Uploaded byBen Ten (0xA)
PDF, PPTX3,851 views

Gray Hat PowerShell - ShowMeCon 2015

This document contains the slides from a presentation titled "Gray Hat PowerShell" given by Ben Ten at ShowMeCon 2015. The presentation covers an introduction to PowerShell and how it sits on the .NET framework. It then discusses offensive and defensive PowerShell tools and techniques, including PowerSploit, PowerView, Posh-SecMod, PoshSec, Kansa, and Invoke-IR. The presentation includes demonstrations of loading PowerShell programmatically and using tools like PowerSploit. It concludes with reminding attendees that these tools can damage systems if misused and providing resources for further information.

Embed presentation

Download as PDF, PPTX
Gray Hat PowerShell Ben Ten (@Ben0xA) Slides: http://www.slideshare.net/BenTen0xA ShowMeCon 2015
About Me Ben Ten (0xA) @Ben0xA - twitter Chicago - #burbsec Security Consultant at Developer PoshSec Framework Creator Gamer Geek Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Thank You! Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Thank You! Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
About Me Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
About Me Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER!
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER! Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a diam lectus. Sed sit amet ipsum mauris. Maecenas congue ligula ac quam viverra nec consectetur ante hendrerit. Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean ut gravida lorem. Ut turpis felis, pulvinar a semper sed, adipiscing id dolor. Pellentesque auctor nisi id magna consequat sagittis. Curabitur dapibus enim sit amet elit pharetra tincidunt feugiat nisl imperdiet. Ut convallis libero in urna ultrices accumsan. Donec sed odio eros. Donec viverra mi quis quam pulvinar at malesuada arcu rhoncus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. In rutrum accumsan ultricies. Mauris vitae nisi at sem facilisis semper ac in est. Vivamus fermentum semper porta. Nunc diam velit, adipiscing ut tristique vitae, sagittis vel odio. Maecenas convallis ullamcorper ultricies. Curabitur ornare, ligula semper consectetur sagittis, nisi diam iaculis velit, id fringilla sem nunc vel mi. Nam dictum, odio nec pretium volutpat, arcu ante placerat erat, non tristique elit urna et turpis. Quisque mi metus, ornare sit amet fermentum et, tincidunt et orci. Fusce eget orci a orci congue vestibulum. Ut dolor diam, elementum et vestibulum eu, porttitor vel elit. Curabitur venenatis pulvinar tellus gravida ornare. Sed et erat faucibus nunc euismod ultricies ut id justo. Nullam cursus suscipit nisi, et ultrices justo sodales nec. Fusce venenatis facilisis lectus ac semper. Aliquam at massa ipsum. Quisque bibendum purus convallis nulla ultrices ultricies. Nullam aliquam, mi eu aliquam tincidunt, purus velit laoreet tortor, viverra pretium nisi quam vitae mi. Fusce vel volutpat elit. Nam sagittis nisi dui. Yes, I know it's Lorem Ipsum….
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER! ● Please do not use any of these tools, techniques, or code on any system that you do not own or otherwise have permission to use. ● Some of these things can damage systems!
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) This Talk is Not: ● An introduction to PowerShell ● Able to cover the wide array of techniques and code available in 45 minutes
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
About This Talk Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Practical PowerShell Programming for Professional People http://ben0xa.com -or- https://youtube.com/watch?v=4X_uBL2YpmA
Overview Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● Under the .NET Hood ● Offense Tools ● Defense Tools ● Resources ● Q&A ● Hugs – if you want them!
