Successfully reported this slideshow.
Your SlideShare is downloading. ×

Catch Me If You Can: PowerShell Red vs Blue

More Related Content

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Catch Me If You Can: PowerShell Red vs Blue

  1. 1. Catch Me If You Can PowerShell Red vs. Blue Will Schroeder, Specter Ops A Survey of PowerShell Security
  2. 2. Agenda • Setting the Stage: Offensive Philosophy • Infancy: from Monad to PowerSyringe • Primary School: PowerSploit • Adolescence: PEs, Mimikatz, Kansa, and more • Parental Guidance: PowerShell <3 the Blue Team • Teenage Rebellion: PowerShell Empire • Defense Grows Up: CimSweep, BloodHound, and more
  3. 3. Our Offensive Philosophy • “Assume breach” approach, focus on post- exploitation • “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA • “Living off the Land” • Focus on blending with normal host and network options • Led us to focus on built-in capabilities, most importantly PowerShell!
  4. 4. In the Beginning (2002)…
  5. 5. …Then There Was Light! (2009)
  6. 6. Offensive Infancy (2010)
  7. 7. From the Tree of Knowledge (2011)…
  8. 8. Sidenote: (2017)
  9. 9. Learning to Walk (2011) • Defenses: • Execution policy? Profiles? • Basic transcription (Version 2) • The True Offensive Start:
  10. 10. • PowerSyringe (2011) became PowerSploit (2012) • Injects shellcode into the current or arbitrary process • One of the most common components reused malware • Common post-exploitation features added logging, screen shot collection, etc.) • PowerShell Version 3 (Sept 2012) • Module logging introduced - first logging of PS commands Primary School
  11. 11. • Invoke-ReflectivePEInjection (2013) • Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process • The big one… Invoke-Mimikatz (2013) • Dumps plaintext passwords from memory! (Amongst *many* other tasty things  ) Adolescence
  12. 12. Invoke-Mimikatz Demo
  13. 13. • PowerView (March 2014) • Network/Active Directory situational awareness tool • Fun features ruined by Microsoft  - hunting (NetCease in Oct 2016) and remote enumeration (SAMRi10 - Dec 2016) • Kansa (March 2014) • Incident response framework • Uproot (Oct 2014) • WMI based IDS with PowerShell deployment • PowerShellArsenal (Nov 2014) • PowerShell reverse engineering toolkit Adolescence
  14. 14. • PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy” • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection • Really was a big “missing link” from our perspective • It can be used offensively defensively (Get-InjectedThread) Adolescence
  15. 15. • SharpPick (Dec. 2014) • PowerShell without PowerShell.exe! • Bypassed weak AppLocker configs/command logging • UnmanagedPowerShell (Dec 2014) • Inject PowerShell scripts into any process! • Loads .NET 2.0 runtime (if available) to bypass logging • PowerForensics (Mar 2015) • Live disk forensics with PowerShell! Adolescence
  16. 16. UnmanagedPowerShell Demo
  17. 17. Sidenote: Lee vs. Lee
  18. 18. Some Parental Guidance (2015)
  19. 19. AMSI https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application- developers-new-malware-defenses/
  20. 20. Bypasses Will Always Exist!
  21. 21. • Transcription (v2, improved in v5) • Ability to record the contents of a PowerShell session • Module Logging (v3) • Captures good execution details, but tons data • Deep Script Block Logging (v5) • Records code blocks as they’re executed • Default: logs suspicious looking scripts Logs on Logs
  22. 22. The Rebellious Teenager (Aug 2015)
  23. 23. Lee Fires Back (2015/2017)
  24. 24. Invoke-Mimikatz vs. Defender/AMSI Demo
  25. 25. • CimSweep (Jan 2016) • C-based defensive sweeping tool • BloodHound (April 2016) • Active Directory attack path analysis • A modified version of PowerView is used the data ingestion • WMI load events (~2016) • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName "%System.Management .Automation%.dll%" • https://gist.github.com/mattifestation/7fe1df7ca2f a3d067def00c01af • Take memory dump each time a PS process closes Defense Grows Up
