17
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

Lateral Movement with PowerShell

Embed Size (px)

Citation preview

Page 1: Lateral Movement with PowerShell

POWERSHELL SHENANIGANSLATERAL MOVEMENT WITH POWERSHELL

KIERAN JACOBSEN

READIFY

Page 2: Lateral Movement with PowerShell

WHO AM I

• Kieran Jacobsen

• Technical Lead @ Readify

• Blog: poshsecurity.com

Page 3: Lateral Movement with PowerShell

OUTLINE

• PowerShell as an attack platform

• PowerShell malware

• PowerShell Remoting

• PowerShell security features

• Defence

Page 4: Lateral Movement with PowerShell

CHALLENGE

• Within a “corporate like” environment

• Start with an infected workstation and move to a domain

controller

• Where possible use only PowerShell code

Page 5: Lateral Movement with PowerShell

POWERSHELL AS AN ATTACK PLATFORM

• Obvious development, integration and

execution options

• Installed by default since Windows

Vista

• PowerShell still considered harmless by

the majority of AV vendors

Page 6: Lateral Movement with PowerShell

POWERSHELL MALWARE

• PowerWorm

• PoshKoder/PoshCoder

Page 7: Lateral Movement with PowerShell

MY POWERSHELL MALWARE

• Single Script – SystemInformation.ps1

• Runs as a schedule task –

“WindowsUpdate”

• Collects system information

• Reports back to C2 infrastructure

• Collects list of tasks to run

Page 8: Lateral Movement with PowerShell

DEMO: THE ENTRY

Page 9: Lateral Movement with PowerShell

POWERSHELL REMOTING

• PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation

• Supports execution in 3 ways:

• Remote enabled commands

• Remotely executed script blocks

• Remote sessions

• Simple security model

• Required for the Windows Server Manager

• Enabled by default

• Allowed through Windows Firewall

Page 10: Lateral Movement with PowerShell

DEMO: THE DC

Page 11: Lateral Movement with PowerShell

POWERSHELL SECURITY FEATURES

• Administrative rights

• UAC

• Code Signing

• File source identification

(zone.identifier)

• PowerShell Execution Policy

Page 12: Lateral Movement with PowerShell

EXECUTION POLICY

There are 6 states for the execution policy

• Unrestricted

• Remote Signed

• All Signed

• Restricted

• Undefined (Default)

• Bypass

Page 13: Lateral Movement with PowerShell

• Simply ask PowerShell

• Switch the files zone.idenfier back to local

• Read the script in and then execute it

• Encode the script and use

BYPASSING EXECUTION POLICY

Page 14: Lateral Movement with PowerShell

DEMO: THE HASHES

Page 15: Lateral Movement with PowerShell

DEFENCE

• Restricted/Constrained Endpoints

• Control/limit access to WinRM

Page 16: Lateral Movement with PowerShell

LINKS

• Code on GitHub:

http://j.mp/1i33Zrk

• QuarksPWDump:

http://j.mp/1kF30e9

• PowerWorm Analysis:

http://j.mp/RzgsHb

• Microsoft PowerShell/Security

Series:

• http://j.mp/OOyftt

• http://j.mp/1eDYvA4

• http://j.mp/1kF3z7T

• http://j.mp/NhSC0X

• http://j.mp/NhSEpy

Page 17: Lateral Movement with PowerShell

Q AND A

@kjacobsen

Poshsecurity.com


LATERAL MOVEMENT AND STABILITY OF CHANNEL BANKS … · crossing of the Leaf River near McLain, Miss. (fig. 1). Because lateral movement ... digitally simulate the defined past channel

LATERAL MOVEMENT AND STABILITY OF CHANNEL BANKS … · crossing of the Leaf River near McLain, Miss. (fig. 1). Because lateral movement ... digitally simulate the defined past channel

Documents
ShadowMove: A Stealthy Lateral Movement Strategy · lateral movement framework on top of this technique. We demonstrate the feasibility of our idea by building a prototype system

ShadowMove: A Stealthy Lateral Movement Strategy · lateral movement framework on top of this technique. We demonstrate the feasibility of our idea by building a prototype system

Documents
Lateral pressure on piles due to horizontal soil movement ... · PDF filePile for slope stabilization Figure 1. Lateral pressure on piles due to horizontal soil movement (after Chen

Lateral pressure on piles due to horizontal soil movement ... · PDF filePile for slope stabilization Figure 1. Lateral pressure on piles due to horizontal soil movement (after Chen

Documents
Lateral Movement by Default

Lateral Movement by Default

Technology
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)

Dynamic Population Discovery for Lateral Movement (Using Machine Learning)

Technology
Effect of vacuum pumping on lateral movement of sap in the

Effect of vacuum pumping on lateral movement of sap in the

Documents
Lateral Movement - Phreaknik 2016

Lateral Movement - Phreaknik 2016

Documents
Account jumping post infection persistency and lateral movement in AWS

Account jumping post infection persistency and lateral movement in AWS

Technology
Lateral Movement Detection - Assured Cloud Computingassured-cloud-computing.illinois.edu/files/2016/10/... · 2016-10-03 · Lateral Movement Detection Using Distributed Data Fusion