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Before you create any tool, regardless of your intent, you need to understand what you are building your tool upon.
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) PowerShell sits directly on Microsoft .NET Framework
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) PowerShell is NOT powershell.exe
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) powershell.exe is just a host application. It hosts the assembly that contains PowerShell and handles I/O. System.Management.Automation.dll
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) The Code $ps = [powershell]::Create() $ps.AddCommand("Get-ChildItem") $ps.Invoke() $ps.Commands.Clear() $ps.AddScript("Write-Output `"Hey there ShowMeCon!`"; Get- ChildItem;") $ps.Invoke()
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo #2
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Under the .NET Framework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) The Code The AwesomerShell code is available on ben0xa.com
Offense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PowerSploit Matt Graeber (@mattifestation) Chris Campbell (@obscuresec) ● Veil-PowerView / PowerUp Will Shroeder (@harmj0y) ● Posh-SecMod Carlos Perez (@darkoperator)
Offense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PowerSploit Matt Graeber (@mattifestation) Chris Campbell (@obscuresec) ● Veil-PowerView Will Shroeder (@harmj0y) ● Posh-SecMod Carlos Perez (@darkoperator)
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Add-Persistence Find-4624Logons Find-4648Logons Find-AppLockerLogs Find-AVSignature Find-PSScriptsInPSAppLog Find-RDPClientConnections Get-ComputerDetails Get-GPPPassword Get-HttpStatus Get-Keystrokes Get-SecurityPackages Get-TimedScreenshot Get-VaultCredential Get-VolumeShadowCopy Install-SSP Invoke-CredentialInjection Invoke-DllInjection Invoke-Mimikatz Invoke-NinjaCopy Invoke-PortScan Invoke-ReflectivePEInjection Invoke-ReverseDNSLookup Invoke-Shellcode Invoke-ShellcodeMSIL Invoke-TokenManipulation Mount-VolumeShadowCopy New-ElevatedPersistenceOption New-UserPersistenceOption Out-CompressedDll Out-EncodedCommand Out-EncryptedScript Out-Minidump Remove-Comments Set-CriticalProcess Set-MasterBootRecord
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) STOP!
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Invoke-Expression (iex) Loads Directly in Memory – No Disk I/O
PowerSploit Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo #3
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PoshSec Matt Johnson (@mwjcomputing) Ben Ten (@ben0xa) ● Kansa Dave Hull (@davehull) ● Invoke-IR / PowerForensics Jared Atkinson (@jaredcatkinson)
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PoshSec Matt Johnson (@mwjcomputing) Ben Ten (@ben0xa) ● Kansa Dave Hull (@davehull) ● Invoke-IR / PowerForensics Jared Atkinson (@jaredcatkinson)
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo #4
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Defense Tools Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
Resources Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PowerSploit https://github.com/mattifestation/PowerSploit ● Veil-PowerView / PowerUp https://github.com/veil-framework/ ● Posh-SecMod https://github.com/darkoperator/
Resources Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PoshSec https://github.com/poshsec ● Kansa https://github.com/davehull ● Invoke-IR / PowerForensics https://github.com/invoke-ir
Q&A Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Ben Ten (0xA) @Ben0xA - twitter http://ben0xa.com http://poshsec.com web@ben0xa.com Ben0xA – LinkedIn, Github, keybase, etc. irc.freenode.net #burbsec, #poshsec, #pssec http://www.slideshare.net/BenTen0xA