  26. 26. • Invoke-Obfuscation (Sep 2016) • Encyclopedia of PowerShell obfuscation methods Things Get Complicated… http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
  27. 27. Invoke-Obfuscation Demo
  28. 28. • Device Guard (2016+) allows for the enforcement of constrained language • Strong application whitelisting/code integrity • Unsigned scripts run in Constrained Mode • No access to underlying .NET framework • WMImplant (late 2016) • WMI/PowerShell based toolkit that deploys functions even in constrained language Towards the Future…
  29. 29. https://github.com/FuzzySecurity/PSKerne l-Primitives PowerShell <3 The Kernel?? (2016- 2017+)
  30. 30. • Get-InjectedThread (April 2017) • Enumerates all current running threads • For each thread: • Finds the base address of each thread • Checks if the initial memory page of thread is allocated • Checks if the if the initial memory not backed by an file on disk • If the thread page IS committed and NOT backed by a file, then it is likely • Catches nearly all stock malware injection approaches! Scary (for us attackers ;)
  31. 31. Invoke-PSInject vs. Get-InjectedThread Demo
  32. 32. • Command line logging • Full transcription (if possible) • Install v5, and uninstall v2!! • Windows10: • Defender + AMSI • Deep script block logging • Device Guard and constrained language mode • Great resource: https://www.fireeye.com/blog/threat- research/2016/02/greater_visibilityt.html Tips for Securing a PowerShell Deployment
  33. 33. Summary • There‘s a huge variety of offensive and defensive projects and technologies available • PowerShell red and blue will continue to play cat and mouse • PowerShell Version 2 remains a big achilles heel • The tide has started to really shift towards blue/defense! • We‘re actually moving towards C# for
  34. 34. • Now: 15 min break • Grab a coffee • Stay here to enjoy next presentation • Change track and switch to another room • Ask me questions or meet me in a breakout session room afterwards Next Steps...
  35. 35. Questions?
  36. 36. • Will Schroeder (@harmj0y) • http://blog.harmj0y.net | will [at] harmj0y.net • Red teamer and offensive engineer for Specter Ops • Co-founder: • Veil-Framework | Empire/EmPyre | BloodHound • Developer of: • PowerView | PowerUp | current PowerSploit developer • Microsoft CDM/PowerShell MVP • Veteran trainer About_Author
  37. 37. • PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek • Kansa - Dave Hull • Uproot - Jared Atkinson • PowerShellArsenal - Matt Graeber • PowerView/PowerUp - Will Schroeder • PSReflect - Matt Graeber • SharpPick - Justin Warner • UnmanagedPowerShell - Lee Christensen • PowerShell Empire - Will Schroeder, Justin Warner, many many others About_References
  38. 38. • CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen • BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder • Invoke-Obfuscation - Daniel Bohannon • WMIPlant - Chris Truncer • PSKernel-Primitives - Ruben Boonen • Get-InjectedThread - Jared Atkinson About_References
  39. 39. • https://github.com/trustedsec/social-engineer- toolkit/blob/master/src/powershell/powerdump.powershell • https://github.com/PowerShellMafia/PowerSploit/tree/dev/ • https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b • https://github.com/davehull/Kansa • https://github.com/Invoke-IR/Uproot • https://github.com/mattifestation/PowerShellArsenal • https://github.com/mattifestation/PSReflect • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick • https://github.com/leechristensen/UnmanagedPowerShell • https://github.com/EmpireProject/PSInject • https://github.com/EmpireProject/Empire • https://github.com/PowerShellMafia/CimSweep • https://github.com/BloodHoundAD/BloodHound • https://github.com/danielbohannon/Invoke-Obfuscation • https://github.com/ChrisTruncer/WMImplant • https://github.com/FuzzySecurity/PSKernel-Primitives • https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2 About_References

