This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network. A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY

1. GET-HELP
An intro to PowerShell and how to use it for evil

2. PS C:>WHOAMI
 Jared Haight
 Security Engineer with the CLT team at Gotham Digital Science
 Former Sysadmin
 Hobbyist Developer
 Corgi Enthusiast
 @jaredhaight

3. WHY AREWE HERE?
 I think PowerShell is pretty awesome
 I want you to think PowerShell is pretty awesome
 I’m going to give you a bunch of reasons that PowerShell is pretty
awesome

5. WHY SHOULDYOU CARE
ABOUT POWERSHELL
Or “How I justified this talk to BSides Charleston”

6. REDTEAMS
 PowerShell is what the admins use to manage their infrastructure
 Microsoft is pushing more and more tasks into PowerShell
 Standard onWindows 7 and up
 Robust, object oriented scripting language with access to a wide range of
things on the computer
 Access to entire .NET andWMI frameworks
 Lots of very interesting offensive projects going on
 BlueTeams aren’t typically looking for it

7. BLUETEAMS
 It’s what the bad guys are using.. like.. real ones.
 There’s some really cool DFIR stuff going on with Powershell

8. WHAT DO I NEED TO KNOW
TO USE POWERSHELL?
Scripting for people whose idea of server administration is next > next > finish

9. VOCABULARY
 String – Any combination of letters and numbers that are surrounded by
quotation marks (single or double). Used for printing stuff.
 Example: “a”, “abc”, “abc123”, “123”
 Integer – A number without quotes. Used for math.
 Example: 1, 2, 3, 5
 Boolean –True or False, represented in PS as $True or $False
 Variable – A reference to a value that can be assigned over the course of a
script/program. Declared in PowerShell with as $[word], ex: $foo

10. OBJECTS
 An object is a type of “something”.
 As an object of a specific type, it inherits properties and methods related to
it’s object type
 Properties – Information about the object
 Methods – Code that interacts with the object
 For example, strings have properties for length and methods to change the
case of their letters.

11. ARRAYS
 A list of objects separated by commas
 Example: “one”,”two”,”three”
 You can access specific items in the array by using index numbers
 Index starts at zero

12. CMDLETS
 Primary way of getting things done in PowerShell
 Always in a “verb-noun” format
 Examples
 write-host – print something to screen
 get-process – get running processes
 set-clipboard – copy something to clipboard
 get-eventlog – get contents of eventlog

13. POWERSHELL SPECIFICS
 Most everything is tab completable
 Cmdlets
 Parameters
 ParameterValues
 PowerShell ISE
 “Integrated Scripting Editor” installed by default with PowerShell
 IncludesVisual Studio like auto-completion (intellisense)
 Sidebar featuring all available cmdlets

14. POWERSHELL ISE

15. BUNNY BREAK

16. MAKING STUFF DO STUFF

17. FOR LOOPS
Code
1 $list = "one", "two", "three"
2 forEach ($item in $list)
3 {
4 write-host * $item
5 }
Output
* one
* two
* three

18. FOR LOOPS – PRACTICAL EXAMPLE CODE
1 $dirs = Get-ChildItem C:
2 forEach ($dir in $dirs)
3 {
4 write-host $dir.FullName
5 write-host "-----”
6 $acl = $dir.GetAccessControl()
7 write-host $acl.AccessToString
8 write-host
9 }

19. FOR LOOPS – PRACTICAL EXAMPLE OUTPUT
[...]
C:repos
-----
BUILTINAdministrators Allow FullControl
NT AUTHORITYSYSTEM Allow FullControl
BUILTINUsers Allow ReadAndExecute, Synchronize
NT AUTHORITYAuthenticated Users Allow Modify,
Synchronize
NT AUTHORITYAuthenticated Users Allow -536805376
C:Sandbox
-----
NT AUTHORITYAuthenticated Users Allow FullControl
Everyone Allow FullControl
[...]

20. LOGIC
 Logic in programming amounts to “if foo is true, do bar”
 You can compare things in PowerShell with:
 -lt – Less than
 -le – Less than or equal to
 -eq – Equal to
 -ne – Not equal to
 -ge – Greater than or equal to
 -gt – Greater than

21. LOGIC – IF/ELSE STATEMENTS
1 $nums = 1,2,3,4,5,6,7,8,9,10
2 forEach ($num in $nums)
3 {
4 if ($num -eq 4)
5 {
6 write-host $num is four.
7 }
8 else
9 {
10 write-host $num is not four.
11 }
12 }
Output
1 is not four.
2 is not four.
3 is not four.
4 is four.
5 is not four.
6 is not four.
7 is not four.
8 is not four.
9 is not four.
10 is not four.
Code

