POWERSHELL SHENANIGANS KIERAN JACOBSEN HP ENTERPRISE SERVICES.

Presentation transcript:


WHAT IS POWERSHELL?
Developed by Microsoft in 2006
Cross between a shell script and C#
Replacement for VBScript
Significant number of commands (called cmdlets)
Runs on the .NET Framework

CHALLENGE
Move from a social-engineered workstation to the domain controller
Where possible, use only PowerShell code
Demo environment will be a "corporate-like" environment

ADVANTAGES AS AN ATTACK PLATFORM
Code is very easy to develop
Windows integration
Remote execution offerings
Often overlooked by AV
Easily hidden from administrators
Installed by DEFAULT

MY POWERSHELL MALWARE
Single script: SystemInformation.ps1
Runs as a scheduled task, every 5 minutes
Script: collects system information and more
Connects to C2 infrastructure, downloads a task list and executes the tasks
Executes each task; if successful, the task will not be rerun
Tasks can be restricted to individual computers
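As an added example that is not part of the talk, a defender's check for the persistence mechanism just described: a PowerShell function (hypothetically named Find-PowerShellScheduledTask) that lists scheduled tasks whose action launches PowerShell and flags those repeating at five-minute intervals or faster. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session so all tasks are visible.

```powershell
# Added example, not the talk's code: hunt for scheduled tasks that launch PowerShell
# on a short repetition interval, the pattern used by SystemInformation.ps1 above.
function Find-PowerShellScheduledTask {
    [CmdletBinding()]
    param(
        # Flag tasks whose repetition interval is at or below this value
        [timespan]$MaxInterval = [timespan]::FromMinutes(5)
    )

    foreach ($task in Get-ScheduledTask) {
        # Keep only tasks with at least one action that runs powershell.exe / pwsh.exe
        $psActions = @($task.Actions | Where-Object {
            $_.Execute -match '(?i)(powershell(_ise)?|pwsh)\.exe'
        })
        if ($psActions.Count -eq 0) { continue }

        $command = ($psActions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '

        # A task with no triggers still gets reported (it may be started on demand)
        $triggers = @($task.Triggers)
        if ($triggers.Count -eq 0) { $triggers = @($null) }

        foreach ($trigger in $triggers) {
            # Repetition.Interval is an ISO 8601 duration string such as "PT5M"
            $interval = $null
            if ($trigger -and $trigger.Repetition -and $trigger.Repetition.Interval) {
                $interval = [System.Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
            }
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Principal  = $task.Principal.UserId
                Command    = $command
                Interval   = $interval
                Suspicious = ($null -ne $interval -and $interval -le $MaxInterval)
            }
        }
    }
}

# Usage: show only PowerShell tasks that repeat every 5 minutes or faster
Find-PowerShellScheduledTask | Where-Object Suspicious | Format-Table -AutoSize
```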

DEMO: THE ENTRY

WINDOWS POWERSHELL REMOTING AND WINRM
PowerShell Remoting is based upon WinRM, Microsoft's WS-Management implementation
Supports execution in 3 ways:
Remote-enabled commands
Remotely executed script blocks
Remote sessions
Security model = trusted devices + user credentials
WinRM is required for Windows Server Manager

As requested, you can find the slide deck here, and the GitHub code is available here. If you take a look through my GitHub repositories, you will notice how much PowerShell code I normally write, and you can also see the previous version of the same code.
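The "trusted devices + user credentials" model above is only as strong as the local WinRM configuration. As an added example (not from the talk), a PowerShell function hypothetically named Get-WinRmExposureReport reads the WSMan: drive and reports the settings a defender reviews first: active listeners, a wildcard TrustedHosts entry, Basic authentication and unencrypted traffic. It assumes an elevated session with the WinRM service running.

```powershell
# Added example, not the talk's code: summarise the local WinRM/PowerShell Remoting exposure.
function Get-WinRmExposureReport {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        return [pscustomobject]@{ WinRMRunning = $false; Listeners = @(); TrustedHosts = $null }
    }

    # Each listener is a container under WSMan:\localhost\Listener whose
    # children are name/value pairs (Transport, Address, Port, Enabled, ...)
    $listeners = foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $p = @{}
        Get-ChildItem -Path "WSMan:\localhost\Listener\$($l.Name)" |
            ForEach-Object { $p[$_.Name] = $_.Value }
        [pscustomobject]@{
            Transport = $p['Transport']
            Address   = $p['Address']
            Port      = $p['Port']
            Enabled   = ($p['Enabled'] -eq 'true')
        }
    }

    $trusted     = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    $basicAuth   = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    $unencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value

    [pscustomobject]@{
        WinRMRunning         = $true
        Listeners            = @($listeners)
        # The "trusted devices" half of the model: '*' trusts every host for NTLM/Basic
        TrustedHosts         = $trusted
        TrustedHostsWildcard = ($trusted -eq '*')
        HttpListenerEnabled  = [bool]@($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Enabled })
        BasicAuthEnabled     = ($basicAuth -eq 'true')
        AllowUnencrypted     = ($unencrypted -eq 'true')
    }
}

# Usage (run elevated; the WSMan: drive needs the WinRM service and admin rights)
Get-WinRmExposureReport | Format-List
```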

DEMO: THE DC

POWERSHELL SECURITY FEATURES
Administrative rights / UAC
Code signing
Local or remote source, using the Zone.Identifier alternate data stream
PowerShell execution policy

EXECUTION POLICY
There are 6 states for the execution policy:
Unrestricted: all scripts can run
RemoteSigned: no unsigned scripts from the Internet can run
AllSigned: no unsigned scripts can run
Restricted: no scripts are allowed to run
Undefined (default): if no policy is defined, then default to Restricted
Bypass: the policy processor is bypassed

BYPASSING EXECUTION POLICY
Simply ask PowerShell: powershell.exe -ExecutionPolicy Unrestricted
Switch the file's Zone.Identifier back to local: Unblock-File yourscript.ps1
Read the script in and then execute it (may fail depending on the script)
Get/steal a certificate, sign the script, run the script
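To make the two preceding slides concrete from the defender's side, here is an added example (not from the talk): a PowerShell function hypothetically named Get-ScriptTrustReport that reads each script's Zone.Identifier stream and Authenticode signature, then applies the execution-policy table above to say whether the effective policy would let it run. The folder path in the usage line is a placeholder.

```powershell
# Added example, not the talk's code: audit scripts against the execution policy table.
function Get-ScriptTrustReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Without -Scope, Get-ExecutionPolicy returns the effective policy after
    # MachinePolicy/UserPolicy (Group Policy) have overridden the local scopes.
    $effective = [string](Get-ExecutionPolicy)

    foreach ($script in Get-ChildItem -LiteralPath $Path -Filter *.ps1 -Recurse -File) {
        # The Zone.Identifier alternate data stream is the "mark of the web".
        # ZoneId 3 = Internet, 4 = Restricted sites; no stream means the file counts as local.
        $zoneId = $null
        try {
            $ads = Get-Content -LiteralPath $script.FullName -Stream Zone.Identifier -ErrorAction Stop
            if (($ads -join "`n") -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        } catch { }   # no such stream: treated as a local file

        $sigStatus = (Get-AuthenticodeSignature -LiteralPath $script.FullName).Status
        $remote = ($null -ne $zoneId -and $zoneId -ge 3)
        $signed = ($sigStatus -eq 'Valid')

        # Mirror the six policy states from the slide
        $wouldRun = switch ($effective) {
            'Unrestricted' { $true }                    # warns on unsigned remote scripts, then runs
            'Bypass'       { $true }
            'RemoteSigned' { (-not $remote) -or $signed }
            'AllSigned'    { $signed }
            default        { $false }                   # Restricted, or Undefined treated as Restricted
        }

        [pscustomobject]@{
            Script          = $script.FullName
            ZoneId          = $zoneId
            FromRemoteZone  = $remote
            Signature       = $sigStatus
            EffectivePolicy = $effective
            WouldRun        = $wouldRun
        }
    }
}

# Usage: show where each policy scope comes from, then audit a scripts folder (placeholder path)
Get-ExecutionPolicy -List | Format-Table -AutoSize
Get-ScriptTrustReport -Path 'C:\Scripts' | Format-Table -AutoSize
```

A script reported as WouldRun = False under RemoteSigned only because of its ZoneId is exactly the file that Unblock-File from the slide above would make runnable, which is why Unblock-File and 4688 process-creation events for "-ExecutionPolicy" arguments are worth monitoring.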

DEMO: THE HASHES

OTHER CONSIDERATIONS
PowerShell Web Access
Desired State Configuration

LINKS AND QUESTIONS
Blog:
Code on GitHub:
QuarksPWDump:
PowerSploit:
Microsoft PowerShell/Security Series:
Practical Persistence in PowerShell: