
2015 - Ben Turner & Dave Hardy - PowerShell Fu with Metasploit “Interactive PowerShell Sessions...

BSides Manchester, 53:26, 553 views, published 2015-09
About this talk
This talk will discuss the development of a new session type that now supports PowerShell interactively through Metasploit. Previously it has not been possible to run an interactive PowerShell session from inside Metasploit. Ben and Dave have developed this entirely new session type for Metasploit and have had it approved into the Git version of msf. Including many new session types, there is now additional functionality to weaponise the sessions in Metasploit to utilise tools like PowerSploit, PowerUp and PowerView inside a Metasploit session, almost ‘like being on the box’. Also included will be a discussion around the use of PowerShell as a post-exploitation vector, including full start-to-finish demos and some newly developed Metasploit POST modules. The expected audience ranges from the advanced red teaming penetration tester to a Microsoft certified engineer.
Transcript [en]

what we do we're talking about human yellow ensure that yes yes of course after the rookies in there are the risks lot for liking groups if you fancy just being a burden in produce talk about anything same threat intelligence maybe sir then you can remember registration put your name down and you can go and give it lightning talk on any topic you want it doesn't even need to be through be security-related that's a bit thin slice so without further ado before your lunch Homer's pudding kick in are we heading over to the body thanks Kevin in there nearly the babadook this wall right there thanks for coming to scout talk center by being day everything in

the dork face except that we develop trainer to go through i'm going to talk on our powershell food with max would so who are we said thursday me as my twitter handle has faced with handle and we were together sorry lock the doors open though I think it was bored so every day with Katya now so we know to the fairly well with hackers and testers whatever you will take a bit more senior and I am like recruiter is a granddad days you're talking to me a yogurt building we hope them with Neji so what's masculine hopefully I don't have to explain that to anyone here de facto head testing framework originally written by HP more I would take over by

rapid seven well on that thought powershell story too he's covered in so yeah whats powershell so we're command prompt on steroids essentially with introduced in 2009 powder ridge along with reduced her introduced to mr. one of the beauties of PowerShell is this an object-oriented language so you can basically incorporate incorporate any the.net objects and use it basically as you will on man line uses parameters that saw a variable base so everything is kept within memory so if you write which are variable i gets reuse you can use it in code and you can background job just extendable you can but white pen testers doing young parish oh yeah I don't know whether anybody keep sort of a finger on the pulse of

Windows Microsoft these days but starting with white server 2012 introduced what was called a car installation where there was no GUI and pretty much the only way to interact with the operating system apart from the remote access tools like outside whatever you it was PowerShell so they put started to pull their eggs in one basket way back in 2012 07 2012 but now we would serve at 2016 coming along basically the default build the server is going to be no good there's going to be only PowerShell well there is the option to add it back in what girls use gooeys anyway so and then the windows are Microsoft are already got banging on about this new thing called nano server

which is like it's just enough operating system setup or I think they're mainly pitching it over web but also in the data center in the cloud and this is only managed at the moment with powershell and the DSC which is there like a pull picked up chef type implementation which allows configuration from a low-flying sauce and their pumpkin so much into these new operating systems of the way they're actually managed they've brought a new level of partial a partial five they've been books played around with the new power shell fire with windows 10 a lot of functionality in Windows 10 is also based on powershell so come shelves now like Microsoft's like bash almost the Linux it's the core

of the operating system previously like Windows was a GUI with some tools in the background now its power shell with some tools api's and everything else through powershell so they kind of put all their eggs in one basket and moving towards wipe our shells involved so why should we invested use PowerShell so alone taking over here just a quick summary of a few tools that pretty much awesome to use in Paris after they invoke commandment basically you can download honest man and supply get to be passwords and mini cat the want to highlight involves I'm going to talk about how every crumb but basically the whole framework of tools just out there brilliant powerful scripture import to a

Harrison them probably could handle in their company Empire vine and I will shell guys across tools guys really should probably no longer than a year so what we have before a mess for you so when you get session on mass boy how could you use PowerShell nor my host so the answer is that you couldn't really there was a couple of scripts in there that allowing for X cute one-liners or one script and see the output slowly wasn't quite intuitive and nothing was preserved within script so if you want to import module and running multiple functions within that module you just couldn't do it yea after in one module at a time do we want it so this is so people bit of a

background so everything we've done with tests on this talk scenario so it's quite a quality environment everything's gone through fire order that's got a B on it everything goes through a proxy with the user based authentication so it really simulate a real-world attack so just want to show me that give you a bit of a concept so the old way so this is the way you said currently have to run if you want to run basically PowerShell and anyhow so I'm assuming you all know how to get a powerful interpreter sessions so we're going to basically go from there on so as you can see I've got to interpret sessions some of you a consummate our these are all again

