Will Schroeder, profile picture
Uploaded byWill Schroeder
PPTX, PDF8,130 views

Catch Me If You Can: PowerShell Red vs Blue

The document discusses the evolution of PowerShell from an offensive and defensive perspective, detailing various tools and phases in its development from its inception to recent advancements. It highlights the ongoing 'cat and mouse' game between offensive techniques and defensive measures in the use of PowerShell. Notably, the shift towards improved defensive strategies and the vulnerabilities associated with older versions of PowerShell are emphasized.

Embed presentation

Downloaded 194 times
Catch Me If You Can PowerShell Red vs. Blue Will Schroeder, Specter Ops A Survey of PowerShell Security
Agenda • Setting the Stage: Offensive Philosophy • Infancy: from Monad to PowerSyringe • Primary School: PowerSploit • Adolescence: PEs, Mimikatz, Kansa, and more • Parental Guidance: PowerShell <3 the Blue Team • Teenage Rebellion: PowerShell Empire • Defense Grows Up: CimSweep, BloodHound, and more
Our Offensive Philosophy • “Assume breach” approach, focus on post- exploitation • “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA • “Living off the Land” • Focus on blending with normal host and network options • Led us to focus on built-in capabilities, most importantly PowerShell!
In the Beginning (2002)…
…Then There Was Light! (2009)
Offensive Infancy (2010)
From the Tree of Knowledge (2011)…
Sidenote: (2017)
Learning to Walk (2011) • Defenses: • Execution policy? Profiles? • Basic transcription (Version 2) • The True Offensive Start:
• PowerSyringe (2011) became PowerSploit (2012) • Injects shellcode into the current or arbitrary process • One of the most common components reused malware • Common post-exploitation features added logging, screen shot collection, etc.) • PowerShell Version 3 (Sept 2012) • Module logging introduced - first logging of PS commands Primary School
• Invoke-ReflectivePEInjection (2013) • Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process • The big one… Invoke-Mimikatz (2013) • Dumps plaintext passwords from memory! (Amongst *many* other tasty things  ) Adolescence
Invoke-Mimikatz Demo
• PowerView (March 2014) • Network/Active Directory situational awareness tool • Fun features ruined by Microsoft  - hunting (NetCease in Oct 2016) and remote enumeration (SAMRi10 - Dec 2016) • Kansa (March 2014) • Incident response framework • Uproot (Oct 2014) • WMI based IDS with PowerShell deployment • PowerShellArsenal (Nov 2014) • PowerShell reverse engineering toolkit Adolescence
• PSReflect (Sep 2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy” • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection • Really was a big “missing link” from our perspective • It can be used offensively defensively (Get-InjectedThread) Adolescence
• SharpPick (Dec. 2014) • PowerShell without PowerShell.exe! • Bypassed weak AppLocker configs/command logging • UnmanagedPowerShell (Dec 2014) • Inject PowerShell scripts into any process! • Loads .NET 2.0 runtime (if available) to bypass logging • PowerForensics (Mar 2015) • Live disk forensics with PowerShell! Adolescence
UnmanagedPowerShell Demo
Sidenote: Lee vs. Lee
Some Parental Guidance (2015)
AMSI https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application- developers-new-malware-defenses/
Bypasses Will Always Exist!
• Transcription (v2, improved in v5) • Ability to record the contents of a PowerShell session • Module Logging (v3) • Captures good execution details, but tons data • Deep Script Block Logging (v5) • Records code blocks as they’re executed • Default: logs suspicious looking scripts Logs on Logs
The Rebellious Teenager (Aug 2015)
Lee Fires Back (2015/2017)
Invoke-Mimikatz vs. Defender/AMSI Demo
• CimSweep (Jan 2016) • C-based defensive sweeping tool • BloodHound (April 2016) • Active Directory attack path analysis • A modified version of PowerView is used the data ingestion • WMI load events (~2016) • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName "%System.Management .Automation%.dll%" • https://gist.github.com/mattifestation/7fe1df7ca2f a3d067def00c01af • Take memory dump each time a PS process closes Defense Grows Up
• Invoke-Obfuscation (Sep 2016) • Encyclopedia of PowerShell obfuscation methods Things Get Complicated… http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
