BSides Tampa
TRANSCRIPT
About Me
• Octavio / @oaktree__
• Washington DC
• Penetration tester working for Oaktree Security
• “Woodworker”
What I hope you take away
• Excite you to learn more about PowerShell and encourage you to go out and learn more.
• Utilize PowerShell no matter what your role is.
• Upgrade and monitor PowerShell usage in your environment.
If you are absolutely new to PowerShell
• Videos
◦ https://www.youtube.com/watch?v=4X_uBL2YpmA
◦ https://www.youtube.com/watch?v=3vJvkANKVWA
• Books
◦ PowerShell in a Month of Lunches
◦ Windows PowerShell Programming for the Absolute Beginner
Overview
• Demo how PS can be used to attack
◦ PowerView and Invoke-Mimikatz
• Methods to detect PS activity
• Methods to limit PS activity
◦ Constrained Language Mode
◦ AppLocker
◦ NetCease
• Valuable references
What is PowerShell
• Object-oriented programming language for Windows
• Uses cmdlets structured as verb-noun
◦ Get-Help
◦ Get-Command
◦ Invoke-Command
PowerView & Invoke-Mimikatz
• PowerView is for reconnaissance
◦ Written by Will Schroeder (harmj0y)
◦ Power to domain users
• Mimikatz steals passwords
https://github.com/HarmJ0y/CheatSheets/blob/master/PowerView.pdf
List of Commands used on oaktreelab 1
Start PowerShell with execution policy set to bypass
◦ powershell.exe -exec bypass
Import the PowerView module
◦ Import-Module .\powerview.ps1
Identify all groups with the word admin in the name
◦ Get-NetGroup -GroupName "*admin*"
Get members of the Domain Admins group
◦ Get-NetGroupMember -GroupName "Domain Admins"
List of Commands used on oaktreelab 1 (cont.)
Determine where user oaktree_dadm is located
◦ Invoke-UserHunter -UserName "oaktree_dadm"
Connect to oaktreelab03
◦ New-PSSession -ComputerName "oaktreelab03"
◦ Enter-PSSession -Id 1
Import Mimikatz
◦ Import-Module .\Invoke-Mimikatz.ps1
Run Mimikatz
◦ Invoke-Mimikatz
Addition from presentation: the regular user used has administrator privileges on the oaktreelab3 system. My original intention was to show how one could use PowerView to enumerate local groups as well.
PowerShell    Desktop OS    Server OS
Version 2     Windows 7     Windows 2008 R2
Version 3     Windows 8     Windows 2012
Version 4     Windows 8.1   Windows 2012 R2
Version 5     Windows 10    Windows 2016
Deep module logging
◦ Command ran: Add-Member -MemberType NoteProperty -Name memcpy -Value MyDelegateType -InputObject system.object
Transcription
• Saves all output to Windows event logs.
• Can do this with PS2 as well!
◦ Use the cmdlets Start-Transcript and Stop-Transcript
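The two logging features above (plus script block logging, which is what captures de-obfuscated code) can be switched on without Group Policy by writing the same registry values the policy settings use. The script below is an added example, not part of the talk or its demo: it enables module logging, script block logging and transcription on the local machine, then searches the PowerShell Operational log for script blocks (event ID 4104) that mention names from the demo. Note that transcripts are written as text files to the configured directory rather than to the event log; it is the 4103/4104 events that land in Microsoft-Windows-PowerShell/Operational. The transcript directory and the search terms are this example's own choices; it needs PowerShell 5 and an elevated prompt.

```powershell
# Added example (not from the talk): enable PowerShell audit logging via the
# policy registry values, then hunt the Operational log for script blocks of interest.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSAuditLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed path, pick your own

    # Module logging: pipeline execution details (event ID 4103) for every module ("*").
    $mod = Join-Path $policyRoot 'ModuleLogging'
    New-Item -Path $mod -Force | Out-Null
    New-Item -Path "$mod\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging: the code of every script block after de-obfuscation (event ID 4104).
    $sbl = Join-Path $policyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Transcription: every session's input and output as text files in $TranscriptDir.
    $tx = Join-Path $policyRoot 'Transcription'
    New-Item -Path $tx -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-ItemProperty -Path $tx -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tx -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tx -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Find-ScriptBlockOfInterest {
    param(
        # Names from the demo plus a common decoding call; extend for your environment.
        [string[]]$Terms = @('Invoke-Mimikatz', 'Invoke-UserHunter', 'FromBase64String'),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In a 4104 event, property index 2 is the ScriptBlockText field.
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = $Terms | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Matched = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Enable-PSAuditLogging
Find-ScriptBlockOfInterest | Format-Table -AutoSize
```

Logging only starts for sessions created after the values are written, so open a new PowerShell window before expecting 4104 events; the transcript directory should be write-only for users (or forwarded off-host), since an attacker with admin can otherwise edit or delete the evidence.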
Countermeasures, or how I could have made it harder for the attacker.
“Nobody made a greater mistake than he who did nothing because he could do only a little.” – Edmund Burke
Constrained Language Mode
• Constrained language mode removes support for .NET and Windows API calls and COM access.
• How to enable
◦ [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
• Confirm it is configured
◦ $ExecutionContext.SessionState.LanguageMode
• How to disable
◦ Remove-Item env:\__PSLockdownPolicy
◦ Through System Properties, Environment Variables.
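Checking the language mode tells you what the engine believes; the added example below (not from the talk) goes one step further and proves what the mode blocks by attempting a static .NET call and a COM object creation inside try/catch, reporting both alongside the value of __PSLockdownPolicy. Run it in a fresh session after setting the variable, because the engine reads __PSLockdownPolicy at start-up; it uses only core types so it executes in Constrained Language Mode itself.

```powershell
# Added example (not from the talk): verify Constrained Language Mode by
# reporting the mode and testing the operations it is supposed to refuse.
function Test-ConstrainedLanguage {
    $report = [pscustomobject]@{
        LanguageMode      = [string]$ExecutionContext.SessionState.LanguageMode
        LockdownPolicy    = $env:__PSLockdownPolicy      # $null when the variable is not set
        DotNetCallBlocked = $false
        ComObjectBlocked  = $false
    }

    # Static method calls on non-core .NET types (System.Math here) raise
    # "Method invocation is supported only on core types" in ConstrainedLanguage.
    try {
        [Math]::Sqrt(64) | Out-Null
    } catch {
        $report.DotNetCallBlocked = $true
    }

    # COM object creation is refused as well; -ErrorAction Stop makes it catchable.
    try {
        New-Object -ComObject WScript.Shell -ErrorAction Stop | Out-Null
    } catch {
        $report.ComObjectBlocked = $true
    }

    $report
}

Test-ConstrainedLanguage
```

In FullLanguage both "Blocked" fields come back $false; in ConstrainedLanguage both are $true. Two caveats worth keeping in mind: Remove-Item env:\__PSLockdownPolicy only clears the variable in the current process, the machine-level value survives until removed from System Properties, and any user who can edit machine environment variables can turn the mode off. On PowerShell 5, enforcing an AppLocker script rule set in allow mode puts unapproved scripts into Constrained Language Mode automatically, which is a more robust way to get the same effect.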
What is AppLocker
• Allows policies to be created based on:
◦ Executable rules
◦ Windows Installer rules
◦ Script rules
◦ Packaged app rules
Not all Windows 7 versions are created equal
https://technet.microsoft.com/en-us/library/dd759131(v=ws.11).aspx
Sample AppLocker rules (these rules are courtesy of Microsoft)
◦ Get-AppLockerFileInformation -Directory C:\trusted -FileType Script | New-AppLockerPolicy -RuleType Path -Xml
◦ Open secpol.msc, then Application Control Policies, AppLocker, Script Rules; right-click and select “Automatically Generate Rules”
◦ Allow all scripts for administrators
◦ Allow all scripts to be run from the Program Files folder
◦ Allow all scripts to be run from the Windows folder
Create a file in C:\trusted named math.ps1
◦ Contents of file: [math]::sqrt(64)
AppLocker implementation considerations
• Ensure whitelisted folders have appropriate permissions set
• If the attacker has admin, AppLocker is defeated.
• AppLocker evaluates deny rules first.
• Use the cmdlet Test-AppLockerPolicy to confirm rules
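The following is an added example, not the talk's own material or Microsoft's: it expresses the four sample rules above as AppLocker policy XML (a Script rule collection with path rules for C:\trusted, Administrators, Program Files and the Windows folder), applies the collection in audit-only mode so nothing is blocked while you evaluate it, and then uses Test-AppLockerPolicy to dry-run the decision for the math.ps1 file and for a constructed script placed outside the allow list. The rule names, the trusted folder and the probe file path are this example's choices; it needs an elevated prompt on an edition that includes AppLocker.

```powershell
# Added example (not from the talk): build, apply (audit only) and test an
# AppLocker script-rule policy matching the sample rules.
$trusted = 'C:\trusted'
New-Item -Path $trusted -ItemType Directory -Force | Out-Null
Set-Content -Path "$trusted\math.ps1" -Value '[math]::sqrt(64)'

# One allow rule per path. Every rule needs a unique GUID.
# Well-known SIDs: Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544.
function New-PathAllowRule([string]$Name, [string]$Path, [string]$Sid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AuditOnly records what would have been blocked (AppLocker event log) without enforcing.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathAllowRule 'Trusted scripts folder'          "$trusted\*"        'S-1-1-0')
$(New-PathAllowRule 'All scripts for administrators'  '*'                 'S-1-5-32-544')
$(New-PathAllowRule 'Scripts in Program Files'        '%PROGRAMFILES%\*'  'S-1-1-0')
$(New-PathAllowRule 'Scripts in Windows folder'       '%WINDIR%\*'        'S-1-1-0')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\script-policy.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker only audits or enforces while the Application Identity service runs.
# sc.exe is used because Set-Service cannot change this protected service on newer builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# -Merge keeps any existing EXE/DLL/MSI rule collections instead of replacing the whole policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Dry run: the trusted script should be Allowed for Everyone; a script dropped in a
# user-writable location should be Denied (there is no rule that allows it).
$probe = "$env:TEMP\unapproved.ps1"      # constructed test file for the dry run
Set-Content -Path $probe -Value 'Write-Output "outside the allow list"'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$trusted\math.ps1", $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run the same Test-AppLockerPolicy call with -User set to a member of Administrators and the probe flips to Allowed, which is the "if the attacker has admin, AppLocker is defeated" point in practice. The Windows-folder rule is also why the permissions consideration matters: %WINDIR% contains subfolders that standard users can write to (C:\Windows\Tasks and C:\Windows\Temp, for example), so a tighter policy adds deny rules for those paths, and because deny rules are evaluated first they win over the broad allow.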
Block powershell.exe
• powershell.exe is not the engine; it is a wrapper around the PowerShell DLL, and an attacker does not need powershell.exe to run PowerShell, so blocking the binary alone does not stop it.
• Search for ben0xa's talk: PowerShell Secrets and Tactics
Antimalware Scan Interface
• AMSI allows us to:
◦ evaluate code just prior to execution by the script host
◦ evaluate code after all the obfuscation has been stripped away
https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/
https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf
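Because AMSI depends on the script host, a registered antimalware provider and the right PowerShell version all being in place, it is worth verifying on a host rather than assuming it. The added example below (not from the talk) checks that amsi.dll is loaded into the current PowerShell process, counts the providers registered under the AMSI registry key, and then feeds Microsoft's documented, harmless "AMSI Test Sample" string through Invoke-Expression: when AMSI is working, the host refuses it with a "This script contains malicious content" error, which is the result we want to see. The string is assembled from two halves at run time only so that saving this script to disk does not itself trip the scanner on the file; the test string is the same one Microsoft documents for this purpose.

```powershell
# Added example (not from the talk): confirm that AMSI is inspecting
# PowerShell content on this host.
function Test-AmsiHealth {
    $report = [pscustomobject]@{
        PSVersion           = $PSVersionTable.PSVersion.ToString()
        AmsiDllLoaded       = $false
        ProvidersRegistered = 0
        TestStringBlocked   = $false
    }

    # The script host loads amsi.dll when AMSI is available (PowerShell 5 on Windows 10 / Server 2016).
    $loaded = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }
    $report.AmsiDllLoaded = [bool]$loaded

    # Antimalware engines register their AMSI provider CLSIDs under this key.
    $providers = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (Test-Path $providers) {
        $report.ProvidersRegistered = @(Get-ChildItem -Path $providers).Count
    }

    # Microsoft's harmless AMSI test string, joined at run time so this file is not flagged on disk.
    $marker = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # Evaluated as a quoted string literal: if AMSI lets it through it simply returns the text.
        Invoke-Expression "'$marker'" | Out-Null
    } catch {
        if ($_.Exception.Message -match 'malicious content') {
            $report.TestStringBlocked = $true
        }
    }

    $report
}

Test-AmsiHealth
```

A healthy host reports AmsiDllLoaded $true, at least one provider and TestStringBlocked $true; a block also shows up as a detection in the Windows Defender Operational log, which is a useful place to alert on in general, since real obfuscated payloads that AMSI catches are reported the same way.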
NetCease
• Written by Itai Grady; the goal of this script is to increase the security of the NetSessionEnum API (the call that session-enumeration tools such as Invoke-UserHunter rely on) by restricting who is allowed to call it.
https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
http://www.harmj0y.net/blog/category/penetesting/
https://adsecurity.org/?p=3299
05/03/2023
On the Shoulders of Giants
• @Ben0xA
• Carlos Perez @darkoperator
• Jared Haight @jaredhaight
• Sean Metcalf @pyrotek3
THANKS TO EVERYONE THAT INSPIRED US TO GET STARTED
On the Shoulders of Giants (cont.)
• Jared Atkinson @jaredcatkinson
• Matt Graeber @mattifestation
• Will Schroeder @harmj0y
On the Shoulders of Giants (cont.)
• Lee Holmes @lee_holmes
• Jessica Payne @jepayneMSFT
• @enigma0x3
• Casey Smith @subtee
• Chris Campbell @obscuresec
Questions/Comments
Slides available on my GitHub page
Octavio Paguaga
@oaktree__ (two underscores)