More Related Content

PDF
TypeScript와 Flow: 
자바스크립트 개발에 정적 타이핑 도입하기
byHeejong Ahn
 
PPTX
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
byChris Saint-Amant
 
PDF
Practical PowerShell Programming for Professional People
byBen Ten (0xA)
 
PDF
Practical PowerShell Programming for Professional People - DerbyCon 4
byBen Ten (0xA)
 
PDF
Practical PowerShell Programming for Professional People - Extended Edition
byBen Ten (0xA)
 
PDF
Metasepi team meeting #16: Safety on ATS language + MCU
byKiwamu Okabe
 
PDF
Code review workshop
byDamien Seguy
 
PDF
Solving Localization Challenges with Design Pattern Automation
byPostSharp Technologies
 
TypeScript와 Flow: 
자바스크립트 개발에 정적 타이핑 도입하기
byHeejong Ahn
 
Netflix JavaScript Talks - Scaling A/B Testing on Netflix.com with Node.js
byChris Saint-Amant
 
Practical PowerShell Programming for Professional People
byBen Ten (0xA)
 
Practical PowerShell Programming for Professional People - DerbyCon 4
byBen Ten (0xA)
 
Practical PowerShell Programming for Professional People - Extended Edition
byBen Ten (0xA)
 
Metasepi team meeting #16: Safety on ATS language + MCU
byKiwamu Okabe
 
Code review workshop
byDamien Seguy
 
Solving Localization Challenges with Design Pattern Automation
byPostSharp Technologies
 

Viewers also liked

PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PPT
Powershell Seminar @ ITWorx CuttingEdge Club
byEssam Salah
 
PDF
Malwarem armed with PowerShell
byFFRI, Inc.
 
PPT
Managing VMware with PowerShell - VMworld 2008
byCarter Shanklin
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PPTX
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
PPTX
Client side attacks using PowerShell
byNikhil Mittal
 
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
PPTX
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
PPTX
PowerShell Plus v4.7 Overview
byRichard Giles
 
PDF
Power on, Powershell
byRoo7break
 
PPTX
PowerShell 101
byThomas Lee
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PPTX
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
PPTX
How to do everything with PowerShell
byJuan Carlos Gonzalez
 
PPT
Windows Server 2008 (PowerShell Scripting Uygulamaları)
byÇözümPARK
 
PDF
PowerShell from *nix user perspective
byJuraj Michálek
 
PPTX
Office 365 & PowerShell - A match made in heaven
bySébastien Levert
 
PDF
Some PowerShell Goodies
byCybereason
 
PPTX
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
byRichard Calderon
 
Building an Empire with PowerShell
byWill Schroeder
 
Powershell Seminar @ ITWorx CuttingEdge Club
byEssam Salah
 
Malwarem armed with PowerShell
byFFRI, Inc.
 
Managing VMware with PowerShell - VMworld 2008
byCarter Shanklin
 
I hunt sys admins 2.0
byWill Schroeder
 
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
Client side attacks using PowerShell
byNikhil Mittal
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
PowerShell Plus v4.7 Overview
byRichard Giles
 
Power on, Powershell
byRoo7break
 
PowerShell 101
byThomas Lee
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
How to do everything with PowerShell
byJuan Carlos Gonzalez
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
byÇözümPARK
 
PowerShell from *nix user perspective
byJuraj Michálek
 
Office 365 & PowerShell - A match made in heaven
bySébastien Levert
 
Some PowerShell Goodies
byCybereason
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
byRichard Calderon
 

Similar to Gray Hat PowerShell - ShowMeCon 2015

PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
PDF
.Net Hijacking to Defend PowerShell BSidesSF2017
byAmanda Rousseau
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PPTX
Holy PowerShell, BATman! - dogfood edition
byDave Diehl
 
PPTX
Bsides tampa
byOctavio Paguaga
 
PPTX
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
PPTX
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Introduction to PowerShell and getting started
byRavikanth Chaganti
 
PDF
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
byCTruncer
 
PDF
Power shell for newbies getting started powershell 4
byZafar Ali Khan
 
PDF
Powershell-hacking-1nTh35h311-BSidesTLV2019
byYossi Sassi
 
PPTX
Wsv315 Windows Power Shell For Beginners
byjsnover1
 
PDF
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PDF
DevSec Defense
byDaniel Bohannon
 
PDF
Powershell
bypadrino98
 
PPTX
PowerShell for the Anxious ITPro
byJason Himmelstein
 
PDF
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
.Net Hijacking to Defend PowerShell BSidesSF2017
byAmanda Rousseau
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
Holy PowerShell, BATman! - dogfood edition
byDave Diehl
 
Bsides tampa
byOctavio Paguaga
 
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
Introduction to PowerShell and getting started
byRavikanth Chaganti
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
byCTruncer
 
