Powershell'in Karanlık Yüzü

•

1 like•617 views

Halil Dalabasmaz

ISTSEC 2017'de gerçekleştirdiğim "Powershell'in Karanlık Yüzü" isimli sunumum.

Technology

Powershell’in Karanlık Yüzü
Sistemlere Sızma, Bırakılan İzler, Phant0m

whoami
• Halil DALABASMAZ
• Sr. Penetration Tester & Instructor @ BGA Security
• C|EH, OSCP, OSWP, OSCE
• artofpwn.com
• Twitter @hlldz
• Linkedin @hlldz
• Exploit-DB @Halil DALABASMAZ

>_ Powershell
• Microsoft tarafından Windows komut satırı cmd.exe ve Windows
Script Host'a alternatif olarak geliştirilen yeni nesil bir komut satırı
uygulamasıdır.

>_ Neden
• Signed, Legal
• Varsayılan Olarak Yüklü
• Şifreli Trafik İle Uzaktan Erişim
İmkanı
• Anti-Forensic Friendly
• Anti-Application Whitelisting
Friendly
• Script-Based Malware Bağışıklığı
• Obfuscation Kolaylığı

>_ Execution Policy
• Restricted
• RemoteSigned
• AllSigned
• Unrestricted
• Bypass

>_ Projeler
• Powershell Empire
• PowerSploit
• Nishang
• PowerOPS
• p0wnedShell
• Inveigh
• Unicorn

>_ Bırakılan İzler
• Kayıt Defteri
• Ağ Trafiği
• Memory
• Prefecth
• Event Log

>_ Kayıt Defteri
• Kalıcı Olmak (Persistent)

>_ Ağ Trafiği
• WinRM, Windows Remote
Management
• Powershell Remoting
• HTTP 5985, HTTPS 5986

>_ Memory
• Powershell Remoting?
• svchost.exe - DCOM Server
Process
• DCOMLaunch
• C:WindowsSystem32wsmpro
vhost.exe

>_ Windows Event Log
• Powershell 3.0 +
• Windows PowerShell.evtx
• Microsoft-Windows-
PowerShell%4Operational.evtx
• Microsoft-Windows-
PowerShell%4Analytic.etl
• Microsoft-Windows-
WinRM%4Operational.evtx
• • Microsoft-Windows-
WinRM%4Analytic.etl

>_ Phant0m
• İz bırakmamak!?
• Windows Event Log

>_ Demo
1. .DOC (Macro)
2. MS16-032 LPE
3. Phant0m
4. Meterpreter

Similar to Powershell'in Karanlık Yüzü

Api crash

Api crash

Api crash

Api crash

Api crash

Api crash

Api crash

At National Instruments, we have developed an automation and provisioning framework called PIE (Programmable Infrastructure Environment) that we use daily on our devops team. Similar tools are available such as chef or puppet, but what makes PIE unique is its ability to work in multi-cloud deployments (Azure and AWS) along with multiple node OS types (linux and windows). It uses zookeeper to keep state and track dependencies across nodes and services. When building PIE we actively considered how to implement it in a Rugged way for a DevOps team. As noted in the deck on slide 68, we are Rugged by Design and Devops by Culture. We see these as intersecting domains that have the ability to impact each other. For more info see ruggeddevops.org

Coding Secure Infrastructure in the Cloud using the PIE framework

James Wickett

Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed. Further reading: PowerShell threats surge: 95.4 percent of analyzed scripts were malicious (https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent-analyzed-scripts-were-malicious) The increased use of PowerShell in attacks (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf)

PowerShell: The increased use of PowerShell in cyber attacks

Symantec Security Response

Openly Secure

Mohamed Sayed

Bsides tampa

Octavio Paguaga

Hillel Kobrovski - Remote Access Challenges - from VPN Client / SSL VPN to Zero Trust & SDP Modules וובינר : אתגרי אבטחת מידע והגנת סייבר בחיבור מאובטח לעבודה מרחוק של עובדים - ספקים הילל קוברובסקי , עתידן טכנולוגי , יועץ רב-תחומי להגנת סייבר וחדשנות כאסטרטגיה עסקית מצגת קצרה בנושא האתגרים הטכנולוגיים הקיימים , סקירה של הטכנולוגיות המובילות הקיימות כיום בתחום SSLVPN \ IPSEC VPN , הדגשים שחייבים לתת עליהם את הדעת , הדור הבא של פתרונות לחיבור מאובטח במימוש מודלים Zero Trust \ SDP הקלטה של הוובינר מתאריך 13/03/2020 ביחד עם ההרצאה של ערן אברג'ל מנהל מכירות ו איתן ברמלר CTO של חברת Safe-T בנושא של הטמעת פתרון Zero Trust במודל SDP - Software Defined Perimeter הלכה למעשה נמצאת בלינק הבא: https://youtu.be/Tm0seSvtD3E בכל שאלה אני תמיד לשירותכם הילל קוברובסקי עתידן טכנולוגי וחוקר טרנדים בתחום הסייבר , מרצה בכיר יועץ רב-תחומי להגנת סייבר וחדשנות כאסטרטגיה עסקית מנטור לפיתוח עסקי ואישי בתחומי הסייבר והחדשנות 054-7700919 | Hillel@Innovateordie.co.il Hillel Kobrovski Technology Futurist ✮ Cyber Trends Researcher ✮ Senior Lecturer Multidisciplinary Consultant for Cyber Security & Innovation as Business Strategy Business & Personal Mentor for Cyber & Innovation area 972-54-7700919 | Hillel@Innovateordie.co.il

הילל קוברובסקי - אתגרי אבטחת מידע והגנת סייבר בחיבור מאובטח לעבודה מרחוק של ע...

