
Catch Me If You Can: PowerShell Red vs Blue

This presentation was given at PSConfEU 2017 and covers a survey of PowerShell offensive/defensive projects.


  1. Catch Me If You Can: PowerShell Red vs. Blue. Will Schroeder, Specter Ops. A Survey of PowerShell Security
  2. Agenda
     • Setting the Stage: Offensive Philosophy
     • Infancy: from Monad to PowerSyringe
     • Primary School: PowerSploit
     • Adolescence: PEs, Mimikatz, Kansa, and more
     • Parental Guidance: PowerShell <3 the Blue Team
     • Teenage Rebellion: PowerShell Empire
     • Defense Grows Up: CimSweep, BloodHound, and more
  3. Our Offensive Philosophy
     • “Assume breach” approach, focus on post-exploitation
     • “Fundamentally, if someone wants to get in, they’re getting in... accept that. What we tell clients is: Number one, you’re in a fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA
     • “Living off the Land”
     • Focus on blending with normal host and network options
     • Led us to focus on built-in capabilities, most importantly PowerShell!
  4. In the Beginning (2002)...
  5. ...Then There Was Light! (2009)
  6. Offensive Infancy (2010)
  7. From the Tree of Knowledge (2011)...
  8. Sidenote: (2017)
  9. Learning to Walk (2011)
     • Defenses:
       • Execution policy? Profiles?
       • Basic transcription (Version 2)
     • The True Offensive Start:
  10. Primary School
     • PowerSyringe (2011) became PowerSploit (2012)
       • Injects shellcode into the current or an arbitrary process
       • One of the most common components reused in malware
       • Common post-exploitation features added (logging, screenshot collection, etc.)
     • PowerShell Version 3 (Sept 2012)
       • Module logging introduced - first logging of PS commands
  11. Adolescence
     • Invoke-ReflectivePEInjection (2013)
       • Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process
     • The big one... Invoke-Mimikatz (2013)
       • Dumps plaintext passwords from memory! (Amongst *many* other tasty things)
  12. Invoke-Mimikatz Demo
  13. Adolescence
     • PowerView (March 2014)
       • Network/Active Directory situational awareness tool
       • Fun features ruined by Microsoft: hunting (NetCease, Oct 2016) and remote enumeration (SAMRi10, Dec 2016)
     • Kansa (March 2014)
       • Incident response framework
     • Uproot (Oct 2014)
       • WMI based IDS with PowerShell deployment
     • PowerShellArsenal (Nov 2014)
       • PowerShell reverse engineering toolkit
  14. Adolescence
     • PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”
     • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection
     • Really was a big “missing link” from our perspective
     • It can be used offensively and defensively (Get-InjectedThread)
  15. Adolescence
     • SharpPick (Dec 2014)
       • PowerShell without PowerShell.exe!
       • Bypassed weak AppLocker configs/command logging
     • UnmanagedPowerShell (Dec 2014)
       • Inject PowerShell scripts into any process!
       • Loads .NET 2.0 runtime (if available) to bypass logging
     • PowerForensics (Mar 2015)
       • Live disk forensics with PowerShell!
  16. UnmanagedPowerShell Demo
  17. Sidenote: Lee vs. Lee
  18. Some Parental Guidance (2015)
  19. AMSI: https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
  20. Bypasses Will Always Exist!
  21. Logs on Logs
     • Transcription (v2, improved in v5)
       • Ability to record the contents of a PowerShell session
     • Module Logging (v3)
       • Captures good execution details, but tons of data
     • Deep Script Block Logging (v5)
       • Records code blocks as they’re executed
       • Default: logs suspicious looking scripts
  22. The Rebellious Teenager (Aug 2015)
  23. Lee Fires Back (2015/2017)
  24. Invoke-Mimikatz vs. Defender/AMSI Demo
  25. Defense Grows Up
     • CimSweep (Jan 2016)
       • CIM-based defensive sweeping tool
     • BloodHound (April 2016)
       • Active Directory attack path analysis
       • A modified version of PowerView is used for data ingestion
     • WMI load events (~2016)
       • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"
       • https://gist.github.com/mattifestation/7fe1df7ca2fa3d067def00c01af
       • Take memory dump each time a PS process closes
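A worked version of the WMI load-event idea on slide 25, added here as an example rather than taken from the deck or from the linked gist: it subscribes to Win32_ModuleLoadTrace and records every process that loads System.Management.Automation.dll without being one of the expected PowerShell hosts, which is the "PowerShell without PowerShell.exe" case from the SharpPick and UnmanagedPowerShell slides. It assumes Windows PowerShell 5.1 running elevated (the ETW-backed trace classes need administrator rights, and Register-WmiEvent does not exist in PowerShell 7); the host allow list, the source identifier and the log path are values chosen for this example.

```powershell
# Added example, not code from the slides or the linked gist.
# Assumes: Windows PowerShell 5.1, run elevated. The allow list, the
# SourceIdentifier and the log path below are placeholders for this example.

$AllowedHosts = @('powershell', 'powershell_ise', 'wsmprovhost')  # assumed expected hosts
$LogPath      = 'C:\ProgramData\ps-module-loads.log'              # assumed log location

# The deck's WQL query with the comparison operator spelled out. FileName is the
# loaded image path, so LIKE also catches the native-image (.ni.dll) copy.
$Query = 'SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"'

# The action runs in the event subscriber's scope, so configuration is passed
# in through -MessageData instead of relying on script variables.
$OnLoad = {
    $cfg  = $Event.MessageData
    $load = $Event.SourceEventArgs.NewEvent          # the Win32_ModuleLoadTrace instance
    $proc = Get-Process -Id ([int]$load.ProcessID) -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName.ToLower() } else { '<exited>' }
    if ($cfg.Allowed -notcontains $name) {
        $line = '{0} pid={1} host={2} module={3}' -f (Get-Date -Format o), $load.ProcessID, $name, $load.FileName
        Add-Content -Path $cfg.LogPath -Value $line
    }
}

function Start-PSHostWatch {
    # One subscription per session; re-running without Stop-PSHostWatch fails on the duplicate identifier.
    Register-WmiEvent -Query $Query -SourceIdentifier 'PSAutomationLoad' `
        -MessageData @{ Allowed = $AllowedHosts; LogPath = $LogPath } -Action $OnLoad | Out-Null
}

function Stop-PSHostWatch {
    Unregister-Event -SourceIdentifier 'PSAutomationLoad' -ErrorAction SilentlyContinue
}

function Get-PSHostAlert {
    # Each line: timestamp, PID, process name and the image path that was loaded.
    if (Test-Path $LogPath) { Get-Content -Path $LogPath }
}

# Usage (in an elevated session): Start-PSHostWatch; ...; Get-PSHostAlert; Stop-PSHostWatch
```

The subscription lives only as long as the PowerShell session that created it, so for production use the same query belongs in a permanent WMI event consumer or an EDR rule; the point of the example is the query and the "host not in the allow list" decision, not the delivery mechanism.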
  26. Things Get Complicated...
     • Invoke-Obfuscation (Sep 2016)
       • Encyclopedia of PowerShell obfuscation methods
     • http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
  27. Invoke-Obfuscation Demo
  28. Towards the Future...
     • Device Guard (2016+) allows for the enforcement of constrained language
       • Strong application whitelisting/code integrity
       • Unsigned scripts run in Constrained Mode
       • No access to the underlying .NET framework
     • WMImplant (late 2016)
       • WMI/PowerShell based toolkit that deploys functions even in constrained language
  29. PowerShell <3 The Kernel?? (2016-2017+): https://github.com/FuzzySecurity/PSKernel-Primitives
  30. Scary (for us attackers ;)
     • Get-InjectedThread (April 2017)
     • Enumerates all currently running threads
     • For each thread:
       • Finds the base address of the thread
       • Checks if the initial memory page of the thread is allocated
       • Checks if the initial memory page is not backed by a file on disk
       • If the thread page IS committed and NOT backed by a file, then it is likely
     • Catches nearly all stock malware injection approaches!
  31. Invoke-PSInject vs. Get-InjectedThread Demo
  32. Tips for Securing a PowerShell Deployment
     • Command line logging
     • Full transcription (if possible)
     • Install v5, and uninstall v2!!
     • Windows 10:
       • Defender + AMSI
       • Deep script block logging
       • Device Guard and constrained language mode
     • Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
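The logging controls from slide 21 and the deployment tips from slide 32, applied and verified with a script added here as an example (not the deck's or any project's own code). It writes the local policy registry values that PowerShell reads for script block logging, module logging and transcription, turns on command-line capture in the 4688 process-creation audit, removes the PowerShell 2.0 optional feature, and then reports each control's state. It assumes Windows 10 with Windows PowerShell 5.1 run elevated (on Windows Server the v2 feature is handled by Get-/Uninstall-WindowsFeature instead); the transcript directory is an assumed path.

```powershell
# Added example, not code from the slides. Assumes Windows 10, Windows PowerShell
# 5.1, run as Administrator. The transcript directory is an assumed path.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$AuditKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Set-PolicyValue {
    param([string]$KeyPath, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location, ideally a write-only share
    # Deep script block logging (v5): event 4104 in Microsoft-Windows-PowerShell/Operational
    Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
    # Module logging (v3+): '*' = '*' records pipeline execution for every module
    Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
    Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'
    # Transcription (v5): everything typed and returned, with an invocation header per command
    Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
    Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
    Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'
    # Command line logging: include the command line in Security event 4688
    Set-PolicyValue $AuditKey 'ProcessCreationIncludeCmdLine_Enabled' 1
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
}

function Disable-PowerShellV2 {
    # "Install v5, and uninstall v2": v2 has none of the logging above and can be selected with -Version 2.
    foreach ($feature in 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root') {
        if ((Get-WindowsOptionalFeature -Online -FeatureName $feature).State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        }
    }
}

function Test-PowerShellHardening {
    # Reads the controls back so the result can be compared across hosts.
    $sbl = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$PolicyRoot\ModuleLogging"      -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue
    $aud = Get-ItemProperty $AuditKey                         -ErrorAction SilentlyContinue
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $checks = [ordered]@{
        'Script block logging (v5)'   = $sbl.EnableScriptBlockLogging -eq 1
        'Module logging (v3)'         = $mod.EnableModuleLogging -eq 1
        'Transcription (v5)'          = $tr.EnableTranscripting -eq 1
        'Command line in 4688'        = $aud.ProcessCreationIncludeCmdLine_Enabled -eq 1
        'PowerShell v2 removed'       = $v2.State -ne 'Enabled'
        'Defender (AMSI provider) up' = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running'
        'Running v5 or later'         = $PSVersionTable.PSVersion.Major -ge 5
    }
    foreach ($name in $checks.Keys) { [pscustomobject]@{ Control = $name; Ok = [bool]$checks[$name] } }
}

function Get-SuspiciousScriptBlock {
    # Slide 21's default behaviour: even without the policy, v5 logs script blocks it
    # considers suspicious as Warning-level 4104 events. Property index 2 is the script text.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Usage: Enable-PowerShellLogging; Disable-PowerShellV2; Test-PowerShellHardening | Format-Table
```

The registry values are the same ones the Group Policy templates set, so on a domain-joined host the policy wins and this script is best used as the audit half (Test-PowerShellHardening) rather than the enforcement half. Script block logging is the control with the best signal-to-volume ratio here; module logging produces the "tons of data" the slide warns about and needs a collector sized for it.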
  33. Summary
     • There’s a huge variety of offensive and defensive projects and technologies available
     • PowerShell red and blue will continue to play cat and mouse
     • PowerShell Version 2 remains a big Achilles’ heel
     • The tide has started to really shift towards blue/defense!
     • We’re actually moving towards C# for
  34. Next Steps...
     • Now: 15 min break
     • Grab a coffee
     • Stay here to enjoy the next presentation
     • Change track and switch to another room
     • Ask me questions or meet me in a breakout session room afterwards
  35. Questions?
  36. About the Author
     • Will Schroeder (@harmj0y)
     • http://blog.harmj0y.net | will [at] harmj0y.net
     • Red teamer and offensive engineer for Specter Ops
     • Co-founder: Veil-Framework | Empire/EmPyre | BloodHound
     • Developer of: PowerView | PowerUp | current PowerSploit developer
     • Microsoft CDM/PowerShell MVP
     • Veteran trainer
  37. References
     • PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek
     • Kansa - Dave Hull
     • Uproot - Jared Atkinson
     • PowerShellArsenal - Matt Graeber
     • PowerView/PowerUp - Will Schroeder
     • PSReflect - Matt Graeber
     • SharpPick - Justin Warner
     • UnmanagedPowerShell - Lee Christensen
     • PowerShell Empire - Will Schroeder, Justin Warner, many many others
  38. References
     • CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen
     • BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder
     • Invoke-Obfuscation - Daniel Bohannon
     • WMImplant - Chris Truncer
     • PSKernel-Primitives - Ruben Boonen
     • Get-InjectedThread - Jared Atkinson
  39. References
     • https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell
     • https://github.com/PowerShellMafia/PowerSploit/tree/dev/
     • https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
     • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
     • https://github.com/davehull/Kansa
     • https://github.com/Invoke-IR/Uproot
     • https://github.com/mattifestation/PowerShellArsenal
     • https://github.com/mattifestation/PSReflect
     • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
     • https://github.com/leechristensen/UnmanagedPowerShell
     • https://github.com/EmpireProject/PSInject
     • https://github.com/EmpireProject/Empire
     • https://github.com/PowerShellMafia/CimSweep
     • https://github.com/BloodHoundAD/BloodHound
     • https://github.com/danielbohannon/Invoke-Obfuscation
     • https://github.com/ChrisTruncer/WMImplant
     • https://github.com/FuzzySecurity/PSKernel-Primitives
     • https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
