Gray Hat PowerShell - ShowMeCon 2015

Date post: 31-Jul-2015
Upload: ben-ten-0xa
Transcript
Page 1: Gray Hat PowerShell - ShowMeCon 2015

Gray Hat PowerShell

Ben Ten(@Ben0xA)

Slides: http://www.slideshare.net/BenTen0xA

ShowMeCon 2015

Page 2: Gray Hat PowerShell - ShowMeCon 2015

About Me

Ben Ten (0xA)

@Ben0xA - twitter

Chicago - #burbsec

Security Consultant at

Developer

PoshSec Framework Creator

Gamer

Geek

Gray Hat PowerShellShowMeCon 2015 - Ben Ten (@Ben0xA)

Page 3: Gray Hat PowerShell - ShowMeCon 2015

Thank You!

Page 4: Gray Hat PowerShell - ShowMeCon 2015

Thank You!

Page 5: Gray Hat PowerShell - ShowMeCon 2015

About Me

Page 6: Gray Hat PowerShell - ShowMeCon 2015

About Me

Page 7: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

DISCLAIMER!

Page 8: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

DISCLAIMER!

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec a diam lectus. Sed sit amet ipsum mauris. Maecenas congue ligula ac quam viverra nec consectetur ante hendrerit. Donec et mollis dolor. Praesent et diam eget libero egestas mattis sit amet vitae augue. Nam tincidunt congue enim, ut porta lorem lacinia consectetur. Donec ut libero sed arcu vehicula ultricies a non tortor. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean ut gravida lorem. Ut turpis felis, pulvinar a semper sed, adipiscing id dolor. Pellentesque auctor nisi id magna consequat sagittis. Curabitur dapibus enim sit amet elit pharetra tincidunt feugiat nisl imperdiet. Ut convallis libero in urna ultrices accumsan. Donec sed odio eros. Donec viverra mi quis quam pulvinar at malesuada arcu rhoncus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. In rutrum accumsan ultricies. Mauris vitae nisi at sem facilisis semper ac in est.

Vivamus fermentum semper porta. Nunc diam velit, adipiscing ut tristique vitae, sagittis vel odio. Maecenas convallis ullamcorper ultricies. Curabitur ornare, ligula semper consectetur sagittis, nisi diam iaculis velit, id fringilla sem nunc vel mi. Nam dictum, odio nec pretium volutpat, arcu ante placerat erat, non tristique elit urna et turpis. Quisque mi metus, ornare sit amet fermentum et, tincidunt et orci. Fusce eget orci a orci congue vestibulum. Ut dolor diam, elementum et vestibulum eu, porttitor vel elit. Curabitur venenatis pulvinar tellus gravida ornare. Sed et erat faucibus nunc euismod ultricies ut id justo. Nullam cursus suscipit nisi, et ultrices justo sodales nec. Fusce venenatis facilisis lectus ac semper. Aliquam at massa ipsum. Quisque bibendum purus convallis nulla ultrices ultricies. Nullam aliquam, mi eu aliquam tincidunt, purus velit laoreet tortor, viverra pretium nisi quam vitae mi. Fusce vel volutpat elit. Nam sagittis nisi dui.

Yes, I know it's Lorem Ipsum….

Page 9: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

DISCLAIMER!

● Please do not use any of these tools, techniques, or code on any system that you do not own or otherwise have permission to use.

● Some of these things can damage systems!

Page 10: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

This Talk is Not:

● An introduction to PowerShell

● Able to cover the wide array of techniques and code available in 45 minutes

Page 11: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

Page 12: Gray Hat PowerShell - ShowMeCon 2015

About This Talk

Practical PowerShell Programming for Professional People

http://ben0xa.com

-or-

https://youtube.com/watch?v=4X_uBL2YpmA

Page 13: Gray Hat PowerShell - ShowMeCon 2015

Overview

● Under the .NET Hood

● Offense Tools

● Defense Tools

● Resources

● Q&A

● Hugs – if you want them!

Page 14: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Page 15: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Before you create any tool, regardless of your intent, you need to understand what you are building your tool upon.

Page 16: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

PowerShell sits directly on Microsoft .NET Framework

Page 17: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

PowerShell is NOT powershell.exe

Page 18: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

powershell.exe is just a host application.

It hosts the assembly that contains PowerShell and handles I/O.

System.Management.Automation.dll

Page 19: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Page 20: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Demo

Page 21: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Page 22: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Page 23: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

The Code

# Create an in-process PowerShell engine instance; whatever runs this code is now its host
$ps = [powershell]::Create()
# Queue a single cmdlet and run it
$ps.AddCommand("Get-ChildItem")
$ps.Invoke()

# Clear the queued pipeline and run an arbitrary script instead
$ps.Commands.Clear()
$ps.AddScript("Write-Output `"Hey there ShowMeCon!`"; Get-ChildItem;")
$ps.Invoke()
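An added defender-side example, not code from the talk or from AwesomerShell: since any process can host the engine, the check below lists every process that has loaded System.Management.Automation.dll and flags the ones that are not one of the usual hosts. The list of expected host names and the elevated-prompt assumption are mine.

```powershell
# Added example (not from the talk): find processes that host the PowerShell engine.
# Run from an elevated prompt so module lists of other users' processes are readable.
$engineDll  = 'System.Management.Automation'            # matches the .dll and the NGen'd .ni.dll
$knownHosts = @('powershell', 'powershell_ise', 'pwsh')  # assumed list of expected hosts

Get-Process | ForEach-Object {
    $proc = $_
    try {
        # .Modules throws for protected processes and for the other bitness; skip those.
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -like "$engineDll*.dll" }
    } catch {
        return   # no access to this process's module list
    }
    if ($loaded) {
        [pscustomobject]@{
            PID       = $proc.Id
            Process   = $proc.ProcessName
            Path      = $proc.Path
            KnownHost = ($knownHosts -contains $proc.ProcessName.ToLower())
        }
    }
} | Where-Object { -not $_.KnownHost } | Format-Table -AutoSize
```

Any row printed is a process running PowerShell code without being powershell.exe, which is exactly the case a rule that only blocks powershell.exe would miss.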

Page 24: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Demo #2

Page 25: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

Page 26: Gray Hat PowerShell - ShowMeCon 2015

Under the .NET Framework Hood

The Code

The AwesomerShell code is available on ben0xa.com

Page 27: Gray Hat PowerShell - ShowMeCon 2015

Offense Tools

● PowerSploit: Matt Graeber (@mattifestation), Chris Campbell (@obscuresec)

● Veil-PowerView / PowerUp: Will Schroeder (@harmj0y)

● Posh-SecMod: Carlos Perez (@darkoperator)

Page 28: Gray Hat PowerShell - ShowMeCon 2015

Offense Tools

● PowerSploit: Matt Graeber (@mattifestation), Chris Campbell (@obscuresec)

● Veil-PowerView: Will Schroeder (@harmj0y)

● Posh-SecMod: Carlos Perez (@darkoperator)

Page 29: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

Add-Persistence, Find-4624Logons, Find-4648Logons, Find-AppLockerLogs, Find-AVSignature, Find-PSScriptsInPSAppLog, Find-RDPClientConnections, Get-ComputerDetails, Get-GPPPassword, Get-HttpStatus, Get-Keystrokes, Get-SecurityPackages, Get-TimedScreenshot, Get-VaultCredential, Get-VolumeShadowCopy, Install-SSP, Invoke-CredentialInjection, Invoke-DllInjection, Invoke-Mimikatz, Invoke-NinjaCopy

Invoke-PortScan, Invoke-ReflectivePEInjection, Invoke-ReverseDNSLookup, Invoke-Shellcode, Invoke-ShellcodeMSIL, Invoke-TokenManipulation, Mount-VolumeShadowCopy, New-ElevatedPersistenceOption, New-UserPersistenceOption, Out-CompressedDll, Out-EncodedCommand, Out-EncryptedScript, Out-Minidump, Remove-Comments, Set-CriticalProcess, Set-MasterBootRecord

Page 30: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

STOP!

Page 31: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

Page 32: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

Page 33: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

Invoke-Expression (iex)

Loads Directly in Memory – No Disk I/O
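An added defender-side check that is not part of the talk: a script pulled in with Invoke-Expression never touches disk, but the engine's script block logging (PowerShell 5.0 and later, event 4104 in the Microsoft-Windows-PowerShell/Operational log) records the script text anyway. The policy registry path and the event property index below come from that feature's documentation, not from the slides; enabling the policy needs an elevated prompt.

```powershell
# Added example (not from the talk): turn on script block logging, then search what it
# recorded for Invoke-Expression / iex usage.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Event 4104 carries the compiled script block text in its third property, so the content
# of a script that was never written to disk is still visible here.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = $_.Properties[2].Value
        # -match is case-insensitive in PowerShell, so this also catches IEX / Iex
        if ($text -match '\b(Invoke-Expression|iex)\b') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = $_.ProcessId
                ScriptBlock = $text
            }
        }
    } | Format-List
```

Logging starts only after the policy is set, so nothing that ran earlier will be found; this is the record to keep forwarding to a SIEM rather than relying on files on disk.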

Page 34: Gray Hat PowerShell - ShowMeCon 2015

PowerSploit

Demo #3

Page 35: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools

● PoshSec: Matt Johnson (@mwjcomputing), Ben Ten (@ben0xa)

● Kansa: Dave Hull (@davehull)

● Invoke-IR / PowerForensics: Jared Atkinson (@jaredcatkinson)

Page 36: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools


Page 37: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools

Demo #4

Page 38: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools

Page 39: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools

Page 40: Gray Hat PowerShell - ShowMeCon 2015

Defense Tools

Page 41: Gray Hat PowerShell - ShowMeCon 2015

Resources

● PowerSploit: https://github.com/mattifestation/PowerSploit

● Veil-PowerView / PowerUp: https://github.com/veil-framework/

● Posh-SecMod: https://github.com/darkoperator/

Page 42: Gray Hat PowerShell - ShowMeCon 2015

Resources

● PoshSec: https://github.com/poshsec

● Kansa: https://github.com/davehull

● Invoke-IR / PowerForensics: https://github.com/invoke-ir

Page 43: Gray Hat PowerShell - ShowMeCon 2015

Q&A

Ben Ten (0xA)

@Ben0xA - twitter

http://ben0xa.com

[email protected] – LinkedIn, Github, keybase, etc.

irc.freenode.net: #burbsec, #poshsec, #pssec

http://www.slideshare.net/BenTen0xA