Invoke-Obfuscation Demo
• Device Guard (2016+) allows for the enforcement of constrained language • Strong application whitelisting/code integrity • Unsigned scripts run in Constrained Mode • No access to underlying .NET framework • WMImplant (late 2016) • WMI/PowerShell based toolkit that deploys functions even in constrained language Towards the Future…
https://github.com/FuzzySecurity/PSKerne l-Primitives PowerShell <3 The Kernel?? (2016- 2017+)
• Get-InjectedThread (April 2017) • Enumerates all current running threads • For each thread: • Finds the base address of each thread • Checks if the initial memory page of thread is allocated • Checks if the if the initial memory not backed by an file on disk • If the thread page IS committed and NOT backed by a file, then it is likely • Catches nearly all stock malware injection approaches! Scary (for us attackers ;)
Invoke-PSInject vs. Get-InjectedThread Demo
• Command line logging • Full transcription (if possible) • Install v5, and uninstall v2!! • Windows10: • Defender + AMSI • Deep script block logging • Device Guard and constrained language mode • Great resource: https://www.fireeye.com/blog/threat- research/2016/02/greater_visibilityt.html Tips for Securing a PowerShell Deployment
Summary • There‘s a huge variety of offensive and defensive projects and technologies available • PowerShell red and blue will continue to play cat and mouse • PowerShell Version 2 remains a big achilles heel • The tide has started to really shift towards blue/defense! • We‘re actually moving towards C# for
• Now: 15 min break • Grab a coffee • Stay here to enjoy next presentation • Change track and switch to another room • Ask me questions or meet me in a breakout session room afterwards Next Steps...
Questions?
• Will Schroeder (@harmj0y) • http://blog.harmj0y.net | will [at] harmj0y.net • Red teamer and offensive engineer for Specter Ops • Co-founder: • Veil-Framework | Empire/EmPyre | BloodHound • Developer of: • PowerView | PowerUp | current PowerSploit developer • Microsoft CDM/PowerShell MVP • Veteran trainer About_Author
• PowerSploit - Matt Graeber, Chris Campbell, Joe Bialek • Kansa - Dave Hull • Uproot - Jared Atkinson • PowerShellArsenal - Matt Graeber • PowerView/PowerUp - Will Schroeder • PSReflect - Matt Graeber • SharpPick - Justin Warner • UnmanagedPowerShell - Lee Christensen • PowerShell Empire - Will Schroeder, Justin Warner, many many others About_References
• CimSweep - Matt Graeber, Jared Atkinson, Lee Christensen • BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder • Invoke-Obfuscation - Daniel Bohannon • WMIPlant - Chris Truncer • PSKernel-Primitives - Ruben Boonen • Get-InjectedThread - Jared Atkinson About_References
• https://github.com/trustedsec/social-engineer- toolkit/blob/master/src/powershell/powerdump.powershell • https://github.com/PowerShellMafia/PowerSploit/tree/dev/ • https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b • https://github.com/davehull/Kansa • https://github.com/Invoke-IR/Uproot • https://github.com/mattifestation/PowerShellArsenal • https://github.com/mattifestation/PSReflect • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick • https://github.com/leechristensen/UnmanagedPowerShell • https://github.com/EmpireProject/PSInject • https://github.com/EmpireProject/Empire • https://github.com/PowerShellMafia/CimSweep • https://github.com/BloodHoundAD/BloodHound • https://github.com/danielbohannon/Invoke-Obfuscation • https://github.com/ChrisTruncer/WMImplant • https://github.com/FuzzySecurity/PSKernel-Primitives • https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2 About_References

More Related Content

PPTX
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
ReCertifying Active Directory
byWill Schroeder
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
ReCertifying Active Directory
byWill Schroeder
 
Windows Threat Hunting
byGIBIN JOHN
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 

What's hot

PPTX
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
PurpleSharp BlackHat Arsenal Asia
byMauricio Velazco
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
PPTX
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
PDF
Red Team Methodology - A Naked Look
byJason Lang
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PPTX
Defending Your "Gold"
byWill Schroeder
 
