POWERSHELL SHENANIGANS: LATERAL MOVEMENT WITH POWERSHELL
Kieran Jacobsen, HP Enterprise Services
ABOUT: ME
• Kieran Jacobsen
• HP Enterprise Services – Engineer/Architect
• Microsoft/Automation/Security focus
• Twitter: @Kjacobsen
• Blog: aperturescience.su
OUTLINE
• PowerShell as an attack platform
• PowerShell malware
• PowerShell Remoting & WinRM
• PowerShell security, and bypassing that security
• Defence
CHALLENGE
• Move from a socially engineered workstation to a domain controller
• Where possible, use only PowerShell code
• Demo environment will be a “corporate like” environment
ADVANTAGES AS AN ATTACK PLATFORM
• Code is very easy to develop
• Installed by DEFAULT
• Windows integration
• Plenty of remote execution options
• Designed for automation against 1 – 10,000,000 devices
• Limited security model
• Antivirus products are no real concern/limitation
• Scripts can be easily hidden from administrators
REAL WORLD POWERSHELL MALWARE
• Prior to March 2014, only a few minor instances
• PowerWorm:
  • Infects Word and Excel documents; initial infection via a macro in a .doc/.xls
  • First spotted by Trend Micro; analysis and rewrite by Matt Graeber (@Mattifestation)
• PoshKoder/PoshCoder:
  • PowerWorm crossed with CryptoLocker
  • Bitcoin ransom
MY POWERSHELL MALWARE
• Single script – SystemInformation.ps1
• Runs as a scheduled task, every 5 minutes
• Script:
  • Collects system information and more
  • Connects to C2 infrastructure, downloads a task list and executes the tasks
  • Executes each task; if successful, that task will not be rerun
  • Tasks can be restricted to individual computers
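The persistence half of the slide above, as an added example that is not the talk's SystemInformation.ps1: how a script is registered to run as SYSTEM every five minutes, followed by the hunt a defender runs to surface tasks like it. The task name and script path are placeholders; the C2 polling logic is deliberately not reproduced.

```powershell
# Added example, not the talk's own malware. Task name and path are placeholders.
$TaskName   = 'SystemInformation'
$ScriptPath = 'C:\ProgramData\SystemInformation.ps1'
$Action     = "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`""

# schtasks.exe exists on every Windows version; /SC MINUTE /MO 5 = every five minutes,
# /RU SYSTEM = no stored password and no UAC prompt once you are an admin.
schtasks.exe /Create /F /RU SYSTEM /SC MINUTE /MO 5 /TN $TaskName /TR $Action

# --- Hunt: which scheduled tasks launch powershell.exe, and with what arguments? ---
function Find-PowerShellTask {
    # Uses the ScheduledTasks module (Windows 8 / Server 2012 and later).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute -match 'powershell' } | ForEach-Object {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                RunAs     = $task.Principal.UserId
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    }
}

# Flag the usual attacker tells in the argument string:
# policy bypass, hidden window, or an encoded command line.
Find-PowerShellTask |
    Where-Object { $_.Arguments -match '-(ExecutionPolicy\s+Bypass|WindowStyle\s+Hidden|Enc|EncodedCommand)' } |
    Format-Table -AutoSize

# Same hunt on older systems (Windows 7 / 2008 R2) via schtasks CSV output
schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'powershell' } |
    Select-Object TaskName, 'Run As User', 'Task To Run'
```

A task created this way survives reboots and runs whether or not anyone is logged on, which is why the hunt keys on the action's executable and arguments rather than on the task name, which the attacker chooses.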
DEMO: THE ENTRY
WINDOWS POWERSHELL REMOTING AND WINRM
• PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
• Supports execution in 3 ways:
  • Remote-enabled commands (cmdlets that take -ComputerName)
  • Remotely executed script blocks (Invoke-Command)
  • Remote sessions (New-PSSession / Enter-PSSession)
• Security model = trusted devices + user credentials
• WinRM is enabled by DEFAULT (on Windows Server 2012 and later; client Windows needs Enable-PSRemoting)
• WinRM is allowed through Windows Firewall on all network profiles!
• WinRM is required by Server Manager on Windows Server 2012 (R2)
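The three execution styles listed above, plus the local checks that show why the slide calls WinRM "enabled by default", as an added example that is not part of the original deck. The target host name and account are placeholders.

```powershell
# Added example, not from the slides. Target and credential are placeholders.
$Target = 'dc01.corp.example'           # assumption: a domain-joined Server 2012 R2 host
$Cred   = Get-Credential 'CORP\admin'   # the "user credentials" half of the security model

# 1. Remote-enabled command: cmdlets with -ComputerName. Get-CimInstance talks
#    WS-Man (WinRM) by default; the older Get-WmiObject uses DCOM instead.
Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Target |
    Select-Object CSName, Caption, LastBootUpTime

# 2. Remotely executed script block: the whole block runs on $Target and the
#    output comes back as deserialized objects.
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock {
    whoami
    Get-Process -Name lsass | Select-Object Id, Path
}

# 3. Remote session: one authenticated WinRM shell reused across many commands.
$s = New-PSSession -ComputerName $Target -Credential $Cred
Invoke-Command -Session $s -ScriptBlock { hostname }
Invoke-Command -Session $s -ScriptBlock { Get-EventLog -LogName Security -Newest 5 }
# Enter-PSSession -Session $s   # interactive prompt on the target; 'exit' returns
Remove-PSSession -Session $s

# --- Checks: is WinRM listening here, on what, and who can reach it? ---
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'" |
    Select-Object State, StartMode
winrm enumerate winrm/config/listener      # Transport, Port, ListeningOn per listener
Test-WSMan -ComputerName $Target           # unauthenticated identify probe: does it answer?
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object Direction -eq 'Inbound' |
    Select-Object Name, Enabled, Profile    # the Profile column is the slide's point
```

Test-WSMan succeeds without credentials, so it is the cheapest way to confirm a host is a remoting target before spending an authentication attempt that will land in its Security log.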
DEMO: THE DC
POWERSHELL SECURITY FEATURES
• Administrative rights
• UAC
• Code signing
• Local or remote source, determined by the Zone.Identifier alternate data stream
• PowerShell execution policy
EXECUTION POLICY
There are 6 states for the execution policy:
• Unrestricted – all scripts can run
• RemoteSigned – no unsigned scripts from the Internet can run
• AllSigned – no unsigned scripts can run
• Restricted – no scripts are allowed to run
• Undefined (default) – if no policy is defined at any scope, the effective policy is Restricted (RemoteSigned on Windows Server 2012 R2)
• Bypass – the policy processor is bypassed
BYPASSING EXECUTION POLICY
• Simply ask PowerShell: powershell.exe -ExecutionPolicy Unrestricted (or Bypass)
• Switch the file's Zone.Identifier back to local: Unblock-File yourscript.ps1
• Read the script in and then execute it with Invoke-Expression (may fail depending on the script)
• Encode the script and use -EncodedCommand: always works!!!!!
• Get/steal a code-signing certificate, sign the script, run the script
None of these need administrative rights; Microsoft itself documents the execution policy as a safety feature, not a security boundary.
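The checks and bypasses from the two slides above, as an added example not taken from the deck: inspect the policy at every scope, read the Zone.Identifier stream that marks a file as "from the Internet", then each bypass in turn, ending with the -EncodedCommand form and the decoder a defender uses on a logged command line. The script path is a placeholder.

```powershell
# Added example, not from the slides. $Script is a placeholder for a downloaded file.
$Script = 'C:\Temp\yourscript.ps1'   # assumption: saved from a browser, so it carries an ADS

# Effective policy is the first non-Undefined scope in this order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine
Get-ExecutionPolicy -List
Get-ExecutionPolicy                  # the single effective value

# "Remote source" detection: the Zone.Identifier stream; ZoneId=3 means Internet
Get-Content -Path $Script -Stream Zone.Identifier -ErrorAction SilentlyContinue
#   [ZoneTransfer]
#   ZoneId=3

# Bypass 1: a different policy for this process only (Process scope, no admin needed)
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Script

# Bypass 2: strip the ADS so RemoteSigned treats the file as local
Unblock-File -Path $Script
# equivalently: Remove-Item -Path $Script -Stream Zone.Identifier

# Bypass 3: the policy gates .ps1 files, not strings handed to Invoke-Expression.
# Scripts that depend on $PSScriptRoot or $MyInvocation.MyCommand.Path break here,
# which is the slide's "may fail depending on script".
Get-Content -Path $Script -Raw | Invoke-Expression

# Bypass 4: -EncodedCommand. The payload must be UTF-16LE before Base64,
# otherwise powershell.exe rejects it or decodes garbage.
$Cmd     = 'Write-Output "hello from $env:COMPUTERNAME"'
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Cmd))
powershell.exe -NoProfile -EncodedCommand $Encoded

# Defender side: decode an -EncodedCommand seen in a 4688 / Sysmon process-creation event
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}
ConvertFrom-EncodedCommand -Base64 $Encoded   # returns the original $Cmd text
```

The UTF-16LE step is the detail most often got wrong on both sides: an attacker encoding with UTF-8 gets a parse error, and a defender decoding with UTF-8 sees every other byte as a null.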
DEMO: THE HASHES
DEFENCE OF THE DARK ARTS
• Restricted/constrained endpoints (custom session configurations exposing only the cmdlets an operator needs)
• Change the WinRM listener (HTTPS only, non-default port, bound to a management address)
• Change Windows Firewall settings (limit profiles and source subnets)
• Turn off WinRM where remoting is not needed
• Application whitelisting
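The first four controls above as the commands an administrator would run on a Windows Server 2012 R2 host, as an added example that is not from the deck. The endpoint name, group, host name, address and port are placeholders; run elevated, and note that each step restarts or stops the WinRM service, so do it from a console session.

```powershell
# Added example, not from the slides. Names, group, addresses and port are placeholders.

# 1. Constrained endpoint: a session configuration that exposes three cmdlets,
#    runs in NoLanguage mode (no script blocks, no .NET calls), and is ACL'd to one group.
$CfgPath = "$env:TEMP\Ops.Restricted.pssc"
New-PSSessionConfigurationFile -Path $CfgPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service','Restart-Service','Get-EventLog' `
    -ModulesToImport Microsoft.PowerShell.Management

# Builtin Administrators get full control; CORP\ServerOps (assumed group) only Invoke+Read.
$Sid  = (New-Object System.Security.Principal.NTAccount('CORP','ServerOps')).
            Translate([System.Security.Principal.SecurityIdentifier]).Value
$Sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;$Sid)"
Register-PSSessionConfiguration -Name 'Ops.Restricted' -Path $CfgPath `
    -SecurityDescriptorSddl $Sddl -Force

# Close the default full-language endpoint so the constrained one is the only way in.
Disable-PSSessionConfiguration -Name microsoft.powershell -Force

# 2. Listener: remove the default HTTP listener on 5985 and keep a single HTTPS
#    listener on a non-default port, bound to the management interface only.
Remove-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
$Thumb = (Get-ChildItem Cert:\LocalMachine\My |
            Where-Object Subject -like '*srv01.corp.example*')[0].Thumbprint
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = 'IP:10.0.5.10'; Transport = 'HTTPS' } `
    -ValueSet  @{ Hostname = 'srv01.corp.example'; CertificateThumbprint = $Thumb; Port = '15986' }

# 3. Firewall: disable the built-in all-profile rules and allow only the
#    management subnet, on the Domain profile, to the new port.
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
New-NetFirewallRule -DisplayName 'WinRM HTTPS from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 15986 `
    -RemoteAddress 10.0.5.0/24 -Profile Domain -Action Allow

# 4. Where remoting is not needed at all: disable it and stop the service.
#    Disable-PSRemoting removes the endpoint ACLs but leaves WinRM running,
#    hence the two extra lines.
Disable-PSRemoting -Force
Stop-Service -Name WinRM
Set-Service -Name WinRM -StartupType Disabled
```

Verify the end state from another host with Test-WSMan against the old port (should fail) and the new one (should answer), then confirm that a CORP\ServerOps member connecting with -ConfigurationName Ops.Restricted sees only the three cmdlets in Get-Command.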
WINRM, NOT JUST AN INTERNAL ISSUE
By default, Microsoft Azure virtual machines expose a WinRM HTTPS listener (TCP 5986) to the Internet.
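A check for the exposure described above, as an added example that is not part of the deck. It uses the classic (Service Management) Azure PowerShell module that the VMs of the talk's era were created with, and assumes a subscription is already selected; the service and VM names, and the endpoint name 'PowerShell', are assumptions.

```powershell
# Added example, not from the slides. Assumes the classic Azure module and a selected subscription.
function Get-ExposedWinRMEndpoint {
    # Every public endpoint whose local (VM-side) port is WinRM HTTPS, 5986
    Get-AzureVM | ForEach-Object {
        $vm = $_
        Get-AzureEndpoint -VM $vm | Where-Object { $_.LocalPort -eq 5986 } | ForEach-Object {
            [pscustomobject]@{
                ServiceName = $vm.ServiceName
                VMName      = $vm.Name
                Endpoint    = $_.Name
                PublicPort  = $_.Port     # the port reachable from the Internet
                Vip         = $_.Vip
            }
        }
    }
}

Get-ExposedWinRMEndpoint | Format-Table -AutoSize

# Remediate one VM: remove the public endpoint (assumed name 'PowerShell') when the
# VM is managed over a VPN; otherwise restrict it with Set-AzureEndpoint -ACL instead.
Get-AzureVM -ServiceName 'svc-example' -Name 'vm01' |
    Remove-AzureEndpoint -Name 'PowerShell' |
    Update-AzureVM
```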
LINKS
• Twitter: @kjacobsen
• Blog: http://aperturescience.su
• Code on GitHub: http://j.mp/1i33Zrk
• Quarks PwDump: http://j.mp/1kF30e9
• PowerSploit: http://j.mp/1gJORtF
• PowerWorm analysis: http://j.mp/RzgsHb
• PowerBleed: http://j.mp/1jfyILK
MORE LINKS
• Microsoft PowerShell/Security series:
  • http://j.mp/OOyftt
  • http://j.mp/1eDYvA4
  • http://j.mp/1kF3z7T
  • http://j.mp/NhSC0X
  • http://j.mp/NhSEpy
• Practical Persistence in PowerShell: http://j.mp/1mU6fQq
• Bruteforcing WinRM with PowerShell: http://j.mp/1nBlwX2