Uploaded bykieranjacobsen
PPTX, PDF7,244 views

Lateral Movement with PowerShell

The document discusses the use of PowerShell as an attack platform, detailing its advantages for lateral movement and remote execution in corporate environments. It covers real-world PowerShell malware examples, such as 'Powerworm' and 'Poshcoder', and describes techniques for bypassing PowerShell security features like execution policies. The presentation also highlights defense mechanisms against PowerShell-based attacks, including application whitelisting and changes to Windows Firewall settings.

Embed presentation

Downloaded 44 times
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES
ABOUT:ME • Kieran Jacobsen • HP Enterprise Services – Engineer/Architect • Microsoft/Automation/Security focus • Twitter: @Kjacobsen • Blog: Aperturescience.su
OUTLINE • PowerShell as an attack platform • PowerShell malware • PowerShell Remoting & WinRM • PowerShell security, and bypassing that security • Defence
CHALLENGE • Move from social engineered workstation to domain controller • Where possible use only PowerShell code • Demo environment will be a “corporate like” environment
ADVANTAGES AS AN ATTACK PLATFORM • Code is very easy to develop • Windows integration • Plenty of remote execution options • Designed for automation against 1 – 10000000 devices • Limited security model • Antivirus products are no real concern/limitation • Scripts can be easily hidden from administrators • Installed by DEFAULT
REAL WORLD POWERSHELL MALWARE • Prior to March 2014, only a few minor instances • PowerWorm: • Infect’s Word and Excel documents, initial infection via macro in .doc/.xls • First spotted by TrendMicro, analysis and rewrite by Matt Graeber (@Mattifestation) • PoshKoder/PoshCoder: • PowerWorm crossed with CryptoLocker • Bitcoin ransom
MY POWERSHELL MALWARE • Single Script – SystemInformation.ps1 • Runs as a schedule task, every 5 minutes • Script: • Collects system information and more • Connects to C2 infrastructure, downloads a task list and executes tasks • Executes each task, if successful, task will not be rerun • Tasks can be restricted to individual computers
DEMO: THE ENTRY
WINDOWS POWERSHELL REMOTING AND WINRM • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Security Model = Trusted Devices + User Credentials • WinRM is required for the Windows Server Manager • WinRM is enabled by DEFAULT on Windows 2012(R2) Server • WinRM is allowed through Windows Firewall on all network profiles!
DEMO: THE DC
POWERSHELL SECURITY FEATURES • Administrative rights • UAC • Code Signing • Local or Remote source using zone.identifier alternate data stream • PowerShell Execution Policy
EXECUTION POLICY There are 6 states for the execution policy • Unrestricted All scripts can run • Remote Signed No unsigned scripts from the Internet can run • All Signed No unsigned scripts can run • Restricted No scripts are allowed to run • Undefined (Default) If no policy defined, then default to restricted • Bypass Policy processor is bypassed
BYPASSING EXECUTION POLICY • Simply ask PowerShell: powershell.exe –executionpolicy unrestricted • Switch the files zone.idenfier back to local: unblock- file yourscript.ps1 • Read the script in and then execute it (may fail depending on script) • Encode the script and use –encodedcommand  always works!!!!! • Get/Steal a certificate, sign script, run script
DEMO: THE HASHES
DEFENCE OF THE DARK ARTS • Restricted/Constrained Endpoints • Change WinRM Listener • Change Windows Firewall settings • Turn it off WinRM • Application whitelisting
WINRM, NOT JUST AN INTERNAL ISSUE By default, Microsoft Azure virtual machines expose HTTPS listener to the Internet.
LINKS • Twitter: @kjacobsen • Blog:http://aperturescience.su • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerSploit: http://j.mp/1gJORtF • PowerWorm Analysis: http://j.mp/RzgsHb • PowerBleed: http://j.mp/1jfyILK
MORE LINKS • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy • Practical Persistence in PowerShell: http://j.mp/1mU6fQq • Bruteforcing WinRM with PowerShell: http://j.mp/1nBlwX2

More Related Content

PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Bypass_AV-EDR.pdf
byFarouk2nd
 
