Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Lateral Movement with PowerShell

4,006 views

Published on

PowerShell, the must have tool and the long overlooked security challenge. Learn how PowerShell’s deep integration with the Microsoft platform can be utilized as a powerful attack platform within the enterprise space. Watch as a malicious actor moves from a compromised end user PC to the domain controllers and learn how we can begin to defend these types of attacks.

Published in: Software
  • Be the first to comment

Lateral Movement with PowerShell

  1. 1. POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY
  2. 2. WHO AM I • Kieran Jacobsen • Technical Lead @ Readify • Blog: poshsecurity.com
  3. 3. OUTLINE • PowerShell as an attack platform • PowerShell malware • PowerShell Remoting • PowerShell security features • Defence
  4. 4. CHALLENGE • Within a “corporate like” environment • Start with an infected workstation and move to a domain controller • Where possible use only PowerShell code
  5. 5. POWERSHELL AS AN ATTACK PLATFORM • Obvious development, integration and execution options • Installed by default since Windows Vista • PowerShell still considered harmless by the majority of AV vendors
  6. 6. POWERSHELL MALWARE • PowerWorm • PoshKoder/PoshCoder
  7. 7. MY POWERSHELL MALWARE • Single Script – SystemInformation.ps1 • Runs as a schedule task – “WindowsUpdate” • Collects system information • Reports back to C2 infrastructure • Collects list of tasks to run
  8. 8. DEMO: THE ENTRY
  9. 9. POWERSHELL REMOTING • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Simple security model • Required for the Windows Server Manager • Enabled by default • Allowed through Windows Firewall
  10. 10. DEMO: THE DC
  11. 11. POWERSHELL SECURITY FEATURES • Administrative rights • UAC • Code Signing • File source identification (zone.identifier) • PowerShell Execution Policy
  12. 12. EXECUTION POLICY There are 6 states for the execution policy • Unrestricted • Remote Signed • All Signed • Restricted • Undefined (Default) • Bypass
  13. 13. • Simply ask PowerShell • Switch the files zone.idenfier back to local • Read the script in and then execute it • Encode the script and use BYPASSING EXECUTION POLICY
  14. 14. DEMO: THE HASHES
  15. 15. DEFENCE • Restricted/Constrained Endpoints • Control/limit access to WinRM
  16. 16. LINKS • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerWorm Analysis: http://j.mp/RzgsHb • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy
  17. 17. Q AND A @kjacobsen Poshsecurity.com

×