Gray Hat PowerShell

Ben Ten(@Ben0xA)

Slides: http://www.slideshare.net/BenTen0xA

ShowMeCon 2015

About Me

Ben Ten (0xA)@Ben0xA - twitter

Chicago - #burbsecSecurity Consultant at DeveloperPoshSec Framework CreatorGamerGeek

Gray Hat PowerShellShowMeCon 2015 - Ben Ten (@Ben0xA)

Thank You!

About Me

About This Talk

DISCLAIMER!

About This Talk

DISCLAIMER!Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a diam lectus. Sed sit amet ipsum mauris. Maecenas congue ligula ac quam viverra nec consectetur ante hendrerit. Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean ut gravida lorem. Ut turpis felis, pulvinar a semper sed, adipiscing id dolor. Pellentesque auctor nisi id magna consequat sagittis. Curabitur dapibus enim sit amet elit pharetra tincidunt feugiat nisl imperdiet. Ut convallis libero in urna ultrices accumsan. Donec sed odio eros. Donec viverra mi quis quam pulvinar at malesuada arcu rhoncus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. In rutrum accumsan ultricies. Mauris vitae nisi at sem facilisis semper ac in est.

Vivamus fermentum semper porta. Nunc diam velit, adipiscing ut tristique vitae, sagittis vel odio. Maecenas convallis ullamcorper ultricies. Curabitur ornare, ligula semper consectetur sagittis, nisi diam iaculis velit, id fringilla sem nunc vel mi. Nam dictum, odio nec pretium volutpat, arcu ante placerat erat, non tristique elit urna et turpis. Quisque mi metus, ornare sit amet fermentum et, tincidunt et orci. Fusce eget orci a orci congue vestibulum. Ut dolor diam, elementum et vestibulum eu, porttitor vel elit. Curabitur venenatis pulvinar tellus gravida ornare. Sed et erat faucibus nunc euismod ultricies ut id justo. Nullam cursus suscipit nisi, et ultrices justo sodales nec. Fusce venenatis facilisis lectus ac semper. Aliquam at massa ipsum. Quisque bibendum purus convallis nulla ultrices ultricies. Nullam aliquam, mi eu aliquam tincidunt, purus velit laoreet tortor, viverra pretium nisi quam vitae mi. Fusce vel volutpat elit. Nam sagittis nisi dui.

Yes, I know it's Lorem Ipsum….

About This Talk

DISCLAIMER!● Please do not use any of these tools, techniques, or code on any system that you do not own or otherwise have permission to use.

● Some of these things can damage systems!

About This Talk

This Talk is Not:

● An introduction to PowerShell

● Able to cover the wide array of techniques and code available in 45 minutes

About This Talk

Practical PowerShell Programming for Professional People

http://ben0xa.com

https://youtube.com/watch?v=4X_uBL2YpmA

Overview

● Under the .NET Hood● Offense Tools● Defense Tools● Resources● Q&A● Hugs – if you want them!

Under the .NET Framework Hood

Before you create any tool, regardless of your intent, you need to understand what

you are building your tool upon.

PowerShell sits directly on Microsoft .NET Framework

PowerShell is NOT powershell.exe

powershell.exe is just a host application.

It hosts the assembly that contains PowerShell and handles I/O.

System.Management.Automation.dll

The Code

$ps = [powershell]::Create()$ps.AddCommand("Get-ChildItem")$ps.Invoke()

$ps.Commands.Clear()$ps.AddScript("Write-Output `"Hey there ShowMeCon!`"; Get-ChildItem;")$ps.Invoke()

Demo #2

The Code

The AwesomerShell code is available on ben0xa.com

Offense Tools

● PowerSploitMatt Graeber (@mattifestation)Chris Campbell (@obscuresec)

● Veil-PowerView / PowerUpWill Shroeder (@harmj0y)

● Posh-SecModCarlos Perez (@darkoperator)

Offense Tools

● PowerSploitMatt Graeber (@mattifestation)Chris Campbell (@obscuresec)

● Veil-PowerViewWill Shroeder (@harmj0y)

● Posh-SecModCarlos Perez (@darkoperator)

PowerSploit

Add-PersistenceFind-4624LogonsFind-4648LogonsFind-AppLockerLogsFind-AVSignatureFind-PSScriptsInPSAppLogFind-RDPClientConnectionsGet-ComputerDetailsGet-GPPPasswordGet-HttpStatusGet-KeystrokesGet-SecurityPackagesGet-TimedScreenshotGet-VaultCredentialGet-VolumeShadowCopyInstall-SSPInvoke-CredentialInjectionInvoke-DllInjectionInvoke-MimikatzInvoke-NinjaCopy