PDF
The innerHTML Apocalypse
byMario Heiderich
 
PPTX
Windows Privilege Escalation
byRiyaz Walikar
 
PPTX
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
PDF
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
PPTX
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
PDF
Social Engineering the Windows Kernel by James Forshaw
byShakacon
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PowerShell for Practical Purple Teaming
byNikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PurpleSharp BlackHat Arsenal Asia
byMauricio Velazco
 
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Fantastic Red Team Attacks and How to Find Them
byRoss Wolf
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
byAndy Robbins
 
Red Team Methodology - A Naked Look
byJason Lang
 
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
I hunt sys admins 2.0
byWill Schroeder
 
Defending Your "Gold"
byWill Schroeder
 
The innerHTML Apocalypse
byMario Heiderich
 
Windows Privilege Escalation
byRiyaz Walikar
 
Kheirkhabarov24052017_phdays7
byTeymur Kheirkhabarov
 
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
Red Team Revenge - Attacking Microsoft ATA
byNikhil Mittal
 
Social Engineering the Windows Kernel by James Forshaw
byShakacon
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 

Viewers also liked

PDF
A Case Study in Attacking KeePass
byWill Schroeder
 
PPTX
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
PDF
Ace Up the Sleeve
byWill Schroeder
 
PPTX
Living off the land and fileless attack techniques
bySymantec Security Response
 
PPTX
Taking the Attacker Eviction Red Pill (v2.0)
byFrode Hommedal
 
PPTX
Catching fileless attacks
byBalaji Rajasekaran
 
PDF
SANS DFIR Prague: PowerShell & WMI
byJoe Slowik
 
PPTX
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
PDF
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
byPriyanka Aash
 
PPTX
Obfuscating The Empire
byRyan Cobb
 
PDF
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
byChris Thompson
 
PPTX
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PPTX
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
byPuppet
 
PPTX
WMI for Penetration Testers - Arcticcon 2017
byAlexander Polce Leary
 
PPTX
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
PDF
Kavya racharla ndh-naropanth_fin_jp-final
byPacSecJP
 
A Case Study in Attacking KeePass
byWill Schroeder
 
Invoke-Obfuscation nullcon 2017
byDaniel Bohannon
 
Ace Up the Sleeve
byWill Schroeder
 
Living off the land and fileless attack techniques
bySymantec Security Response
 
Taking the Attacker Eviction Red Pill (v2.0)
byFrode Hommedal
 
Catching fileless attacks
byBalaji Rajasekaran
 
SANS DFIR Prague: PowerShell & WMI
byJoe Slowik
 
BSides London 2017 - Hunt Or Be Hunted
byAlex Davies
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
byPriyanka Aash
 
Obfuscating The Empire
byRyan Cobb
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
byChris Thompson
 
Pwning the Enterprise With PowerShell
byBeau Bullock
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
byPuppet
 
WMI for Penetration Testers - Arcticcon 2017
byAlexander Polce Leary
 
Building Better Backdoors with WMI - DerbyCon 2017
byAlexander Polce Leary
 
Kavya racharla ndh-naropanth_fin_jp-final
byPacSecJP
 

Similar to Catch Me If You Can: PowerShell Red vs Blue

PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PPTX
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
PPTX
Client side attacks using PowerShell
byNikhil Mittal
 
PPTX
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
PPTX
PowerShell: The increased use of PowerShell in cyber attacks
bySymantec Security Response
 
PPTX
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
PPTX
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
PPTX
Bsides tampa
byOctavio Paguaga
 
PDF
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
PPTX
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
PDF
Powershell-hacking-1nTh35h311-BSidesTLV2019
byYossi Sassi
 
PDF
Power on, Powershell
byRoo7break
 
PDF
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
PPTX
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
PDF
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
PPTX
PowerShell - Be A Cool Blue Kid
byMatthew Johnson
 
PPTX
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
PDF
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
PPTX
Pwning with powershell
byjaredhaight
 
PPTX
Top 10 PowerShell Features in Server 2012
byThomas Lee
 
Building an Empire with PowerShell
byWill Schroeder
 
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
Client side attacks using PowerShell
byNikhil Mittal
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
byRussel Van Tuyl
 
