1. Catch Me If You Can
PowerShell Red vs.
Blue
Will Schroeder, Specter Ops
A Survey of PowerShell Security
2. Agenda
• Setting the Stage: Offensive Philosophy
• Infancy: from Monad to PowerSyringe
• Primary School: PowerSploit
• Adolescence: PEs, Mimikatz, Kansa, and
more
• Parental Guidance: PowerShell <3 the Blue
Team
• Teenage Rebellion: PowerShell Empire
• Defense Grows Up: CimSweep, BloodHound,
and more
3. Our Offensive Philosophy
• “Assume breach” approach, focus on post-
exploitation
• “Fundamentally, if someone wants to get in, they’re
getting in…accept that. What we tell clients is: Number
one, you’re in fight, whether you thought you were or
not. Number two, you almost certainly are penetrated.”
- Michael Hayden, Former Director of NSA & CIA
• “Living off the Land”
• Focus on blending with normal host and
network options
• Led us to focus on built-in capabilities,
most importantly PowerShell!
9. Learning to Walk (2011)
• Defenses:
• Execution policy? Profiles?
• Basic transcription (Version 2)
• The True Offensive Start:
10. • PowerSyringe (2011) became
PowerSploit (2012)
• Injects shellcode into the current or
arbitrary process
• One of the most common components reused
malware
• Common post-exploitation features added
logging, screen shot collection, etc.)
• PowerShell Version 3 (Sept 2012)
• Module logging introduced - first
logging of PS commands
Primary School
11. • Invoke-ReflectivePEInjection (2013)
• Allows for the loading of arbitrary
.EXEs/.DLLs into the current process or a
foreign process
• The big one… Invoke-Mimikatz (2013)
• Dumps plaintext passwords from memory!
(Amongst *many* other tasty things )
Adolescence
13. • PowerView (March 2014)
• Network/Active Directory situational
awareness tool
• Fun features ruined by Microsoft -
hunting (NetCease in Oct 2016) and remote
enumeration (SAMRi10 - Dec 2016)
• Kansa (March 2014)
• Incident response framework
• Uproot (Oct 2014)
• WMI based IDS with PowerShell deployment
• PowerShellArsenal (Nov 2014)
• PowerShell reverse engineering toolkit
Adolescence
14. • PSReflect (Sep 2014) is “a series of
helper functions designed to make
defining in-memory enums, structs,
and Win32 functions extremely easy”
• This project immensely simplifies the
usage of Win32 API calls/associated
structures versus manual reflection
• Really was a big “missing link” from our
perspective
• It can be used offensively
defensively (Get-InjectedThread)
Adolescence
15. • SharpPick (Dec. 2014)
• PowerShell without PowerShell.exe!
• Bypassed weak AppLocker configs/command
logging
• UnmanagedPowerShell (Dec 2014)
• Inject PowerShell scripts into any
process!
• Loads .NET 2.0 runtime (if available) to
bypass logging
• PowerForensics (Mar 2015)
• Live disk forensics with PowerShell!
Adolescence
21. • Transcription (v2, improved in v5)
• Ability to record the contents of a
PowerShell session
• Module Logging (v3)
• Captures good execution details, but tons
data
• Deep Script Block Logging (v5)
• Records code blocks as they’re executed
• Default: logs suspicious looking
scripts
Logs on Logs
25. • CimSweep (Jan 2016)
• C-based defensive sweeping tool
• BloodHound (April 2016)
• Active Directory attack path analysis
• A modified version of PowerView is used
the data ingestion
• WMI load events (~2016)
• SELECT * FROM Win32_ModuleLoadTrace WHERE FileName
"%System.Management .Automation%.dll%"
• https://gist.github.com/mattifestation/7fe1df7ca2f
a3d067def00c01af
• Take memory dump each time a PS process closes
Defense Grows Up
26. • Invoke-Obfuscation (Sep 2016)
• Encyclopedia of PowerShell obfuscation
methods
Things Get Complicated…
http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
28. • Device Guard (2016+) allows for the
enforcement of constrained language
• Strong application whitelisting/code
integrity
• Unsigned scripts run in Constrained
Mode
• No access to underlying .NET framework
• WMImplant (late 2016)
• WMI/PowerShell based toolkit that deploys
functions even in constrained language
Towards the Future…
30. • Get-InjectedThread (April 2017)
• Enumerates all current running threads
• For each thread:
• Finds the base address of each thread
• Checks if the initial memory page of
thread is allocated
• Checks if the if the initial memory
not backed by an file on disk
• If the thread page IS committed and NOT
backed by a file, then it is likely
• Catches nearly all stock malware
injection approaches!
Scary (for us attackers ;)
32. • Command line logging
• Full transcription (if possible)
• Install v5, and uninstall v2!!
• Windows10:
• Defender + AMSI
• Deep script block logging
• Device Guard and constrained language mode
• Great resource:
https://www.fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html
Tips for Securing a PowerShell
Deployment
33. Summary
• There‘s a huge variety of offensive and
defensive projects and technologies
available
• PowerShell red and blue will continue to
play cat and mouse
• PowerShell Version 2 remains a big
achilles heel
• The tide has started to really shift
towards blue/defense!
