#Powershell - The enemy you are already losing the battle against

Powershell, and the attacks it is capable of is not a new concept. The number of publically available frameworks are growing exponentially. It's a trusted method of attack and one that is gaining more and more focus from those capable of leveraging its Power.

Why should you fear PowerShell leveraged attacks? Well, for a number of reasons:

  1. It's probably present on every single machine in your enterprise. 
  2. It's a native tool which is difficult to detect if used in an attack.
  3. It leaves very, very little in terms of forensic evidence on either endpoint, or if moving laterally across a network.
  4. Malware is already using it during attacks
  5. The namespaces it's capable of 'plugging' into are terrifying 

https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory(v=vs.110).aspx

There are probably 10 more reasons to worry about Powershell, these are just ones i'm familiar with. 

I first begun using PowerShell to perform very mundane tasks that should be automated such as the creation of user accounts, the deletion of user accounts etc. I then found out that Microsoft was releasing a version of Windows which was a command line with no GUI. This effectively means you can manage it via command line and subsequently remotely. This did exist before, but the functionality used in R2 was far greater than it was.


No. There is nobody here.


Server Core, the version which i begun to use in place of the full blown GUI version was easy, i was able to configure Windows RM using sconfig. I then begun to use Powershell in a way which made me understand just how powerful it was. I'm no script ninja, i am able to write scripts which help me do work in a faster, more agile way. 

Then i discovered this Get-wmiobject i realised was able to use WMI classes which as far as i remember was the single most dangerous thing i'd seen on a network, barring physical access to a comms room. Why? Well, WMI is essentially a remote management framework, you can do the worst thing possible on an endpoint - Execute code.  I hope this sufficiently conveys the capability of it?

Further to this, a lot of very smart people are already doing fantastic work in this place. In no order whatsoever. I would recommend following, and keeping an eye on their work very closely.

  • Matt Graeber - https://twitter.com/mattifestation
  • Will - https://twitter.com/harmj0y
  • Sean Metcalf - https://twitter.com/PyroTek3
  • Chris Campbell ( Great surname by the way ) https://twitter.com/obscuresec

Some of the frameworks currently undergoing contined development

  • http://www.powershellempire.com/
  • https://github.com/PowerShellMafia/PowerSploit
  • https://github.com/samratashok/nishang

Sean presented probably the most important talk on Active Directory attacks in a very long time and thankfully the ability to detect them at Blackhat 2015 - Slides here i have watched this video more times than i remember. The stats included from this are from the DBR 2015



'' Its way to easy to get someone to someone to click on a link '' Sean Metcalf 2015

If you need to defend against these kinds of attacks, the work done by Sean is available here.

Recommended reading

  • https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
  • https://mva.microsoft.com/en-US/training-courses/using-powershell-for-active-directory-8397
  • https://technet.microsoft.com/en-gb/library/cc995228.aspx

Some very public breaches have contained links to the potential usage of these tools if you still needed convincing.



The hackers behind the attack on infidelity website Ashley Madison alerted staff to the breach by setting their laptops to play AC/DC song 'Thunderstruck'.

The following is a code snippet available from Powershell Empire..

import base64
from lib.common import helpers

class Module:

def __init__(self, mainMenu, params=[]):

self.info = {
'Name': 'Invoke-Thunderstruck',

'Author': ['@obscuresec'],

'Description': ("Play's a hidden version of AC/DC's Thunderstruck video while "
"maxing out a computer's volume."),

'Background' : True,

'OutputExtension' : None,

'NeedsAdmin' : False,

'OpsecSafe' : False,

'MinPSVersion' : '2',

'Comments': [
'https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot'
]
}

It may be completely unrelated, but it's an interesting thought to link the two together...

Thanks to all those named above for the work they are doing in this area.