PowerShell Security at DerbyCon

PowerShell Team

September 27th, 2016

Many people have commented over the past couple of years that they’d love to see a PowerShell Security conference. Well, that conference arrived: DerbyCon 2016.

DerbyCon is an incredible security conference, held in Louisville Kentucky each year. Despite the calibre of all that attend, the humbleness and approachability of everyone there is outstanding. Perhaps to a fault. It’s only after talking to somebody and looking them up on Twitter do you realize it’s THAT person, and openly wonder if asking for an autograph would have been too awkward.

It’s probably best to stop talking about how great of a conference is, given that registration filled up in 12 hours this year and it’d be nice to have a fighting chance to get in next year 🙂

As with system administrators, security professionals (pen testers, consultants, incident responders, and more) have quickly realized how amazing PowerShell is for automation. When security researchers leverage PowerShell, it is always in a “post-compromise” context. They have compromised a machine through some other avenue (phishing, SQL injection, etc.), and ultimately have the choice of any number of tools on the system. They were able to accomplish their goals before PowerShell, and will be able to accomplish their goals without PowerShell.

At some point, they decide that job satisfaction is important – and pass the IQ test by selecting PowerShell.

DerbyCon recorded almost all of the sessions this year (like every year), so I’d like to call out ones that had a strong PowerShell focus to them so you can enjoy what could easily be considered PowerShell Security Con 2016.

Keynote

Jeffrey Snover and Lee Holmes @jsnover , @Lee_Holmes

Vulnerability disclosure, cloudy clouds, and million-dollar shopping trips. This industry sucks. And is awesome. Our beloved security industry is a complicated beast. Companies are collaborating with researchers more now than they have ever, but it’s still easy to walk away feeling frustrated by an encounter with an otherwise seemingly responsive vendor. Microsoft’s Technical Fellow Jeffrey Snover and Security Architect Lee Holmes share their unique perspectives on this relationship and shed some light the corporate behaviors that might otherwise feel out of touch, and share their perspectives on getting on a solid path to more secure systems. This collaboration is making the world a safer place, however, and we now find ourselves at the cusp of another major industry shift. What does security look like in a world that’s becoming increasingly cloud-connected? With the vast majority of cloud capacity coming from two companies in Seattle, what chance do you possibly have to keep yourself secure? In addition to the torrid pace of change in our industry, there’s still a lot of regular ol’ security going on. New threats, new exploits, an ever changing attack surface. How do you keep YOUR companies secure in a world like this? It’s tempting to throw your hands up, get a money order for a million dollars, and just go shopping at RSA. That may eventually be part of the solution but it rarely the most effective path forward. So what is?

Thinking Purple Carlos Perez @carlos_perez

Breaking with the adversarial approach of Red vs Blue, look at how the current system and approaches may be broken in some organizations and provide recommendation not only for the mature organization with a large structure but also how small businesses can take a more purple strategy in the way they operate their teams including how they acquire pentest services. Presentation will cover an approach beyond the red and blue team and more of a organizational and strategic approach to change the paradigm of thinking and action to more symbiotic approach to security.

A Year in the Empire Will Schroeder, Matt Nelson @harmj0y, @enigma0x3

PowerShell is an ideal platform for building a new class of offensive toolsets and parties on both sides of the red and blue divide have begun to take notice. Driving some of this newfound awareness is the Empire project – a pure PowerShell post-exploitation agent that packages together the wealth of new and existing offensive PowerShell tech into a single weaponized framework. Since its release a year ago, the Empire project has garnered dozens of additional modules from the offensive community in addition to signatures and mitigations on the defensive side. This presentation will take you through the design considerations for Empire, the community contributions, its enhanced capabilities, its redesigned C2 system, and the new RESTful API. Welcome to the Empire.

PowerShell Secrets and Tactics Ben0xA @ben0xa

It used to be that most people were just starting to hear about PowerShell. Over the last 3 years, this has changed dramatically. We now see Offensive and Defensive PowerShell tools, exploits specifically leveraging PowerShell and WMI, and more organizations are starting to be intentional for detection and monitoring of PowerShell scripts and commands. With this visibility, it is becoming a game of cat and mouse to leverage and detect PowerShell. In this talk, I will highlight some secrets I use to ensure my PowerShell exploits are successful and some unique tactics which will bypass common defensive controls. I will also walk you through the creation of a custom PowerShell C# DLL which you can use to compromise your target. If you want to code with me, be sure to bring a laptop with Visual Studio 2013 or later installed.

No Easy Breach: Challenges and Lessons from an Epic Investigation Matthew Dunwoody, Nick Carr @matthewdunwoody, @itsreallynick

Every IR presents unique challenges. But – when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day ? the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.

