SlideShare a Scribd company logo

PSConfEU - Building an Empire with PowerShell

Download as PPTX, PDF
Will Schroeder
Will Schroeder

This talk covers building a pure-PowerShell malware agent (Empire). It was given on April 20, 2016 at the PowerShell Conference EU 2016.

Internet
1 of 14
Building an Empire With PowerShell Will Schroeder (@harmj0y)
Agenda • Our Offensive Philosophy • Why build this? • Empire • Existing Offensive PowerShell • Architecture • Core agent • Modules • Detection
Our Offensive Philosophy “Fundamentally, if somebody wants to get in, they're getting in...Accept that...What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated. “ Michael Hayden Former Director of CIA & NSA
Empire Motivations
• We want to help secure companies against the level of threat that they’ve been unknowingly facing for over a decade • we need to be able to simulate at least some of the actions of these advanced groups • There is a balance between making tools that help simulate threats and providing help to the ‘real’ bad guys In Defense of Offense
• PowerSploit (the ‘gold’ offensive standard): • Invoke-Mimikatz • Invoke-TokenManipulation • Invoke-Shellcode • Get-KeyStrokes • Get-TimedScreenshot • PowerView (advanced AD recon, see *tomorrow) • PowerUp (automated Windows privilege escalation) • Various persistence options (including WMI) Existing Offensive PowerShell
Empire • Empire is a richly featured, pure- PowerShell post-exploitation agent (or ‘RAT’/remote access tool) • It aims to solve the offensive ‘weaponization problem’ and integrates a large chunk of already existing offensive PowerShell work • An attempt to train defenders on how to stop and respond to PowerShell “attacks”
The Empire Staging Process Control Server Client 2. return key negotiation stager.ps1 w/ shared AES staging key 3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1> 5. decrypt session key, post ENCsession(sysinfo) to /<stage2> 6. return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing. 1. GET /<stage0> 4. return ENCpub(epoch + AES session key)
PowerShell Without powershell.exe *.exe into process Invoke-PSInject ReflectivePick .NET Assembly “Download Cradle”
Detection • Network detection: • High entropy byte strings in HTTP POSTs • Standard set of default request URIs- rules exist in Sourcefire/Snort • Netflow/heuristic analysis • Host: • Command line logging! –enc is weird • .NET Assemblies loaded into odd processes • WMF 5’s script block logging! • The new AMSI interface has us hackers worried a bit
Summary • PowerShell is Turing-complete • you can write fully functioning malware in it • ‘real’ bad guys have been using these techniques for years • There is a wealth of *public* offensive PowerShell already out there • Empire functions as a weaponization vector • You can run PowerShell WITHOUT powershell.exe • Windows 10/WMF 5 provides a number of protections against these types of
Questions?
• Will Schroeder (@harmj0y) • http://blog.harmj0y.net | will [at] harmj0y.net • Security researcher and red teamer for Veris Group‘s Adaptive Threat Division • Offensive open-source developer: • Veil-Evasion, Empire, PowerSploit • Recent Microsoft CDM/PowerShell MVP About_Author
• Mimikatz (https://github.com/gentilkiwi/mimikatz) • By Benjamin Delpy (@gentilkiwi) • DCSync co-written by Vincent LE TOUX • PowerSploit (https://github.com/powershellmafia/power sploit) • Founded by Matt Graeber (@mattifestation) and Chris Campbell (@obscuresec) • Invoke-Mimikatz by Joe Bialek (@josephbialek) • UnmanagedPowerShell by Lee Christensen About_References

Recommended

Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal
 

Recommended

Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
Will Schroeder
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
Ryan Cobb
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
Nikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
Nikhil Mittal
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
Andy Robbins
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
EnclaveSecurity
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder
 

More Related Content

What's hot

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
Nikhil Mittal
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
Will Schroeder
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
Ryan Cobb
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
Will Schroeder
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
Nikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
Nikhil Mittal
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
Andy Robbins
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
EnclaveSecurity
 

What's hot (20)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Powerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a BossPowerpreter: Post Exploitation like a Boss
Powerpreter: Post Exploitation like a Boss
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 

Viewers also liked

I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
Will Schroeder
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
Will Schroeder
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
Will Schroeder
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
Will Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
Will Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
Will Schroeder
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
Sandun Perera
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
Michael Gough
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
Michael Gough
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
Will Schroeder
 

Viewers also liked (18)

I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Trusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44conTrusts You Might Have Missed - 44con
Trusts You Might Have Missed - 44con
 
Building an EmPyre with Python
Building an EmPyre with PythonBuilding an EmPyre with Python
Building an EmPyre with Python
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Trusts You Might Have Missed
Trusts You Might Have MissedTrusts You Might Have Missed
Trusts You Might Have Missed
 
Windows PowerShell
Windows PowerShellWindows PowerShell
Windows PowerShell
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 

Similar to PSConfEU - Building an Empire with PowerShell

PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
Dev 010101
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
Felipe Prado
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
RGKelley5
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
Michael Gough
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
Anant Shrivastava
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
Larry Cashdollar
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
Irene Michlin
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerShellmates
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUPWill Pearce
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
Shubham Mittal
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
Arthur Paixão
 
Un) fucking forensics
Un) fucking forensicsUn) fucking forensics
Un) fucking forensics
Shane Macaulay
 

Similar to PSConfEU - Building an Empire with PowerShell (20)

PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
My tryst with sourcecode review
My tryst with sourcecode reviewMy tryst with sourcecode review
My tryst with sourcecode review
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUP
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 
Un) fucking forensics
Un) fucking forensicsUn) fucking forensics
Un) fucking forensics
 

More from Will Schroeder

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Will Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
Will Schroeder
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
Will Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
Will Schroeder
 

More from Will Schroeder (11)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 

Recently uploaded

How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 

Recently uploaded (20)

How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

PSConfEU - Building an Empire with PowerShell

  • 1. Building an Empire With PowerShell Will Schroeder (@harmj0y)
  • 2. Agenda • Our Offensive Philosophy • Why build this? • Empire • Existing Offensive PowerShell • Architecture • Core agent • Modules • Detection
  • 3. Our Offensive Philosophy “Fundamentally, if somebody wants to get in, they're getting in...Accept that...What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly penetrated. “ Michael Hayden Former Director of CIA & NSA
  • 5. • We want to help secure companies against the level of threat that they’ve been unknowingly facing for over a decade • we need to be able to simulate at least some of the actions of these advanced groups • There is a balance between making tools that help simulate threats and providing help to the ‘real’ bad guys In Defense of Offense
  • 6. • PowerSploit (the ‘gold’ offensive standard): • Invoke-Mimikatz • Invoke-TokenManipulation • Invoke-Shellcode • Get-KeyStrokes • Get-TimedScreenshot • PowerView (advanced AD recon, see *tomorrow) • PowerUp (automated Windows privilege escalation) • Various persistence options (including WMI) Existing Offensive PowerShell
  • 7. Empire • Empire is a richly featured, pure- PowerShell post-exploitation agent (or ‘RAT’/remote access tool) • It aims to solve the offensive ‘weaponization problem’ and integrates a large chunk of already existing offensive PowerShell work • An attempt to train defenders on how to stop and respond to PowerShell “attacks”
  • 8. The Empire Staging Process Control Server Client 2. return key negotiation stager.ps1 w/ shared AES staging key 3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1> 5. decrypt session key, post ENCsession(sysinfo) to /<stage2> 6. return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing. 1. GET /<stage0> 4. return ENCpub(epoch + AES session key)
  • 9. PowerShell Without powershell.exe *.exe into process Invoke-PSInject ReflectivePick .NET Assembly “Download Cradle”
  • 10. Detection • Network detection: • High entropy byte strings in HTTP POSTs • Standard set of default request URIs- rules exist in Sourcefire/Snort • Netflow/heuristic analysis • Host: • Command line logging! –enc is weird • .NET Assemblies loaded into odd processes • WMF 5’s script block logging! • The new AMSI interface has us hackers worried a bit
  • 11. Summary • PowerShell is Turing-complete • you can write fully functioning malware in it • ‘real’ bad guys have been using these techniques for years • There is a wealth of *public* offensive PowerShell already out there • Empire functions as a weaponization vector • You can run PowerShell WITHOUT powershell.exe • Windows 10/WMF 5 provides a number of protections against these types of
  • 13. • Will Schroeder (@harmj0y) • http://blog.harmj0y.net | will [at] harmj0y.net • Security researcher and red teamer for Veris Group‘s Adaptive Threat Division • Offensive open-source developer: • Veil-Evasion, Empire, PowerSploit • Recent Microsoft CDM/PowerShell MVP About_Author
  • 14. • Mimikatz (https://github.com/gentilkiwi/mimikatz) • By Benjamin Delpy (@gentilkiwi) • DCSync co-written by Vincent LE TOUX • PowerSploit (https://github.com/powershellmafia/power sploit) • Founded by Matt Graeber (@mattifestation) and Chris Campbell (@obscuresec) • Invoke-Mimikatz by Joe Bialek (@josephbialek) • UnmanagedPowerShell by Lee Christensen About_References

Editor's Notes

  1. You can write fully-functioning malware in PowerShell!
  2. Mention the “Microsoft Enterprise Cloud Red Teaming” whitepaper What I mean by “post-exploitation” and why we focus on it
  3. This is still an open question, what do you guys think?
  4. Explain genesis and background, Matt Graeber, Chris Campbell, Joe Bialek -we’ve started to build pester tests! Empire builds very heavily on existing offensive PowerShell work Google “unofficial guide to mimikatz” – on adsecurity.org Demo functionality of various components
  5. Background on RATs themselves and how we use them Explain the atomic units this is built on: -in memory IEX download cradle -secured key exchange -packetized communications -GET/POST communication structure (Net.WebClient and http[s]) -post-exploitation modules Mention reactions – SourceFire’s emerging threat rules, vendors writing detection posts, etc.
  6. the "staging problem"- somehow the code has to get to the target “EKE” -> perfect forward secrecy and its implications Demos!
  7. Based on the “UnmanagedPowerShell” project by Lee Christensen Reflective dll that loads up the .NET runtime into unmanaged code Which we use to load up an Empire stager
  8. The future- A RESTful API has been integrated into Empire 1.5 -This will open up integration into third-party projects Empire’s communications are going to be modularized -Think communications with established services Modules and functionality keep being added by the community
  9. The future- A RESTful API has been integrated into Empire 1.5 -This will open up integration into third-party projects Empire’s communications are going to be modularized -Think communications with established services Modules and functionality keep being added by the community