SlideShare ist ein Scribd-Unternehmen logo
1 von 17
Downloaden Sie, um offline zu lesen
POWERSHELL SHENANIGANS
LATERAL MOVEMENT WITH POWERSHELL
KIERAN JACOBSEN
READIFY
WHO AM I
• Kieran Jacobsen
• Technical Lead @ Readify
• Blog: poshsecurity.com
OUTLINE
• PowerShell as an attack platform
• PowerShell malware
• PowerShell Remoting
• PowerShell security features
• Defence
CHALLENGE
• Within a “corporate like” environment
• Start with an infected workstation and move to a domain
controller
• Where possible use only PowerShell code
POWERSHELL AS AN ATTACK PLATFORM
• Obvious development, integration and
execution options
• Installed by default since Windows
Vista
• PowerShell still considered harmless by
the majority of AV vendors
POWERSHELL MALWARE
• PowerWorm
• PoshKoder/PoshCoder
MY POWERSHELL MALWARE
• Single Script – SystemInformation.ps1
• Runs as a schedule task –
“WindowsUpdate”
• Collects system information
• Reports back to C2 infrastructure
• Collects list of tasks to run
DEMO: THE ENTRY
POWERSHELL REMOTING
• PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management
implementation
• Supports execution in 3 ways:
• Remote enabled commands
• Remotely executed script blocks
• Remote sessions
• Simple security model
• Required for the Windows Server Manager
• Enabled by default
• Allowed through Windows Firewall
DEMO: THE DC
POWERSHELL SECURITY FEATURES
• Administrative rights
• UAC
• Code Signing
• File source identification
(zone.identifier)
• PowerShell Execution Policy
EXECUTION POLICY
There are 6 states for the execution policy
• Unrestricted
• Remote Signed
• All Signed
• Restricted
• Undefined (Default)
• Bypass
• Simply ask PowerShell
• Switch the files zone.idenfier back to local
• Read the script in and then execute it
• Encode the script and use
BYPASSING EXECUTION POLICY
DEMO: THE HASHES
DEFENCE
• Restricted/Constrained Endpoints
• Control/limit access to WinRM
LINKS
• Code on GitHub:
http://j.mp/1i33Zrk
• QuarksPWDump:
http://j.mp/1kF30e9
• PowerWorm Analysis:
http://j.mp/RzgsHb
• Microsoft PowerShell/Security
Series:
• http://j.mp/OOyftt
• http://j.mp/1eDYvA4
• http://j.mp/1kF3z7T
• http://j.mp/NhSC0X
• http://j.mp/NhSEpy
Q AND A
@kjacobsen
Poshsecurity.com

Weitere ähnliche Inhalte

Was ist angesagt?

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsNikhil Mittal
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShellNikhil Mittal
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)ClubHack
 
05 security automationwithansible
05 security automationwithansible05 security automationwithansible
05 security automationwithansibleKhairul Zebua
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shellNikhil Mittal
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandboxNephi Johnson
 
06 network automationwithansible
06 network automationwithansible06 network automationwithansible
06 network automationwithansibleKhairul Zebua
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba Fitzl
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 

Was ist angesagt? (20)

The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Kali Linux Installation - VMware
Kali Linux Installation - VMwareKali Linux Installation - VMware
Kali Linux Installation - VMware
 
Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
 
05 security automationwithansible
05 security automationwithansible05 security automationwithansible
05 security automationwithansible
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirus
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
Google chrome sandbox
Google chrome sandboxGoogle chrome sandbox
Google chrome sandbox
 
06 network automationwithansible
06 network automationwithansible06 network automationwithansible
06 network automationwithansible
 
Csaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of BugsCsaba fitzl - Mount(ain) of Bugs
Csaba fitzl - Mount(ain) of Bugs
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
 

Andere mochten auch

Exploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShellExploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShellkieranjacobsen
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)Jared Atkinson
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensicsJared Atkinson
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016Russel Van Tuyl
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Duckykieranjacobsen
 