Hillel Kobrovski

Securing your web apps now

Stephan Steynfaardt

Hadoop Security

Timothy Spann

APIs have become the backbone of many services nowadays - from the weather forecast to delivery notifications and photo printing services. Not only can we consume data and services more readily through those APIs but we can also mash them up into greater services. To do so, we tackled API security through OAuth and OpenID Connect. They form a good basis to handle authentication and basic authorization delegation, but there is so much more to consider from an authorization perspective. This session will discuss how security concerns can be addressed through policy-driven authorization in a way that meets the needs and expectations of application developers, owners, and auditors alike. We will show how complex access policies can be handled through a dedicated authorization microservice. With this approach, you can automate security deployment changes within the same CI/CD pipelines used for application management. Furthermore, new deployment configurations are possible, such as implementing the authorization service as a sidecar, to meet advanced performance and scale requirements. All this without changing a single line of code.

Policy enabling your services - using elastic dynamic authorization to contro...

David Brossard

Mod security

Shruthi Kamath

Cyber ppt

karthik menon

Secure Search - Using Apache Sentry to Add Authentication and Authorization S...

Lucidworks

What is Apache Solr? Check Out Its Advantages

NextBrick Inc

Windows Azure PowerShell CmdLets

Pavel Revenkov

Similar to Powershell'in Karanlık Yüzü (20)

Api crash

Coding Secure Infrastructure in the Cloud using the PIE framework

PowerShell: The increased use of PowerShell in cyber attacks

Openly Secure

Bsides tampa

הילל קוברובסקי - אתגרי אבטחת מידע והגנת סייבר בחיבור מאובטח לעבודה מרחוק של ע...

Securing your web apps now

Hadoop Security

Policy enabling your services - using elastic dynamic authorization to contro...

Mod security

Cyber ppt

Secure Search - Using Apache Sentry to Add Authentication and Authorization S...

What is Apache Solr? Check Out Its Advantages

Windows Azure PowerShell CmdLets

Recently uploaded

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

MINDCTI Revenue Release Quarter One 2024

MIND CTI

ICT role in 21st century education and its challenges

rafiqahmad00786416

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Recently uploaded (20)

Platformless Horizons for Digital Adaptability

MINDCTI Revenue Release Quarter One 2024

ICT role in 21st century education and its challenges

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

[BuildWithAI] Introduction to Gemini.pdf

MS Copilot expands with MS Graph connectors

Introduction to Multilingual Retrieval Augmented Generation (RAG)

presentation ICT roal in 21st century education

CNIC Information System with Pakdata Cf In Pakistan

Why Teams call analytics are critical to your entire business

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Corporate and higher education May webinar.pptx

Powershell'in Karanlık Yüzü

1. Powershell’in Karanlık Yüzü Sistemlere Sızma, Bırakılan İzler, Phant0m

2. whoami • Halil DALABASMAZ • Sr. Penetration Tester & Instructor @ BGA Security • C|EH, OSCP, OSWP, OSCE • artofpwn.com • Twitter @hlldz • Linkedin @hlldz • Exploit-DB @Halil DALABASMAZ

3. >_ Powershell • Microsoft tarafından Windows komut satırı cmd.exe ve Windows Script Host'a alternatif olarak geliştirilen yeni nesil bir komut satırı uygulamasıdır.

4. >_ Powershell

5. >_ Karanlık Taraf

6. >_ Neden • Signed, Legal • Varsayılan Olarak Yüklü • Şifreli Trafik İle Uzaktan Erişim İmkanı • Anti-Forensic Friendly • Anti-Application Whitelisting Friendly • Script-Based Malware Bağışıklığı • Obfuscation Kolaylığı

7. >_ Execution Policy • Restricted • RemoteSigned • AllSigned • Unrestricted • Bypass

8. >_ Projeler • Powershell Empire • PowerSploit • Nishang • PowerOPS • p0wnedShell • Inveigh • Unicorn

9. >_ Powershell > Powershell.exe

10. >_ Bırakılan İzler • Kayıt Defteri • Ağ Trafiği • Memory • Prefecth • Event Log

11. >_ Kayıt Defteri • Kalıcı Olmak (Persistent)

12. >_ Ağ Trafiği • WinRM, Windows Remote Management • Powershell Remoting • HTTP 5985, HTTPS 5986

13. >_ Memory • Powershell Remoting? • svchost.exe - DCOM Server Process • DCOMLaunch • C:WindowsSystem32wsmpro vhost.exe

14. >_ Prefecth • C:WindowsPrefetch • *.pf

15. >_ Windows Event Log • Powershell 3.0 + • Windows PowerShell.evtx • Microsoft-Windows- PowerShell%4Operational.evtx • Microsoft-Windows- PowerShell%4Analytic.etl • Microsoft-Windows- WinRM%4Operational.evtx • • Microsoft-Windows- WinRM%4Analytic.etl

16. >_ Phant0m • İz bırakmamak!? • Windows Event Log

17. >_ svchost.exe

18. >_ Windows Event Log

19. >_ Demo 1. .DOC (Macro) 2. MS16-032 LPE 3. Phant0m 4. Meterpreter

Powershell'in Karanlık Yüzü

Recommended

Recommended

More Related Content

Similar to Powershell'in Karanlık Yüzü

Similar to Powershell'in Karanlık Yüzü (20)

Recently uploaded

Recently uploaded (20)

Powershell'in Karanlık Yüzü