• Home

  • Documents

  • POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY
17
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

Tags:

Embed Size (px)

Citation preview

Page 1: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL SHENANIGANSLATERAL MOVEMENT WITH POWERSHELL

KIERAN JACOBSEN

READIFY

Page 2: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

WHO AM I

• Kieran Jacobsen

• Technical Lead @ Readify

• Blog: poshsecurity.com

Page 3: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

OUTLINE

• PowerShell as an attack platform

• PowerShell malware

• PowerShell Remoting

• PowerShell security features

• Defence

Page 4: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

CHALLENGE

• Within a “corporate like” environment

• Start with an infected workstation and move to a domain controller

• Where possible use only PowerShell code

Page 5: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL AS AN ATTACK PLATFORM

• Obvious development, integration and execution options

• Installed by default since Windows Vista

• PowerShell still considered harmless by the majority of AV vendors

Page 6: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL MALWARE

• PowerWorm

• PoshKoder/PoshCoder

Page 7: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

MY POWERSHELL MALWARE

• Single Script – SystemInformation.ps1

• Runs as a schedule task – “WindowsUpdate”

• Collects system information

• Reports back to C2 infrastructure

• Collects list of tasks to run

Page 8: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

DEMO: THE ENTRY

Page 9: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL REMOTING

• PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation

• Supports execution in 3 ways:

• Remote enabled commands

• Remotely executed script blocks

• Remote sessions

• Simple security model

• Required for the Windows Server Manager

• Enabled by default

• Allowed through Windows Firewall

Page 10: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

DEMO: THE DC

Page 11: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL SECURITY FEATURES

• Administrative rights

• UAC

• Code Signing

• File source identification (zone.identifier)

• PowerShell Execution Policy

Page 12: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

EXECUTION POLICY

There are 6 states for the execution policy

• Unrestricted

• Remote Signed

• All Signed

• Restricted

• Undefined (Default)

• Bypass

Page 13: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

• Simply ask PowerShell

• Switch the files zone.idenfier back to local

• Read the script in and then execute it

• Encode the script and use

BYPASSING EXECUTION POLICY

Page 14: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

DEMO: THE HASHES

Page 15: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

DEFENCE

• Restricted/Constrained Endpoints

• Control/limit access to WinRM

Page 16: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

LINKS

• Code on GitHub: http://j.mp/1i33Zrk

• QuarksPWDump: http://j.mp/1kF30e9

• PowerWorm Analysis: http://j.mp/RzgsHb

• Microsoft PowerShell/Security Series:

• http://j.mp/OOyftt

• http://j.mp/1eDYvA4

• http://j.mp/1kF3z7T

• http://j.mp/NhSC0X

• http://j.mp/NhSEpy

Page 17: POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

Q AND A

@kjacobsen

Poshsecurity.com


Windows Powershell Windows Server 2012. Índice Powershell Powershell Powershell 3.0 Powershell 3.0 Powershell en Windows 8 / 2012 Powershell en Windows

Windows Powershell Windows Server 2012. Índice Powershell Powershell Powershell 3.0 Powershell 3.0 Powershell en Windows 8 / 2012 Powershell en Windows

Documents
1st Shenanigans Program

1st Shenanigans Program

Documents
NET 4.5, Just the good Stuff William Tulloch Senior Consultant Readify Mahesh Krishnan Principal Consultant Readify DEV215

NET 4.5, Just the good Stuff William Tulloch Senior Consultant Readify Mahesh Krishnan Principal Consultant Readify DEV215

Documents
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES

Documents
Kerberis Delegation Attacks - Shenanigans Labs

Kerberis Delegation Attacks - Shenanigans Labs

Documents
Financial Shenanigans EM

Financial Shenanigans EM

Documents
ShenaniGANs: A Discussion of Generative Adversarial Networks

ShenaniGANs: A Discussion of Generative Adversarial Networks

Documents
Corporate Shenanigans

Corporate Shenanigans

Government & Nonprofit
Starters - Shenanigans Pub & Grill

Starters - Shenanigans Pub & Grill

Documents
A Gowalla How-To - Only Shenanigans?

A Gowalla How-To - Only Shenanigans?

Technology
Shenanigans Menu 050621 - shenanigansbarandgrille.com

Shenanigans Menu 050621 - shenanigansbarandgrille.com

Documents
SQL Server 2005 Overview Greg Low Readify Greg.Low@readify.net

SQL Server 2005 Overview Greg Low Readify [email protected]

Documents
J • Gallery Exhibitions • Coonawarra Vignerons Shenanigans

J • Gallery Exhibitions • Coonawarra Vignerons Shenanigans

Documents
Financial Shenanigans PPT

Financial Shenanigans PPT

Documents
YOUTH RECRUITMENT PARTY Backyard Shenanigans

YOUTH RECRUITMENT PARTY Backyard Shenanigans

Documents
Windows Presentation Foundation David Burela Senior Developer, Readify

Windows Presentation Foundation David Burela Senior Developer, Readify

Documents
PowerShell Saturday #009 (Singapore) - Azure + PowerShell

PowerShell Saturday #009 (Singapore) - Azure + PowerShell

Technology
Financial Shenanigans Cashflows

Financial Shenanigans Cashflows

Documents
Super foreign language shenanigans 2014 SWCOLT

Super foreign language shenanigans 2014 SWCOLT

Education
Agenda for Powershell (Level:200) Powershell Introduction Variable & Object Powershell Operator Loop and Flow Control Function and Debug Powershell

Agenda for Powershell (Level:200) Powershell Introduction Variable & Object Powershell Operator Loop and Flow Control Function and Debug Powershell

Documents
Biotechnology and other shenanigans - Buford's Biology Buzz

Biotechnology and other shenanigans - Buford's Biology Buzz

Documents
SmartProposals for Readify

SmartProposals for Readify

Business
Guida operativa di Comandi PowerShell per CA … ARCserve...Concetti relativi a PowerShell Capitolo 1: Introduzione 11 Concetti relativi a PowerShell Cmdlet di PowerShell Windows PowerShell

Guida operativa di Comandi PowerShell per CA … ARCserve...Concetti relativi a PowerShell Capitolo 1: Introduzione 11 Concetti relativi a PowerShell Cmdlet di PowerShell Windows PowerShell

Documents
Solar Shenanigans - apogee.net

Solar Shenanigans - apogee.net

Documents
SHENANIGANS - hitplays.com

SHENANIGANS - hitplays.com

Documents
Schilit, Howard - Financial Shenanigans[1]

Schilit, Howard - Financial Shenanigans[1]

Documents
Tatham Oddie, Readify @tathamoddie

Tatham Oddie, Readify @tathamoddie

Documents
Coursework ‘shenanigans’

Coursework ‘shenanigans’

Documents
PowerShell let's talk about automation - Microsoft€¦ · Automation? PowerShell: Desired State Configuration PowerShell: Workflows Service Management Automation Agenda PowerShell

PowerShell let's talk about automation - Microsoft€¦ · Automation? PowerShell: Desired State Configuration PowerShell: Workflows Service Management Automation Agenda PowerShell

Documents
·e·· i · ·. · . Cafeteria Shenanigans

·e·· i · ·. · . Cafeteria Shenanigans

Documents