PDF
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
PDF
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
PPTX
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Bypass_AV-EDR.pdf
byFarouk2nd
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
byMichael Gough
 
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 

What's hot

PPTX
Penetration Testing
byRomSoft SRL
 
PPTX
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Ddos attacks
bycommunication-eg
 
PDF
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
PPT
Windows internals
byPiyush Jain
 
PDF
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
byNowSecure
 
PPTX
User authentication
byCAS
 
PPTX
History of Computer Virus
byAmmy Vijay
 
PDF
Introduction to red team operations
bySunny Neo
 
PPTX
Wireshark
byantivirusspam
 
PDF
Introduction to Software Security and Best Practices
byMaxime ALAY-EDDINE
 
PPT
Sql injection
byPallavi Biswas
 
PDF
Ceh v5 module 04 enumeration
byVi Tính Hoàng Nam
 
PDF
Aircrack
byNithin Sathees
 
PPT
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
PDF
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
PPTX
WiFi Secuiry: Attack & Defence
byPrakashchand Suthar
 
PDF
Metasploitable
bySri Manakula Vinayagar Engineering College
 
Penetration Testing
byRomSoft SRL
 
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Ddos attacks
bycommunication-eg
 
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
Windows internals
byPiyush Jain
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
byNowSecure
 
User authentication
byCAS
 
History of Computer Virus
byAmmy Vijay
 
Introduction to red team operations
bySunny Neo
 
Wireshark
byantivirusspam
 
Introduction to Software Security and Best Practices
byMaxime ALAY-EDDINE
 
Sql injection
byPallavi Biswas
 
Ceh v5 module 04 enumeration
byVi Tính Hoàng Nam
 
Aircrack
byNithin Sathees
 
Basic Linux kernel
byMorteza Nourelahi Alamdari
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
Network Programming: Data Plane Development Kit (DPDK)
byAndriy Berestovskyy
 
WiFi Secuiry: Attack & Defence
byPrakashchand Suthar
 
Metasploitable
bySri Manakula Vinayagar Engineering College
 

Viewers also liked

PPTX
Lateral Movement with PowerShell
bykieranjacobsen
 
PPTX
Exploiting MS15-034 In PowerShell
bykieranjacobsen
 
PDF
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
PPTX
Advanced PowerShell Automation
bykieranjacobsen
 
PPTX
Evolving your automation with hybrid workers
bykieranjacobsen
 
PPTX
DevSecOps in 10 minutes
bykieranjacobsen
 
PPTX
Chef Hack Day Denver
byChef
 
PPTX
Lateral Movement by Default
byInnoTech
 
PDF
Deception Driven Defense - Infragard 2016
byGreg Foss
 
PDF
Ansible for the Impatient Devops
byRick. Bahague
 
PDF
Puppetconf2016 Puppet on Windows
byNicolas Corrarello
 
PDF
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
PPTX
Building Windows Images with Packer
byMatt Wrock
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PPTX
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
PPTX
Fun with the Hak5 Rubber Ducky
bykieranjacobsen
 
PPTX
Enabling Enterprise Mobility
bykieranjacobsen
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PPTX
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
bykieranjacobsen
 
PPTX
DirectAccess, do’s and don’ts
bykieranjacobsen
 
Lateral Movement with PowerShell
bykieranjacobsen
 
Exploiting MS15-034 In PowerShell
bykieranjacobsen
 
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
Advanced PowerShell Automation
bykieranjacobsen
 
Evolving your automation with hybrid workers
bykieranjacobsen
 
DevSecOps in 10 minutes
bykieranjacobsen
 
Chef Hack Day Denver
byChef
 
Lateral Movement by Default
byInnoTech
 
Deception Driven Defense - Infragard 2016
byGreg Foss
 
Ansible for the Impatient Devops
byRick. Bahague
 
Puppetconf2016 Puppet on Windows
byNicolas Corrarello
 
Lateral Movement: How attackers quietly traverse your Network
byEC-Council
 
Building Windows Images with Packer
byMatt Wrock
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
Lateral Movement - Phreaknik 2016
byXavier Ashe
 
