POWERSHELL SHENANIGANS KIERAN JACOBSEN HP ENTERPRISE SERVICES.


1 POWERSHELL SHENANIGANS KIERAN JACOBSEN HP ENTERPRISE SERVICES

2 WHAT IS POWERSHELL?
Developed by Microsoft in 2006
Cross between a shell script and C#
Replacement for VBScript
Significant number of commands (called cmdlets)
Runs on the .NET Framework

3 CHALLENGE
Move from a socially engineered workstation to the domain controller
Where possible, use only PowerShell code
The demo environment will be a “corporate-like” environment

4 ADVANTAGES AS AN ATTACK PLATFORM
Code is very easy to develop
Windows integration
Remote execution offerings
Often overlooked by AV
Easily hidden from administrators
Installed by DEFAULT

5 MY POWERSHELL MALWARE
Single script – SystemInformation.ps1
Runs as a scheduled task, every 5 minutes
Script:
Collects system information and more
Connects to C2 infrastructure, downloads a task list and executes the tasks
Executes each task; if a task succeeds, it will not be rerun
Tasks can be restricted to individual computers

6 DEMO: THE ENTRY

7 WINDOWS POWERSHELL REMOTING AND WINRM
PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
Supports execution in 3 ways:
Remote-enabled commands
Remotely executed script blocks
Remote sessions
Security model = trusted devices + user credentials
WinRM is required for Windows Server Manager

As requested, you can find the slide deck here, and the GitHub code is available here. If you take a look through my GitHub repositories, you will notice how much PowerShell code I normally write, and you can also see the previous version of the same code.

8 DEMO: THE DC

9 POWERSHELL SECURITY FEATURES
Administrative rights
UAC
Code signing
Local or remote source, determined from the Zone.Identifier alternate data stream
PowerShell execution policy

10 EXECUTION POLICY
There are 6 states for the execution policy:
Unrestricted         All scripts can run
RemoteSigned         No unsigned scripts from the Internet can run
AllSigned            No unsigned scripts can run
Restricted           No scripts are allowed to run
Undefined (Default)  If no policy is defined, default to Restricted
Bypass               Policy processor is bypassed

11 BYPASSING EXECUTION POLICY
Simply ask PowerShell: powershell.exe -ExecutionPolicy Unrestricted
Switch the file's Zone.Identifier back to local: Unblock-File yourscript.ps1
Read the script in and then execute it (may fail depending on the script)
Get/steal a certificate, sign the script, run the script
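As an added example (not code from the talk or its GitHub repository), the following script gives an administrator the defender's view of slides 9 to 11: for every .ps1 under a folder it reads the Zone.Identifier alternate data stream, checks the Authenticode signature, and reports whether the effective execution policy would let the script run, using the policy descriptions from slide 10. It assumes Windows PowerShell 3.0 or later, scripts on an NTFS volume, and the constructed folder path C:\Scripts.

```powershell
# Added example, not code from the talk or its GitHub repository.
# Reports the Zone.Identifier mark and signature state of each .ps1 file and
# whether the effective execution policy (slide 10 semantics) would allow it.
# Assumes Windows PowerShell 3.0+ (Get-Item/Get-Content -Stream) on NTFS.
function Get-ScriptPolicyReport {
    param([Parameter(Mandatory)][string] $Folder)

    # Get-ExecutionPolicy with no -Scope returns the effective policy after
    # precedence (Process > CurrentUser > LocalMachine) has been resolved.
    $policy = [string](Get-ExecutionPolicy)

    foreach ($file in Get-ChildItem -LiteralPath $Folder -Filter *.ps1 -File -Recurse) {
        # Files saved by browsers carry an alternate data stream named
        # Zone.Identifier containing a ZoneId line; 3 = Internet, 4 = Restricted Sites.
        $zoneId = $null
        if (Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
            if ($ads -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
        $remote = ($null -ne $zoneId -and $zoneId -ge 3)

        # Signature status as PowerShell itself evaluates it (Valid, NotSigned, ...).
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signed = ($sig.Status -eq 'Valid')

        $allowed = switch ($policy) {
            'Unrestricted' { $true }
            'Bypass'       { $true }
            'RemoteSigned' { (-not $remote) -or $signed }
            'AllSigned'    { $signed }
            default        { $false }   # Restricted, or Undefined falling back to Restricted
        }

        [pscustomobject]@{
            Script          = $file.FullName
            ZoneId          = $zoneId
            MarkedRemote    = $remote
            SignatureStatus = $sig.Status
            ExecutionPolicy = $policy
            WouldRun        = $allowed
        }
    }
}

# Example run (constructed path): show only scripts still carrying the Internet mark.
Get-ScriptPolicyReport -Folder 'C:\Scripts' | Where-Object MarkedRemote | Format-Table -AutoSize
```

A script that shows MarkedRemote = True and WouldRun = True under RemoteSigned is one whose mark has been removed or that carries a valid signature, which is exactly the state the bypass slide describes and worth reviewing.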

12 DEMO: THE HASHES

13 OTHER CONSIDERATIONS
PowerShell Web Access
Desired State Configuration

14 LINKS AND QUESTIONS
Twitter: @kjacobsen
Blog: http://aperturescience.su
Code on GitHub: http://j.mp/1i33Zrk
QuarksPWDump: http://j.mp/1kF30e9
PowerSploit: http://j.mp/1gJORtF
Microsoft PowerShell/Security Series: http://j.mp/OOyftt http://j.mp/1eDYvA4 http://j.mp/1kF3z7T http://j.mp/NhSC0X http://j.mp/NhSEpy
Practical Persistence in PowerShell: http://j.mp/1mU6fQq

