1 / 14

PowerShell Shenanigans

PowerShell Shenanigans. Kieran Jacobsen HP Enterprise Services. What is PowerShell?. Developed by Microsoft in 2006 Cross between a shell script and C# Replacement for VBScript Significant number of commands (called CMDLets) Runs on .NET Framework. Challenge.

wren
Download Presentation

PowerShell Shenanigans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PowerShell Shenanigans Kieran Jacobsen HP Enterprise Services

  2. What is PowerShell? • Developed by Microsoft in 2006 • Cross between a shell script and C# • Replacement for VBScript • Significant number of commands (called CMDLets) • Runs on .NET Framework

  3. Challenge • Move from social engineered workstation to domain controller • Where possible use only PowerShell code • Demo environment will be a “corporate like” environment

  4. Advantages as an attack platform • Code is very easy to develop • Windows integration • Remote execution offerings • Often overlooked by AV • Easily hidden from administrators • Installed by DEFAULT

  5. My PowerShell Malware • Single Script – SystemInformation.ps1 • Runs as a schedule task, every 5 minutes • Script: • Collects system information and more • Connects to C2 infrastructure, downloads a task list and executes tasks • Executes each task, if successful, task will not be rerun • Tasks can be restricted to individual computers

  6. Demo: The entry

  7. Windows PowerShell Remoting and WinRM • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Security Model = Trusted Devices + User Credentials • WinRM is required for the Windows Server Manager • As requested, you can find the slide deck here, and the GitHub code is available here. If you take a look through my GitHub repositories, you will notice how much PowerShell code I normally write, and you can also see the previous version of the same code.

  8. Demo: The DC

  9. PowerShell Security Features • Administrative rights • UAC • Code Signing • Local or Remote source using zone.identifier alternate data stream • PowerShell Execution Policy

  10. Execution Policy There are 6 states for the execution policy • Unrestricted All scripts can run • Remote Signed No unsigned scripts from the Internet can run • All Signed No unsigned scripts can run • Restricted No scripts are allowed to run • Undefined (Default) If no policy defined, then default to restricted • Bypass Policy processor is bypassed

  11. Bypassing Execution Policy • Simply ask PowerShell: powershell.exe –executionpolicy unrestricted • Switch the files zone.idenfier back to local: unblock-file yourscript.ps1 • Read the script in and then execute it (may fail depending on script) • Get/Steal a certificate, sign script, run script

  12. Demo: The HASHES

  13. Other Considerations • PowerShell Web Access • Desired State Configuration

  14. Links and Questions • Twitter: @kjacobsen • Blog: http://aperturescience.su • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerSploit: http://j.mp/1gJORtF • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy • Practical Persistence in PowerShell:http://j.mp/1mU6fQq

More Related