• We‘re actually moving towards C# for
34. • Now: 15 min break
• Grab a coffee
• Stay here to enjoy next presentation
• Change track and switch to another room
• Ask me questions or meet me in a breakout
session room afterwards
Next Steps...
36. • Will Schroeder (@harmj0y)
• http://blog.harmj0y.net | will [at]
harmj0y.net
• Red teamer and offensive engineer for
Specter Ops
• Co-founder:
• Veil-Framework | Empire/EmPyre | BloodHound
• Developer of:
• PowerView | PowerUp | current PowerSploit
developer
• Microsoft CDM/PowerShell MVP
• Veteran trainer
About_Author
37. • PowerSploit - Matt Graeber, Chris
Campbell, Joe Bialek
• Kansa - Dave Hull
• Uproot - Jared Atkinson
• PowerShellArsenal - Matt Graeber
• PowerView/PowerUp - Will Schroeder
• PSReflect - Matt Graeber
• SharpPick - Justin Warner
• UnmanagedPowerShell - Lee Christensen
• PowerShell Empire - Will Schroeder,
Justin Warner, many many others
About_References
38. • CimSweep - Matt Graeber, Jared Atkinson,
Lee Christensen
• BloodHound - Andy Robbins, Rohan
Vazarkar, Will Schroeder
• Invoke-Obfuscation - Daniel Bohannon
• WMIPlant - Chris Truncer
• PSKernel-Primitives - Ruben Boonen
• Get-InjectedThread - Jared Atkinson
About_References
Will show the evolution of offense and the defensive projects and mitigations that have been implemented in response
Will not cover ALL tools, just ones I think are “evolutionary” relevant
Focus only on “legitimate”/open-source offensive capabilities -> won’t cover crimeware/etc.
Quote- Microsoft Office365 red teaming whitepaper
Access to .NET/the API, can stay off of disk, can reassemble malicious binaries in memory, etc.
Explain what led us to PowerShell
“The Version 2 problem” – explain why we care about it from the offensive perspective
https://www.youtube.com/watch?v=JKlVONfD53w
Talked some about execution policy
Main contribution - PowerDump
Built by Matt Graeber
Eventually repurposed into open source offensive toolsets like Metasploit
Both coded by Joe Bialek
Mainly built so every binary didn’t have to be recoded into pure PowerShell
https://github.com/PowerShellMafia/PowerSploit/blob/dev/CodeExecution/Invoke-ReflectivePEInjection.ps1
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-Mimikatz.ps1
Invoke-Mimikatz that creates a golden ticket for the parent domain and then DCSyncs the krbtgt of the root
https://github.com/mattifestation/PSReflect
Why not use Add-Type? Explain…
Swap over- show PowerView code before and after
Twitter thread about “can we run PowerShell without powershell.exe”
PowerForensics – explain CreateFile() approach to avoid native APIs
http://www.sixdub.net/?p=367#more-367
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/SharpPick
https://github.com/leechristensen/UnmanagedPowerShell
Command Line Version Parameter – “-version 2”
Hosting Applications Compiled using V2 Reference Assemblies – “the “Windows PowerShell” classic event log has event ID 400. This is the “Engine Lifecycle” event, and includes the Engine Version.”
Released a month before Empire was slated to be released – gave me an existential freakout!
-Better transcription with Start-Transcript and automatic transcription options
-Deep script block logging
-AMSI
-Transcription allows for automatic recording of PowerShell sessions
-Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations.
-Module logging will record portions of scripts, some de-obfuscated code, and some data formatted for output.
-Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands.
Including code AFTER it was de-obfuscated!
These suspicious blocks are logged at the “warning” level in EID 4104, unless script block logging is explicitly disabled.
This feature ensures that some forensic data is logged for known-suspicious activity, even if logging is not enabled
https://github.com/PowerShell/PowerShell/blob/02b5f357a20e6dee9f8e60e3adb9025be3c94490/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660
PowerShellEmpire – talked about last year
https://github.com/EmpireProject/Empire
2015- “Measure-VariableObfuscation” which relies on PowerShellArsenal to create “Obfuscation Metrics” for scripts
And system.management.automation.ni.dll – why the wildcard
https://github.com/PowerShellMafia/CimSweep
https://github.com/BloodHoundAD/BloodHound
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
ipmo .\Invoke-Obfuscation.psd1
Invoke-Obfuscation
SET SCRIPTBLOCK function Invoke-Stuff { Get-Process }; Invoke-Stuff
token
all
1
clip
(Show you executing it in a powershell window)
back
back
STRING
3
clip
(Show you executing it in a powershell window)
back
encoding
6
clip
(Show you executing it in a powershell window)
back
launcher
rundll++
0
clip
(run in cmd.exe)
Matt Graeber will speak on this on day 3 (device guard)
Device Guard force PS into constrained language mode - https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Language_Modes
No reflection, add-type, limits New-Object(e.g. no creating arbitrary COM objects)
https://github.com/ChrisTruncer/WMImplant
After this, you should WANT attackers to use PowerShell!
Try and block the attacker, but if he still gets in, we want to be able to detect and see what he did