Azure automation invades your data centre
Azure automation invades your data centreAzure automation invades your data centre
Azure automation invades your data centrekieranjacobsen
 
Advanced PowerShell Automation
Advanced PowerShell AutomationAdvanced PowerShell Automation
Advanced PowerShell Automationkieranjacobsen
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
Evolving your automation with hybrid workers
Evolving your automation with hybrid workersEvolving your automation with hybrid workers
Evolving your automation with hybrid workerskieranjacobsen
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk    fileless malware forensics(160820) #fitalk    fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell GoodiesCybereason
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShellJuan Carlos Gonzalez
 

Andere mochten auch (20)

PowerShell - PowerForensics
PowerShell - PowerForensicsPowerShell - PowerForensics
PowerShell - PowerForensics
 
Exploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShellExploiting MS15-034 In PowerShell
Exploiting MS15-034 In PowerShell
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
Fun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber DuckyFun with the Hak5 Rubber Ducky
Fun with the Hak5 Rubber Ducky
 
Azure automation invades your data centre
Azure automation invades your data centreAzure automation invades your data centre
Azure automation invades your data centre
 
Advanced PowerShell Automation
Advanced PowerShell AutomationAdvanced PowerShell Automation
Advanced PowerShell Automation
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Evolving your automation with hybrid workers
Evolving your automation with hybrid workersEvolving your automation with hybrid workers
Evolving your automation with hybrid workers
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk    fileless malware forensics(160820) #fitalk    fileless malware forensics
(160820) #fitalk fileless malware forensics
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
Some PowerShell Goodies
Some PowerShell GoodiesSome PowerShell Goodies
Some PowerShell Goodies
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShell
 

Ähnlich wie Lateral Movement with PowerShell

VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld
 
VMware Automation, PowerCLI presented at the Northern California PSUG
VMware Automation, PowerCLI presented at the Northern California PSUGVMware Automation, PowerCLI presented at the Northern California PSUG
VMware Automation, PowerCLI presented at the Northern California PSUGAlan Renouf
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet BoltEasy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet BoltPuppet
 
Open Audit
Open AuditOpen Audit
Open Auditncspa
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Xavier Ashe
 
Supercharge PBCS with PowerShell
Supercharge PBCS with PowerShellSupercharge PBCS with PowerShell
Supercharge PBCS with PowerShellKyle Goodfriend
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsDev 010101
 
Windows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server ManagementWindows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server ManagementSharkrit JOBBO
 
A Lap Around PowerShell 3.0
A Lap Around PowerShell 3.0A Lap Around PowerShell 3.0
A Lap Around PowerShell 3.0Sarah Dutkiewicz
 
Unleashing the Power: A Lap Around PowerShell 3.0
Unleashing the Power: A Lap Around PowerShell 3.0Unleashing the Power: A Lap Around PowerShell 3.0
Unleashing the Power: A Lap Around PowerShell 3.0Sarah Dutkiewicz
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopersBryan Cafferky
 
Delivery Pipeline for Windows Machines
Delivery Pipeline for Windows MachinesDelivery Pipeline for Windows Machines
Delivery Pipeline for Windows MachinesDmitry Buzdin
 
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows Machines
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows MachinesDevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows Machines
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows MachinesDevOpsDays Riga
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous IntegrationGeff Henderson Chang
 
Xpirit MeetUp: Docker Windows Workshop
Xpirit MeetUp: Docker Windows WorkshopXpirit MeetUp: Docker Windows Workshop
Xpirit MeetUp: Docker Windows WorkshopElton Stoneman
 
Docker on Windows - 101 to Production (half-day workshop)
Docker on Windows - 101 to Production (half-day workshop)Docker on Windows - 101 to Production (half-day workshop)
Docker on Windows - 101 to Production (half-day workshop)Elton Stoneman
 
Devnet 1005 Getting Started with OpenStack
Devnet 1005 Getting Started with OpenStackDevnet 1005 Getting Started with OpenStack
Devnet 1005 Getting Started with OpenStackCisco DevNet
 