22. LOGIC –WHILE LOOPS
Code
1 $i = 1
2 while ($i -le 4)
3 {
4 write-host $i
5 $i = $i + 1
6 }
Output
1
2
3
4

23. FIGURING STUFF OUT
 Get-Command [Search term]
 Example: get-command “*clipboard”
 Get-Help “Command”
 It gets help.
 Example: get-help write-host
 Example: get-help write-host –examples
 Get-Member
 Pipe an object to it to find out the objects properties and methods
 Example $dir | get-member

24. GET-MEMBER OUTPUT
PS C:> $dir | Get-Member
TypeName: System.IO.FileInfo
Name MemberType
---- ---------- ----------
Mode CodeProperty System.String Mode{get=Mode;}
AppendText Method System.IO.StreamWriter[...]
CopyTo Method System.IO.FileInfo[...]
Create Method System.IO.FileStream Create()
CreateObjRef Method System.Runtime.Remoting[...]
CreateText Method System.IO.StreamWriter[...]
Decrypt Method void Decrypt()
Delete Method void Delete()
[...]

25. BUNNY BREAK

26. PUTTING IT ALL TOGETHER

27. PUTTING IT ALLTOGETHER
1 1 $dirs = Get-ChildItem C:
2 ForEach ($dir in $dirs)
3 {
4 $i = 0
5 $acl = $dir.GetAccessControl()
6 while ($acl.Access[$i] -ne $Null)
[...]

28. PUTTING IT ALLTOGETHER (BREAK DOWN)
[...]
9 $ace = $acl.Access[$i]
10 if ($ace.IdentityReference.Value.contains("Everyone"))
11 {
12 write-host $dir.FullName
13 write-host "-----“
14 write-host $ace.IdentityReference.Value:
$ace.FileSystemRights.toString()
15 write-host
16 }
17 $i = $i + 1
[...]

29. 1 $dirs = Get-ChildItem C:
2 ForEach ($dir in $dirs)
3 {
4 $i = 0
5 $acl = $dir.GetAccessControl()
6 while ($acl.Access[$i] -ne $Null)
8 {
9 $ace = $acl.Access[$i]
10 if ($ace.IdentityReference.Value.contains("Everyone"))
11 {
12 write-host $dir.FullName
13 write-host "-----“
14 write-host $ace.IdentityReference.Value:
$ace.FileSystemRights.toString()
15 write-host
16 }
17 $i = $i + 1
18 }
19 }

30. PUTTING IT ALLTOGETHER (OUTPUT)
C:Sandbox
-----
Everyone : FullControl
C:Users
-----
Everyone : ReadAndExecute, Synchronize

31. DOING FUN STUFF WITH
POWERSHELL
I may have a strange definition of “fun”

32. REGISTRY FUN – REGISTRY AS A DRIVE
PS C:> cd HKCU:
PS HKCU:> cd .SOFTWARE
PS HKCU:SOFTWARE> dir Micro*
Hive: HKEY_CURRENT_USERSOFTWARE
Name Property
---- --------
Microsoft
Microsoft Corporation
Microsoft Studios

33. REGISTRY FUN – CREATING ENTRIES
# Does the key exist?
PS HKCU:SOFTWARE> test-path "BSidesCHS"
False
# Create key
PS HKCU:SOFTWARE> new-item "BSidesCHS"
Hive: HKEY_CURRENT_USERSOFTWARE
Name Property
---- --------
BSidesCHS
# Create item in key
PS HKCU:SOFTWARE> New-ItemProperty -path .BSidesCHS -Name Demo
-PropertyType String -Value "TextGoesHere"

34. REMOTE FUN
 Most (all?) cmdlets understand UNC paths
 test-path serversharetest.txt
 A lot of cmdlets support the –ComputerName parameter.
 stop-service spooler –ComputerName demo-dc01
 WinRM makes everything better
 Microsofts Remote Management service
 enter-pssession demo-dc01
 invoke-command –ComputerName demo-dc01 “{code}”

35. PUPPY BREAK

36. EVIL

37. WHAT CAN WE BREAK?
 There is a lot of really impressive work going into offensive PowerShell
frameworks.
 Recon
 Backdoors
 Shellcode
 Exfiltration
 Privesc
 Lots of very smart and devious people working on PowerShell frameworks
 Big focus on “in memory” attacks.
 Don’t touch the disk, don’t trip AV.