Lateral Movement Detection - Assured Cloud Computingassured-cloud-computing.illinois.edu/files/2016/10/... · 2016-10-03 · Lateral Movement Detection Using Distributed Data Fusion

Documents
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN HP ENTERPRISE SERVICES

Documents
Lateral Movement Detection Using Distributed Data Fusion · lasting targeted attacks such as Advanced Persistent Threats (APTs), lateral movement is the phase of an attack in which

Lateral Movement Detection Using Distributed Data Fusion · lasting targeted attacks such as Advanced Persistent Threats (APTs), lateral movement is the phase of an attack in which

Documents
Strata 2015 Presentation -- Detecting Lateral Movement

Strata 2015 Presentation -- Detecting Lateral Movement

Engineering
LATERAL CHANNEL MIGRATION AND GRAVEL BAR MOVEMENT IN THE OZARK

LATERAL CHANNEL MIGRATION AND GRAVEL BAR MOVEMENT IN THE OZARK

Documents
Dell Command | PowerShell Provider Version 1.3 … · Installing Windows PowerShell.....7 Configuring Windows PowerShell

Dell Command | PowerShell Provider Version 1.3 … · Installing Windows PowerShell.....7 Configuring Windows PowerShell

Documents
Lateral Movement Analysis

Lateral Movement Analysis

Documents
Detecting Lateral Movement Attacks through SMB using BRO

Detecting Lateral Movement Attacks through SMB using BRO

Documents
Evaluating a lateral move irrigation system · EVALUATING A LATERAL MOVE IRRIGATION SYSTEM 3 | 4. ... dry movement of lateral move, refuelling, ... – loss of water between the nozzle

Evaluating a lateral move irrigation system · EVALUATING A LATERAL MOVE IRRIGATION SYSTEM 3 | 4. ... dry movement of lateral move, refuelling, ... – loss of water between the nozzle

Documents
Lateral movement detection using ELK stack

Lateral movement detection using ELK stack

Documents
Agenda for Powershell (Level:200) Powershell Introduction Variable & Object Powershell Operator Loop and Flow Control Function and Debug Powershell

Agenda for Powershell (Level:200) Powershell Introduction Variable & Object Powershell Operator Loop and Flow Control Function and Debug Powershell

Documents
Lateral movement in undergraduate research: case studies

Lateral movement in undergraduate research: case studies

Documents
piles subjected to lateral soil movement

piles subjected to lateral soil movement

Documents
POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

Documents
Real Time Lateral Movement Detection based on …Real Time Lateral Movement Detection based on Evidence Reasoning Network for Edge Computing Environment Zhihong Tiany, Wei Shiz, Yuhang

Real Time Lateral Movement Detection based on …Real Time Lateral Movement Detection based on Evidence Reasoning Network for Edge Computing Environment Zhihong Tiany, Wei Shiz, Yuhang

Documents
Lateral Movement Detection and Responsepublish.illinois.edu/.../files/2017/07/06142017-Fawaz.pdf · 2017. 7. 18. · Response to Lateral Movement • Achieve resiliency against lateral

Lateral Movement Detection and Responsepublish.illinois.edu/.../files/2017/07/06142017-Fawaz.pdf · 2017. 7. 18. · Response to Lateral Movement • Achieve resiliency against lateral

Documents
Detecting Lateral Movement through Tracking Event Logs · PDF fileDetecting Lateral Movement through Tracking Event Logs . JPCERT Coordination Center June 12, 2017

Detecting Lateral Movement through Tracking Event Logs · PDF fileDetecting Lateral Movement through Tracking Event Logs . JPCERT Coordination Center June 12, 2017

Documents
PowerShell Saturday #009 (Singapore) - Azure + PowerShell

PowerShell Saturday #009 (Singapore) - Azure + PowerShell

Technology
PowerShell let's talk about automation - Microsoft€¦ · Automation? PowerShell: Desired State Configuration PowerShell: Workflows Service Management Automation Agenda PowerShell

PowerShell let's talk about automation - Microsoft€¦ · Automation? PowerShell: Desired State Configuration PowerShell: Workflows Service Management Automation Agenda PowerShell

Documents
This document downloaded from … · Lecture 14 Retaining Walls Lateral Earth Pressure Theory. Retaining Walls ... lateral earth pressure. Effect of Wall Movement. At Rest Lateral

This document downloaded from … · Lecture 14 Retaining Walls Lateral Earth Pressure Theory. Retaining Walls ... lateral earth pressure. Effect of Wall Movement. At Rest Lateral

Documents
Iron Cross: Using Forward movement, Lateral Movements ... · Iron Cross: Goaltender starts at bottom of circle. Using Forward movement, Lateral Movements (Shuffle and T-Push) and

Iron Cross: Using Forward movement, Lateral Movements ... · Iron Cross: Goaltender starts at bottom of circle. Using Forward movement, Lateral Movements (Shuffle and T-Push) and

Documents
The Industrial Revolution of Lateral Movement...Tal Be’ery, Independent Tal Maor, Microsoft ATA The Industrial Revolution of Lateral Movement

The Industrial Revolution of Lateral Movement...Tal Be’ery, Independent Tal Maor, Microsoft ATA The Industrial Revolution of Lateral Movement

Documents