Fun with the Hak5 Rubber Ducky
bykieranjacobsen
 
Enabling Enterprise Mobility
bykieranjacobsen
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
bykieranjacobsen
 
DirectAccess, do’s and don’ts
bykieranjacobsen
 

Similar to Lateral Movement with PowerShell

PDF
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
PDF
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PPTX
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
PPTX
Enterprise PowerShell for Remote Security Assessments
byEnclaveSecurity
 
PDF
PowerShell Defcon for Cybersecurity Topics
byDev 010101
 
PPTX
Client side attacks using PowerShell
byNikhil Mittal
 
PDF
Empire Work shop
byHaydn Johnson
 
PPT
PowerShell Remoting
byConcentrated Technology
 
PDF
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
byFelipe Prado
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PPTX
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
byChristopher Gerritz
 
PPTX
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
PPTX
Harness: PowerShell Weaponization Made Easy (or at least easier)
byRGKelley5
 
PPTX
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
PPTX
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
PDF
Windows PowerShell Remoting Presentation.pdf
bySyahri Ramadhan
 
PPTX
Managing enterprise with PowerShell remoting
byConcentrated Technology
 
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
Powering up on power shell avengercon - 2018
byFernando Tomlinson, CISSP, MBA
 
Powering up on PowerShell - BSides Greenville 2019
byFernando Tomlinson, CISSP, MBA
 
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
Building an Empire with PowerShell
byWill Schroeder
 
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
Enterprise PowerShell for Remote Security Assessments
byEnclaveSecurity
 
PowerShell Defcon for Cybersecurity Topics
byDev 010101
 
Client side attacks using PowerShell
byNikhil Mittal
 
Empire Work shop
byHaydn Johnson
 
PowerShell Remoting
byConcentrated Technology
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
byFelipe Prado
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
byChristopher Gerritz
 
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
byRGKelley5
 
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
Горизонтальные перемещения в инфраструктуре Windows
byPositive Hack Days
 
Windows PowerShell Remoting Presentation.pdf
bySyahri Ramadhan
 
Managing enterprise with PowerShell remoting
byConcentrated Technology
 

More from kieranjacobsen

PPTX
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
bykieranjacobsen
 
PPTX
CrikeyCon VI - The Boring Security Talk
bykieranjacobsen
 
PPTX
The Boring Security Talk
bykieranjacobsen
 
PPTX
The Boring Security Talk
bykieranjacobsen
 
PPTX
Secure Azure Deployment Patterns
bykieranjacobsen
 
PPTX
Ransomware 0, Admins 1
bykieranjacobsen
 
PPTX
Ransomware 0 admins 1
bykieranjacobsen
 
PPTX
DecSecOps in 10 minutes
bykieranjacobsen
 
PPTX
Infrastructure Saturday - Level Up to DevSecOps
bykieranjacobsen
 
PPTX
Dev Breakfast: Level up to DevSecOps
bykieranjacobsen
 
PPTX
DevSecOps - CrikeyCon 2017
bykieranjacobsen
 
PPTX
Azure automation invades your data centre
bykieranjacobsen
 
PPTX
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
bykieranjacobsen
 
CrikeyCon VI - The Boring Security Talk
bykieranjacobsen
 
The Boring Security Talk
bykieranjacobsen
 
The Boring Security Talk
bykieranjacobsen
 
Secure Azure Deployment Patterns
bykieranjacobsen
 
Ransomware 0, Admins 1
bykieranjacobsen
 
Ransomware 0 admins 1
bykieranjacobsen
 
DecSecOps in 10 minutes
bykieranjacobsen
 
Infrastructure Saturday - Level Up to DevSecOps
bykieranjacobsen
 
Dev Breakfast: Level up to DevSecOps
bykieranjacobsen
 
DevSecOps - CrikeyCon 2017
bykieranjacobsen
 
Azure automation invades your data centre
bykieranjacobsen
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 

Recently uploaded

DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
In this document
Powered by AI

Introduction to PowerShell as a lateral movement tool, the challenges faced during attacks, and the presentation outline.

PowerShell's advantages for attacks include easy code development, remote execution, and stealth. Also covers real-world malware using PowerShell.