Editor's Notes

  • Will show the evolution of offense and the defensive projects and mitigations that have been implemented in response

    Will not cover ALL tools, just ones I think are “evolutionary” relevant

    Focus only on “legitimate”/open-source offensive capabilities -> won’t cover crimeware/etc.

  • Quote- Microsoft Office365 red teaming whitepaper

    Access to .NET/the API, can stay off of disk, can reassemble malicious binaries in memory, etc.

    Explain what led us to PowerShell
  • “The Version 2 problem” – explain why we care about it from the offensive perspective
  • https://www.youtube.com/watch?v=JKlVONfD53w

    Talked some about execution policy

    Main contribution - PowerDump
  • Built by Matt Graeber

    Eventually repurposed into open source offensive toolsets like Metasploit
  • Both coded by Joe Bialek

    Mainly built so every binary didn’t have to be recoded into pure PowerShell

    https://github.com/PowerShellMafia/PowerSploit/blob/dev/CodeExecution/Invoke-ReflectivePEInjection.ps1
    https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-Mimikatz.ps1

  • Invoke-Mimikatz that creates a golden ticket for the parent domain and then DCSyncs the krbtgt of the root
  • https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
    https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
    https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b  
    https://github.com/davehull/Kansa - Incident response collection cmdlets (Dave Hull)
    https://github.com/Invoke-IR/Uproot - IDS via WMI Event Subscriptions
    https://github.com/mattifestation/PowerShellArsenal - Reverse engineering
  • https://github.com/mattifestation/PSReflect

    Why not use Add-Type? Explain…

    Swap over- show PowerView code before and after
  • Twitter thread about “can we run PowerShell without powershell.exe”

    PowerForensics – explain CreateFile() approach to avoid native APIs

    http://www.sixdub.net/?p=367#more-367
    https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/SharpPick
    https://github.com/leechristensen/UnmanagedPowerShell
  • https://github.com/EmpireProject/PSInject
    $Code = '
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
    [System.Windows.Forms.MessageBox]::Show("This is PS code! Current proc: $(Get-Process -Id $PID)");
    '
    $Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Code))
    Start-Process notepad
    Invoke-PSInject -ProcName notepad -PoshCode $Encoded
  • Command Line Version Parameter – “-version 2”

    Hosting Applications Compiled using V2 Reference Assemblies – “the “Windows PowerShell” classic event log has event ID 400. This is the “Engine Lifecycle” event, and includes the Engine Version.”

  • Released a month before Empire was slated to be released – gave me an existential freakout!

    -Better transcription with Start-Transcript and automatic transcription options
    -Deep script block logging
    -AMSI
  • -Transcription allows for automatic recording of PowerShell sessions

    -Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations.
    -Module logging will record portions of scripts, some de-obfuscated code, and some data formatted for output. 

    -Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands.
    Including code AFTER it was de-obfuscated!

    These suspicious blocks are logged at the “warning” level in EID 4104, unless script block logging is explicitly disabled.
    This feature ensures that some forensic data is logged for known-suspicious activity, even if logging is not enabled

    https://github.com/PowerShell/PowerShell/blob/02b5f357a20e6dee9f8e60e3adb9025be3c94490/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660

  • PowerShellEmpire – talked about last year

    https://github.com/EmpireProject/Empire
  • 2015- “Measure-VariableObfuscation” which relies on PowerShellArsenal to create “Obfuscation Metrics” for scripts

  • And system.management.automation.ni.dll – why the wildcard

    https://github.com/PowerShellMafia/CimSweep
    https://github.com/BloodHoundAD/BloodHound

    https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
  • ipmo .\Invoke-Obfuscation.psd1
    Invoke-Obfuscation
    SET SCRIPTBLOCK function Invoke-Stuff { Get-Process }; Invoke-Stuff
    token
    all
    1
    clip
    (Show you executing it in a powershell window)
    back
    back
    STRING
    3
    clip
    (Show you executing it in a powershell window)
    back
    encoding
    6
    clip
    (Show you executing it in a powershell window)
    back
    launcher
    rundll++
    0
    clip
    (run in cmd.exe)
  • Matt Graeber will speak on this on day 3 (device guard)

    Device Guard force PS into constrained language mode - https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Language_Modes
    No reflection, add-type, limits New-Object(e.g. no creating arbitrary COM objects)
    https://github.com/ChrisTruncer/WMImplant
  • https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
  • After this, you should WANT attackers to use PowerShell!

    Try and block the attacker, but if he still gets in, we want to be able to detect and see what he did
  • 42:00

×