PowerShell: The increased use of PowerShell in cyber attacks
bySymantec Security Response
 
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
Bridging the Gap: Lessons in Adversarial Tradecraft
byenigma0x3
 
Bsides tampa
byOctavio Paguaga
 
2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
bykhalil511890
 
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
Powershell-hacking-1nTh35h311-BSidesTLV2019
byYossi Sassi
 
Power on, Powershell
byRoo7break
 
The Dark Side of PowerShell by George Dobrea
byEC-Council
 
Incorporating PowerShell into your Arsenal with PS>Attack
byjaredhaight
 
Who Should Use Powershell? You Should Use Powershell!
byBen Finke
 
PowerShell - Be A Cool Blue Kid
byMatthew Johnson
 
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
Powering up on PowerShell - BSides Charleston - Nov 2018
byFernando Tomlinson, CISSP, MBA
 
Pwning with powershell
byjaredhaight
 
Top 10 PowerShell Features in Server 2012
byThomas Lee
 

More from Will Schroeder

PDF
A Year in the Empire
byWill Schroeder
 
PDF
Not a Security Boundary
byWill Schroeder
 
PPTX
Bridging the Gap
byWill Schroeder
 
PDF
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
PPTX
I Hunt Sys Admins
byWill Schroeder
 
PDF
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
PPTX
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
PPTX
Trusts You Might Have Missed
byWill Schroeder
 
PPTX
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
PDF
I Have the Power(View)
byWill Schroeder
 
PDF
Trusts You Might Have Missed - 44con
byWill Schroeder
 
PDF
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
byWill Schroeder
 
PDF
Certified Pre-Owned
byWill Schroeder
 
PPTX
Adventures in Asymmetric Warfare
byWill Schroeder
 
PDF
Building an EmPyre with Python
byWill Schroeder
 
PPTX
Derbycon - Passing the Torch
byWill Schroeder
 
PDF
Nemesis - SAINTCON.pdf
byWill Schroeder
 
PPTX
Pwnstaller
byWill Schroeder
 
A Year in the Empire
byWill Schroeder
 
Not a Security Boundary
byWill Schroeder
 
Bridging the Gap
byWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
I Hunt Sys Admins
byWill Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
Trusts You Might Have Missed
byWill Schroeder
 
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
I Have the Power(View)
byWill Schroeder
 
Trusts You Might Have Missed - 44con
byWill Schroeder
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
byWill Schroeder
 
Certified Pre-Owned
byWill Schroeder
 
Adventures in Asymmetric Warfare
byWill Schroeder
 
Building an EmPyre with Python
byWill Schroeder
 
Derbycon - Passing the Torch
byWill Schroeder
 
Nemesis - SAINTCON.pdf
byWill Schroeder
 
Pwnstaller
byWill Schroeder
 

Recently uploaded

PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
OutSystsems User Group Brabant November 2025
bymail496323
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PPTX
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
PPTX
Redcentric Data Centres: vision, mission and values
byRedcentric
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
OutSystsems User Group Brabant November 2025
bymail496323
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
Redcentric Data Centres: vision, mission and values
byRedcentric
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
In this document
Powered by AI

Overview of the presentation on PowerShell security and its offensive and defensive aspects.

Outline covers topics from offensive strategies to the evolution of PowerShell security tools.

Discussion of the 'Assume breach' approach, focusing on post-exploitation and PowerShell's role in offensive strategies.

A timeline detailing key milestones in PowerShell's development and its impact on security.

Introduction of defense mechanisms and initial tools like PowerSyringe and logging features.

Emergence of critical offensive tools like Mimikatz, PowerView, and scripting capabilities in PowerShell.

Challenges and responses related to security measures, including various logging improvements and defenses.

Introduction of defensive measures like BloodHound and improvements in application security.

Discussion on obfuscation methods, constrained language mode, and evolving malware defenses.

Insights into PowerShell's evolution, security recommendations, and future-focused security enhancements.

Summary of key points and the plan for the next part of the presentation.

Open floor for audience questions related to the presentation's topics.

Introduction of Will Schroeder and his background in PowerShell and security.