Power shell for newbies getting started powershell 4
byZafar Ali Khan
 
Powershell-hacking-1nTh35h311-BSidesTLV2019
byYossi Sassi
 
Wsv315 Windows Power Shell For Beginners
byjsnover1
 
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
DevSec Defense
byDaniel Bohannon
 
Powershell
bypadrino98
 
PowerShell for the Anxious ITPro
byJason Himmelstein
 
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
Drilling deeper with Veil's PowerTools
byWill Schroeder
 

Recently uploaded

PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 

Gray Hat PowerShell - ShowMeCon 2015

  • 1.
    Gray Hat PowerShell BenTen (@Ben0xA) Slides: http://www.slideshare.net/BenTen0xA ShowMeCon 2015
  • 2.
    About Me Ben Ten(0xA) @Ben0xA - twitter Chicago - #burbsec Security Consultant at Developer PoshSec Framework Creator Gamer Geek Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 3.
    Thank You! Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 4.
    Thank You! Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 5.
    About Me Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 6.
    About Me Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 7.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER!
  • 8.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER! Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a diam lectus. Sed sit amet ipsum mauris. Maecenas congue ligula ac quam viverra nec consectetur ante hendrerit. Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean ut gravida lorem. Ut turpis felis, pulvinar a semper sed, adipiscing id dolor. Pellentesque auctor nisi id magna consequat sagittis. Curabitur dapibus enim sit amet elit pharetra tincidunt feugiat nisl imperdiet. Ut convallis libero in urna ultrices accumsan. Donec sed odio eros. Donec viverra mi quis quam pulvinar at malesuada arcu rhoncus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. In rutrum accumsan ultricies. Mauris vitae nisi at sem facilisis semper ac in est. Vivamus fermentum semper porta. Nunc diam velit, adipiscing ut tristique vitae, sagittis vel odio. Maecenas convallis ullamcorper ultricies. Curabitur ornare, ligula semper consectetur sagittis, nisi diam iaculis velit, id fringilla sem nunc vel mi. Nam dictum, odio nec pretium volutpat, arcu ante placerat erat, non tristique elit urna et turpis. Quisque mi metus, ornare sit amet fermentum et, tincidunt et orci. Fusce eget orci a orci congue vestibulum. Ut dolor diam, elementum et vestibulum eu, porttitor vel elit. Curabitur venenatis pulvinar tellus gravida ornare. Sed et erat faucibus nunc euismod ultricies ut id justo. Nullam cursus suscipit nisi, et ultrices justo sodales nec. Fusce venenatis facilisis lectus ac semper. Aliquam at massa ipsum. Quisque bibendum purus convallis nulla ultrices ultricies. Nullam aliquam, mi eu aliquam tincidunt, purus velit laoreet tortor, viverra pretium nisi quam vitae mi. Fusce vel volutpat elit. Nam sagittis nisi dui. Yes, I know it's Lorem Ipsum….
  • 9.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) DISCLAIMER! ● Please do not use any of these tools, techniques, or code on any system that you do not own or otherwise have permission to use. ● Some of these things can damage systems!
  • 10.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) This Talk is Not: ● An introduction to PowerShell ● Able to cover the wide array of techniques and code available in 45 minutes
  • 11.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 12.
    About This Talk GrayHat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Practical PowerShell Programming for Professional People http://ben0xa.com -or- https://youtube.com/watch?v=4X_uBL2YpmA
  • 13.
    Overview Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) ● Under the .NET Hood ● Offense Tools ● Defense Tools ● Resources ● Q&A ● Hugs – if you want them!
  • 14.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 15.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Before you create any tool, regardless of your intent, you need to understand what you are building your tool upon.
