Catch Me If You Can: PowerShell Red vs. Blue
A Survey of PowerShell Security
Will Schroeder, Specter Ops
Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and more
• Parental Guidance: PowerShell <3 the Blue Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound, and more
Our Offensive Philosophy
• “Assume breach” approach, focus on post-exploitation
  • “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
  • Focus on blending in with normal host and network options
  • Led us to focus on built-in capabilities, most importantly PowerShell!
In the Beginning (2002)…
…Then There Was Light! (2009)
Offensive Infancy (2010)
From the Tree of Knowledge (2011)…
Sidenote: (2017)
Learning to Walk (2011)
• Defenses:
  • Execution policy? Profiles?
  • Basic transcription (Version 2)
Primary School
• The True Offensive Start:
  • PowerSyringe (2011) became PowerSploit (2012)
  • Injects shellcode into the current or an arbitrary process
  • One of the most common components reused in malware
  • Common post-exploitation features added (logging, screenshot collection, etc.)
• PowerShell Version 3 (Sept 2012)
  • Module logging introduced - the first logging of PS commands
Adolescence
• Invoke-ReflectivePEInjection (2013)
  • Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process
• The big one… Invoke-Mimikatz (2013)
  • Dumps plaintext passwords from memory! (Amongst *many* other tasty things)
Demo: Invoke-Mimikatz
Adolescence
• PowerView (March 2014)
  • Network/Active Directory situational awareness tool
  • Fun features ruined by Microsoft - hunting (NetCease in Oct 2016) and remote enumeration (SAMRi10 - Dec 2016)
• Kansa (March 2014)
  • Incident response framework
• Uproot (Oct 2014)
  • WMI-based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
  • PowerShell reverse engineering toolkit
Adolescence
• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”
  • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection
  • Really was a big “missing link” from our perspective
  • It can be used offensively or defensively (Get-InjectedThread)
Adolescence
• SharpPick (Dec. 2014)
  • PowerShell without PowerShell.exe!
  • Bypassed weak AppLocker configs/command logging
• UnmanagedPowerShell (Dec 2014)
  • Inject PowerShell scripts into any process!
  • Loads .NET 2.0 runtime (if available) to bypass logging
• PowerForensics (Mar 2015)
  • Live disk forensics with PowerShell!
Demo: UnmanagedPowerShell
Sidenote: Lee vs. Lee
Some Parental Guidance (2015)
AMSI
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
Bypasses Will Always Exist!
Logs on Logs
• Transcription (v2, improved in v5)
  • Ability to record the contents of a PowerShell session
• Module Logging (v3)
  • Captures good execution details, but tons of data
• Deep Script Block Logging (v5)
  • Records code blocks as they’re executed
  • Default: logs suspicious-looking scripts
The Rebellious Teenager (Aug 2015)
Lee Fires Back (2015/2017)
Demo: Invoke-Mimikatz vs. Defender/AMSI
Defense Grows Up
• CimSweep (Jan 2016)
  • CIM-based defensive sweeping tool
• BloodHound (April 2016)
  • Active Directory attack path analysis
  • A modified version of PowerView is used for the data ingestion
• WMI load events (~2016)
  • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"
  • https://gist.github.com/mattifestation/7fe1df7ca2fa3d067def00c01af
  • Take a memory dump each time a PS process closes
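The Win32_ModuleLoadTrace idea above, as an added example (not the slides' or the linked gist's code): a CIM indication subscription that records every process loading the PowerShell engine assembly, with its image and parent, and flags hosts that are not on an expected list. The log path and the expected-host list are assumptions for this example; run it from an elevated session.

```powershell
# Added example: record every load of System.Management.Automation(.ni).dll,
# whatever process performs it. Unmanaged hosts (SharpPick / UnmanagedPowerShell
# style) show up as a non-PowerShell image loading the engine.
# Requires an elevated session; the kernel trace provider needs admin rights.

# Hypothetical output location and host allow-list, chosen for this example.
# ISE, SCCM, Exchange and other management agents also host PowerShell
# legitimately, so tune the list per environment.
$logPath       = 'C:\ProgramData\PSEngineLoads.jsonl'
$expectedHosts = @('powershell', 'powershell_ise', 'pwsh')

$query = "SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE '%System.Management.Automation%'"

$action = {
    $ev        = $Event.SourceEventArgs.NewEvent      # the Win32_ModuleLoadTrace instance
    $loaderPid = [int]$ev.ProcessID
    $proc      = Get-Process -Id $loaderPid -ErrorAction SilentlyContinue

    # Win32_Process gives the parent, which is what usually separates an admin's
    # console from an Office document or a service that spawned an engine host.
    $wmi    = Get-CimInstance Win32_Process -Filter "ProcessId = $loaderPid" -ErrorAction SilentlyContinue
    $parent = if ($wmi) { Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue }

    $record = [pscustomobject]@{
        Time       = (Get-Date).ToString('o')
        ProcessId  = $loaderPid
        Image      = if ($proc)   { $proc.Path }   else { $null }
        Parent     = if ($parent) { $parent.Path } else { $null }
        Module     = $ev.FileName
        Unexpected = ($null -ne $proc) -and ($proc.Name -notin $Event.MessageData.Expected)
    }
    $record | ConvertTo-Json -Compress | Add-Content -Path $Event.MessageData.LogPath
}

# MessageData carries the settings into the action, which runs in its own scope.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'PSEngineLoad' `
    -MessageData @{ LogPath = $logPath; Expected = $expectedHosts } `
    -Action $action | Out-Null

# Unregister-Event -SourceIdentifier 'PSEngineLoad'   # removes the subscription
```

Each record is one JSON line, so the file can be shipped to a SIEM and filtered on `Unexpected` to surface engine loads outside powershell.exe.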
Things Get Complicated…
• Invoke-Obfuscation (Sep 2016)
  • Encyclopedia of PowerShell obfuscation methods
http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
Demo: Invoke-Obfuscation
Towards the Future…
• Device Guard (2016+) allows for the enforcement of constrained language mode
  • Strong application whitelisting/code integrity
  • Unsigned scripts run in Constrained Language Mode
  • No access to the underlying .NET framework
• WMImplant (late 2016)
  • WMI/PowerShell-based toolkit that deploys functions even in constrained language mode
PowerShell <3 The Kernel?? (2016-2017+)
https://github.com/FuzzySecurity/PSKernel-Primitives
Scary (for us attackers ;)
• Get-InjectedThread (April 2017)
  • Enumerates all currently running threads
  • For each thread:
    • Finds the base address of the thread
    • Checks if the initial memory page of the thread is allocated
    • Checks if the initial memory page is not backed by a file on disk
    • If the thread page IS committed and NOT backed by a file, then it is likely injected
  • Catches nearly all stock malware injection approaches!
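The three-step check Get-InjectedThread performs, as an added example (not the tool's own code): it uses Add-Type P/Invoke declarations instead of PSReflect, resolves each thread's Win32 start address, queries that page with VirtualQueryEx and reports pages that are committed but not image-backed. Function and type names are assumptions for this example; run it elevated from a 64-bit PowerShell so foreign processes can be queried.

```powershell
# Added example: Get-InjectedThread's logic with Add-Type instead of PSReflect.
# For every thread: start address -> VirtualQueryEx on that page -> report it
# when State has MEM_COMMIT but Type lacks MEM_IMAGE (nothing on disk behind it).
# Processes that refuse a handle (protected/system) are skipped, not reported.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ThreadNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr thread, int infoClass,
        out IntPtr info, int infoLength, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr process, IntPtr address,
        out MEMORY_BASIC_INFORMATION buffer, IntPtr length);
}
"@

function Find-UnbackedThread {
    param([int[]]$ProcessId = (Get-Process).Id)

    $PROCESS_QUERY_INFORMATION       = 0x0400
    $THREAD_QUERY_INFORMATION        = 0x0040
    $ThreadQuerySetWin32StartAddress = 9          # THREADINFOCLASS value
    $MEM_COMMIT = 0x1000
    $MEM_IMAGE  = 0x1000000
    $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf([type][ThreadNative+MEMORY_BASIC_INFORMATION])

    foreach ($procId in $ProcessId) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }
        $hProc = [ThreadNative]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $procId)
        if ($hProc -eq [IntPtr]::Zero) { continue }       # no access: protected or system process
        try {
            foreach ($thread in $proc.Threads) {
                $hThread = [ThreadNative]::OpenThread($THREAD_QUERY_INFORMATION, $false, $thread.Id)
                if ($hThread -eq [IntPtr]::Zero) { continue }
                try {
                    # Step 1: where did this thread start executing?
                    $start  = [IntPtr]::Zero
                    $status = [ThreadNative]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress,
                        [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                    if ($status -ne 0) { continue }

                    # Step 2: what kind of memory is the start page?
                    $mbi = New-Object -TypeName 'ThreadNative+MEMORY_BASIC_INFORMATION'
                    if ([ThreadNative]::VirtualQueryEx($hProc, $start, [ref]$mbi, $mbiSize) -eq [IntPtr]::Zero) { continue }

                    # Step 3: committed but not an image mapping => no file on disk behind it.
                    $committed   = ($mbi.State -band $MEM_COMMIT) -ne 0
                    $imageBacked = ($mbi.Type  -band $MEM_IMAGE)  -ne 0
                    if ($committed -and -not $imageBacked) {
                        [pscustomobject]@{
                            ProcessName  = $proc.Name
                            ProcessId    = $procId
                            ThreadId     = $thread.Id
                            StartAddress = ('0x{0:X}' -f $start.ToInt64())
                            MemoryType   = ('0x{0:X}' -f $mbi.Type)     # 0x20000 MEM_PRIVATE, 0x40000 MEM_MAPPED
                            Protect      = ('0x{0:X}' -f $mbi.Protect)
                        }
                    }
                } finally { [void][ThreadNative]::CloseHandle($hThread) }
            }
        } finally { [void][ThreadNative]::CloseHandle($hProc) }
    }
}

Find-UnbackedThread | Format-Table -AutoSize
```

Hits are candidates, not verdicts: a few legitimate runtimes start threads from private memory, so baseline the output on a clean host before alerting on it.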
Demo: Invoke-PSInject vs. Get-InjectedThread
Tips for Securing a PowerShell Deployment
• Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows 10:
  • Defender + AMSI
  • Deep script block logging
  • Device Guard and constrained language mode
• Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
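The logging controls from the "Logs on Logs" slide and the deployment tips above, as one added example (not from the slides): it sets script block logging, module logging and transcription as local policy values, removes the v2 engine, and returns an audit object so the result can be verified. The transcript directory is an assumption for this example; run it elevated on Windows 10 / PowerShell 5.

```powershell
# Added example: apply and audit the PowerShell logging/hardening settings the deck
# recommends. The registry paths mirror the Group Policy settings under
# Windows Components > Windows PowerShell. Run elevated.
# $transcriptDir is hypothetical; in production point it at a write-only share so a
# compromised host cannot edit its own transcripts.

$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'

function Set-PowerShellLoggingPolicy {
    # Deep script block logging (v5): every script block is written to
    # Microsoft-Windows-PowerShell/Operational as Event ID 4104.
    New-Item "$policyRoot\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging (v3+): pipeline execution details for all modules ('*'). Noisy but complete.
    New-Item "$policyRoot\ModuleLogging" -Force | Out-Null
    New-Item "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription (v5): full text of each session, with an invocation header per command.
    New-Item "$policyRoot\Transcription" -Force | Out-Null
    Set-ItemProperty "$policyRoot\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty "$policyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty "$policyRoot\Transcription" -Name OutputDirectory -Value $transcriptDir -Type String
}

function Get-EnabledV2Feature {
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' }
}

function Disable-PowerShellV2 {
    # The v2 engine has neither script block logging nor the AMSI hook, so anything that
    # can start it escapes both. Removing the optional feature is the fix the slide calls for.
    Get-EnabledV2Feature | ForEach-Object {
        Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null
    }
}

function Get-PowerShellLoggingState {
    $sbl = Get-ItemProperty "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty "$policyRoot\ModuleLogging"      -ErrorAction SilentlyContinue
    $tx  = Get-ItemProperty "$policyRoot\Transcription"      -ErrorAction SilentlyContinue
    $recent4104 = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                      -MaxEvents 10 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($mod.EnableModuleLogging -eq 1)
        Transcription      = ($tx.EnableTranscripting -eq 1)
        TranscriptDir      = $tx.OutputDirectory
        V2EngineRemoved    = (-not (Get-EnabledV2Feature))
        # 'ConstrainedLanguage' here means a Device Guard / WDAC policy applies to this session.
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
        # Confirms 4104 events are actually being written after the change.
        Recent4104Events   = $recent4104.Count
    }
}

Set-PowerShellLoggingPolicy
Disable-PowerShellV2
Get-PowerShellLoggingState
```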
Summary
• There’s a huge variety of offensive and defensive projects and technologies available
• PowerShell red and blue will continue to play cat and mouse
• PowerShell Version 2 remains a big Achilles heel
• The tide has started to really shift towards blue/defense!
• We’re actually moving towards C# for
Next Steps...
• Now: 15 min break
  • Grab a coffee
  • Stay here to enjoy the next presentation
  • Change track and switch to another room
  • Ask me questions or meet me in a breakout session room afterwards
Questions?
About_Author
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Red teamer and offensive engineer for Specter Ops
• Co-founder:
  • Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
  • PowerView | PowerUp | current PowerSploit developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_References
• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder, Justin Warner, many many others
About_References
• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen
• BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMImplant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson
About_References
• https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://github.com/leechristensen/UnmanagedPowerShell
• https://github.com/EmpireProject/PSInject
• https://github.com/EmpireProject/Empire
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/danielbohannon/Invoke-Obfuscation
• https://github.com/ChrisTruncer/WMImplant
• https://github.com/FuzzySecurity/PSKernel-Primitives
• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
 
Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 

Recently uploaded

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Catch Me If You Can: PowerShell Red vs Blue

1. Catch Me If You Can: PowerShell Red vs. Blue
Will Schroeder, Specter Ops
A Survey of PowerShell Security

2. Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and more
• Parental Guidance: PowerShell <3 the Blue Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound, and more

3. Our Offensive Philosophy
• “Assume breach” approach, focus on post-exploitation
• “Fundamentally, if someone wants to get in, they’re getting in… accept that. What we tell clients is: Number one, you’re in a fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
• Focus on blending with normal host and network options
• Led us to focus on built-in capabilities, most importantly PowerShell!

4. In the Beginning (2002)…

5. …Then There Was Light! (2009)

7. From the Tree of Knowledge (2011)…

9. Learning to Walk (2011)
• Defenses:
• Execution policy? Profiles?
• Basic transcription (Version 2)
• The True Offensive Start:

10. Primary School
• PowerSyringe (2011) became PowerSploit (2012)
• Injects shellcode into the current or an arbitrary process
• One of the most common components reused in malware
• Common post-exploitation features added (logging, screenshot collection, etc.)
• PowerShell Version 3 (Sept 2012)
• Module logging introduced - first logging of PS commands

11. Adolescence
• Invoke-ReflectivePEInjection (2013)
• Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process
• The big one… Invoke-Mimikatz (2013)
• Dumps plaintext passwords from memory! (Amongst *many* other tasty things)

13. Adolescence
• PowerView (March 2014)
• Network/Active Directory situational awareness tool
• Fun features ruined by Microsoft - hunting (NetCease in Oct 2016) and remote enumeration (SAMRi10 - Dec 2016)
• Kansa (March 2014)
• Incident response framework
• Uproot (Oct 2014)
• WMI based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
• PowerShell reverse engineering toolkit

14. Adolescence
• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”
• This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection
• Really was a big “missing link” from our perspective
• It can be used offensively or defensively (Get-InjectedThread)

15. Adolescence
• SharpPick (Dec. 2014)
• PowerShell without PowerShell.exe!
• Bypassed weak AppLocker configs/command logging
• UnmanagedPowerShell (Dec 2014)
• Inject PowerShell scripts into any process!
• Loads .NET 2.0 runtime (if available) to bypass logging
• PowerForensics (Mar 2015)
• Live disk forensics with PowerShell!

21. Logs on Logs
• Transcription (v2, improved in v5)
• Ability to record the contents of a PowerShell session
• Module Logging (v3)
• Captures good execution details, but tons of data
• Deep Script Block Logging (v5)
• Records code blocks as they’re executed
• Default: logs suspicious looking scripts

23. Lee Fires Back (2015/2017)

25. Defense Grows Up
• CimSweep (Jan 2016)
• CIM-based defensive sweeping tool
• BloodHound (April 2016)
• Active Directory attack path analysis
• A modified version of PowerView is used for the data ingestion
• WMI load events (~2016)
• SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"
• https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
• Take a memory dump each time a PS process closes
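The module-load trigger on slide 25, written out as an added example (not code from the talk or from the gist it cites): one WMI subscription fires whenever any process maps the PowerShell engine DLL, a second one notes when such a process exits, and hosts other than the usual PowerShell executables are tagged, which is how the SharpPick/UnmanagedPowerShell style hosts from slide 15 stand out. The log path and the list of expected hosts are assumptions; an elevated session is required.

```powershell
# Added example, not from the talk. Both -Action blocks run outside this function's scope,
# so all shared state is handed to them through -MessageData rather than local variables.
function Register-PowerShellEngineWatch {
    param(
        [string]$LogPath = 'C:\PSEngineLoads.log',                        # assumed location
        # Processes expected to host the engine; anything else gets flagged (assumed list)
        [string[]]$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')
    )
    $state = @{ LogPath = $LogPath; Expected = $ExpectedHosts; Tracked = @{} }   # PID -> name

    # The % wildcard before .dll also matches the NGEN image System.Management.Automation.ni.dll,
    # which is what a warm system normally loads instead of the plain .dll.
    $loadQuery = "SELECT * FROM Win32_ModuleLoadTrace " +
                 "WHERE FileName LIKE '%System.Management.Automation%.dll'"

    Register-WmiEvent -Query $loadQuery -SourceIdentifier 'PSEngineLoad' -MessageData $state -Action {
        $e      = $Event.SourceEventArgs.NewEvent
        $st     = $Event.MessageData
        $procId = [int]$e.ProcessID
        $name   = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        if (-not $name) { $name = '<gone>' }
        $st.Tracked[$procId] = $name
        $tag  = if ($st.Expected -contains $name) { 'LOAD' } else { 'LOAD-UNEXPECTED-HOST' }
        $line = '{0:o} {1} pid={2} name={3} file={4}' -f (Get-Date), $tag, $procId, $name, $e.FileName
        Add-Content -Path $st.LogPath -Value $line
    } | Out-Null

    # Exit side of the slide's "each time a PS process closes": only PIDs seen loading the
    # engine are reported, so ordinary process churn does not reach the log.
    Register-WmiEvent -Query 'SELECT * FROM Win32_ProcessStopTrace' -SourceIdentifier 'PSEngineExit' -MessageData $state -Action {
        $e      = $Event.SourceEventArgs.NewEvent
        $st     = $Event.MessageData
        $procId = [int]$e.ProcessID
        if ($st.Tracked.ContainsKey($procId)) {
            $line = '{0:o} EXIT pid={1} name={2} exit={3}' -f (Get-Date), $procId, $st.Tracked[$procId], $e.ExitStatus
            Add-Content -Path $st.LogPath -Value $line
            $st.Tracked.Remove($procId)
        }
    } | Out-Null
}

function Unregister-PowerShellEngineWatch {
    'PSEngineLoad', 'PSEngineExit' |
        ForEach-Object { Unregister-Event -SourceIdentifier $_ -ErrorAction SilentlyContinue }
}

# Register-PowerShellEngineWatch      # keep the registering session open; events arrive in it
# Get-Content C:\PSEngineLoads.log -Wait
```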
26. Things Get Complicated…
• Invoke-Obfuscation (Sep 2016)
• Encyclopedia of PowerShell obfuscation methods
• http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9

28. Towards the Future…
• Device Guard (2016+) allows for the enforcement of constrained language
• Strong application whitelisting/code integrity
• Unsigned scripts run in Constrained Mode
• No access to underlying .NET framework
• WMImplant (late 2016)
• WMI/PowerShell based toolkit that deploys functions even in constrained language

30. Scary (for us attackers ;)
• Get-InjectedThread (April 2017)
• Enumerates all currently running threads
• For each thread:
• Finds the base address of each thread
• Checks if the initial memory page of the thread is allocated
• Checks if the initial memory is not backed by a file on disk
• If the thread page IS committed and NOT backed by a file, then it is likely injected
• Catches nearly all stock malware injection approaches!

32. Tips for Securing a PowerShell Deployment
• Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows 10:
• Defender + AMSI
• Deep script block logging
• Device Guard and constrained language mode
• Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
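Slides 21 and 32 together say which logging to turn on and what it yields. The following is an added example (not code from the talk) that applies the three policies through their Group Policy registry locations and then reads the resulting script block events back for triage, reassembling blocks that were split across several events and keeping the ones the engine itself marked as suspicious (logged at Warning level even when script block logging is off). The transcript directory and the keyword list are assumptions.

```powershell
# Added example, not from the talk. Policy keys are the documented Group Policy registry
# locations for Windows PowerShell 5.x; the transcript directory is an assumed path.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed; restrict its ACL to admins

    # Deep script block logging (v5): EID 4104 in Microsoft-Windows-PowerShell/Operational
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging (v3): EID 4103 pipeline details; '*' = every module, hence "tons of data"
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

    # Transcription (v5): full session text on disk, with an invocation header per command
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir
}

function Get-ScriptBlockFinding {
    # A long block is logged as several 4104 events sharing one ScriptBlockId; this joins
    # them back together. Payload layout of a 4104 event:
    #   [0] MessageNumber  [1] MessageTotal  [2] ScriptBlockText  [3] ScriptBlockId  [4] Path
    param(
        [int]$MaxEvents = 2000,
        [string]$Keywords = 'FromBase64String|-enc|Invoke-Expression|\bIEX\b'   # assumed list
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events |
        Group-Object -Property { $_.Properties[3].Value } |
        ForEach-Object {
            $parts = $_.Group | Sort-Object -Property { [int]$_.Properties[0].Value }
            $first = $parts | Select-Object -First 1
            [pscustomobject]@{
                ScriptBlockId = $_.Name
                FirstSeen     = $first.TimeCreated
                Path          = $first.Properties[4].Value
                # Level 3 = Warning: the engine logged this block as suspicious on its own,
                # which it does even when script block logging has not been enabled
                EngineFlagged = [bool]($parts | Where-Object { $_.Level -eq 3 })
                Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
            }
        } |
        Where-Object { $_.EngineFlagged -or $_.Text -match $Keywords }
}

# Enable-PowerShellLogging      # run once, elevated; takes effect for new PowerShell sessions
# Get-ScriptBlockFinding | Format-List ScriptBlockId, FirstSeen, Path, EngineFlagged, Text
```

Slide 30's Get-InjectedThread checks, as a second added example in the same spirit (not the tool's own code): the Win32 start address of each thread is looked up and the page it lives in is queried, and a thread whose start page is committed but not backed by an image file is reported. The P/Invoke declarations below are a minimal Add-Type equivalent of what PSReflect provides; an elevated session is needed to open other users' processes, and threads that cannot be opened are skipped rather than reported.

```powershell
# Added example, not the Get-InjectedThread code the slide refers to.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ThreadMem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, int tid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr address,
        out MEMORY_BASIC_INFORMATION mbi, IntPtr length);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
        out IntPtr info, int length, IntPtr returnLength);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

$THREAD_QUERY_INFORMATION  = 0x0040
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_VM_READ           = 0x0010
$ThreadQuerySetWin32StartAddress = 9    # THREADINFOCLASS: the thread's Win32 start address
$MEM_COMMIT = 0x1000                    # page is committed (the slide's "allocated")
$MEM_IMAGE  = 0x1000000                 # region is a mapped executable image = backed by a file

function Test-InjectedThread {
    # Returns $null when the thread cannot be inspected; otherwise an object whose Injected
    # flag is the slide's rule: start page committed AND not image-backed.
    param([int]$ProcessId, [int]$ThreadId)
    $hThread = [ThreadMem]::OpenThread($THREAD_QUERY_INFORMATION, $false, $ThreadId)
    if ($hThread -eq [IntPtr]::Zero) { return $null }
    $hProc = [ThreadMem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { [ThreadMem]::CloseHandle($hThread) | Out-Null; return $null }
    try {
        # Step 1: the thread's start address ("base address" on the slide)
        $start  = [IntPtr]::Zero
        $status = [ThreadMem]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress,
                                                        [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
        if ($status -ne 0) { return $null }
        # Steps 2 and 3: state and type of the page containing that address
        $mbi  = New-Object ThreadMem+MEMORY_BASIC_INFORMATION
        $size = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
        if ([ThreadMem]::VirtualQueryEx($hProc, $start, [ref]$mbi, $size) -eq [IntPtr]::Zero) { return $null }
        $committed   = ($mbi.State -eq $MEM_COMMIT)
        $imageBacked = ($mbi.Type -eq $MEM_IMAGE)
        # Step 4: the verdict
        [pscustomobject]@{
            ProcessId    = $ProcessId
            ThreadId     = $ThreadId
            StartAddress = ('0x{0:X}' -f $start.ToInt64())
            Committed    = $committed
            ImageBacked  = $imageBacked
            Injected     = ($committed -and -not $imageBacked)
        }
    } finally {
        [ThreadMem]::CloseHandle($hProc)   | Out-Null
        [ThreadMem]::CloseHandle($hThread) | Out-Null
    }
}

function Get-InjectedThreadReport {
    # The slide's outer loop: every thread of every process, keeping only the hits.
    foreach ($p in Get-Process) {
        foreach ($t in $p.Threads) {
            $r = Test-InjectedThread -ProcessId $p.Id -ThreadId $t.Id
            if ($r -and $r.Injected) {
                $r | Add-Member -NotePropertyName ProcessName -NotePropertyValue $p.ProcessName -PassThru
            }
        }
    }
}

# Get-InjectedThreadReport | Format-Table ProcessName, ProcessId, ThreadId, StartAddress
```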
33. Summary
• There's a huge variety of offensive and defensive projects and technologies available
• PowerShell red and blue will continue to play cat and mouse
• PowerShell Version 2 remains a big Achilles heel
• The tide has started to really shift towards blue/defense!
• We're actually moving towards C# for

34. Next Steps...
• Now: 15 min break
• Grab a coffee
• Stay here to enjoy the next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout session room afterwards

36. About_Author
• Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at] harmj0y.net
• Red teamer and offensive engineer for Specter Ops
• Co-founder: Veil-Framework | Empire/EmPyre | BloodHound
• Developer of: PowerView | PowerUp | current PowerSploit developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer

37. About_References
• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder, Justin Warner, many many others

38. About_References
• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen
• BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMImplant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson

39. About_References
• https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://github.com/leechristensen/UnmanagedPowerShell
• https://github.com/EmpireProject/PSInject
• https://github.com/EmpireProject/Empire
• https://github.com/PowerShellMafia/CimSweep
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/danielbohannon/Invoke-Obfuscation
• https://github.com/ChrisTruncer/WMImplant
• https://github.com/FuzzySecurity/PSKernel-Primitives
• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

Editor's Notes

  1. Will show the evolution of offense and the defensive projects and mitigations that have been implemented in response. Will not cover ALL tools, just ones I think are “evolutionary” relevant. Focus only on “legitimate”/open-source offensive capabilities -> won’t cover crimeware/etc.
  2. Quote - Microsoft Office365 red teaming whitepaper. Access to .NET/the API, can stay off of disk, can reassemble malicious binaries in memory, etc. Explain what led us to PowerShell.
  3. “The Version 2 problem” – explain why we care about it from the offensive perspective.
  4. https://www.youtube.com/watch?v=JKlVONfD53w - Talked some about execution policy. Main contribution - PowerDump.
  5. Built by Matt Graeber. Eventually repurposed into open source offensive toolsets like Metasploit.
  6. Both coded by Joe Bialek. Mainly built so every binary didn’t have to be recoded into pure PowerShell.
     https://github.com/PowerShellMafia/PowerSploit/blob/dev/CodeExecution/Invoke-ReflectivePEInjection.ps1
     https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-Mimikatz.ps1
  7. Invoke-Mimikatz that creates a golden ticket for the parent domain and then DCSyncs the krbtgt of the root.
  8. https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
     https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
     https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
     https://github.com/davehull/Kansa - Incident response collection cmdlets (Dave Hull)
     https://github.com/Invoke-IR/Uproot - IDS via WMI Event Subscriptions
     https://github.com/mattifestation/PowerShellArsenal - Reverse engineering
  9. https://github.com/mattifestation/PSReflect - Why not use Add-Type? Explain… Swap over - show PowerView code before and after.
  10. Twitter thread about “can we run PowerShell without powershell.exe”. PowerForensics – explain CreateFile() approach to avoid native APIs.
     http://www.sixdub.net/?p=367#more-367
     https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/SharpPick
     https://github.com/leechristensen/UnmanagedPowerShell
  11. https://github.com/EmpireProject/PSInject
     $Code = '
     [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
     [System.Windows.Forms.MessageBox]::Show("This is PS code! Current proc: $(Get-Process -Id $PID)");
     '
     $Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Code))
     Start-Process notepad
     Invoke-PSInject -ProcName notepad -PoshCode $Encoded
  12. Command Line Version Parameter – “-version 2”. Hosting Applications Compiled using V2 Reference Assemblies – “the “Windows PowerShell” classic event log has event ID 400. This is the “Engine Lifecycle” event, and includes the Engine Version.”
  13. Released a month before Empire was slated to be released – gave me an existential freakout!
     - Better transcription with Start-Transcript and automatic transcription options
     - Deep script block logging
     - AMSI
  14. - Transcription allows for automatic recording of PowerShell sessions.
     - Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations.
     - Module logging will record portions of scripts, some de-obfuscated code, and some data formatted for output.
     - Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands. Including code AFTER it was de-obfuscated!
     - These suspicious blocks are logged at the “warning” level in EID 4104, unless script block logging is explicitly disabled. This feature ensures that some forensic data is logged for known-suspicious activity, even if logging is not enabled.
     https://github.com/PowerShell/PowerShell/blob/02b5f357a20e6dee9f8e60e3adb9025be3c94490/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660
  15. PowerShellEmpire – talked about last year. https://github.com/EmpireProject/Empire
  16. 2015 - “Measure-VariableObfuscation”, which relies on PowerShellArsenal to create “Obfuscation Metrics” for scripts.
  17. And system.management.automation.ni.dll – why the wildcard.
     https://github.com/PowerShellMafia/CimSweep
     https://github.com/BloodHoundAD/BloodHound
     https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
  18. Demo steps:
     ipmo .\Invoke-Obfuscation.psd1
     Invoke-Obfuscation
     SET SCRIPTBLOCK function Invoke-Stuff { Get-Process }; Invoke-Stuff
     token all 1
     clip (show you executing it in a PowerShell window)
     back
     back
     STRING 3
     clip (show you executing it in a PowerShell window)
     back
     encoding 6
     clip (show you executing it in a PowerShell window)
     back
     launcher rundll++ 0
     clip (run in cmd.exe)
  19. Matt Graeber will speak on this on day 3 (Device Guard). Device Guard forces PS into constrained language mode - https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Language_Modes. No reflection, no Add-Type, limits New-Object (e.g. no creating arbitrary COM objects). https://github.com/ChrisTruncer/WMImplant
  20. https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
  21. After this, you should WANT attackers to use PowerShell! Try and block the attacker, but if he still gets in, we want to be able to detect and see what he did.
  22. 42:00