List of contributors and references related to PowerShell security projects and tools.

Catch Me If You Can: PowerShell Red vs Blue

  • 1.
    Catch Me IfYou Can PowerShell Red vs. Blue Will Schroeder, Specter Ops A Survey of PowerShell Security
  • 2.
    Agenda • Setting theStage: Offensive Philosophy • Infancy: from Monad to PowerSyringe • Primary School: PowerSploit • Adolescence: PEs, Mimikatz, Kansa, and more • Parental Guidance: PowerShell <3 the Blue Team • Teenage Rebellion: PowerShell Empire • Defense Grows Up: CimSweep, BloodHound, and more
  • 3.
    Our Offensive Philosophy •“Assume breach” approach, focus on post- exploitation • “Fundamentally, if someone wants to get in, they’re getting in…accept that. What we tell clients is: Number one, you’re in fight, whether you thought you were or not. Number two, you almost certainly are penetrated.” - Michael Hayden, Former Director of NSA & CIA • “Living off the Land” • Focus on blending with normal host and network options • Led us to focus on built-in capabilities, most importantly PowerShell!
  • 4.
  • 5.
    …Then There WasLight! (2009)
  • 6.
  • 7.
    From the Treeof Knowledge (2011)…
  • 8.
  • 9.
    Learning to Walk(2011) • Defenses: • Execution policy? Profiles? • Basic transcription (Version 2) • The True Offensive Start:
  • 10.
    • PowerSyringe (2011)became PowerSploit (2012) • Injects shellcode into the current or arbitrary process • One of the most common components reused malware • Common post-exploitation features added logging, screen shot collection, etc.) • PowerShell Version 3 (Sept 2012) • Module logging introduced - first logging of PS commands Primary School
  • 11.
    • Invoke-ReflectivePEInjection (2013) •Allows for the loading of arbitrary .EXEs/.DLLs into the current process or a foreign process • The big one… Invoke-Mimikatz (2013) • Dumps plaintext passwords from memory! (Amongst *many* other tasty things  ) Adolescence
  • 12.
  • 13.
    • PowerView (March2014) • Network/Active Directory situational awareness tool • Fun features ruined by Microsoft  - hunting (NetCease in Oct 2016) and remote enumeration (SAMRi10 - Dec 2016) • Kansa (March 2014) • Incident response framework • Uproot (Oct 2014) • WMI based IDS with PowerShell deployment • PowerShellArsenal (Nov 2014) • PowerShell reverse engineering toolkit Adolescence
  • 14.
    • PSReflect (Sep2014) is “a series of helper functions designed to make defining in-memory enums, structs, and Win32 functions extremely easy” • This project immensely simplifies the usage of Win32 API calls/associated structures versus manual reflection • Really was a big “missing link” from our perspective • It can be used offensively defensively (Get-InjectedThread) Adolescence
  • 15.
    • SharpPick (Dec.2014) • PowerShell without PowerShell.exe! • Bypassed weak AppLocker configs/command logging • UnmanagedPowerShell (Dec 2014) • Inject PowerShell scripts into any process! • Loads .NET 2.0 runtime (if available) to bypass logging • PowerForensics (Mar 2015) • Live disk forensics with PowerShell! Adolescence
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
    • Transcription (v2,improved in v5) • Ability to record the contents of a PowerShell session • Module Logging (v3) • Captures good execution details, but tons data • Deep Script Block Logging (v5) • Records code blocks as they’re executed • Default: logs suspicious looking scripts Logs on Logs
  • 22.
  • 23.
    Lee Fires Back(2015/2017)
  • 24.
  • 25.
    • CimSweep (Jan2016) • C-based defensive sweeping tool • BloodHound (April 2016) • Active Directory attack path analysis • A modified version of PowerView is used the data ingestion • WMI load events (~2016) • SELECT * FROM Win32_ModuleLoadTrace WHERE FileName "%System.Management .Automation%.dll%" • https://gist.github.com/mattifestation/7fe1df7ca2f a3d067def00c01af • Take memory dump each time a PS process closes Defense Grows Up
