1. Catch Me If You Can
PowerShell Red vs.
Blue
Will Schroeder, Specter Ops
A Survey of PowerShell Security

2. Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and
more
• Parental Guidance: PowerShell <3 the Blue
Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound,
and more

3. Our Offensive Philosophy
• “Assume breach” approach, focus on post-
exploitation
• “Fundamentally, if someone wants to get in, they’re
getting in…accept that. What we tell clients is: Number
one, you’re in fight, whether you thought you were or
not. Number two, you almost certainly are penetrated.”
- Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
• Focus on blending with normal host and
network options
• Led us to focus on built-in capabilities,
most importantly PowerShell!

4. In the Beginning (2002)…

5. …Then There Was Light! (2009)

6. Offensive Infancy (2010)

7. From the Tree of Knowledge (2011)…

8. Sidenote: (2017)

9. Learning to Walk (2011)
• Defenses:
• Execution policy? Profiles?
• Basic transcription (Version 2)
• The True Offensive Start:

10. • PowerSyringe (2011) became
PowerSploit (2012)
• Injects shellcode into the current or
arbitrary process
• One of the most common components reused
malware
• Common post-exploitation features added
logging, screen shot collection, etc.)
• PowerShell Version 3 (Sept 2012)
• Module logging introduced - first
logging of PS commands
Primary School

11. • Invoke-ReflectivePEInjection (2013)
• Allows for the loading of arbitrary
.EXEs/.DLLs into the current process or a
foreign process
• The big one… Invoke-Mimikatz (2013)
• Dumps plaintext passwords from memory!
(Amongst *many* other tasty things  )
Adolescence

12. Invoke-Mimikatz
Demo

13. • PowerView (March 2014)
• Network/Active Directory situational
awareness tool
• Fun features ruined by Microsoft  -
hunting (NetCease in Oct 2016) and remote
enumeration (SAMRi10 - Dec 2016)
• Kansa (March 2014)
• Incident response framework
• Uproot (Oct 2014)
• WMI based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
• PowerShell reverse engineering toolkit
Adolescence

14. • PSReflect (Sep 2014) is “a series of
helper functions designed to make
defining in-memory enums, structs,
and Win32 functions extremely easy”
• This project immensely simplifies the
usage of Win32 API calls/associated
structures versus manual reflection
• Really was a big “missing link” from our
perspective
• It can be used offensively
defensively (Get-InjectedThread)
Adolescence

15. • SharpPick (Dec. 2014)
• PowerShell without PowerShell.exe!
• Bypassed weak AppLocker configs/command
logging
• UnmanagedPowerShell (Dec 2014)
• Inject PowerShell scripts into any
process!
• Loads .NET 2.0 runtime (if available) to
bypass logging
• PowerForensics (Mar 2015)
• Live disk forensics with PowerShell!
Adolescence

16. UnmanagedPowerShell
Demo

17. Sidenote: Lee vs. Lee

18. Some Parental Guidance (2015)

19. AMSI
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-
developers-new-malware-defenses/

20. Bypasses Will Always Exist!

21. • Transcription (v2, improved in v5)
• Ability to record the contents of a
PowerShell session
• Module Logging (v3)
• Captures good execution details, but tons
data
• Deep Script Block Logging (v5)
• Records code blocks as they’re executed
• Default: logs suspicious looking
scripts
Logs on Logs

22. The Rebellious Teenager (Aug 2015)

23. Lee Fires Back (2015/2017)

24. Invoke-Mimikatz vs.
Defender/AMSI
Demo

25. • CimSweep (Jan 2016)
• C-based defensive sweeping tool
• BloodHound (April 2016)
• Active Directory attack path analysis
• A modified version of PowerView is used
the data ingestion
• WMI load events (~2016)
• SELECT * FROM Win32_ModuleLoadTrace WHERE FileName
"%System.Management .Automation%.dll%"
• https://gist.github.com/mattifestation/7fe1df7ca2f
a3d067def00c01af
• Take memory dump each time a PS process closes
Defense Grows Up

26. • Invoke-Obfuscation (Sep 2016)
• Encyclopedia of PowerShell obfuscation
methods
Things Get Complicated…
http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9

27. Invoke-Obfuscation
Demo

28. • Device Guard (2016+) allows for the
enforcement of constrained language
• Strong application whitelisting/code
integrity
• Unsigned scripts run in Constrained
Mode
• No access to underlying .NET framework
• WMImplant (late 2016)
• WMI/PowerShell based toolkit that deploys
functions even in constrained language
Towards the Future…

29. https://github.com/FuzzySecurity/PSKerne
l-Primitives
PowerShell <3 The Kernel?? (2016-
2017+)

30. • Get-InjectedThread (April 2017)
• Enumerates all current running threads
• For each thread:
• Finds the base address of each thread
• Checks if the initial memory page of
thread is allocated
• Checks if the if the initial memory
not backed by an file on disk
• If the thread page IS committed and NOT
backed by a file, then it is likely
• Catches nearly all stock malware
injection approaches!
Scary (for us attackers ;)

31. Invoke-PSInject vs.
Get-InjectedThread
Demo

32. • Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows10:
• Defender + AMSI
• Deep script block logging
• Device Guard and constrained language mode
• Great resource:
https://www.fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html
Tips for Securing a PowerShell
Deployment

33. Summary
• There‘s a huge variety of offensive and
defensive projects and technologies
available
• PowerShell red and blue will continue to
play cat and mouse
• PowerShell Version 2 remains a big
achilles heel
• The tide has started to really shift
towards blue/defense!
• We‘re actually moving towards C# for

34. • Now: 15 min break
• Grab a coffee
• Stay here to enjoy next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout
session room afterwards
Next Steps...

35. Questions?

36. • Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at]
harmj0y.net
• Red teamer and offensive engineer for
Specter Ops
• Co-founder:
• Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
• PowerView | PowerUp | current PowerSploit
developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_Author

37. • PowerSploit - Matt Graeber, Chris
Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder,
Justin Warner, many many others
About_References

38. • CimSweep - Matt Graeber, Jared Atkinson,
Lee Christensen
• BloodHound - Andy Robbins, Rohan
Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMIPlant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson
About_References

39. • https://github.com/trustedsec/social-engineer-
toolkit/blob/master/src/powershell/powerdump.powershell
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://github.com/leechristensen/UnmanagedPowerShell
• https://github.com/EmpireProject/PSInject
• https://github.com/EmpireProject/Empire
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/danielbohannon/Invoke-Obfuscation
• https://github.com/ChrisTruncer/WMImplant
• https://github.com/FuzzySecurity/PSKernel-Primitives
• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
About_References