Catch Me If You Can: PowerShell Red vs. Blue
Will Schroeder, Specter Ops
A Survey of PowerShell Security
Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and more
• Parental Guidance: PowerShell <3 the Blue Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound, and more
• Towards the Future: Obfuscation, Device
Our Offensive Philosophy
• “Assume breach” approach, focus on post-exploitation
• “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
• Focus on blending with normal host and network options
• Led us to focus on built-in capabilities, most importantly PowerShell!
In the Beginning (2002)…
…Then There Was Light! (2009)
Offensive Infancy (2010)
From the Tree of Knowledge (2011)…
Sidenote: (2017)
Learning to Walk (2011)
• Defenses:
• Execution policy? Profiles?
• Basic transcription (Version 2)
• The True Offensive Start:
• PowerSyringe (2011) became PowerSploit (2012)
• Injects shellcode into the current process or an arbitrary process
• One of the most commonly reused components in malware
• Common post-exploitation features added (logging, screenshot collection, etc.)
• PowerShell Version 3 (Sept 2012)
• Module logging introduced - first logging of PS commands
Primary School
• Invoke-ReflectivePEInjection (2013)
• Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process
• The big one… Invoke-Mimikatz (2013)
• Dumps plaintext passwords from memory! (Amongst *many* other tasty things)
Adolescence
Invoke-Mimikatz
Demo
• PowerView (March 2014)
• Network/Active Directory situational awareness tool
• Fun features ruined by Microsoft: hunting (NetCease, Oct 2016) and remote enumeration (SAMRi10, Dec 2016)
• Kansa (March 2014)
• Incident response framework
• Uproot (Oct 2014)
• WMI based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
• PowerShell reverse engineering toolkit
Adolescence
• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”
• This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection
• Really was a big “missing link” from our perspective
• It can be used offensively or defensively (Get-InjectedThread)
Adolescence
• SharpPick (Dec. 2014)
• PowerShell without PowerShell.exe!
• Bypassed weak AppLocker configs/command logging
• UnmanagedPowerShell (Dec 2014)
• Inject PowerShell scripts into any process!
• Loads .NET 2.0 runtime (if available) to bypass logging
• PowerForensics (Mar 2015)
• Live disk forensics with PowerShell!
Adolescence
UnmanagedPowerShell
Demo
Sidenote: Lee vs. Lee
Some Parental Guidance (2015)
AMSI
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
Bypasses Will Always Exist!
• Transcription (v2, improved in v5)
• Ability to record the contents of a PowerShell session
• Module Logging (v3)
• Captures good execution details, but produces tons of data
• Deep Script Block Logging (v5)
• Records code blocks as they’re executed
• Default: logs suspicious-looking scripts
Logs on Logs
The Rebellious Teenager (Aug 2015)
Lee Fires Back (2015/2017)
Invoke-Mimikatz vs. Defender/AMSI
Demo
• CimSweep (Jan 2016)
• CIM-based defensive sweeping tool
• BloodHound (April 2016)
• Active Directory attack path analysis
• A modified version of PowerView is used for data ingestion
• WMI load events (~2016)
• SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"
• https://gist.github.com/mattifestation/7fe1df7ca2fa3d067def00c01af
• Take memory dump each time a PS process closes
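As an added example (not code from the slides or from the linked gist), this PowerShell subscribes to the Win32_ModuleLoadTrace query above and records which process loaded the PowerShell engine, marking anything other than powershell.exe / powershell_ise.exe as an unexpected host (the SharpPick / UnmanagedPowerShell case). The host allow-list and log path are assumptions, and the session must be elevated because Win32_ModuleLoadTrace is an ETW-backed event class.

```powershell
# Added example, not from the deck: watch for the PowerShell engine DLL being loaded
# into any process and log the hosting process. Run elevated.
$query = 'SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"'
$config = @{
    ExpectedHosts = @('powershell', 'powershell_ise')            # assumption: tune per environment
    LogPath       = Join-Path $env:ProgramData 'pshost-loads.csv' # assumption
}

Register-WmiEvent -Query $query -SourceIdentifier 'PSHostLoad' -MessageData $config -Action {
    $cfg  = $Event.MessageData
    $e    = $Event.SourceEventArgs.NewEvent                 # Win32_ModuleLoadTrace instance
    $proc = Get-Process -Id $e.ProcessID -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<already exited>' }
    [pscustomobject]@{
        Time    = Get-Date -Format o
        PID     = $e.ProcessID
        Process = $name
        Module  = $e.FileName
        Verdict = if ($name -in $cfg.ExpectedHosts) { 'expected host' } else { 'UNEXPECTED HOST' }
    } | Export-Csv -Path $cfg.LogPath -Append -NoTypeInformation
}

# Review later (or ship the CSV to a SIEM), then remove the subscription:
# Import-Csv (Join-Path $env:ProgramData 'pshost-loads.csv') | Where-Object Verdict -like 'UNEXPECTED*'
# Unregister-Event -SourceIdentifier 'PSHostLoad'
```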
Defense Grows Up
• Invoke-Obfuscation (Sep 2016)
• Encyclopedia of PowerShell obfuscation methods
Things Get Complicated…
http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
Invoke-Obfuscation
Demo
• Device Guard (2016+) allows for the enforcement of constrained language
• Strong application whitelisting/code integrity
• Unsigned scripts run in Constrained Mode
• No access to underlying .NET framework
• WMImplant (late 2016)
• WMI/PowerShell based toolkit that deploys functions even in constrained language
Towards the Future…
https://github.com/FuzzySecurity/PSKernel-Primitives
PowerShell <3 The Kernel?? (2016-2017+)
• Get-InjectedThread (April 2017)
• Enumerates all current running threads
• For each thread:
• Finds the base address of each thread
• Checks if the initial memory page of the thread is allocated
• Checks if that initial memory is backed by a file on disk
• If the thread page IS committed and NOT backed by a file, then it is likely
• Catches nearly all stock malware injection approaches!
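An added PowerShell re-implementation of the three checks listed above (written for this page, not Get-InjectedThread's own code): query each thread's Win32 start address, VirtualQueryEx that address, and flag regions that are committed but not MEM_IMAGE. It assumes an elevated 64-bit session on 64-bit Windows so the MEMORY_BASIC_INFORMATION layout matches the processes being queried; protected processes are skipped.

```powershell
# Added example, not the deck's or Get-InjectedThread's code. Run elevated, 64-bit PowerShell.
$sig = @'
using System;
using System.Runtime.InteropServices;
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION {
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
}
public static class ThreadCheck {
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenThread(uint access, bool inherit, int tid);
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationThread(IntPtr h, int cls, out IntPtr info, int len, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr VirtualQueryEx(IntPtr hProc, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@
if (-not ('ThreadCheck' -as [type])) { Add-Type -TypeDefinition $sig }

$MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000              # MEMORY_BASIC_INFORMATION.State / .Type
$PROCESS_QUERY_INFORMATION = 0x0400; $THREAD_QUERY_INFORMATION = 0x0040
$ThreadQuerySetWin32StartAddress = 9                      # THREADINFOCLASS value
$mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][MEMORY_BASIC_INFORMATION])

$hits = foreach ($proc in Get-Process) {
    $hProc = [ThreadCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $proc.Id)
    if ($hProc -eq [IntPtr]::Zero) { continue }           # protected process / access denied
    foreach ($thread in $proc.Threads) {
        $hThread = [ThreadCheck]::OpenThread($THREAD_QUERY_INFORMATION, $false, $thread.Id)
        if ($hThread -eq [IntPtr]::Zero) { continue }
        # Step 1: the thread's Win32 start address
        $start = [IntPtr]::Zero
        $status = [ThreadCheck]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
        [void][ThreadCheck]::CloseHandle($hThread)
        if ($status -ne 0) { continue }
        # Step 2: the memory region that contains that address
        $mbi = New-Object MEMORY_BASIC_INFORMATION
        if ([ThreadCheck]::VirtualQueryEx($hProc, $start, [ref]$mbi, $mbiSize) -eq [IntPtr]::Zero) { continue }
        # Step 3: committed but not backed by an image on disk -> report it
        if (($mbi.State -band $MEM_COMMIT) -and ($mbi.Type -ne $MEM_IMAGE)) {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; TID = $thread.Id
                               StartAddress = ('0x{0:X}' -f $start.ToInt64()); Type = ('0x{0:X}' -f $mbi.Type) }
        }
    }
    [void][ThreadCheck]::CloseHandle($hProc)
}
$hits | Format-Table -AutoSize
```

Expect some benign hits (JIT-compiled .NET code and other legitimately private regions), so baseline the output before treating a result as an injection.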
Scary (for us attackers ;)
Invoke-PSInject vs. Get-InjectedThread
Demo
• Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows 10:
• Defender + AMSI
• Deep script block logging
• Device Guard and constrained language mode
• Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
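An added PowerShell script (not from the slides) that applies the logging tips above and the logging features described under "Logs on Logs": it sets the same policy registry values Group Policy would for transcription, module logging and script block logging, removes the v2 engine so the "install v5, uninstall v2" advice sticks, and checks the classic event log for engine starts that still report version 2.0. Run it elevated; the transcript directory is an assumption.

```powershell
# Added example, not from the deck. Run elevated on Windows 10 / PowerShell 5.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }            # deep script block logging (v5)
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }                 # module logging (v3+)
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1
                              OutputDirectory = 'C:\PSTranscripts' }     # assumption: use a write-only share
}
foreach ($key in $settings.Keys) {
    $path = Join-Path $base $key
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($name in $settings[$key].Keys) {
        Set-ItemProperty -Path $path -Name $name -Value $settings[$key][$name]
    }
}
# Module logging needs a module filter; '*' logs every module (the "tons of data" the slides mention)
$mods = Join-Path $base 'ModuleLogging\ModuleNames'
if (-not (Test-Path $mods)) { New-Item -Path $mods -Force | Out-Null }
Set-ItemProperty -Path $mods -Name '*' -Value '*'

# "Install v5, and uninstall v2": remove the optional feature so the engine cannot be downgraded
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# Detection: a v2 engine start is recorded as classic event 400 with EngineVersion=2.0 in its message
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object -First 10 TimeCreated,
        @{ n = 'HostApplication'; e = { [regex]::Match($_.Message, 'HostApplication=(.*)').Groups[1].Value.Trim() } }
```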
Tips for Securing a PowerShell Deployment
Summary
• There’s a huge variety of offensive and defensive projects and technologies available
• PowerShell red and blue will continue to play cat and mouse
• PowerShell Version 2 remains a big Achilles heel
• The tide has started to really shift towards blue/defense!
• We’re actually moving towards C# for offensive tooling
• Now: 15 min break
• Grab a coffee
• Stay here to enjoy next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout session room afterwards
Next Steps...
Questions?
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Red teamer and offensive engineer for Specter Ops
• Co-founder:
• Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
• PowerView | PowerUp | current PowerSploit developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_Author
• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder, Justin Warner, many many others
About_References
• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen
• BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMImplant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson
About_References
• https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://github.com/leechristensen/UnmanagedPowerShell
• https://github.com/EmpireProject/PSInject
• https://github.com/EmpireProject/Empire
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/danielbohannon/Invoke-Obfuscation
• https://github.com/ChrisTruncer/WMImplant
• https://github.com/FuzzySecurity/PSKernel-Primitives
• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
About_References