  • 26.
    • Invoke-Obfuscation (Sep2016) • Encyclopedia of PowerShell obfuscation methods Things Get Complicated… http://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
  • 27.
  • 28.
    • Device Guard(2016+) allows for the enforcement of constrained language • Strong application whitelisting/code integrity • Unsigned scripts run in Constrained Mode • No access to underlying .NET framework • WMImplant (late 2016) • WMI/PowerShell based toolkit that deploys functions even in constrained language Towards the Future…
  • 29.
  • 30.
    • Get-InjectedThread (April2017) • Enumerates all current running threads • For each thread: • Finds the base address of each thread • Checks if the initial memory page of thread is allocated • Checks if the if the initial memory not backed by an file on disk • If the thread page IS committed and NOT backed by a file, then it is likely • Catches nearly all stock malware injection approaches! Scary (for us attackers ;)
  • 31.
  • 32.
    • Command linelogging • Full transcription (if possible) • Install v5, and uninstall v2!! • Windows10: • Defender + AMSI • Deep script block logging • Device Guard and constrained language mode • Great resource: https://www.fireeye.com/blog/threat- research/2016/02/greater_visibilityt.html Tips for Securing a PowerShell Deployment
  • 33.
    Summary • There‘s ahuge variety of offensive and defensive projects and technologies available • PowerShell red and blue will continue to play cat and mouse • PowerShell Version 2 remains a big achilles heel • The tide has started to really shift towards blue/defense! • We‘re actually moving towards C# for
  • 34.
    • Now: 15min break • Grab a coffee • Stay here to enjoy next presentation • Change track and switch to another room • Ask me questions or meet me in a breakout session room afterwards Next Steps...
  • 35.
  • 36.
    • Will Schroeder(@harmj0y) • http://blog.harmj0y.net | will [at] harmj0y.net • Red teamer and offensive engineer for Specter Ops • Co-founder: • Veil-Framework | Empire/EmPyre | BloodHound • Developer of: • PowerView | PowerUp | current PowerSploit developer • Microsoft CDM/PowerShell MVP • Veteran trainer About_Author
  • 37.
    • PowerSploit -Matt Graeber, Chris Campbell, Joe Bialek • Kansa - Dave Hull • Uproot - Jared Atkinson • PowerShellArsenal - Matt Graeber • PowerView/PowerUp - Will Schroeder • PSReflect - Matt Graeber • SharpPick - Justin Warner • UnmanagedPowerShell - Lee Christensen • PowerShell Empire - Will Schroeder, Justin Warner, many many others About_References
  • 38.
    • CimSweep -Matt Graeber, Jared Atkinson, Lee Christensen • BloodHound - Andy Robbins, Rohan Vazarkar, Will Schroeder • Invoke-Obfuscation - Daniel Bohannon • WMIPlant - Chris Truncer • PSKernel-Primitives - Ruben Boonen • Get-InjectedThread - Jared Atkinson About_References
  • 39.
    • https://github.com/trustedsec/social-engineer- toolkit/blob/master/src/powershell/powerdump.powershell • https://github.com/PowerShellMafia/PowerSploit/tree/dev/ •https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b • https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b • https://github.com/davehull/Kansa • https://github.com/Invoke-IR/Uproot • https://github.com/mattifestation/PowerShellArsenal • https://github.com/mattifestation/PSReflect • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick • https://github.com/leechristensen/UnmanagedPowerShell • https://github.com/EmpireProject/PSInject • https://github.com/EmpireProject/Empire • https://github.com/PowerShellMafia/CimSweep • https://github.com/BloodHoundAD/BloodHound • https://github.com/danielbohannon/Invoke-Obfuscation • https://github.com/ChrisTruncer/WMImplant • https://github.com/FuzzySecurity/PSKernel-Primitives • https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2 About_References

