Catch Me If You Can: PowerShell Red vs. Blue
Will Schroeder, Specter Ops
A Survey of PowerShell Security
Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and more
• Parental Guidance: PowerShell <3 the Blue Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound, and more
Our Offensive Philosophy
• “Assume breach” approach, focus on post-exploitation
• “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
  • Focus on blending in with normal host and network operations
  • Led us to focus on built-in capabilities, most importantly PowerShell!
In the Beginning (2002)…
…Then There Was Light! (2009)
Offensive Infancy (2010)
From the Tree of Knowledge (2011)…
Sidenote: (2017)
Learning to Walk (2011)
• Defenses:
  • Execution policy? Profiles?
  • Basic transcription (Version 2)
• The True Offensive Start:

Primary School
• PowerSyringe (2011) became PowerSploit (2012)
  • Injects shellcode into the current or an arbitrary process
  • One of the most commonly reused components in malware
  • Common post-exploitation features added (keystroke logging, screenshot collection, etc.)
• PowerShell Version 3 (Sept 2012)
  • Module logging introduced - the first logging of PS commands
Adolescence
• Invoke-ReflectivePEInjection (2013)
  • Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process
• The big one… Invoke-Mimikatz (2013)
  • Dumps plaintext passwords from memory! (Amongst *many* other tasty things)

Invoke-Mimikatz Demo
Adolescence
• PowerView (March 2014)
  • Network/Active Directory situational awareness tool
  • Fun features ruined by Microsoft - user hunting via session enumeration (Net Cease, Oct 2016) and remote SAM enumeration (SAMRi10, Dec 2016)
• Kansa (March 2014)
  • Incident response framework
• Uproot (Oct 2014)
  • WMI-based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
  • PowerShell reverse engineering toolkit
Adolescence
• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”
  • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection
  • Really was a big “missing link” from our perspective
  • It can be used offensively and defensively (Get-InjectedThread)
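The point of PSReflect is that Win32 functions can be defined through System.Reflection.Emit without Add-Type, which shells out to csc.exe and writes a temporary assembly to disk. The following is an added illustration of that pattern, not PSReflect's own code: a small helper that builds a dynamic in-memory assembly and emits one P/Invoke method per entry, then uses it to call OpenProcess/CloseHandle. It assumes Windows PowerShell 5.1 on .NET Framework (on PowerShell 7 the assembly is created through [System.Reflection.Emit.AssemblyBuilder]::DefineDynamicAssembly instead); the helper and type names are illustrative.

```powershell
# Added example (not PSReflect itself): define Win32 functions in memory via
# Reflection.Emit, the way PSReflect does, instead of Add-Type. Add-Type drops a
# compiled assembly under $env:TEMP and spawns csc.exe; DefinePInvokeMethod only
# creates a dynamic assembly that lives in this process. Assumes Windows PowerShell 5.1.
function New-InMemoryPInvokeType {
    param(
        [Parameter(Mandatory)] [string] $TypeName,
        # Each entry: @{ Name; Dll; ReturnType; ParameterTypes }
        [Parameter(Mandatory)] [hashtable[]] $Functions
    )
    $AsmName = New-Object System.Reflection.AssemblyName -ArgumentList ("InMem_" + $TypeName)
    $Asm = [AppDomain]::CurrentDomain.DefineDynamicAssembly($AsmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
    $Mod = $Asm.DefineDynamicModule("InMem_" + $TypeName, $false)
    $TypeBuilder = $Mod.DefineType($TypeName, 'Public,BeforeFieldInit')

    foreach ($f in $Functions) {
        $Method = $TypeBuilder.DefinePInvokeMethod(
            $f.Name, $f.Dll,
            [System.Reflection.MethodAttributes] 'Public,Static,PinvokeImpl',
            [System.Reflection.CallingConventions]::Standard,
            $f.ReturnType, [Type[]] $f.ParameterTypes,
            [System.Runtime.InteropServices.CallingConvention]::Winapi,
            [System.Runtime.InteropServices.CharSet]::Auto)
        # PreserveSig: hand back the native return value instead of translating HRESULTs into exceptions
        $Method.SetImplementationFlags($Method.GetMethodImplementationFlags() -bor [System.Reflection.MethodImplAttributes]::PreserveSig)
    }
    $TypeBuilder.CreateType()
}

# Two kernel32 exports defined without touching disk
$Kernel32 = New-InMemoryPInvokeType -TypeName 'Kernel32' -Functions @(
    @{ Name = 'OpenProcess'; Dll = 'kernel32.dll'; ReturnType = [IntPtr]; ParameterTypes = @([UInt32], [bool], [UInt32]) },
    @{ Name = 'CloseHandle'; Dll = 'kernel32.dll'; ReturnType = [bool];   ParameterTypes = @([IntPtr]) }
)

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$h = $Kernel32::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [UInt32] $PID)
if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $PID" }
"Opened handle 0x{0:X} to PID $PID with an in-memory P/Invoke definition" -f $h.ToInt64()
[void] $Kernel32::CloseHandle($h)

# Contrast: Add-Type would leave a <random>.dll (and .cs) under $env:TEMP and a csc.exe child
# process in the process tree, both of which are cheap detection points for defenders.
```

Running the block twice in one session is fine: each call creates a fresh dynamic assembly, so the type name does not collide. The same DefinePInvokeMethod call is what PSReflect wraps in its Add-Win32Type helper, and it is why tools built on it (PowerView, Get-InjectedThread) can call the Win32 API without a compiler or a file drop.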
Adolescence
• SharpPick (Dec 2014)
  • PowerShell without PowerShell.exe!
  • Bypassed weak AppLocker configs/command-line logging
• UnmanagedPowerShell (Dec 2014)
  • Inject PowerShell scripts into any process!
  • Loads the .NET 2.0 runtime (if available), so the v2 engine runs and the newer logging is bypassed
• PowerForensics (Mar 2015)
  • Live disk forensics with PowerShell!

UnmanagedPowerShell Demo

Sidenote: Lee vs. Lee
Some Parental Guidance (2015)

AMSI
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

Bypasses Will Always Exist!
Logs on Logs
• Transcription (v2, improved in v5)
  • Ability to record the contents of a PowerShell session
• Module Logging (v3)
  • Captures good execution details, but tons of data
• Deep Script Block Logging (v5)
  • Records code blocks as they’re executed
  • Default: logs suspicious-looking script blocks at warning level, even when script block logging has not been turned on
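The three logging sources above are switched on through policy registry keys (the same ones Group Policy writes), and the "suspicious by default" behaviour of script block logging means EID 4104 warning-level events are worth collecting even from hosts where nobody ever set the policy. The following added example, not from the deck, enables all three and then pulls back the flagged script blocks. It needs administrator rights; the registry paths are the documented policy locations, while the transcript output directory is an assumed value.

```powershell
# Added example: enable v5 PowerShell logging via its policy registry keys, then
# list script blocks the engine itself judged suspicious (EID 4104 at Warning level).
# Run elevated. Registry paths are the documented policy keys; C:\PSTranscripts is assumed.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Deep script block logging: full code as executed, after de-obfuscation
New-Item -Path "$Base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$Base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module logging for every module (pipeline details, high volume)
New-Item -Path "$Base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$Base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Automatic transcription of every session, with per-command invocation headers
New-Item -Path "$Base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$Base\Transcription" -Name EnableTranscripting   -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String  # assumed path

# A v5 engine writes 4104 at Warning level for blocks matching its built-in suspicious
# patterns even when EnableScriptBlockLogging is 0, so this query works on unconfigured hosts too.
function Get-SuspiciousScriptBlock {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
        Level   = 3          # 3 = Warning
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 event data order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = ($_.Properties[2].Value -replace '\s+', ' ')
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ScriptBlockId = $_.Properties[3].Value
            Part          = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
            Path          = $_.Properties[4].Value
            Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

Get-SuspiciousScriptBlock | Format-Table -AutoSize
```

Large scripts are split across several 4104 events; Part shows which fragment of a ScriptBlockId you are looking at, and grouping on ScriptBlockId reassembles the whole block. Module logging is the noisiest of the three and is usually scoped to specific modules in production rather than the '*' used here.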
The Rebellious Teenager (Aug 2015)

Lee Fires Back (2015/2017)

Invoke-Mimikatz vs. Defender/AMSI Demo
Defense Grows Up
• CimSweep (Jan 2016)
  • CIM/WMI-based defensive sweeping tool
• BloodHound (April 2016)
  • Active Directory attack path analysis
  • A modified version of PowerView is used for the data ingestion
• WMI module load events (~2016)
  • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"
  • https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
  • Take a memory dump each time a PS process closes
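The Win32_ModuleLoadTrace query above is the defensive answer to SharpPick and UnmanagedPowerShell: whatever the host executable, the PowerShell engine has to load System.Management.Automation.dll (or its NGEN image, System.Management.Automation.ni.dll, hence the wildcard before ".dll"). The following added example, not Matt Graeber's gist, subscribes to that event and flags any loading process that is not a known PowerShell host. It needs administrator rights (the trace classes are ETW-backed), lasts only for the current session, and the list of expected hosts is an assumed baseline to tune per environment.

```powershell
# Added example: alert when the PowerShell engine assembly is loaded by a process
# that is not a standard PowerShell host. Requires an elevated session.
# Known-host list is an assumed baseline; tune it for your environment.
$KnownHosts = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe', 'wsmprovhost.exe')

# The wildcard before ".dll" also matches System.Management.Automation.ni.dll (the NGEN image)
$Query = "SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE '%System.Management.Automation%.dll'"

Register-CimIndicationEvent -Query $Query -SourceIdentifier 'PSEngineLoad' -MessageData $KnownHosts -Action {
    $e      = $Event.SourceEventArgs.NewEvent          # the Win32_ModuleLoadTrace instance
    $procId = [int] $e.ProcessID
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $image  = if ($proc) { "$($proc.ProcessName).exe".ToLower() } else { '<exited>' }
    $known  = $Event.MessageData -contains $image
    $verdict = if ($known) { 'expected host' } else { 'ALERT: PowerShell engine loaded by non-standard host' }
    Write-Host ("[{0:u}] PID {1} {2} loaded {3} -> {4}" -f (Get-Date), $procId, $image, $e.FileName, $verdict)
}

"Listening for PowerShell engine loads. Stop with: Unregister-Event -SourceIdentifier PSEngineLoad"
# Sanity check that the subscription fires (this one should report 'expected host'):
Start-Process powershell.exe -ArgumentList '-NoProfile -Command exit' -WindowStyle Hidden
```

A process that exits before the action runs shows as <exited>; in practice that is a reason to keep the host's process-creation logging (Sysmon EID 1 or Security 4688) alongside this subscription so the image path can still be recovered. To survive reboots, the same query goes into a permanent __EventFilter/__EventConsumer/__FilterToConsumerBinding triple, which is the approach Uproot and CimSweep take.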
Things Get Complicated…
• Invoke-Obfuscation (Sep 2016)
  • Encyclopedia of PowerShell obfuscation methods
http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9

Invoke-Obfuscation Demo
Towards the Future…
• Device Guard (2016+) allows for the enforcement of constrained language mode
  • Strong application whitelisting/code integrity
  • Unsigned scripts run in Constrained Language Mode
  • No arbitrary access to the underlying .NET framework (no reflection, no Add-Type, New-Object limited to core types)
• WMImplant (late 2016)
  • WMI/PowerShell-based toolkit that deploys functions even in constrained language mode

PowerShell <3 The Kernel?? (2016-2017+)
https://github.com/FuzzySecurity/PSKernel-Primitives
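Constrained Language Mode removes exactly the things the offensive tooling above depends on (Add-Type, reflection, New-Object on arbitrary types, method calls on non-core types) while leaving cmdlets, and therefore WMI/CIM, untouched, which is the gap WMImplant lives in. The following added example, not from the deck or WMImplant, makes that boundary visible: each probe runs in a child powershell.exe that first drops itself into ConstrainedLanguage (a session may always lower its own language mode, never raise it) and reports whether the probe ran or was refused. Probe strings and the function name are illustrative; this is a demonstration harness, not the code-integrity enforcement Device Guard provides.

```powershell
# Added example: see what Constrained Language Mode refuses and what it still allows.
# Each probe runs in a fresh powershell.exe that lowers itself to ConstrainedLanguage
# first. Assumes Windows PowerShell (powershell.exe) on the PATH.
function Test-ConstrainedLanguageProbe {
    param([Parameter(Mandatory)] [string[]] $Probes)
    $results = [ordered]@{}
    foreach ($p in $Probes) {
        # Backticks keep $ExecutionContext, $null and $_ literal so the child evaluates them.
        $cmd = "`$ErrorActionPreference = 'Stop'; " +
               "`$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'; " +
               "try { `$null = ($p); 'ALLOWED' } catch { 'BLOCKED (' + `$_.FullyQualifiedErrorId + ')' }"
        $results[$p] = & powershell.exe -NoProfile -NonInteractive -Command $cmd
    }
    $results
}

# Probes are written without double quotes so they survive the native command line unchanged.
$Probes = @(
    'New-Object System.Net.WebClient'                       # New-Object on a non-core .NET type
    'Add-Type -TypeDefinition ''public class Probe {}'''    # compiling code into the session
    '[System.Diagnostics.Process]::GetCurrentProcess()'      # static method on a non-core type
    '[string]::Join(''-'', (1, 2, 3))'                       # method on a core type (string)
    '(Get-CimInstance Win32_OperatingSystem).Caption'        # a cmdlet plus property access: the WMI route
)

Test-ConstrainedLanguageProbe -Probes $Probes | Format-Table -AutoSize
```

Reading the BLOCKED entries against the allowed ones shows why a CLM-aware implant moves its capability into cmdlets and WMI classes rather than into .NET calls, and why the defensive follow-up is to constrain what WMI itself can reach (remote WMI permissions, Win32_Process creation auditing) rather than to assume CLM ends the game.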
Scary (for us attackers ;)
• Get-InjectedThread (April 2017)
  • Enumerates all currently running threads
  • For each thread:
    • Finds the thread’s start address
    • Checks whether the memory page at that address is committed
    • Checks whether that memory is backed by a file on disk (an image mapping)
    • If the page IS committed and NOT backed by a file, the thread is likely injected
  • Catches nearly all stock malware injection approaches!

Invoke-PSInject vs. Get-InjectedThread Demo
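The four checks above translate directly into three Win32 calls per thread: NtQueryInformationThread with ThreadQuerySetWin32StartAddress for the start address, VirtualQueryEx for the region containing it, and a look at the region's State and Type. The following is an added, deliberately compact re-implementation of that logic; it is not Jared Atkinson's Get-InjectedThread, which additionally reports the region's protection, reads back the memory for inspection and handles more edge cases. It uses Add-Type for the P/Invoke definitions (the in-memory alternative is shown earlier on this page), assumes 64-bit PowerShell on 64-bit Windows, and should run elevated (ideally as SYSTEM) so most processes can be opened; protected processes and processes that deny access are skipped silently. Expect a short list of legitimate hits on some systems (security products that inject their own threads), so treat output as leads rather than verdicts.

```powershell
# Added example (not Get-InjectedThread): flag threads whose start address lies in
# committed memory that is not an image mapping, i.e. code with no file on disk behind it.
# Run elevated, from 64-bit PowerShell on 64-bit Windows.
Add-Type @'
using System;
using System.Runtime.InteropServices;
public static class ThreadScan {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize;  public uint State;            public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass, out IntPtr info, int len, IntPtr retLen);
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    public static int MbiSize() { return Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)); }
}
'@

function Get-SuspiciousThread {
    $THREAD_QUERY_INFORMATION        = 0x0040
    $PROCESS_QUERY_INFORMATION       = 0x0400      # what VirtualQueryEx needs
    $ThreadQuerySetWin32StartAddress = 9
    $MEM_COMMIT = 0x1000
    $MEM_IMAGE  = 0x1000000
    $mbiSize = [ThreadScan]::MbiSize()

    foreach ($proc in Get-Process) {
        $hProc = [ThreadScan]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32] $proc.Id)
        if ($hProc -eq [IntPtr]::Zero) { continue }             # protected process or access denied
        $threads = @(); try { $threads = @($proc.Threads) } catch { }
        try {
            foreach ($t in $threads) {
                $hThread = [ThreadScan]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32] $t.Id)
                if ($hThread -eq [IntPtr]::Zero) { continue }
                try {
                    # 1. start address of the thread
                    $start = [IntPtr]::Zero
                    $status = [ThreadScan]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress, [ref] $start, [IntPtr]::Size, [IntPtr]::Zero)
                    if ($status -ne 0) { continue }
                    # 2. the memory region that address falls in
                    $mbi = New-Object ThreadScan+MEMORY_BASIC_INFORMATION
                    $got = [ThreadScan]::VirtualQueryEx($hProc, $start, [ref] $mbi, [IntPtr] $mbiSize)
                    if ($got -eq [IntPtr]::Zero) { continue }
                    # 3./4. committed, but not an image (file-backed) mapping -> likely injected
                    $committed   = ($mbi.State -band $MEM_COMMIT) -ne 0
                    $imageBacked = ($mbi.Type  -band $MEM_IMAGE)  -ne 0
                    if ($committed -and -not $imageBacked) {
                        [pscustomobject]@{
                            ProcessName  = $proc.ProcessName
                            PID          = $proc.Id
                            TID          = $t.Id
                            StartAddress = '0x{0:X}' -f $start.ToInt64()
                            Protect      = '0x{0:X}' -f $mbi.Protect      # 0x40 = PAGE_EXECUTE_READWRITE is the classic tell
                            RegionSize   = $mbi.RegionSize.ToInt64()
                        }
                    }
                } finally { [void] [ThreadScan]::CloseHandle($hThread) }
            }
        } finally { [void] [ThreadScan]::CloseHandle($hProc) }
    }
}

Get-SuspiciousThread | Format-Table -AutoSize
```

Run it before and after an Invoke-PSInject into notepad and the injected thread appears with a start address in a private (MEM_PRIVATE) region rather than inside notepad.exe or a loaded DLL. Injection techniques that hijack an existing thread or start execution inside a legitimate image (thread hijacking, module stomping) do not trip this check, which is the direction offensive tooling moved after 2017.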
Tips for Securing a PowerShell Deployment
• Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows 10:
  • Defender + AMSI
  • Deep script block logging
  • Device Guard and constrained language mode
• Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
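"Uninstall v2" is the tip most often left undone, because nothing visibly breaks while the old engine sits there waiting for a powershell -version 2 downgrade or a host compiled against the v2 assemblies. The classic "Windows PowerShell" log records an EID 400 "Engine Lifecycle" event for every engine start, including the EngineVersion and the HostApplication command line, so v2 use is auditable before and after removal. The following added example, not from the deck or the FireEye post, finds recent v2 engine starts, checks whether the engine is still installed, probes whether it actually launches, and removes it on client SKUs. Function names are illustrative; the feature name and log details are the documented ones.

```powershell
# Added example: audit and remove the PowerShell v2 engine.
# Get-PowerShellV2Usage reads the classic log; Disable-PowerShellV2 needs an elevated session.

function Get-PowerShellV2Usage {
    param([int] $Days = 30)
    # EID 400 message carries "EngineVersion=2.0" and "HostApplication=<command line>"
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        ForEach-Object {
            $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $hostApp }
        }
}

function Test-PowerShellV2Installed {
    # Windows 10 / Server 2016+ expose v2 as an optional feature.
    # On Windows Server the equivalent check is: (Get-WindowsFeature PowerShell-V2).Installed
    $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($f) { return ($f.State -eq 'Enabled') }
    $false
}

function Test-PowerShellV2Starts {
    # Live probe: ask the launcher for the v2 engine. The engine also needs the .NET 2.0 CLR
    # (the .NET Framework 3.5 feature); if either is missing, powershell.exe errors out
    # and nothing reaches stdout.
    $major = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>$null
    return ($major -eq 2)
}

function Disable-PowerShellV2 {
    # Client SKUs. On Windows Server use: Uninstall-WindowsFeature PowerShell-V2
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

Get-PowerShellV2Usage | Format-Table -AutoSize
"v2 feature installed : $(Test-PowerShellV2Installed)"
"v2 engine launches   : $(Test-PowerShellV2Starts)"
# Disable-PowerShellV2
```

Keep the EID 400 query running after removal: a host application that embeds the v2 engine (UnmanagedPowerShell loading the 2.0 runtime is the example from earlier) still leaves the same EngineVersion=2.0 trail, and any remaining hit after the feature is gone points at a .NET 3.5 dependency that was never cleaned up.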
Summary
• There’s a huge variety of offensive and defensive projects and technologies available
• PowerShell red and blue will continue to play cat and mouse
• PowerShell Version 2 remains a big Achilles heel
• The tide has started to really shift towards blue/defense!
• We’re actually moving towards C# for

Next Steps...
• Now: 15 min break
• Grab a coffee
• Stay here to enjoy the next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout session room afterwards

Questions?
About_Author
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Red teamer and offensive engineer for Specter Ops
• Co-founder: Veil-Framework | Empire/EmPyre | BloodHound
• Developer of: PowerView | PowerUp | current PowerSploit developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_References
• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder, Justin Warner, many many others
• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen
• BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMImplant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson

About_References
• https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://github.com/leechristensen/UnmanagedPowerShell
• https://github.com/EmpireProject/PSInject
• https://github.com/EmpireProject/Empire
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/danielbohannon/Invoke-Obfuscation
• https://github.com/ChrisTruncer/WMImplant
• https://github.com/FuzzySecurity/PSKernel-Primitives
• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

Editor's Notes

#3: Will show the evolution of offense and the defensive projects and mitigations that have been implemented in response. Will not cover ALL tools, just the ones I think are "evolutionarily" relevant. Focus only on "legitimate"/open-source offensive capabilities -> won't cover crimeware/etc.

#4: Quote - Microsoft Office 365 red teaming whitepaper. Access to .NET/the API, can stay off of disk, can reassemble malicious binaries in memory, etc. Explain what led us to PowerShell.

#6: "The Version 2 problem" - explain why we care about it from the offensive perspective.

#7: https://www.youtube.com/watch?v=JKlVONfD53w - talked some about execution policy. Main contribution - PowerDump.

#11: Built by Matt Graeber. Eventually repurposed into open-source offensive toolsets like Metasploit.

#12: Both coded by Joe Bialek. Mainly built so every binary didn't have to be recoded into pure PowerShell.
• https://github.com/PowerShellMafia/PowerSploit/blob/dev/CodeExecution/Invoke-ReflectivePEInjection.ps1
• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-Mimikatz.ps1

#13: Invoke-Mimikatz that creates a golden ticket for the parent domain and then DCSyncs the krbtgt of the root.

#14:
• https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa - incident response collection cmdlets (Dave Hull)
• https://github.com/Invoke-IR/Uproot - IDS via WMI event subscriptions
• https://github.com/mattifestation/PowerShellArsenal - reverse engineering

#15: https://github.com/mattifestation/PSReflect - Why not use Add-Type? Explain… Swap over - show PowerView code before and after.

#16: Twitter thread about "can we run PowerShell without powershell.exe". PowerForensics - explain the CreateFile() approach to avoid native APIs.
• http://www.sixdub.net/?p=367#more-367
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/SharpPick
• https://github.com/leechristensen/UnmanagedPowerShell

#17: https://github.com/EmpireProject/PSInject - demo script:

    # Single-quoted on purpose: $(Get-Process -Id $PID) is expanded inside the target process, not here
    $Code = '
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
    [System.Windows.Forms.MessageBox]::Show("This is PS code! Current proc: $(Get-Process -Id $PID)");
    '
    $Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Code))
    Start-Process notepad
    Invoke-PSInject -ProcName notepad -PoshCode $Encoded

#18: Command line version parameter - "-version 2". Hosting applications compiled using V2 reference assemblies. "The 'Windows PowerShell' classic event log has event ID 400. This is the 'Engine Lifecycle' event, and includes the Engine Version."

#19: Released a month before Empire was slated to be released - gave me an existential freakout!
• Better transcription with Start-Transcript and automatic transcription options
• Deep script block logging
• AMSI

#22:
• Transcription allows for automatic recording of PowerShell sessions.
• Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations.
• Module logging will record portions of scripts, some de-obfuscated code, and some data formatted for output.
• Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands. Including code AFTER it was de-obfuscated!
• These suspicious blocks are logged at the "warning" level in EID 4104, unless script block logging is explicitly disabled. This feature ensures that some forensic data is logged for known-suspicious activity, even if logging is not enabled.
• https://github.com/PowerShell/PowerShell/blob/02b5f357a20e6dee9f8e60e3adb9025be3c94490/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660

#23: PowerShell Empire - talked about last year. https://github.com/EmpireProject/Empire

#24: 2015 - "Measure-VariableObfuscation", which relies on PowerShellArsenal to create "Obfuscation Metrics" for scripts.

#26: And system.management.automation.ni.dll - why the wildcard.
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af

#28: Invoke-Obfuscation demo walkthrough:

    ipmo .\Invoke-Obfuscation.psd1
    Invoke-Obfuscation
    SET SCRIPTBLOCK function Invoke-Stuff { Get-Process }; Invoke-Stuff
    token all 1, clip (show executing it in a PowerShell window), back, back
    string 3, clip (show executing it in a PowerShell window), back
    encoding 6, clip (show executing it in a PowerShell window), back
    launcher rundll++ 0, clip (run in cmd.exe)

#29: Matt Graeber will speak on this on day 3 (Device Guard). Device Guard forces PS into constrained language mode - https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Language_Modes - no reflection, no Add-Type, limits New-Object (e.g. no creating arbitrary COM objects). https://github.com/ChrisTruncer/WMImplant

#31: https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

#33: After this, you should WANT attackers to use PowerShell! Try to block the attacker, but if he still gets in, we want to be able to detect and see what he did.

#36: 42:00