
Catch Me If You Can: PowerShell Red vs Blue


Page 1: Catch Me If You Can: PowerShell Red vs Blue

Catch Me If You Can: PowerShell Red vs. Blue

Will Schroeder, Specter Ops

A Survey of PowerShell Security

Page 2: Catch Me If You Can: PowerShell Red vs Blue

Agenda

• Setting the Stage: Offensive Philosophy

• Infancy: from Monad to PowerSyringe

• Primary School: PowerSploit

• Adolescence: PEs, Mimikatz, Kansa, and more

• Parental Guidance: PowerShell <3 the Blue Team

• Teenage Rebellion: PowerShell Empire

• Defense Grows Up: CimSweep, BloodHound, and more

• Towards the Future: Obfuscation, Device

Page 3: Catch Me If You Can: PowerShell Red vs Blue

Our Offensive Philosophy

• “Assume breach” approach, focus on post-exploitation

• “Fundamentally, if someone wants to get in, they’re getting in… accept that. What we tell clients is: Number one, you’re in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA

• “Living off the Land”

• Focus on blending with normal host and network options

• Led us to focus on built-in capabilities, most importantly PowerShell!

Page 4: Catch Me If You Can: PowerShell Red vs Blue

In the Beginning (2002)…

Page 5: Catch Me If You Can: PowerShell Red vs Blue

…Then There Was Light! (2009)

Page 6: Catch Me If You Can: PowerShell Red vs Blue

Offensive Infancy (2010)

Page 7: Catch Me If You Can: PowerShell Red vs Blue

From the Tree of Knowledge (2011)…

Page 8: Catch Me If You Can: PowerShell Red vs Blue

Sidenote: (2017)

Page 9: Catch Me If You Can: PowerShell Red vs Blue

Learning to Walk (2011)

• Defenses:

• Execution policy? Profiles?

• Basic transcription (Version 2)

• The True Offensive Start:

Page 10: Catch Me If You Can: PowerShell Red vs Blue

Primary School

• PowerSyringe (2011) became PowerSploit (2012)

• Injects shellcode into the current or an arbitrary process

• One of the most common components reused by malware

• Common post-exploitation features added (logging, screenshot collection, etc.)

• PowerShell Version 3 (Sept 2012)

• Module logging introduced - first logging of PS commands

Page 11: Catch Me If You Can: PowerShell Red vs Blue

Adolescence

• Invoke-ReflectivePEInjection (2013)

• Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process

• The big one… Invoke-Mimikatz (2013)

• Dumps plaintext passwords from memory! (Amongst *many* other tasty things)

Page 12: Catch Me If You Can: PowerShell Red vs Blue

Invoke-Mimikatz

Demo

Page 13: Catch Me If You Can: PowerShell Red vs Blue

Adolescence

• PowerView (March 2014)

• Network/Active Directory situational awareness tool

• Fun features ruined by Microsoft: user-hunting (NetCease, Oct 2016) and remote enumeration (SAMRi10, Dec 2016)

• Kansa (March 2014)

• Incident response framework

• Uproot (Oct 2014)

• WMI-based IDS with PowerShell deployment

• PowerShellArsenal (Nov 2014)

• PowerShell reverse engineering toolkit

Page 14: Catch Me If You Can: PowerShell Red vs Blue

Adolescence

• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy”

• This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection

• Really was a big “missing link” from our perspective

• It can be used offensively and defensively (Get-InjectedThread)

Page 15: Catch Me If You Can: PowerShell Red vs Blue

Adolescence

• SharpPick (Dec 2014)

• PowerShell without PowerShell.exe!

• Bypassed weak AppLocker configs/command logging

• UnmanagedPowerShell (Dec 2014)

• Inject PowerShell scripts into any process!

• Loads .NET 2.0 runtime (if available) to bypass logging

• PowerForensics (Mar 2015)

• Live disk forensics with PowerShell!

Page 16: Catch Me If You Can: PowerShell Red vs Blue

UnmanagedPowerShell

Demo

Page 17: Catch Me If You Can: PowerShell Red vs Blue

Sidenote: Lee vs. Lee

Page 18: Catch Me If You Can: PowerShell Red vs Blue

Some Parental Guidance (2015)

Page 19: Catch Me If You Can: PowerShell Red vs Blue

AMSI

https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

Page 20: Catch Me If You Can: PowerShell Red vs Blue

Bypasses Will Always Exist!

Page 21: Catch Me If You Can: PowerShell Red vs Blue

Logs on Logs

• Transcription (v2, improved in v5)

• Ability to record the contents of a PowerShell session

• Module Logging (v3)

• Captures good execution details, but tons of data

• Deep Script Block Logging (v5)

• Records code blocks as they’re executed

• Default: logs suspicious-looking scripts

Page 22: Catch Me If You Can: PowerShell Red vs Blue

The Rebellious Teenager (Aug 2015)

Page 23: Catch Me If You Can: PowerShell Red vs Blue

Lee Fires Back (2015/2017)

Page 24: Catch Me If You Can: PowerShell Red vs Blue

Invoke-Mimikatz vs. Defender/AMSI

Demo

Page 25: Catch Me If You Can: PowerShell Red vs Blue

Defense Grows Up

• CimSweep (Jan 2016)

• CIM-based defensive sweeping tool

• BloodHound (April 2016)

• Active Directory attack path analysis

• A modified version of PowerView is used for the data ingestion

• WMI load events (~2016)

• SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"

• https://gist.github.com/mattifestation/7fe1df7ca2fa3d067def00c01af

• Take a memory dump each time a PS process closes
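As an added example (mine, not the linked gist or any project's code), the slide's WQL query wired into a CIM event subscription that flags the PowerShell engine loading into a process other than the usual hosts, which is exactly what SharpPick- and UnmanagedPowerShell-style tooling looks like from the outside; the host list and log path are assumptions.

```powershell
# Added example: alert when System.Management.Automation.dll is loaded by a process
# that is not a normal PowerShell host. Win32_ModuleLoadTrace is an ETW-backed event
# class, so this subscription must run elevated.
$Query = 'SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"'

# Assumed values: add your own approved hosts (agents, schedulers) to the list.
$Watch = @{
    Hosts = @('powershell.exe', 'powershell_ise.exe')
    Log   = 'C:\Logs\ps-engine-load.log'
}

Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $Query `
    -SourceIdentifier 'PSEngineLoad' -MessageData $Watch -Action {
    $cfg = $Event.MessageData
    $evt = $Event.SourceEventArgs.NewEvent
    # The loader may already have exited; the module-load record still proves it happened.
    $proc = Get-Process -Id $evt.ProcessID -ErrorAction SilentlyContinue
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }
    $name = if ($path) { [IO.Path]::GetFileName($path).ToLowerInvariant() } else { '' }
    # Unknown or unresolvable image name: treat as suspicious rather than silently skip.
    if ($cfg.Hosts -notcontains $name) {
        $line = '{0:o} PID {1} image "{2}" loaded {3}' -f (Get-Date), $evt.ProcessID, $path, $evt.FileName
        Add-Content -Path $cfg.Log -Value $line
        Write-Host "ALERT: $line" -ForegroundColor Yellow
        # This is the point to capture state (memory dump, thread check) before the host exits.
    }
}

# To stop watching: Unregister-Event -SourceIdentifier 'PSEngineLoad'
```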

Page 26: Catch Me If You Can: PowerShell Red vs Blue

Things Get Complicated…

• Invoke-Obfuscation (Sep 2016)

• Encyclopedia of PowerShell obfuscation methods

http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9

Page 27: Catch Me If You Can: PowerShell Red vs Blue

Invoke-Obfuscation

Demo

Page 28: Catch Me If You Can: PowerShell Red vs Blue

Towards the Future…

• Device Guard (2016+) allows for the enforcement of Constrained Language Mode

• Strong application whitelisting/code integrity

• Unsigned scripts run in Constrained Language Mode

• No access to the underlying .NET framework

• WMImplant (late 2016)

• WMI/PowerShell based toolkit that deploys functions even in Constrained Language Mode

Page 29: Catch Me If You Can: PowerShell Red vs Blue

PowerShell <3 The Kernel?? (2016-2017+)

https://github.com/FuzzySecurity/PSKernel-Primitives

Page 30: Catch Me If You Can: PowerShell Red vs Blue

Scary (for us attackers ;)

• Get-InjectedThread (April 2017)

• Enumerates all currently running threads

• For each thread:

• Finds the base address of the thread

• Checks if the initial memory page of the thread is allocated

• Checks if that initial memory page is not backed by a file on disk

• If the thread page IS committed and NOT backed by a file, then it is likely injected

• Catches nearly all stock malware injection approaches!
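An added example, written here and not taken from Get-InjectedThread, that runs the same test the slide describes over every thread of one process: resolve the thread's start address, query the page it lives in, and flag it when the page is committed but has no image file behind it. The Win32 declarations and the function name are my own.

```powershell
# Added example (not Get-InjectedThread): committed-but-not-image-backed thread start test.
# Run elevated to inspect processes you do not own; 32/64-bit struct layout is handled by IntPtr fields.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
        out IntPtr info, int infoLen, IntPtr returnLen);
    [DllImport("kernel32.dll")]
    public static extern UIntPtr VirtualQueryEx(IntPtr hProc, IntPtr addr,
        out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@

function Get-UnbackedThread {
    param([Parameter(Mandatory)][int]$ProcessId)
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    $hProc = [Native]::OpenProcess(0x0410, $false, $ProcessId)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($hProc -eq [IntPtr]::Zero) { throw "Cannot open process $ProcessId" }
    try {
        foreach ($t in (Get-Process -Id $ProcessId).Threads) {
            $hThread = [Native]::OpenThread(0x0040, $false, [uint32]$t.Id)   # THREAD_QUERY_INFORMATION
            if ($hThread -eq [IntPtr]::Zero) { continue }                    # thread already gone
            $start = [IntPtr]::Zero   # ThreadQuerySetWin32StartAddress (9) yields the thread's start address
            $status = [Native]::NtQueryInformationThread($hThread, 9, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
            [void][Native]::CloseHandle($hThread)
            if ($status -ne 0) { continue }
            $mbi  = New-Object Native+MEMORY_BASIC_INFORMATION
            $size = [UIntPtr]::new([Runtime.InteropServices.Marshal]::SizeOf($mbi))
            if ([Native]::VirtualQueryEx($hProc, $start, [ref]$mbi, $size) -eq [UIntPtr]::Zero) { continue }
            # Legitimate entry points sit in MEM_IMAGE regions; committed private/mapped memory with no image is the injection signature
            if ($mbi.State -eq $MEM_COMMIT -and $mbi.Type -ne $MEM_IMAGE) {
                [pscustomobject]@{ ProcessId = $ProcessId; ThreadId = $t.Id; StartAddress = ('0x{0:X}' -f $start.ToInt64()); MemoryType = $mbi.Type }
            }
        }
    } finally { [void][Native]::CloseHandle($hProc) }
}
```

Expect some benign hits from JIT-compiled .NET code and similar runtimes; the value is in triage against the known-good baseline for the host, not in treating every result as an implant.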

Page 31: Catch Me If You Can: PowerShell Red vs Blue

Invoke-PSInject vs. Get-InjectedThread

Demo

Page 32: Catch Me If You Can: PowerShell Red vs Blue

Tips for Securing a PowerShell Deployment

• Command line logging

• Full transcription (if possible)

• Install v5, and uninstall v2!!

• Windows 10:

• Defender + AMSI

• Deep script block logging

• Device Guard and constrained language mode

• Great resource: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
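An added example (mine, not from the talk) that applies the logging controls from the "Logs on Logs" slide and the tips above on a single Windows 10 / PowerShell 5 host: module logging, script block logging, transcription, command-line auditing, and removal of the v2 engine. The transcript directory is an assumed path; in a domain these same registry values are normally delivered by Group Policy.

```powershell
# Added example: local application of the hardening tips (run elevated).
# The registry paths are the ones the PowerShell Group Policy templates write.
$Policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$Transcript = 'C:\PSTranscripts'   # assumed path; ACL it so users cannot read or delete transcripts

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging (v3+): pipeline execution details for every module (Event ID 4103)
Set-PolicyValue "$Policy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$Policy\ModuleLogging\ModuleNames" '*' '*' 'String'

# Deep script block logging (v5): the code as it actually executes (Event ID 4104)
Set-PolicyValue "$Policy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Transcription (v5): full session capture, with the invocation header for context
New-Item -Path $Transcript -ItemType Directory -Force | Out-Null
Set-PolicyValue "$Policy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$Policy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$Policy\Transcription" 'OutputDirectory' $Transcript 'String'

# Command line logging: process creation auditing (Event ID 4688) including the command line
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# Uninstall v2: remove the engine that predates module and script block logging
Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null

# Check which PowerShell engine features remain installed
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
    Select-Object FeatureName, State
```

Forward the Microsoft-Windows-PowerShell/Operational and Security logs off the host; local logs and transcripts are only as trustworthy as the attacker's inability to edit them.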

Page 33: Catch Me If You Can: PowerShell Red vs Blue

Summary

• There’s a huge variety of offensive and defensive projects and technologies available

• PowerShell red and blue will continue to play cat and mouse

• PowerShell Version 2 remains a big Achilles heel

• The tide has started to really shift towards blue/defense!

• We’re actually moving towards C# for offensive tooling

Page 34: Catch Me If You Can: PowerShell Red vs Blue

Next Steps...

• Now: 15 min break

• Grab a coffee

• Stay here to enjoy the next presentation

• Change track and switch to another room

• Ask me questions or meet me in a breakout session room afterwards

Page 35: Catch Me If You Can: PowerShell Red vs Blue

Questions?

Page 36: Catch Me If You Can: PowerShell Red vs Blue

About_Author

• Will Schroeder (@harmj0y)

• http://blog.harmj0y.net | will [at] harmj0y.net

• Red teamer and offensive engineer for Specter Ops

• Co-founder:

• Veil-Framework | Empire/EmPyre | BloodHound

• Developer of:

• PowerView | PowerUp | current PowerSploit developer

• Microsoft CDM/PowerShell MVP

• Veteran trainer

Page 37: Catch Me If You Can: PowerShell Red vs Blue

About_References

• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek

• Kansa - Dave Hull

• Uproot - Jared Atkinson

• PowerShellArsenal - Matt Graeber

• PowerView/PowerUp - Will Schroeder

• PSReflect - Matt Graeber

• SharpPick - Justin Warner

• UnmanagedPowerShell - Lee Christensen

• PowerShell Empire - Will Schroeder, Justin Warner, many many others

Page 38: Catch Me If You Can: PowerShell Red vs Blue

About_References

• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen

• BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder

• Invoke-Obfuscation - Daniel Bohannon

• WMImplant - Chris Truncer

• PSKernel-Primitives - Ruben Boonen

• Get-InjectedThread - Jared Atkinson

Page 39: Catch Me If You Can: PowerShell Red vs Blue

About_References

• https://github.com/trustedsec/social-engineer-toolkit/blob/master/src/powershell/powerdump.powershell

• https://github.com/PowerShellMafia/PowerSploit/tree/dev/

• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b

• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b

• https://github.com/davehull/Kansa

• https://github.com/Invoke-IR/Uproot

• https://github.com/mattifestation/PowerShellArsenal

• https://github.com/mattifestation/PSReflect

• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick

• https://github.com/leechristensen/UnmanagedPowerShell

• https://github.com/EmpireProject/PSInject

• https://github.com/EmpireProject/Empire

• https://github.com/PowerShellMafia/CimSweep

• https://github.com/BloodHoundAD/BloodHound

• https://github.com/danielbohannon/Invoke-Obfuscation

• https://github.com/ChrisTruncer/WMImplant

• https://github.com/FuzzySecurity/PSKernel-Primitives

• https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2