38. USING A FRAMEWORK
 Clone the repo
 Run “Import-Module $repo”

39. POWERSPLOIT
 https://github.com/PowerShellMafia/PowerSploit
 Modules
 AV Bypass
 Code Execution
 Exfiltration
 Mayhem
 Persistence
 Recon
 Script Modification

40. COOLTHINGS IN POWERSPLOIT
 Exfiltration
 Invoke-NinjaCopy – Copies a file from NTFS by reading the raw volume
and parsing NTFS structures
 Inoke-Mimikatz – Loads Mimikatz into memory and runs it. Doesn’t
touch disk when run against a remote computer.
 Get-GPPPassword – Browses Group Policy and finds passwords
 Code Execution
 Invoke-Shellcode – Inject shellcode into a specified process
 Mayhem
 Set-MasterBootRecord –Writes a string to the MBR
 Set-CriticalProcess - BSOD

41. VEIL POWERTOOLS
 https://github.com/PowerShellEmpire/PowerTools
 Part of the Empire Framework now
 Components
 PewPewPew – Run commands against a list of servers without touching
the HDD
 PowerBreach – Offers a variety of ways to trigger backdoor code
 PowerPick – Allows the execution of PS code without powershell.exe
 PowerUp – Assists with local escalation
 PowerView – Network awareness tool

42. COOL STUFF IN POWERTOOLS
 PowerView
 Invoke-StealthUserHunter – Finds Home Directory server and checks for active sessions
from specific users accounts
 Invoke-FindLocalAdminAccess – Finds machines that the current account has admins
rights on
 Get-ExploitableSystems – Cross references systems against common metasploit
payloads
 PowerBreach
 Invoke-DeadUserBackdoor –Triggers a payload if a given user account is deleted
 Invoke-EventLogBackdoor –Triggers a payload if a specific user fails an RDP login
 PewPewPew
 Invoke-MassCommand – Runs a given command against a bunch of servers
 Invoke-MassMimikatz – Runs mimikatz against all the things.

43. NISHANG
 https://github.com/samratashok/nishang
 Modules
 Backdoors
 Escalation
 Gather
 Pivot
 Scans
 Shells
 Client

44. COOLTHINGS ABOUT NISHANG
 Client
 Out-Word – Creates a word file (or infect an existing one) with a macro
that downloads and runs a PowerShell script
 Also see: Out-Excel, Out-HTA, Out-CHM, Out-Shortcut and Out-Java
 Backdoors
 DNS_Txt_Pwnage – A backdoor that receives commands through DNS
TXT queries
 Gupt-Backdoor – A backdoor that receives commands fromWLAN SSIDs
(without connecting)

45. .DESCRIPTION
Gupt looks for a specially crafted Wireless
Network Name/SSID from list of all available
networks. It matches first four characters of
each SSID with the parameter MagicString. On a
match, if the 5th character is a 'c', rest of the
SSID name is considered to be a command and
executed. If the 5th character is a 'u', rest of
the SSID is considered the id part of Google URL
Shortener and a script is downloaded and
executed in memory from the URL.

46. DEMO
Our demo gods, which art in conferences..

47. EMPIRE
A MagnumOpus of attacking with PowerShell

48. EMPIRE
 http://www.powershellempire.com/
 Pure PowerShell post-exploitation agent
 Cryptographically secure communications
 Flexible “phone-home” architecture
 Think Meterpreter, but native PowerShell
 Combines a lot of the modules present in other frameworks into an easy to
use reverse shell

49. USING EMPIRE
 Obtain a Linux server
 git clone https://github.com/powershellempire/empire && cd
empire/config && ./install.sh
 Setup listeners (HTTP/S endpoints) on the server
 Generate launchers (PowerShell code that runs on clients that makes
them phone home)
 Run launchers client side
 Receive shells

50. FURTHER INFO

51. BLUETEAMS
 PoshSecFramework (https://github.com/PoshSec/PoshSecFramework)
 PowerShell Console for Incident Response
 Invoke-IR (http://www.invoke-ir.com/)
 PowerForensics
 Uproot (IDS in Powershell)
 Kansa
 Information gathering and baseline

52. LEARNING MORE POWERSHELL
 MicrosoftVirtual Academy (https://mva.microsoft.com/)
 LearnWindows Powershell in a Month of Lunches (it’s a book)
 Google
 Get your hands dirty
 Spin up a lab and play
 Find stuff to Powershellify on the job

53. PEOPLETO FOLLOW
 @sixdub – PowerTools, Empire
 @harmj0y – PowerTools, Empire
 @enigma0x3 – Empire
 @mattifestation – PowerSploit
 @nikhil_mitt – Nishang
 @jaredcatkinson – Invoke-IR
 @ben0xa – PoshSecFramework

54. THE END

55. THE END
 Questions?
 @jaredhaight
 jhaight@gdssecurity.com
 Charlotte Hackers – http://www.charlottehackers.com
 Gotham Digital Science – http://www.gdssecurity.com