Openwhisk - Colorado Meetups
Openwhisk - Colorado MeetupsOpenwhisk - Colorado Meetups
Openwhisk - Colorado MeetupsUpkar Lidder
 

Ähnlich wie Lateral Movement with PowerShell (20)

VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
 
VMware Automation, PowerCLI presented at the Northern California PSUG
VMware Automation, PowerCLI presented at the Northern California PSUGVMware Automation, PowerCLI presented at the Northern California PSUG
VMware Automation, PowerCLI presented at the Northern California PSUG
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
Easy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet BoltEasy Cross-Platform PowerShell Automation with Puppet Bolt
Easy Cross-Platform PowerShell Automation with Puppet Bolt
 
Open Audit
Open AuditOpen Audit
Open Audit
 
Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016Lateral Movement - Phreaknik 2016
Lateral Movement - Phreaknik 2016
 
Supercharge PBCS with PowerShell
Supercharge PBCS with PowerShellSupercharge PBCS with PowerShell
Supercharge PBCS with PowerShell
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
Windows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server ManagementWindows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server Management
 
A Lap Around PowerShell 3.0
A Lap Around PowerShell 3.0A Lap Around PowerShell 3.0
A Lap Around PowerShell 3.0
 
Unleashing the Power: A Lap Around PowerShell 3.0
Unleashing the Power: A Lap Around PowerShell 3.0Unleashing the Power: A Lap Around PowerShell 3.0
Unleashing the Power: A Lap Around PowerShell 3.0
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
 
Delivery Pipeline for Windows Machines
Delivery Pipeline for Windows MachinesDelivery Pipeline for Windows Machines
Delivery Pipeline for Windows Machines
 
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows Machines
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows MachinesDevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows Machines
DevOpsDaysRiga 2017: Dmitry Buzdin - Delivery Pipeline for Windows Machines
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous Integration
 
Xpirit MeetUp: Docker Windows Workshop
Xpirit MeetUp: Docker Windows WorkshopXpirit MeetUp: Docker Windows Workshop
Xpirit MeetUp: Docker Windows Workshop
 
Docker on Windows - 101 to Production (half-day workshop)
Docker on Windows - 101 to Production (half-day workshop)Docker on Windows - 101 to Production (half-day workshop)
Docker on Windows - 101 to Production (half-day workshop)
 
Devnet 1005 Getting Started with OpenStack
Devnet 1005 Getting Started with OpenStackDevnet 1005 Getting Started with OpenStack
Devnet 1005 Getting Started with OpenStack
 
Openwhisk - Colorado Meetups
Openwhisk - Colorado MeetupsOpenwhisk - Colorado Meetups
Openwhisk - Colorado Meetups
 

Mehr von kieranjacobsen

The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019kieranjacobsen
 
CrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security TalkCrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security Talkkieranjacobsen
 
The Boring Security Talk
The Boring Security TalkThe Boring Security Talk
The Boring Security Talkkieranjacobsen
 
The Boring Security Talk
The Boring Security TalkThe Boring Security Talk
The Boring Security Talkkieranjacobsen
 
Secure Azure Deployment Patterns
Secure Azure Deployment PatternsSecure Azure Deployment Patterns
Secure Azure Deployment Patternskieranjacobsen
 
Ransomware 0, Admins 1
Ransomware 0, Admins 1Ransomware 0, Admins 1
Ransomware 0, Admins 1kieranjacobsen
 
DecSecOps in 10 minutes
DecSecOps in 10 minutesDecSecOps in 10 minutes
DecSecOps in 10 minuteskieranjacobsen
 
DevSecOps in 10 minutes
DevSecOps in 10 minutesDevSecOps in 10 minutes
DevSecOps in 10 minuteskieranjacobsen
 
Infrastructure Saturday - Level Up to DevSecOps
Infrastructure Saturday - Level Up to DevSecOpsInfrastructure Saturday - Level Up to DevSecOps
Infrastructure Saturday - Level Up to DevSecOpskieranjacobsen
 