  • 16.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) PowerShell sits directly on Microsoft .NET Framework
  • 17.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) PowerShell is NOT powershell.exe
  • 18.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) powershell.exe is just a host application. It hosts the assembly that contains PowerShell and handles I/O. System.Management.Automation.dll
  • 19.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 20.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo
  • 21.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 22.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 23.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) The Code $ps = [powershell]::Create() $ps.AddCommand("Get-ChildItem") $ps.Invoke() $ps.Commands.Clear() $ps.AddScript("Write-Output `"Hey there ShowMeCon!`"; Get- ChildItem;") $ps.Invoke()
  • 24.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo #2
  • 25.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 26.
    Under the .NETFramework Hood Gray Hat PowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) The Code The AwesomerShell code is available on ben0xa.com
  • 27.
    Offense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PowerSploit Matt Graeber (@mattifestation) Chris Campbell (@obscuresec) ● Veil-PowerView / PowerUp Will Shroeder (@harmj0y) ● Posh-SecMod Carlos Perez (@darkoperator)
  • 28.
    Offense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PowerSploit Matt Graeber (@mattifestation) Chris Campbell (@obscuresec) ● Veil-PowerView Will Shroeder (@harmj0y) ● Posh-SecMod Carlos Perez (@darkoperator)
  • 29.
    PowerSploit Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) Add-Persistence Find-4624Logons Find-4648Logons Find-AppLockerLogs Find-AVSignature Find-PSScriptsInPSAppLog Find-RDPClientConnections Get-ComputerDetails Get-GPPPassword Get-HttpStatus Get-Keystrokes Get-SecurityPackages Get-TimedScreenshot Get-VaultCredential Get-VolumeShadowCopy Install-SSP Invoke-CredentialInjection Invoke-DllInjection Invoke-Mimikatz Invoke-NinjaCopy Invoke-PortScan Invoke-ReflectivePEInjection Invoke-ReverseDNSLookup Invoke-Shellcode Invoke-ShellcodeMSIL Invoke-TokenManipulation Mount-VolumeShadowCopy New-ElevatedPersistenceOption New-UserPersistenceOption Out-CompressedDll Out-EncodedCommand Out-EncryptedScript Out-Minidump Remove-Comments Set-CriticalProcess Set-MasterBootRecord
  • 30.
    PowerSploit Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) STOP!
  • 31.
  • 32.
  • 33.
    PowerSploit Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) Invoke-Expression (iex) Loads Directly in Memory – No Disk I/O
  • 34.
    PowerSploit Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) Demo #3
  • 35.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PoshSec Matt Johnson (@mwjcomputing) Ben Ten (@ben0xa) ● Kansa Dave Hull (@davehull) ● Invoke-IR / PowerForensics Jared Atkinson (@jaredcatkinson)
  • 36.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) ● PoshSec Matt Johnson (@mwjcomputing) Ben Ten (@ben0xa) ● Kansa Dave Hull (@davehull) ● Invoke-IR / PowerForensics Jared Atkinson (@jaredcatkinson)
  • 37.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA) Demo #4
  • 38.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 39.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 40.
    Defense Tools Gray HatPowerShell ShowMeCon 2015 - Ben Ten (@Ben0xA)
  • 41.
    Resources Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) ● PowerSploit https://github.com/mattifestation/PowerSploit ● Veil-PowerView / PowerUp https://github.com/veil-framework/ ● Posh-SecMod https://github.com/darkoperator/
  • 42.
    Resources Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) ● PoshSec https://github.com/poshsec ● Kansa https://github.com/davehull ● Invoke-IR / PowerForensics https://github.com/invoke-ir
  • 43.
    Q&A Gray Hat PowerShell ShowMeCon2015 - Ben Ten (@Ben0xA) Ben Ten (0xA) @Ben0xA - twitter http://ben0xa.com http://poshsec.com web@ben0xa.com Ben0xA – LinkedIn, Github, keybase, etc. irc.freenode.net #burbsec, #poshsec, #pssec http://www.slideshare.net/BenTen0xA