
10 tips for Powershell as a hacking tool - Yossi Sassi

BSides TLV · 2019 · 22:24 · 1.7K views · Published 2019-11
Category: Technical
Style: Talk
About this talk
10 tips for Powershell as a hacking tool - Yossi Sassi BSidesTLV 2019 - Tel Aviv University - 24 June 2019
Transcript [en]

After lunch. PowerShell is becoming one of the more important tools, especially when, as an attacker, you want to avoid carrying stuff with you: living off the land. Now we're going to have a nice talk by Yossi that shows how to use PowerShell as a hacking tool. This is very, very exciting, so thank you for that, a round of applause for Yossi.

OK, so hello everybody, hi, how are you? I'm Yossi and this is what I do. But this is... so I have a day job and a night job, and today I'm going to talk to you about the maybe less exciting part of my life, but the part I'm as passionate about as I am about the music life. So I've been with keyboards and code for a long time, also with the guitar for quite the same time, working most of the time independently as a freelancer, etc., and doing some bigger white-hat stuff, basically working a lot with government and finance around the world. I'm co-founding CyberArt, not CyberArk; that's a product that we bypass when we have to go into a network, but they are great guys, don't get me wrong, they impede us somewhat, but still. I'm also very honoured to be a member of the board of Javelin, which got acquired by Symantec last year, and we have people from Javelin here in the crowd, so hi to them.

So I'm going to talk about PowerShell: ten tips out of, honestly, a gazillion I could talk about. PowerShell and my trip with PowerShell go back to 2003, since the Monad days, then Microsoft Shell, and then they branded it PowerShell, so really over a decade working with PowerShell, all the dogfooding, the beta stuff, training about that, and also showing you some cool research. So basically, what is this PowerShell? For people who are not totally aware of PowerShell, it's that blue shell thing, the blue icon, what we normally call the Microsoft shell for sysadmins, and that helps hackers a lot, because it's commonly, misleadingly perceived as the shell for sysadmins. But for hackers this is really a totally different story. PowerShell is just a spoon, you know, and we do whatever we want with it; we bend that spoon on a daily basis and I'll show you how. It's basically CMD on steroids, but it's much more than that: it's a .NET CMD, it's really living-off-the-land heaven for Windows. It's a wrapper around everything in Windows, every API, protocol, system call, whatever, every DLL, everything you ever imagined you can address, with a lot of functionality and very little syntax. And it's living off the land, so it's pre-installed, it's built into Windows 7 and above and it runs even on XP, etc. It's probably the ideal tool of choice in many scenarios for post-exploitation and other stuff. It's also open source for almost three years now; people are not aware of it, but PowerShell is totally open source on GitHub, from before GitHub belonged to Microsoft actually, and it runs really nicely on Linux and Mac OS X, you can run it in Docker, etc., so you can do really cool stuff with it. But the most important thing to think about with PowerShell is that it's based on the .NET Framework and it works with objects. When I say works with objects, it means that everything you do in PowerShell, you get back an object. So think about, you know, the day-to-day productivity of bash and stuff like that, very intuitive shells, but with the power of Python. So I like to call it: if we take bash, ksh, csh, Python, Perl and .NET into a motel room, and you hear funny noises, and in the morning there was a baby conceived, that would be PowerShell. So here you see like four or five words, you know, with two or three pipes: I took a bunch of IP addresses, ran curl against ipinfo, got the JSON, converted the JSON in memory, living off the land, and got a grid on the fly. So that's the power of PowerShell; that's why it's called PowerShell. So you can do a lot of stuff with PowerShell. Let's start with the basics; I'll run through some basics, then we have some research, and then we'll see some fun stuff.

So you can invoke IEX on basically any text stream you can think of: compressed, memory, files, without touching the disk. You can use COM objects, MSXML, IE, but also from Windows 7 and above you can use the WebClient from .NET, and you can also use Invoke-WebRequest, the curl/wget of PowerShell. So basically Invoke-Expression, or IEX, that's its alias: you take any text and basically it executes it. OK, so if I take gwmi Win32_BIOS and pipe it into Invoke-Expression, it actually executes that code, and this is also very easy for bypassing script execution policy, stuff like that. But you can also use the built-in .NET WebClient class; this allows you to download strings, download files, etc. You can download the string from anywhere, on the LAN, on the internet or from a shortcut, and then you can pipe it to Invoke-Expression and it just runs it. So it's very, very easy, very popular methods; you see it in many malware cases in analysis investigations, and you can also curl that from your own server and that works beautifully.

You can also harness the power of .NET to your own good, and you can do that with basically everything you can think about; you know, everything you need to do, the .NET Framework is there for your help. You can harness its power for everything, whether it's mathematical algorithms or whatever; if you want to do some calculations, byte calculations, there is a lot of work done on System.Reflection and the reflection DLLs, so you can actually call any DLL directly from the command line and check stuff whenever you want. So if I want to know if Caps Lock is on, I just call the Console class through reflection and I can know if Caps Lock is on or off. Very basic stuff, but sometimes, you know, when you're in the field, and especially when you are doing red teaming and you want to do stuff, you know, with keyboard access, whether it's a C2 or physical, you want to be able to do that stuff quickly. So PowerShell is about that: it thinks about the person, and it thinks about the person that has little time and needs to do a lot of stuff. So in this case I'm just converting a string to chars, and then for each char I'm checking it. Very simple, but just to show you the power of the language.

Third, you can convert any to any, whatever "any" you have in mind. You can compare it, digest it, convert it: XML, JSON, bytes, XML. You have ConvertFrom and ConvertTo, and you also have Import and Export. For example, you can convert anything to JSON, so you can take a process, all its threads, everything you want, and convert it to JSON on the fly. This is living off the land: these functions, until now, there's no special code here; it exists in every Windows version, so you can run it and execute it. You can convert to HTML, CSV quite easily (this is stuff that's nice for the sysadmins), convert to XML of course, and you can also export. Export means convert and save to an out-file, basically redirecting the output to a file or to a printer or whatever we want, and in this case of course we got the XML. But we can also do some other conversions; for example, we can take any bytes. I can read the bytes of a file very easily with IO.File ReadAllBytes, so I can read the bytes of this file and I can convert them very easily to, for example, hex: I can do ToString and get the hex from those bytes. And if I want to dwell on it some more, I can take those bytes and actually join them and get the whole hex. So all this one-liner is very powerful, living off the land.

Let's get into the juicy stuff as hackers. OK, so you can phish any credentials with a dialog box; actually there is a one-liner to do it, and you can customize in that one-liner the text that you want to have in the form header, the text inside it, et cetera. You can also take it to the next level with the Windows Security credential UI, with the stuff that Wheels did, who I think is here in the audience, with red liquor. So this is a single liner; sometimes you don't have to go to LSASS and dumping and mimikatz and all this stuff, you just pop up this credential dialog, also remotely, and I can get the network credential in clear text. Who speaks about dumps? You know, people come back to the old-school stuff, you know, just credential phishing. And you can also get this dialog box; this baby actually sends an HTTP GET, you know, to an Apache server or whatever, and it leaks your credentials to somewhere else in the network or outside the network.

Let's get serious. PowerShell is an illusion. Under the .NET Framework, powershell.exe is just a variant, you know, it's like a plague, a disease, it's just one variant out of many. Basically, what you call PowerShell is System.Management.Automation inside the .NET Framework; it's built into the framework, hence Windows, for the last two decades, and what you see is just the host interface. So PowerShell essentially is just a variant, so if you're trying to protect against powershell.exe, you're maybe going, statistically, to the right place, but you're leaving out the serious hackers. So PowerShell, for example, can be in very interesting places; for example, did you know that the Windows troubleshooting wizards are just PowerShell scripts? As you see in the background, there is a nice defence control technique that's called transcription, so it transcripts every PowerShell script that you run. This is not turned on by default; you have to turn it on with Group Policy or the registry, and basically it monitors, it audits all the inputs and outputs from PowerShell code, even if the host of the PowerShell code is not PowerShell. So whatever you inject, rundll32, whatever, or this exe that I built that just gets out the BIOS information: as you can see, it got audited and you see the transcript. So basically PowerShell can come from any executable that references System.Management.Automation.

We can go further than that. For example, I can use this Base64-encoded string, yes, for getting the BIOS information, and what I'm going to do now is run it, and I'm going to show you how we run PowerShell without powershell.exe, as we saw; now I'm going to run PowerShell without a process. So now I turned on process creation and termination auditing in the policy of this machine, and as you can see we have some code that basically queries the event log of the machine, the Security event log, and shows us the last creation and termination events. So you can see Magnify, which I just used in this short video, and now we're going to run some other processes. OK, I'm going to run Notepad, we're going to maximize, no, wait a minute, Notepad, and then we're going to run this again, and as you can see, voilà, we saw Notepad, svchost (you can count on svchost to appear every 10 or 20 seconds or something like that in Windows), and basically I have this mstsc, you know, the Microsoft Terminal Services Client, the RDP client, but this is a slightly different variation of it that runs encoded strings. So if the customer is not checking for hashes, I put it as mstsc, and all the customer will see is that mstsc.exe was launched. So you see I have my mstsc there; I handle this executable, and what it has is basically a piece of code that runs a System.Management.Automation runspace. But now I'm going to run a different function, which I'm going to put on GitHub later, and what this function does is it takes a binary, whether a URL or a file, and invokes it in memory. I use the .NET Load binary function, and this means that I'm loading the binary in memory into the C# compiler, and I'm running Base64-encoded code without using the process. Good luck with that. So there is no spoon, marshalling. This is a spoon, guys, you know, don't get excited about spoons, especially if they're plastic, not like idiots. It's a very good spoon, very good spoon. You can have it called PowerShell, psw, pwsh or powershell.exe, and you can actually run PowerShell, as you just saw, from a binary without running the binary process.

Next, you can run any .NET language directly in PowerShell; it doesn't matter, you can run the syntax directly: VBScript, JavaScript, C#. And you can also utilize local variables and functions from your sessions in remote sessions. So the first thing we're going to show: I'm going to put some C# code just between this here. Yeah, I don't know if you can see that, but that's basically C# code, and when I run it, I Add-Type, so now I have this type inside my shell, and I run this C# function; this C# function is running directly in PowerShell, so I don't need to compile anything, no DLLs, no executables, I can run C# directly.

I'm running on a hostname called LONDC1 and I have a remote session saved into a variable on a client called LONCL1. I can get this PowerShell session; PowerShell sessions are the way PowerShell... it's like the built-in SSH for PowerShell: PS Remoting, WinRM, works with the WS-Management protocol, SOAP, XML. And you can see that when I run Invoke-Command into this remote session, I can see the hostname of that remote machine; the machine is of course LONCL1, and I can run ipconfig, whatever. This is the new RDP; instead of the ransomware deployment protocol you have PS Remoting. So this is my IP, and now I can run whatever I want, and I'll show you this $using. So $using basically, you can send... it's just HTTP, and it's also encrypted with your TGS when you work in a domain, so a Kerberos ticket encrypts all the traffic. So I can just send over local variables to one hundred, one thousand, ten thousand machines from my own machine; I don't have to redistribute code or variables. Now I created the local function Get-Hostname; that's what this function does, but I can run my local function directly on the remote host. So if I run it locally, of course this is the result; this is the result, and you don't have this function in the remote machine, as you probably understood. So that makes things interesting.

Seven: you can actually turn everything into an object when you work with PowerShell, literally, no regex, very intuitive, in memory, on the fly. There are a lot of living-off-the-land tools that do a great job, you know, sc, curl, whatever, net start, but the problem with them is that they work with text. You know, text is very nice; for example, one of those tools is klist, Kerberos tickets in memory, and klist, of course, I can wrap it with Select-String, I can take certain strings from it, etc., but I can do more with that. Maybe I want the entire ticket, so how can I do that without going into a regex headache? So I can basically just send out a sample output from any tool, mimikatz, netstat, whatever, and I can just tell PowerShell what the standard output of this application, this tool, looks like, and I can just put it between curly brackets and just name my own properties, and basically it will convert it to objects according to the curly brackets and the property or properties that I put. So just going over it a bit quickly here: as you can see, I delete whatever I don't need, and voilà, now I can pipe it into ConvertFrom-String and use the template file I just created, and watch this: it literally turns everything into objects. So you can use any tool you want and convert it into objects in like two or three minutes and turn it into whatever, just because, you know, it's something that's really meticulous to do. So you can do netstat, ConvertFrom-String into a template I put in memory (it's just a string, template content, you don't need it in a file), and then I get objects. So you can just basically turn anything you want into objects.

Of course, PowerShell is a full-fledged, full-blown shell; you can do whatever you want with shellcode, buffers, compression, etc. Let's look at a real malicious code sample I caught at a customer. So this has a Base64-encoded thing that we started with, but when I decode it from Base64, that's when we get the real PowerShell going on. So as you can see, it creates... there is an Invoke-Expression, we saw this bad guy in the beginning, and then there is a stream, and it decompresses it and reads it to the end. You have to be careful with the Invoke-Expression, even if you're running it on a VM, you know; just neutralize it and just run it through to the end, and then you'll get the decompressed string, and there in the decompressed output is the code. So actually now we get the PowerShell code; as you can see, it's doing VirtualAlloc stuff that we know, some C# code, and it's of course allocating a buffer, creating a thread and WaitForSingleObject, which is the thread. OK, so all we have to do is just get the shellcode, so now I can get the shellcode directly from that, and this shellcode I can run in a shellcode debugger or whatever, decompile it, see the actual CPU instructions, etc., or from PowerShell.

But there are PowerShell defences, you know; PowerShell has great defences, we could talk about all of them. Protected Event Logging is the interesting one that nobody talks a lot about. Basically, it's the ability to... because when you log PowerShell events to the event log, basically you log everything, also the IT systems' day-to-day, and basically it logs connection strings, the database, you know, hosts in the network, etc. So Microsoft developed Protected Event Logging: basically a registry entry under HKEY_LOCAL_MACHINE that you can actually set to encrypt with a public key certificate, with Cryptographic Message Syntax, CMS, and you can protect the messages. That's a very cool blue team technique, but what if... I thought about it, I tried it in a few customer engagements and it worked like magic: what if you think ransomware for event logs? What if you turn it around and you use it against Microsoft? So that's exactly what I do the minute I have LPE. So I take my own certificate. So if you look today at the event log, that's what you see from the messages in the event log: you can see the invocation and the warnings, you can see the actual content in the message of the event. But once I set this property to on, to enable Protected Event Logging, and I give it my own thumbprint, my own certificate, now when I run different code or a different shell, for example I will fire up a new shell and run some code in it, the next thing that will happen is, now go back and query the Event Viewer: basically me as an attacker, everything I do, the syslog gets all the right information, it gets the time created, the ID, the level, but everything is encrypted. So good luck with your forensics afterwards to understand what we just did here. So don't ask what the shell can do for you; ask what you can do to the shell.

So, Invisi-Shell: we thought about that, we have Omer and the team in Javelin, and really I was very happy to be part of this research. Basically Omer led us into the beautiful ways of, you know, getting JITted code addresses, working with the CLR profiler, really a COM object that I don't know how many of you are aware of or using, but a beautiful way to hook PowerShell, and then hook System.Core.dll for the event log, and then hook all the calls to AMSI, or the system calls basically; you simply replace with that opcode. So I don't have time to show this, and Omer talked about it in depth, but I will tell you that once we run this, I'll let you see Omer talking at DEF CON, once you run this you have no visibility of the attacker. Invisi-Shell: literally no transcripts, no logging, no AMSI, you can run whatever you want, mimikatz, and nothing gets logged or audited; PowerShell, that's what it does.

Key takeaways: PowerShell rocks for the red team. Try to use PowerShell, know the blue team defences there, or use Invisi-Shell; it's flagged as malware, but you can create variants because it's on GitHub, look for it. Don't lose your Python skills, but for Windows automation this is your ultimate choice, it's very fun, and there are multiple offensive frameworks. Behind every good hacker there is a very good, even greater, developer; it's always a team. All the good things that we do are with my partner at CyberArt, Omar Abdel Lugar, here, and all the team from Javelin, and you should check Omer's talk at DEF CON. You should check out this upcoming DEF CON, on the main stage; yeah, he's going to talk about some other stuff, but definitely one of the more pure genius minds you'll see, very humble; the only thing that is close to his coding technique is his sense of humour. You should really check that out. So that's it, everybody. Thank you.
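Added example, not from the talk or the speaker: a defender-side PowerShell check for the Protected Event Logging abuse described above, which reads the policy key, compares the configured certificate with the one the organisation meant to deploy, and tries to decrypt recent encrypted PowerShell events with the private keys available locally. It assumes the expected thumbprint is a placeholder you replace with your own GPO value and that it runs elevated on the host being checked.

```powershell
function Test-ProtectedEventLoggingPolicy {
    # Audit Protected Event Logging (PEL) on this host and flag a certificate
    # that is not the one policy is supposed to deploy (attacker-planted key).
    [CmdletBinding()]
    param(
        # Thumbprint of the certificate your GPO is supposed to set (placeholder).
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        # How many recent PowerShell operational events to test for decryptability.
        [int]$MaxEvents = 200
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $pelKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # 1. Which certificate is PEL configured with? The value may be a thumbprint,
    #    a subject name, a file path or the PEM content of the certificate.
    $pel = Get-ItemProperty -Path $pelKey -ErrorAction SilentlyContinue
    if ($pel -and $pel.EnableProtectedEventLogging -eq 1) {
        $cert = ([string]$pel.EncryptionCertificate).Trim()
        if ($cert -ne $ExpectedThumbprint) {
            $findings.Add("PEL is enabled with an unexpected EncryptionCertificate: '$cert'")
        }

        # 2. Events encrypted to a key we do not hold are the symptom the talk
        #    describes. Protected events carry a CMS envelope in the Message field;
        #    Unprotect-CmsMessage succeeds only if a matching private key is local.
        $encrypted = @(Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' `
                         -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                       Where-Object { $_.Message -match '-----BEGIN CMS-----' })
        $undecryptable = 0
        foreach ($ev in $encrypted) {
            try   { $null = Unprotect-CmsMessage -EventLogRecord $ev -ErrorAction Stop }
            catch { $undecryptable++ }
        }
        if ($undecryptable -gt 0) {
            $findings.Add("$undecryptable of $($encrypted.Count) recent encrypted events cannot be decrypted with any local private key")
        }
    } elseif (-not $pel) {
        $findings.Add('Protected Event Logging policy key is absent')
    }

    # 3. Transcription and script block logging are what make the log worth
    #    protecting; the talk notes transcription is off unless policy enables it.
    $tx  = Get-ItemProperty "$psPolicy\Transcription"      -ErrorAction SilentlyContinue
    $sbl = Get-ItemProperty "$psPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
    if ($tx.EnableTranscripting -ne 1)       { $findings.Add('Transcription is not enabled by policy') }
    if ($sbl.EnableScriptBlockLogging -ne 1) { $findings.Add('Script block logging is not enabled by policy') }

    return $findings
}

# Usage (placeholder thumbprint; replace with the value your GPO deploys):
Test-ProtectedEventLoggingPolicy -ExpectedThumbprint 'REPLACE_WITH_ORG_CERT_THUMBPRINT' |
    ForEach-Object { "FINDING: $_" }
```

A mismatch in step 1 combined with undecryptable events in step 2 is the signature of the "ransomware for event logs" scenario; correlate the policy change with a write to that registry key in your change records before treating it as benign.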