Editor's Notes

  • #3 Will show the evolution of offense and the defensive projects and mitigations that have been implemented in response Will not cover ALL tools, just ones I think are “evolutionary” relevant Focus only on “legitimate”/open-source offensive capabilities -> won’t cover crimeware/etc.
  • #4 Quote- Microsoft Office365 red teaming whitepaper Access to .NET/the API, can stay off of disk, can reassemble malicious binaries in memory, etc. Explain what led us to PowerShell
  • #6 “The Version 2 problem” – explain why we care about it from the offensive perspective
  • #7 https://www.youtube.com/watch?v=JKlVONfD53w Talked some about execution policy Main contribution - PowerDump
  • #11 Built by Matt Graeber Eventually repurposed into open source offensive toolsets like Metasploit
  • #12 Both coded by Joe Bialek Mainly built so every binary didn’t have to be recoded into pure PowerShell https://github.com/PowerShellMafia/PowerSploit/blob/dev/CodeExecution/Invoke-ReflectivePEInjection.ps1 https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-Mimikatz.ps1
  • #13 Invoke-Mimikatz that creates a golden ticket for the parent domain and then DCSyncs the krbtgt of the root
  • #14 https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b   https://github.com/davehull/Kansa - Incident response collection cmdlets (Dave Hull) https://github.com/Invoke-IR/Uproot - IDS via WMI Event Subscriptions https://github.com/mattifestation/PowerShellArsenal - Reverse engineering
  • #15 https://github.com/mattifestation/PSReflect Why not use Add-Type? Explain… Swap over- show PowerView code before and after
  • #16 Twitter thread about “can we run PowerShell without powershell.exe” PowerForensics – explain CreateFile() approach to avoid native APIs http://www.sixdub.net/?p=367#more-367 https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick/SharpPick https://github.com/leechristensen/UnmanagedPowerShell
  • #17 https://github.com/EmpireProject/PSInject $Code = ' [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms"); [System.Windows.Forms.MessageBox]::Show("This is PS code! Current proc: $(Get-Process -Id $PID)"); ' $Encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Code)) Start-Process notepad Invoke-PSInject -ProcName notepad -PoshCode $Encoded
  • #18 Command Line Version Parameter – “-version 2” Hosting Applications Compiled using V2 Reference Assemblies – “the “Windows PowerShell” classic event log has event ID 400. This is the “Engine Lifecycle” event, and includes the Engine Version.”
  • #19 Released a month before Empire was slated to be released – gave me an existential freakout! -Better transcription with Start-Transcript and automatic transcription options -Deep script block logging -AMSI
  • #22 -Transcription allows for automatic recording of PowerShell sessions -Module logging records pipeline execution details as PowerShell executes, including variable initialization and command invocations. -Module logging will record portions of scripts, some de-obfuscated code, and some data formatted for output.  -Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands. Including code AFTER it was de-obfuscated! These suspicious blocks are logged at the “warning” level in EID 4104, unless script block logging is explicitly disabled. This feature ensures that some forensic data is logged for known-suspicious activity, even if logging is not enabled https://github.com/PowerShell/PowerShell/blob/02b5f357a20e6dee9f8e60e3adb9025be3c94490/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1612-L1660
  • #23 PowerShellEmpire – talked about last year https://github.com/EmpireProject/Empire
  • #24 2015- “Measure-VariableObfuscation” which relies on PowerShellArsenal to create “Obfuscation Metrics” for scripts
  • #26  And system.management.automation.ni.dll – why the wildcard https://github.com/PowerShellMafia/CimSweep https://github.com/BloodHoundAD/BloodHound https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
  • #28 ipmo .\Invoke-Obfuscation.psd1 Invoke-Obfuscation SET SCRIPTBLOCK function Invoke-Stuff { Get-Process }; Invoke-Stuff token all 1 clip (Show you executing it in a powershell window) back back STRING 3 clip (Show you executing it in a powershell window) back encoding 6 clip (Show you executing it in a powershell window) back launcher rundll++ 0 clip (run in cmd.exe)
  • #29 Matt Graeber will speak on this on day 3 (device guard) Device Guard force PS into constrained language mode - https://msdn.microsoft.com/powershell/reference/5.1/Microsoft.PowerShell.Core/about/about_Language_Modes No reflection, add-type, limits New-Object(e.g. no creating arbitrary COM objects) https://github.com/ChrisTruncer/WMImplant
  • #31 https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
  • #33 After this, you should WANT attackers to use PowerShell! Try and block the attacker, but if he still gets in, we want to be able to detect and see what he did
  • #36 42:00