Dev Breakfast: Level up to DevSecOps
Dev Breakfast: Level up to DevSecOpsDev Breakfast: Level up to DevSecOps
Dev Breakfast: Level up to DevSecOpskieranjacobsen
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017kieranjacobsen
 
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data CentreGlobal Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centrekieranjacobsen
 
Enabling Enterprise Mobility
Enabling Enterprise MobilityEnabling Enterprise Mobility
Enabling Enterprise Mobilitykieranjacobsen
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Serviceskieranjacobsen
 
DirectAccess, do’s and don’ts
DirectAccess, do’s and don’tsDirectAccess, do’s and don’ts
DirectAccess, do’s and don’tskieranjacobsen
 

Mehr von kieranjacobsen (16)

The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
CrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security TalkCrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security Talk
 
The Boring Security Talk
The Boring Security TalkThe Boring Security Talk
The Boring Security Talk
 
The Boring Security Talk
The Boring Security TalkThe Boring Security Talk
The Boring Security Talk
 
Secure Azure Deployment Patterns
Secure Azure Deployment PatternsSecure Azure Deployment Patterns
Secure Azure Deployment Patterns
 
Ransomware 0, Admins 1
Ransomware 0, Admins 1Ransomware 0, Admins 1
Ransomware 0, Admins 1
 
Ransomware 0 admins 1
Ransomware 0 admins 1Ransomware 0 admins 1
Ransomware 0 admins 1
 
DecSecOps in 10 minutes
DecSecOps in 10 minutesDecSecOps in 10 minutes
DecSecOps in 10 minutes
 
DevSecOps in 10 minutes
DevSecOps in 10 minutesDevSecOps in 10 minutes
DevSecOps in 10 minutes
 
Infrastructure Saturday - Level Up to DevSecOps
Infrastructure Saturday - Level Up to DevSecOpsInfrastructure Saturday - Level Up to DevSecOps
Infrastructure Saturday - Level Up to DevSecOps
 
Dev Breakfast: Level up to DevSecOps
Dev Breakfast: Level up to DevSecOpsDev Breakfast: Level up to DevSecOps
Dev Breakfast: Level up to DevSecOps
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
 
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data CentreGlobal Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
Global Azure Bootcamp 2016 - Azure Automation Invades Your Data Centre
 
Enabling Enterprise Mobility
Enabling Enterprise MobilityEnabling Enterprise Mobility
Enabling Enterprise Mobility
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate ServicesInfrastructure Saturday 2011 - Understanding PKI and Certificate Services
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
 
DirectAccess, do’s and don’ts
DirectAccess, do’s and don’tsDirectAccess, do’s and don’ts
DirectAccess, do’s and don’ts
 

Kürzlich hochgeladen

Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 

Kürzlich hochgeladen (20)

Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 

Lateral Movement with PowerShell

  • 1. POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY
  • 2. WHO AM I • Kieran Jacobsen • Technical Lead @ Readify • Blog: poshsecurity.com
  • 3. OUTLINE • PowerShell as an attack platform • PowerShell malware • PowerShell Remoting • PowerShell security features • Defence
  • 4. CHALLENGE • Within a “corporate like” environment • Start with an infected workstation and move to a domain controller • Where possible use only PowerShell code
  • 5. POWERSHELL AS AN ATTACK PLATFORM • Obvious development, integration and execution options • Installed by default since Windows Vista • PowerShell still considered harmless by the majority of AV vendors
  • 7. MY POWERSHELL MALWARE • Single Script – SystemInformation.ps1 • Runs as a schedule task – “WindowsUpdate” • Collects system information • Reports back to C2 infrastructure • Collects list of tasks to run
  • 9. POWERSHELL REMOTING • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Simple security model • Required for the Windows Server Manager • Enabled by default • Allowed through Windows Firewall
  • 11. POWERSHELL SECURITY FEATURES • Administrative rights • UAC • Code Signing • File source identification (zone.identifier) • PowerShell Execution Policy
  • 12. EXECUTION POLICY There are 6 states for the execution policy • Unrestricted • Remote Signed • All Signed • Restricted • Undefined (Default) • Bypass
  • 13. • Simply ask PowerShell • Switch the files zone.idenfier back to local • Read the script in and then execute it • Encode the script and use BYPASSING EXECUTION POLICY
  • 15. DEFENCE • Restricted/Constrained Endpoints • Control/limit access to WinRM
  • 16. LINKS • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerWorm Analysis: http://j.mp/RzgsHb • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy

Hinweis der Redaktion

  1. Welcome to PowerShell Shenanigans, or more appropriately named, lateral movement with PowerShell.
  2. So just to quickly introduce myself to you all. My name is Kieran Jacobsen, I just moved down to Melbourne from Brisbane to take up a role as a Technical Lead with Readify. Previous to this, my background was in managaged services and financial services providers where I worked in roles ranging from sys admin to solution architecture responsibilities. I have presented at several conferences and run the poshsecurity.com blog where I cover PowerShell, automation, security and architecture.
  3. So what will I be covering tonight? I will be starting with a discussion of PowerShell as an attack platform, look at some real world malware examples, discuss PowerShell Remoting, take a look at how Microsoft secures PowerShell, how we can bypass those defences and finally, how we can defend against some of the things we have seen.
  4. To see how PowerShell can be put to mischievous use, I am going to run through a simple real world example. This example is based upon a simple hacker challenge that I was given by a friend a few years ago. We have a corporate environment, with a workstation, a domain controller and a firewall, an attacker will convince an end user to open a malicious excel document, and from there, escalates privilege, takes over a domain controller and finally, extracts the password hashes from the active directory database. This corporate like environment contains many of the mistakes that you will find in any other corporate environment. Group policy has never been fully utilised, only the default policies are in place, users thankfully have UAC enabled, but they are still local administrators. We also have another common mistake, a management service which runs as a active directory user, and unfortunately, its domain admin. Before you laugh, this is a disturbingly common thing to happen. As with a lot of new environments, Windows Defender is protecting us all. The firewall is something to note, it only allows HTTP and HTTPS out, and DNS from the domain controller. The rest of its config are the defaults. One last challenge has been thrown in. Use PowerShell where possible.
  5. There are a number of incredibly obvious reasons why PowerShell makes an excellent attack platform. Code is easy to develop, modify and retarget attacks based upon changing situations. PowerShell is deeply integrated with Windows, with integration points through out the Microsoft product stack. This integration allows our malicious code to integrate with a significant portion of our corporate environment. Next, look at execution, Microsoft has developed to PowerShell as a platform to automate management tasks across an enterprise environment. The ability to run code remotely on any number of machines for system administration also gives us the ability to execute malicious code on any number of machines on your network. I hate to say it, but PowerShell has been a system default since, dear I say it, Windows Vista. PowerShell is now probably more prevalent in our enterprise environments than Java and Adobe Acrobat reader and flash, products long abused by malicious actors. If powershell is there with such a prevalence, why wouldn’t an attacker use it? What about our AV? Maybe they can protect us, well, the answer is they really don’t check for malicious PowerShell code. They are aware of a couple of malicious scripts, but they really haven’t started looking at the code like they have previously with VBScript. Symantec has stated to detect parts of the PowerSploit toolkit, but only when it is saved to the file system.
  6. I first presented on the use of PowerShell as an attack platform back in 2012, and even when I revisited this earlier last year, there hadn’t been any real world examples. Things have changed in the past 12 months. There are two notable cases, PowerWorm, and PoshCoder. Towards the end of March, TrendMicro posted up information about some PowerShell code they had discovered. It was a trivially simple worm, which just infecting Word and Excel documents. Trend didn’t post much more than that, however Matt Graber who is the lead developer of PowerSploit, managed to get a copy of the code, and has performed an amazing analysis of the code and has also rewritten portions of the code and made them available. There is a link at the end to his write up. A few weeks after the write up by Matt, there were a number of posts on BleepingComputer.com discussing a piece of code called Poshcoder. Looking at the thread, there was a number of things that sent up interesting flags. Firstly, it appeared the developer or the maintainer of the code was posting along side the victims, which is certainly something you don’t expect to see. Secondly, there were a number of elements similar to PowerWorm, including a Word and Excel propagation method. Next, PoshCoder performs a CryptoLocker style attack, encrypting user files and extorting a bitcoin out of the users if they want to see their files back. Unfortunately, whilst the worm continues to propagate, the server where their keys should be is down, so their files are gone. Finally, and this is the important bit, everything is done in PowerShell. PowerShell malware is a very real threat. Whilst right now, the recorded instances are pretty harmless, they are becoming more dangerous.