Details on PowerShell Remoting, WinRM functionality, and security features including execution policies and bypass techniques.

Defense strategies against PowerShell attacks, including endpoint restrictions and the implications of WinRM exposure on Azure.

Links for further reading and resources related to PowerShell security and practical applications.

Lateral Movement with PowerShell

  • 1.
    POWERSHELL SHENANIGANS LATERAL MOVEMENTWITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES
  • 2.
    ABOUT:ME • Kieran Jacobsen •HP Enterprise Services – Engineer/Architect • Microsoft/Automation/Security focus • Twitter: @Kjacobsen • Blog: Aperturescience.su
  • 3.
    OUTLINE • PowerShell asan attack platform • PowerShell malware • PowerShell Remoting & WinRM • PowerShell security, and bypassing that security • Defence
  • 4.
    CHALLENGE • Move fromsocial engineered workstation to domain controller • Where possible use only PowerShell code • Demo environment will be a “corporate like” environment
  • 5.
    ADVANTAGES AS ANATTACK PLATFORM • Code is very easy to develop • Windows integration • Plenty of remote execution options • Designed for automation against 1 – 10000000 devices • Limited security model • Antivirus products are no real concern/limitation • Scripts can be easily hidden from administrators • Installed by DEFAULT
  • 6.
    REAL WORLD POWERSHELLMALWARE • Prior to March 2014, only a few minor instances • PowerWorm: • Infect’s Word and Excel documents, initial infection via macro in .doc/.xls • First spotted by TrendMicro, analysis and rewrite by Matt Graeber (@Mattifestation) • PoshKoder/PoshCoder: • PowerWorm crossed with CryptoLocker • Bitcoin ransom
  • 7.
    MY POWERSHELL MALWARE •Single Script – SystemInformation.ps1 • Runs as a schedule task, every 5 minutes • Script: • Collects system information and more • Connects to C2 infrastructure, downloads a task list and executes tasks • Executes each task, if successful, task will not be rerun • Tasks can be restricted to individual computers
  • 8.
  • 9.
    WINDOWS POWERSHELL REMOTINGAND WINRM • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Security Model = Trusted Devices + User Credentials • WinRM is required for the Windows Server Manager • WinRM is enabled by DEFAULT on Windows 2012(R2) Server • WinRM is allowed through Windows Firewall on all network profiles!
  • 10.
  • 11.
    POWERSHELL SECURITY FEATURES •Administrative rights • UAC • Code Signing • Local or Remote source using zone.identifier alternate data stream • PowerShell Execution Policy
  • 12.
    EXECUTION POLICY There are6 states for the execution policy • Unrestricted All scripts can run • Remote Signed No unsigned scripts from the Internet can run • All Signed No unsigned scripts can run • Restricted No scripts are allowed to run • Undefined (Default) If no policy defined, then default to restricted • Bypass Policy processor is bypassed
  • 13.
    BYPASSING EXECUTION POLICY •Simply ask PowerShell: powershell.exe –executionpolicy unrestricted • Switch the files zone.idenfier back to local: unblock- file yourscript.ps1 • Read the script in and then execute it (may fail depending on script) • Encode the script and use –encodedcommand  always works!!!!! • Get/Steal a certificate, sign script, run script
  • 14.
  • 15.
    DEFENCE OF THEDARK ARTS • Restricted/Constrained Endpoints • Change WinRM Listener • Change Windows Firewall settings • Turn it off WinRM • Application whitelisting
  • 16.
    WINRM, NOT JUSTAN INTERNAL ISSUE By default, Microsoft Azure virtual machines expose HTTPS listener to the Internet.
  • 17.
    LINKS • Twitter: @kjacobsen •Blog:http://aperturescience.su • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerSploit: http://j.mp/1gJORtF • PowerWorm Analysis: http://j.mp/RzgsHb • PowerBleed: http://j.mp/1jfyILK
  • 18.
    MORE LINKS • MicrosoftPowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy • Practical Persistence in PowerShell: http://j.mp/1mU6fQq • Bruteforcing WinRM with PowerShell: http://j.mp/1nBlwX2