong password policy. Moreover, it often goes unnoticed because no accounts get locked out: the attacker keeps the number of attempts per account below the lockout threshold defined in the lockout policy. In this instance, DeepBlueCLI detects the attack and summarizes it for humans to read. Concretely, we see that a password spray attack was launched by user jwrig from machine DESKTOP-JR78RLP, together with the list of targeted usernames.

The DeepBlueCLI summary of a password spraying attack.

Password guessing

In this section, we will analyze smb-password-guessing-security.evtx with DeepBlueCLI. In a password guessing attack, the threat actor tries to log in as a single user by trying many different passwords. In this instance, DeepBlueCLI detects such an attack against the Administrator account; its summary shows that 3560 logon attempts were made for this account.

The DeepBlueCLI summary of a password guessing attack.
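The two previous sections are really two shapes of the same raw data: failed logons (Security event 4625). A spray is one source touching many accounts a few times each; guessing is many attempts against one account. The block below is my own added example, not DeepBlueCLI’s code, and shows the grouping logic that tells the two apart. The failed-logon records, hostnames, IP addresses and both thresholds are constructed for the illustration; on a real log you would build the same objects from Get-WinEvent (TargetUserName, WorkstationName and IpAddress live in the event’s EventData).

```powershell
# Added example (my own code, not DeepBlueCLI's). All events below are constructed.

function New-FailedLogon {
    param([datetime]$Time, [string]$TargetUser, [string]$Workstation, [string]$IpAddress)
    [pscustomobject]@{ Id = 4625; Time = $Time; TargetUser = $TargetUser; Workstation = $Workstation; IpAddress = $IpAddress }
}

$t0     = [datetime]'2021-09-06 09:00:00'
$sample = [System.Collections.Generic.List[object]]::new()

# Spray: 12 different accounts, one attempt each, all from WS-07 within ~30 seconds.
$i = 0
foreach ($u in 'alice','bob','carol','dave','erin','frank','grace','heidi','ivan','judy','mallory','oscar') {
    $sample.Add((New-FailedLogon -Time $t0.AddSeconds(2 * $i) -TargetUser $u -Workstation 'WS-07' -IpAddress '10.0.0.45'))
    $i++
}
# Guessing: 40 attempts against Administrator from WS-12, one per second.
0..39 | ForEach-Object {
    $sample.Add((New-FailedLogon -Time $t0.AddMinutes(3).AddSeconds($_) -TargetUser 'Administrator' -Workstation 'WS-12' -IpAddress '10.0.0.99'))
}
# Noise: a single mistyped password from a third host (should not be reported).
$sample.Add((New-FailedLogon -Time $t0.AddMinutes(9) -TargetUser 'bob' -Workstation 'WS-03' -IpAddress '10.0.0.12'))

function Find-FailedLogonPattern {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $SprayMinAccounts = 10,   # assumption: distinct accounts from one source
        [int] $GuessMinAttempts = 20    # assumption: attempts against one account
    )
    $failed = @($Events | Where-Object Id -eq 4625)

    # Spray: group by SOURCE, count DISTINCT target accounts.
    foreach ($src in ($failed | Group-Object Workstation)) {
        $accounts = @($src.Group.TargetUser | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayMinAccounts) {
            [pscustomobject]@{
                Pattern  = 'Password spray'
                Source   = "$($src.Name) ($(@($src.Group.IpAddress | Sort-Object -Unique) -join ', '))"
                Attempts = $src.Count
                Accounts = $accounts.Count
                Detail   = $accounts -join ', '
            }
        }
    }
    # Guessing: group by TARGET, count attempts.
    foreach ($tgt in ($failed | Group-Object TargetUser)) {
        if ($tgt.Count -ge $GuessMinAttempts) {
            [pscustomobject]@{
                Pattern  = 'Password guessing'
                Source   = @($tgt.Group.Workstation | Sort-Object -Unique) -join ', '
                Attempts = $tgt.Count
                Accounts = 1
                Detail   = "target account '$($tgt.Name)'"
            }
        }
    }
}

Find-FailedLogonPattern -Events $sample.ToArray() | Format-Table -AutoSize -Wrap
```

With this input the spray from WS-07 and the guessing against Administrator are each reported once, while bob’s single typo from WS-03 stays below both thresholds. The spray threshold is deliberately a count of distinct accounts rather than of attempts, which is why this pattern is invisible to lockout-based controls: every account sees only one or two failures.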

Suspicious command line (attack with obfuscation)

In this last section, we will analyze Powershell-Invoke-Obfuscation-encoding-menu.evtx with DeepBlueCLI. This file contains logs of commands run from PowerShell that are suspicious because they contain many uncommon symbols. Attackers often use encoding techniques to bypass signature detection. Concretely, threat actors rewrite malicious commands using uncommon symbols; for example, they can build a command one character at a time, as in the screenshot below. Fortunately, this kind of activity often gets logged by Windows Defender because non-malicious scripts do not use so many uncommon characters. As you can see below, DeepBlueCLI computes a statistic for this command line invocation and shows that only 58% of its characters were alphanumeric or common symbols, which indicates malicious activity.

This PowerShell command was written character by character, that is, using the char data type. This is an example of obfuscation, a technique typically used by attackers to bypass signature detection.
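The “percentage of alphanumeric and common symbols” statistic is simple to compute yourself, and doing so makes clear what it does and does not catch. The block below is my own added example, not DeepBlueCLI’s code. It scores two constructed command lines: an ordinary Get-ChildItem call and a harmless Write-Output assembled one [char] at a time in the style of the screenshot above. The set of characters counted as “common”, the 75% alert threshold, the minimum length and the [char]-cast counter are my own choices, not DeepBlueCLI’s.

```powershell
# Added example (my own code, not DeepBlueCLI's). Both command lines are constructed.

function Get-CommandLineObfuscationScore {
    param(
        [Parameter(Mandatory)] [string] $CommandLine,
        [double] $AlertBelowPercent = 75,   # assumption: alert when fewer than 75% of chars are common
        [int]    $MinLength         = 25    # short commands give meaningless percentages
    )
    # Letters, digits, whitespace and the punctuation ordinary commands are made of.
    # Brackets, parentheses, '+', '&', '$' and quotes are deliberately NOT in this set.
    $commonClass = '[A-Za-z0-9\s/\\;:|.\-_]'
    $total   = $CommandLine.Length
    $common  = [regex]::Matches($CommandLine, $commonClass).Count
    $percent = if ($total -gt 0) { [math]::Round(100 * $common / $total, 1) } else { 100 }
    # Second, independent signal: explicit [char] casts, the building block of
    # character-by-character assembly shown in the screenshot.
    $charCasts = [regex]::Matches($CommandLine, '\[char\]', 'IgnoreCase').Count
    [pscustomobject]@{
        Length        = $total
        CommonPercent = $percent
        CharCasts     = $charCasts
        Suspicious    = ($total -ge $MinLength) -and ($percent -lt $AlertBelowPercent -or $charCasts -ge 5)
        Preview       = $(if ($total -gt 60) { $CommandLine.Substring(0, 60) + '...' } else { $CommandLine })
    }
}

# Constructed inputs: a plain directory listing, and "Write-Output hi" spelled out in [char] casts.
$plain      = "Get-ChildItem -Path C:\Users -Recurse -Include *.log | Select-Object FullName, Length"
$obfuscated = "&([string][char]87+[string][char]114+[string][char]105+[string][char]116+[string][char]101+'-Output') ([string][char]104+[string][char]105)"

$plain, $obfuscated | ForEach-Object { Get-CommandLineObfuscationScore -CommandLine $_ } | Format-Table -AutoSize
```

The plain command scores in the high nineties and is left alone; the char-assembled one drops to roughly 70% common characters and also trips the [char]-cast counter, so it is flagged on two independent grounds. Two caveats worth keeping in mind when you tune this: legitimate one-liners that build paths or regular expressions can also be symbol-heavy, so the threshold is a trade-off rather than a rule, and a percentage check says nothing about what the command does, only that it is shaped unusually. It belongs next to PowerShell script block logging (event 4104), which records the de-obfuscated script text, not in place of it.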

All in all, DeepBlueCLI enables fast discovery of specific events in the Windows Security log. In this post, we only looked at detections of suspicious account and command line activity. However, DeepBlueCLI can do much more. Check out its page on GitHub!

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!