lateral movement with powershell
POWERSHELL SHENANIGANS
LATERAL MOVEMENT WITH POWERSHELL
KIERAN JACOBSEN
READIFY
WHO AM I
• Kieran Jacobsen
• Technical Lead @ Readify
• Blog: poshsecurity.com
OUTLINE
• PowerShell as an attack platform
• PowerShell malware
• PowerShell Remoting
• PowerShell security features
• Defence
CHALLENGE
• Within a “corporate like” environment
• Start with an infected workstation and move to a domain controller
• Where possible use only PowerShell code
POWERSHELL AS AN ATTACK PLATFORM
• Obvious development, integration and execution options
• Installed by default since Windows Vista
• PowerShell still considered harmless by the majority of AV vendors
POWERSHELL MALWARE
• PowerWorm
• PoshKoder/PoshCoder
MY POWERSHELL MALWARE
• Single script – SystemInformation.ps1
• Runs as a scheduled task – “WindowsUpdate”
• Collects system information
• Reports back to C2 infrastructure
• Collects list of tasks to run
DEMO: THE ENTRY
POWERSHELL REMOTING
• PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
• Supports execution in 3 ways:
  • Remote enabled commands
  • Remotely executed script blocks
  • Remote sessions
• Simple security model
• Required for Windows Server Manager
• Enabled by default
• Allowed through Windows Firewall
DEMO: THE DC
POWERSHELL SECURITY FEATURES
• Administrative rights
• UAC
• Code Signing
• File source identification (zone.identifier)
• PowerShell Execution Policy
EXECUTION POLICY
There are 6 states for the execution policy:
• Unrestricted
• Remote Signed
• All Signed
• Restricted
• Undefined (Default)
• Bypass
BYPASSING EXECUTION POLICY
• Simply ask PowerShell
• Switch the file’s zone.identifier back to local
• Read the script in and then execute it
• Encode the script and use
DEMO: THE HASHES
DEFENCE
• Restricted/Constrained Endpoints
• Control/limit access to WinRM
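Both defence points in one script, as an added example that is not from the talk or the author’s GitHub code: it registers a constrained (NoLanguage, allow-listed) remoting endpoint and scopes the WinRM firewall rules to a management host. Assumes Windows PowerShell 5.1 on a domain member with the NetSecurity module; the group CONTOSO\ServerOperators, the endpoint name ConstrainedOps and the address 10.0.10.5 are placeholders.

```powershell
# Added example, not part of the talk: a constrained PowerShell Remoting
# endpoint plus network-level limits on WinRM. Run elevated on the server
# being protected. Assumes Windows PowerShell 5.1 and the NetSecurity
# module. 'CONTOSO\ServerOperators', 'ConstrainedOps' and 10.0.10.5 are
# placeholders for your operator group, endpoint name and management host.

$endpointName   = 'ConstrainedOps'
$operatorsGroup = 'CONTOSO\ServerOperators'
$managementHost = '10.0.10.5'
$configPath     = Join-Path $env:TEMP "$endpointName.pssc"

# 1. Describe the endpoint: NoLanguage mode (no script blocks, variables or
#    operators), a short cmdlet allow-list, a virtual account so the caller's
#    credentials are never cached on this host, and forced transcription.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog' `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\PSTranscripts'

if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file failed validation: $configPath"
}

# 2. Register the endpoint and let only Administrators and the operator
#    group connect to it. The group name is translated to a SID for the SDDL.
$account  = New-Object System.Security.Principal.NTAccount($operatorsGroup)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl     = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$groupSid)"

Register-PSSessionConfiguration -Name $endpointName -Path $configPath -Force | Out-Null
Set-PSSessionConfiguration -Name $endpointName -SecurityDescriptorSddl $sddl -Force

# 3. Limit who can reach WinRM at all: scope the built-in firewall rules to
#    the management host instead of leaving them open to any source address.
Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $managementHost

# 4. Show what was configured. Operators then connect with:
#    Enter-PSSession -ComputerName <server> -ConfigurationName ConstrainedOps
Get-PSSessionConfiguration -Name $endpointName | Select-Object Name, Permission
```

The unconstrained Microsoft.PowerShell endpoint is left in place because Server Manager depends on it; the firewall scoping and its SDDL are what limit who can reach it.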
LINKS
• Code on GitHub: http://j.mp/1i33Zrk
• QuarksPWDump: http://j.mp/1kF30e9
• PowerWorm Analysis: http://j.mp/RzgsHb
• Microsoft PowerShell/Security Series:
  • http://j.mp/OOyftt
  • http://j.mp/1eDYvA4
  • http://j.mp/1kF3z7T
  • http://j.mp/NhSC0X
  • http://j.mp/NhSEpy
Q AND A
@kjacobsen
Poshsecurity.com