Invoke-PortScanInvoke-ReflectivePEInjectionInvoke-ReverseDNSLookupInvoke-ShellcodeInvoke-ShellcodeMSILInvoke-TokenManipulationMount-VolumeShadowCopyNew-ElevatedPersistenceOptionNew-UserPersistenceOptionOut-CompressedDllOut-EncodedCommandOut-EncryptedScriptOut-MinidumpRemove-CommentsSet-CriticalProcessSet-MasterBootRecord

PowerSploit

Invoke-Expression (iex)

Loads Directly in Memory – No Disk I/O

PowerSploit

Demo #3

Defense Tools

● PoshSecMatt Johnson (@mwjcomputing)Ben Ten (@ben0xa)

● KansaDave Hull (@davehull)

● Invoke-IR / PowerForensicsJared Atkinson (@jaredcatkinson)

Defense Tools

● PoshSecMatt Johnson (@mwjcomputing)Ben Ten (@ben0xa)

● KansaDave Hull (@davehull)

● Invoke-IR / PowerForensicsJared Atkinson (@jaredcatkinson)

Defense Tools

Demo #4

Defense Tools

Resources

● PowerSploithttps://github.com/mattifestation/PowerSploit

● Veil-PowerView / PowerUphttps://github.com/veil-framework/

● Posh-SecModhttps://github.com/darkoperator/

Resources

● PoshSechttps://github.com/poshsec

● Kansahttps://github.com/davehull

● Invoke-IR / PowerForensicshttps://github.com/invoke-ir

Ben Ten (0xA)@Ben0xA - twitterhttp://ben0xa.comhttp://poshsec.comweb@ben0xa.comBen0xA – LinkedIn, Github, keybase, etc.

irc.freenode.net#burbsec, #poshsec, #pssec

http://www.slideshare.net/BenTen0xA

Gray Hat PowerShell - ShowMeCon 2015

Technology

Fundamentals of Leveraging PowerShell - DEF CON CON 25/DEF CON 25... · Fundamentals of Leveraging PowerShell -DEFCON Executing PowerShell •Windows PowerShell typically is not the

PowerShell let's talk about automation - Microsoft€¦ · Automation? PowerShell: Desired State Configuration PowerShell: Workflows Service Management Automation Agenda PowerShell

Sparked People | Sparked Customers Powershell. Agenda 2 Wat is Powershell Wat betekent Powershell voor Sharepoint Powershell Basics Collecties en objecten,

Who Should Use Powershell? You Should Use Powershell!

Dell Command | PowerShell Provider Version 1.3 … · Installing Windows PowerShell.....7 Configuring Windows PowerShell

Automation Using PowerShell - cdn.ttgtmedia.com · 328 CHAPTER 8 AUTOMATION USING POWERSHELL Installing the VMM PowerShell Cmdlets Even though the VMM PowerShell interface does not

[Webinar] PowerShell series part 3 – PowerShell and WMI

Gray Hat SEO

Revoke-Obfuscation - Black Hat€¦ · Revoke-Obfuscation > PowerShell Obfuscation Detection Using Science Daniel Bohannon - @danielhbohannon ... •cmd.exe /c "echo Write-Host SUCCESS

Gray Hat - PDF Archive

infecting the enterprise: abusing office365 ... - Black Hat · PDF fileinfecting the enterprise: abusing office365+powershell for covert c2 craig dods chief architect –security @ccma40

Gray hat hacking, second edition

PowerShell Security Settings and Configurations · PowerShell Security Settings and Configurations. Table of Contents . PowerShell Security Settings

PowerShell Notes for Professionalsebook.daehub.com/Tutorials/PowerShellNotesFor...PowerShell PowerShell Notes for Professionals ® Notes for Professionals GoalKicker.com Free Programming

Black Hat python python Hackers and Pentestersthe-eye.eu/public/Books/humble_books_20180509/blackhatpython.pdf · coding Python. He is the author of Gray Hat Python, the first book

Automation Azure with PowerShell - files.informatandm.comfiles.informatandm.com/...with_PowerShell_Beyond_the_Azure_PowerShell... · #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM PowerShell

Dell Command | PowerShell Provider Version 1.0 …topics-cdn.dell.com/pdf/dell-command-powershell-provider-v1.0_User... · 1 Introduction Dell Command | PowerShell Provider is a PowerShell

Agenda for Powershell (Level:200) Powershell Introduction Variable & Object Powershell Operator Loop and Flow Control Function and Debug Powershell

PowerShell Studio 2020 is the premier Windows PowerShell ... · PowerShell Studio 2020 is the premier Windows PowerShell integrated scripting and tool-making environment. v Fully-featured

My neighbor-totoro-large-and-small-optional-gray-plush-hat-cos-hat