  7. So I made a little script, I suppose it could be called malware, which will run on a system and allow you to have remote control over the system. If I have time, I will show you, but I am not going to go into specifics today as the code will be put up onto GitHub for you to take a look. The script is cleverly called SystemInformation.ps1, in the hope users and administrators don’t work out what it is. The script will be setup to run as a scheduled task, running as local system, every 5 minutes. There is a number of different ways we could manage to set this up, in the demo it will be occurring through an Excel macro, however you could use almost anything, as long as the script is downloaded, and the task is created. When the script executes, it will do a few things. Firstly, it will collect system information and some poorly secured credentials, it also connects to the command and control infrastructure and downloads a list of tasks to execute. Tasks can be any valid PowerShell expression, a PowerShell expression, an executable, as long as it is a valid expression. Tasks, if successfully executed will only be run once, they can also be limited to executing on a single PC.
  8. So there have been some interesting changes in terms of security with the introduction of Windows PowerShell Remoting, and WinRM. PowerShell remoting allows us to remotely execute PowerShell code on one or more remote systems, based upon the WinRM or Windows Remote Management Interface. WinRM is based upon the WS-Management protocol. Remoting gives administrators a number of execution options, firstly, a large number of powershell commands have been extended to allow for their execution against remote devices directly. Next administrators can also run a powershell script block remotely, in an experience much like rexec or using ssh to run a remote command. Finally, administrators could start a remote session, much like connecting into a full blown ssh session. Security for WinRM is governed by two things, firstly, clients can only connect to devices they trust, which can be manually configured in workgroups, or in domain joined environments, clients trust everything. User’s need the appropriate credentials, typically local admin. Finally there are some authentication protocol specifications, but they typically aren’t a huge issue. Now for the kicker of it all. Windows Server 2012, and 2012R2 introduces a new unified Windows Server Manager, trumpeted by Microsoft as an advancement of server administration, it introduces a critical flaw. Server Manager uses PowerShell and PowerShell Remoting. Microsoft made the wonderfully helpful decision to setup, configure WinRM for you, by default when you install Windows Server 2012 R1 and R2. That’s right, on by default. After years of them telling us, pretty much yelling off by default, something is now on by default. It gets worse folks, the windows firewall permits the incoming connections on all network profiles, even public!
  9. So what security features exist in PowerShell? Well things start with the typical Windows security design pattern. Administrative rights and UAC will govern what we can and cannot do. If we needed admin rights to right to that file or registry key, or if we needed specific active directory permissions, the same will go when we run under PowerShell. We are all aware of signing executables and Authenticode, and we can extend this to signing our scripts, CMDLets and modules. This will only allow us to validate the integrity of the these files, and the identity of those who wrote the code. If a script is signed and comes from an untrusted source, you will receive an error and it will not execute. If you try to run that script and it has been modified, the same thing will occur. Unfortunately, all the usual vulnerabilities in Windows, Authenticode, Certificates and Certificate Authorities reduce the effectiveness of these controls. I really do hope that Microsoft shows some leadership and comes up with some solutions in this space. PowerShell does have one interesting security feature, something that was picked up from Internet Explorer. PowerShell will look at the NTFS zone.identifier alternate data stream to determine the source for a script or module . This allows PowerShell to make some interesting decisions about if a script should be executed, dependant upon where it came from and leads into the next feature, the Execution Policy. The PowerShell execution policy combines the code signing support, and the zone identification information to allow an administrator to control what scripts execute. Whilst it is a common assumption that the execution policy is Microsoft’s attempt to prevent malicious code, it actually more like the safety on a loaded gun. The execution policy is there to ensure you and your users that you don’t shoot yourself in the foot. There are a number of different states to this policy, and we can control the policy at a process, user and computer level. Let’s take a quick look at the execution policy.