Living Off the Land 2: A Minimalist’s Guide to Windows Defense Matt Graeber, Jared Atkinson @mattifestation, @jaredcatkinson

The “living off the land” philosophy, as applied to InfoSec, is the idea that one can thrive using mostly the tools present in a target environment in an effort to remain hidden from an adversary. While historically this philosophy has been applied to offense, it is equally applicable to defense. A capable defender, ideally, should introduce a minimal forensic footprint into an environment suspected to be compromised. Additionally, informed defenders should have an awareness of attacker objectives which includes performing reconnaissance against common security products, most of which consume a substantial OS fingerprint. This talk aims to introduce defenders to defensive capabilities built-in to all versions of Windows which are likely to leave adversaries in dark as to what defensive mechanisms are in place. Expensive defensive products are not always the solution when you’re already sitting on a goldmine of free, unexploited capabilities.

Attacking EvilCorp: Anatomy of a Corporate Hack Sean Metcalf & Will Schroeder @PyroTek3, @harmj0y

With the millions of dollars invested in defensive solutions, how are attackers still effective? Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries? And is there anything the underfunded admin can do to stop the carnage? Join us in a shift to “assume breach” and see how an attacker can easily move from a single machine compromise to a complete domain take over. Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts.” The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary. When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction? In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker.

Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs Eric Conrad @eric_conrad

A number of events are triggered in Windows environments during virtually every successful breach, these include: service creation events and errors, user creation events, extremely long command lines, compressed and base64 encoded PowerShell functions, and more. Microsoft has added a wealth of blue team tools to its operating systems, including native support of logging the full command line used to launch all processes, without requiring 3rd party tools (or Sysmon). KB3004375 adds this feature to Windows 7 and Server 2008R2. DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell.

SQL Server Hacking on Scale using PowerShell Scott Sutherland @_nullbind

This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.

Attackers Hunt Sysadmins – It’s time to fight back Lee Holmes @Lee_Holmes

What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what?s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It’s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure.

Attacking ADFS Endpoints with PowerShell Karl Fosaaen @kfosaaen

Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I’m seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We’ll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we’ll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test.

Introducing PowerShell into your Arsenal with PS>Attack Jared Haight @jaredhaight

PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, “Get-Attack” to act a search engine for attacks making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier.

The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us) Beau Bullock, Derek Banks, Joff Thyer @dafthack, @0xderuke, @joff_thyer

An Advanced Persistent Pentester is always willing to go the extra mile, working smarter, and harder to achieve success. An Advanced Persistent Pentester is always willing to go off script, creatively inventing new concepts, new tools, and techniques to get the job done. We all use automated tools and techniques to construct advanced malware which allows for expeditious entry, escalation, persistence and post exploitation during engagements. What happens when the standard tools, and techniques are just not good enough? This talk will examine several different escalation, lateral movement, and post exploitation case studies talking about the various creative approaches in solving problems along the way, capturing the flag(s), and pushing to the extremes of threat modeling the real world information security environment. It was reported that in 2015 it took an average of 146 days to detect an attacker. How can successfully mimic the impact of having that much time to pillage a network in less than a week?

Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’ Daniel Bohannon @danielhbohannon

The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs. We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments.

As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker. Next, I will introduce three new layers of obfuscation that can be applied to any PowerShell command. You can use each layer independently, or stack them together to prevent any one technique becoming an easy signature for defenders. The first layer directly manipulates PowerShell and .Net cmdlets, functions and arguments. The second string manipulation layer can then be applied to a single command or an entire script. Finally, I will demonstrate several techniques for content execution using PowerShell command input parameters that hide command line arguments from appearing for powershell.exe. Attempting to detect every possible obfuscated version of particular commands is not an efficient means of detection. Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging and rely primarily on command line logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will also highlight methods using C# within powershell.exe that enable the attacker to execute .Net functions without being recorded in PowerShell event logs. Attackers and popular frameworks like Metasploit, PowerSploit, and Empire use PowerShell’s remote download cradle to execute remote scripts on a target system entirely in memory.

This capability is typically used to avoid A/V and many application whitelisting products. I will give particular focus to the numerous ways within PowerShell, .Net, and native Windows applications that this remote download functionality can be accomplished without using .Net?s popular Net.WebClient class. I will also explore a half dozen functions that attackers can use to encode and decode PowerShell commands, including .Net?s SecureString functions. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms. These techniques are available as miniature plug-n-play versions to be easily added to existing PowerShell frameworks in an effort to promote more wide-scale adoption.

Lee Holmes [MSFT]