Presentation is loading. Please wait.

Presentation is loading. Please wait.

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY.

Published byJairo Moorman Modified over 9 years ago

Similar presentations

Presentation on theme: "POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY."— Presentation transcript:

1 POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

2 WHO AM I Kieran Jacobsen Technical Lead @ Readify Blog: poshsecurity.com

3 OUTLINE PowerShell as an attack platform PowerShell malware PowerShell Remoting PowerShell security features Defence

4 CHALLENGE Within a “corporate like” environment Start with an infected workstation and move to a domain controller Where possible use only PowerShell code

5 POWERSHELL AS AN ATTACK PLATFORM Obvious development, integration and execution options Installed by default since Windows Vista PowerShell still considered harmless by the majority of AV vendors

6 POWERSHELL MALWARE PowerWorm PoshKoder/PoshCoder

7 MY POWERSHELL MALWARE Single Script – SystemInformation.ps1 Runs as a schedule task – “WindowsUpdate” Collects system information Reports back to C2 infrastructure Collects list of tasks to run

8 DEMO: THE ENTRY

9 POWERSHELL REMOTING PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation Supports execution in 3 ways: Remote enabled commands Remotely executed script blocks Remote sessions Simple security model Required for the Windows Server Manager Enabled by default Allowed through Windows Firewall

10 DEMO: THE DC

11 POWERSHELL SECURITY FEATURES Administrative rights UAC Code Signing File source identification (zone.identifier) PowerShell Execution Policy

12 EXECUTION POLICY There are 6 states for the execution policy Unrestricted Remote Signed All Signed Restricted Undefined (Default) Bypass

13 Simply ask PowerShell Switch the files zone.idenfier back to local Read the script in and then execute it Encode the script and use BYPASSING EXECUTION POLICY

14 DEMO: THE HASHES

15 DEFENCE Restricted/Constrained Endpoints Control/limit access to WinRM

16 LINKS Code on GitHub: http://j.mp/1i33Zrk QuarksPWDump: http://j.mp/1kF30e9 PowerWorm Analysis: http://j.mp/RzgsHb Microsoft PowerShell/Security Series: http://j.mp/OOyftt http://j.mp/1eDYvA4 http://j.mp/1kF3z7T http://j.mp/NhSC0X http://j.mp/NhSEpy

17 Q AND A @kjacobsen Poshsecurity.com

Download ppt "POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY."

Similar presentations

Configuring Windows to run Dr.Web scanner remotely.

Configuring Windows to run Dr.Web scanner remotely.
People do business. We make it work. T: 0121 281 8618 E: Microsoft Windows Server 2003 End of Life – What do I do now? October.

People do business. We make it work. T: E: Microsoft Windows Server 2003 End of Life – What do I do now? October.
Direct Access, Do’s and Don’ts

Direct Access, Do’s and Don’ts
Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft

Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft
Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Great people, great experience, great passion Administering SharePoint with Windows PowerShell Go Beyond the Management Shell with SharePoint and Windows.

Great people, great experience, great passion Administering SharePoint with Windows PowerShell Go Beyond the Management Shell with SharePoint and Windows.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Welcome Course 20410B Module 0: Introduction Audience

Welcome Course 20410B Module 0: Introduction Audience
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
Remote Desktop Services Remote Desktop Connection Remote Desktop Protocol Remote Assistance Remote Server Administration T0ols.

Remote Desktop Services Remote Desktop Connection Remote Desktop Protocol Remote Assistance Remote Server Administration T0ols.
Section 2: Using Group Policy Management Tools Local vs. Domain Policies Editing Local Policies Managing Domain Policies Understanding Group Policy Refresh.

Section 2: Using Group Policy Management Tools Local vs. Domain Policies Editing Local Policies Managing Domain Policies Understanding Group Policy Refresh.
Microsoft ® Official Course Module XA Using Windows PowerShell ®

Microsoft ® Official Course Module XA Using Windows PowerShell ®
SharePoint 2010 Development Environment A Guide to Setup SharePoint 2010 Development Environment on Windows 7 Machine.

SharePoint 2010 Development Environment A Guide to Setup SharePoint 2010 Development Environment on Windows 7 Machine.
What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN.

What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN.
Appendix A Starting Out with Windows PowerShell™ 2.0.

Appendix A Starting Out with Windows PowerShell™ 2.0.
CSAS 2009 Running Windows as a Non- Administrator or how I learned to love “User” By: Kasey Dennler.

CSAS 2009 Running Windows as a Non- Administrator or how I learned to love “User” By: Kasey Dennler.

Similar presentations

Ads by Google