  10. So the execution policy consists of 6 different levels. The first is unrestricted, this is our least secure state, or as I like to call it, free for all mode. Any script, no matter where it came from. Next is remote signed, now we are becoming a bit more restrictive. If a script comes from the local pc, then we will execute it, however, a script from the internet must be signed by a trusted certificate for it to be executed. The third is all signed. With all signed, no script, no matter where it is from will be allowed to be executed, unless it has been signed by a trusted certificate. Restricted in the most, well, restrictive state. In restricted, no script, not matter where it is from, is allowed to executed, none, nothing. There are two special states, undefined, which is the policy if none has been set, this actually defaults to the restricted policy, and finally bypass, which is primarily used when calling PowerShell scripts from applications, in bypass the policy processer is, well, bypassed. This turns off a number of So, you are probably thinking, well this looks like decent security…what if I told you, I can get a script to run, no matter the execution policy specified?
  11. So how do we bypass the policy? Well according to some sources, there are 15 different ways, these can be simplified down to 5 ways which I recommend. The first way, is to ask PowerShell to use a different execution policy for a specific powershell.exe process. Next, if we can remove the zone identifier from the file in question, PowerShell includes a friendly CMDLet to do that one as well. Another effective method, read in the file and then read it in. There are a bunch of effective ways of thing this, reading the script and piping it into powershell.exe, downloading the file, etc. A surprising method is to encode the script to base64 and then use the –encodedcommand parameter. The best thing with this one, it also bypasses the execution policy! I am going to say this. Whilst administrators are probably setting one of these levels for their workstations, they probably are not doing this on their servers. Pretty much ever server I come across, will have the policy of unrestricted. I would almost bet that there is one in everyone's windows server environment.
  12. So how do we protect our environments from malicious actors? What defences against the dark arts exist? Defence has to be one of the more interesting challenges, and can create debate the likes of which I haven’t seen since watching debates over which was better, EMACS or VIM. The most effective method to restrict lateral movement and control who does what with PowerShell is the use of what is called Restricted or Constrained Endpoints. Simply put, we are creating a limited PowerShell session where we can only execute a limited number of commands. A great example of would be to create an endpoint where we can only run simple get CMDLets and ping. If an attacker were to gain access to this, we might effectively limit what an attacker could do, but you need to remember, those limiters could impact you and your fellow developers and administrators. Developing restricted endpoints can take a significant amount of time and effort, but the rewards can be significant. On the WinRM front, there are a number of ways we can control which systems are allowed to connect to it. Lets start with the simple. If you do not need WinRM, then turn it off. Remote Desktop is disabled on all systems by default and we wouldn’t turn it on unless we needed it, this goes for a bunch of other services and features. If you are not remotely managing systems with WinRM, then turn it off. If you do need it, then there are three recommendations I have for you. Firstly, you can configure WinRM to only respond to connections from a specific IP address or subnet, this is your first layer of defence. Secondly, setup the Windows Firewall to limit connections to these same subnets. Finally, configure your network segmentation to control access to WinRM as well. A multi layered approach will ensure that there is sufficient safeguards in place in case we have a misconfiguration. One thing to point out, there are a significant number of environments with WinRM using HTTP and not HTTPS. Please ensure that you use HTTPS. This is the sort of management traffic that shouldn’t be going over plain text. Lastly, Application Whitelisting is another good defence against any malicious code, I cannot emphasise the value of whitelisting.