POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY.

Slides:

Advertisements

Similar presentations

Configuring Windows to run Dr.Web scanner remotely.

Advertisements

People do business. We make it work. T: E: Microsoft Windows Server 2003 End of Life – What do I do now? October.

Direct Access, Do’s and Don’ts

Building on the Foundation of Windows Vista: Introduction to Windows 7: Security and Management Dan Stolts IT Pro Evangelist Microsoft

Microsoft Windows Server 2008 Software Deployment Chris Rutherford EKU Technology: CEN/CET.

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Great people, great experience, great passion Administering SharePoint with Windows PowerShell Go Beyond the Management Shell with SharePoint and Windows.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Welcome Course 20410B Module 0: Introduction Audience

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Remote Desktop Services Remote Desktop Connection Remote Desktop Protocol Remote Assistance Remote Server Administration T0ols.

Section 2: Using Group Policy Management Tools Local vs. Domain Policies Editing Local Policies Managing Domain Policies Understanding Group Policy Refresh.

Microsoft ® Official Course Module XA Using Windows PowerShell ®

SharePoint 2010 Development Environment A Guide to Setup SharePoint 2010 Development Environment on Windows 7 Machine.

What! WINDOWS AZURE AND POWERSHELL POWERED MALWARE BY KIERAN JACOBSEN.

Appendix A Starting Out with Windows PowerShell™ 2.0.

CSAS 2009 Running Windows as a Non- Administrator or how I learned to love “User” By: Kasey Dennler.

CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+

Chapter 4 Initial Configuration Tasks. Understanding the Initial Configuration Tasks window Microsoft now provides a new feature, the Initial Configuration.

1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Support for Vista Unity 5.0(1)

PowerShell Shenanigans Lateral Movement with PowerShell

POWERSHELL SHENANIGANS KIERAN JACOBSEN HP ENTERPRISE SERVICES.

Remote Administration Remote Desktop Remote Desktop Gateway Remote Assistance Windows Remote Management Service Remote Server Administration Tools.

Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.

Troubleshooting Security Issues Lesson 6. Skills Matrix Technology SkillObjective Domain SkillDomain # Monitoring and Troubleshooting with Event Viewer.

Terminal Services Technical Overview Olav Tvedt TVEDT.info Microsoft Speaker Community

Module 5: Designing Security for Internal Networks.

Working with Users and Groups Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Introducing User Account Control Configure and troubleshoot.

Corey Hynes HynesITe, Inc Session Code: SRV317 Objectives Let you walk out of here, being able to run a script against an OU of computers, to make some.

CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.

Microsoft Windows 2008 Features and Functionality Guy Wilkin.

1 Windows 2008 Server Manager. 2 Server Manager Gives ability to perform effectively server administration without needing to launch a multitude of tools.

 It is Microsoft's new task-based command- line shell and scripting language designed especially for system administration.  It helps Information Technology.

Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.

Module 8 Implementing Security Using Group Policy.

Application Lifecycle Management - automated builds and testing for SharePoint projects Chris O’Brien SharePoint MVP OSP432.

Boris Ulík Technology Solutions Professional Microsoft Slovakia Microsoft ® System Center 2012: System Center Endpoint Protection 2012.

Windows Certification Paths OR MCSA Windows Server 2012 Installing and Configuring Windows Server 2012 Exam (20410) Administering Windows Server.

Microsoft Installing & Configuring Windows Server Exam Questions Answers Powered By:

Windows Enterprise Services.  Introductions  UNM Directory Services  RSAT  Organizational Units (OU)  Active Directory Groups  Naming Convention.

Malware attack hardening using Software Restriction Policies

Virtual Private Network Access for Remote Networks

Windows Azure and PowerShell powered malware By Kieran Jacobsen

Microsoft Azure Deployment Planning Services

Administration Tools Cluster.exe is a command line tool that you can use for scripting or remote administration through slow WAN links. Cluadmin.exe is.

Preparing for the Windows 8.1 MCSA

Lesson 6: Configuring Servers for Remote Management

Deploy and get started with Microsoft Advanced Threat Analytics

Exam In The First Attempt?

Modernize ConfigMgr OSD with Community Tools

Microsoft Azure Deployment Planning Services

Security Incident Response: Faster and Safer with PowerShell

1Y0-253 Exam Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

Microsoft Azure Deployment Planning Services

Lesson #8 MCTS Cert Guide Microsoft Windows 7, Configuring Chapter 8 Configuring Applications and Internet Explorer.

Universal SQL Installations Framework (Script review and Demo)

Windows PowerShell Remoting: Definitely NOT Just for Servers

Microsoft Ignite NZ October 2016 SKYCITY, Auckland.

Chapter 10: Supporting and Maintaining Desktop Applications

{ Security Technologies}

System Admin Best Practices for NAV 2013 R2

Mass Hunting and exploitation with powershell

Windows Remote Management

Windows without windows...

Microsoft 365 Business Technical Fundamentals Series

Preparing for the Windows 8.1 MCSA

Presentation transcript:

POWERSHELL SHENANIGANS LATERAL MOVEMENT WITH POWERSHELL KIERAN JACOBSEN READIFY

WHO AM I Kieran Jacobsen Technical Readify Blog: poshsecurity.com

OUTLINE PowerShell as an attack platform PowerShell malware PowerShell Remoting PowerShell security features Defence

CHALLENGE Within a “corporate like” environment Start with an infected workstation and move to a domain controller Where possible use only PowerShell code

POWERSHELL AS AN ATTACK PLATFORM Obvious development, integration and execution options Installed by default since Windows Vista PowerShell still considered harmless by the majority of AV vendors

POWERSHELL MALWARE PowerWorm PoshKoder/PoshCoder

MY POWERSHELL MALWARE Single Script – SystemInformation.ps1 Runs as a schedule task – “WindowsUpdate” Collects system information Reports back to C2 infrastructure Collects list of tasks to run

DEMO: THE ENTRY

POWERSHELL REMOTING PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation Supports execution in 3 ways: Remote enabled commands Remotely executed script blocks Remote sessions Simple security model Required for the Windows Server Manager Enabled by default Allowed through Windows Firewall

DEMO: THE DC

POWERSHELL SECURITY FEATURES Administrative rights UAC Code Signing File source identification (zone.identifier) PowerShell Execution Policy

EXECUTION POLICY There are 6 states for the execution policy Unrestricted Remote Signed All Signed Restricted Undefined (Default) Bypass

Simply ask PowerShell Switch the files zone.idenfier back to local Read the script in and then execute it Encode the script and use BYPASSING EXECUTION POLICY

DEMO: THE HASHES

DEFENCE Restricted/Constrained Endpoints Control/limit access to WinRM

LINKS Code on GitHub: QuarksPWDump: PowerWorm Analysis: Microsoft PowerShell/Security Series:

Q AND Poshsecurity.com