behind of the name this is me running a single script on the host you can have to append each strip the function that you want to call and then it goes and it uploads it by a kbytes cuz there's a limit on the command prompt and then it comes back and it comes it all into a script and then you have one sorry Geppetto fire starting on second and then you can output it so that's just an example k used to be able to run it and its origins look that easy try that hard it's just a great truth and that's not really how power our shows view for retaining scripts your claims that between

function yeah I was just going to say that this retaining variables inside of the powershell for Disease one of the big things that you probably don't know about is when you type how shall the exe and you run some stuff and in plex of information and create some variables and then close that and then reopen it again those daily existence they've gone and that's what I've been saying about the fact that you need to preserve as a pen tester we probably want to preserve variables or preserve arounds or what over text files or whatever that were generated inside the session and now yeah so so you've gone there well this video runs this is power view which is a

bit of a larger script initially ran get password is a fairly small screen as you can see it takes a shitload longer basically and there's a lot more scripts and planets that you want to use a power youth function brother and so this is just getting the users user counselor domain but you might now I go in another function so it just doesn't work how do you want to be able to use it you want to just run all the functions all in one again you know I work for you all this for this is another one power up but again more than some guys you want very poor check yet their pen game overall

checks function to the script and then run it and as you can see it takes ages this is like a really big script so we just wanted to kind of show you'll give you concept of what it was before going with what we came up with still going imagine this over the incident I just want to represent vulnerable services I'll go to bed so a bit back background yeah this is what this was born out of letting should be up these things called clinic days were some of us society presentable smaller versions of what we're doing down and we have one powershell and I was sliding apparently and we had some issues that to say the

least I think it was like acknowledged or like if I don't know what it was like hopefully think it's quite work and we haven't up need for getting these thinnies strips powers white and power all the power of the power tools and this kind of thing on to the victim box and I kind of went away and i thought i'm going to achieve this like scripted basic website repeated all that it happens every time the same we've always got this tool set where we white and we know how to work so i came up with some house shell scripts again that used a tool that was probably release what about a year ago at Derek on faulty

nothing but Powell cap which is neck happen in PowerShell antelope and I can it rare these scripts up to use the power cat session and embodied scripts from the actual get home sites of pals fighting these these are the guys and then actually pull them into memory which make things a whole lot simpler and a lot easier for us as pen testers to be a rather largest room dear strips boomin all the tools are there which is fantastic because we never had for but then blends it well what can we do this room that's why and that's where our real so trials and tribulations start with this old thing this is what's new so yeah basically interactive

powershell sessions in mass going so it's not just a payload it's naturally a help you session type so you have to change the whole command prompt session type to pay and you perish our session so that you have to run now great post module to go with it not just any of the any liquor existing programs will work with it and the same session type and this is the kind of quick demo what it gives you basically it's like an older box experiences i call it so when you pop the powershell shall that's like it looks like our shell apart from its not blue and white is black and white well can we play like we change the covering

interview bus oh you that's like what have you running it so as you see there what comes up on the screen is what you get when you a pawn shop and that's essentially what you'll can either show you a lot more than I just want to add that this isn't a trivial task I don't know if anyone driving in temescal is an absolute [ __ ] the coding that you have follow at all processes and everything it just takes forever we managed to get six pull oppresses actually fully approve if you look up I think one of the guys who's helped massively me cause of their and a few other guys I'm sure on here hoping 78 comments one of the

payload went through just to get proof you can see the kind of or later when producer just to get this infamous point the only do it in like six weeks yeah it wasn't a bad time and when I HD r you talk to him for helping a lot as well so yeah so how's would put sir that's for nickels access granted so we shouldn't everything in memory there's no description whatsoever so it's completely offset state so unless you decide to save the file to disk the rest of it is completely invisible to antivirus anything to do in there is completely safe to be true the flight info many cats directly onto a host of the moment it'll just in mcafee less

than well I'll go out notes get a little bit anything that were you before the defender and that will touch this all there is a way to stop Windows Defender detective this so this is the new way so again we'll start on the same process will have public sessions raining pretty firewall retaining the session just well this is really there are multiple ways to deploy these payloads to stay out palos so it's not an exploit I do it a different way Ben does it appear psexec and I do it with maybe like a web browser and get the Victorian that way up there's multiple ways to get the cheapy so we've the phone is flying

basically through a firewall we can't get to indirectly and we want to now to come interpret session we upgrade that session to a parish shelter we can do all that fun stuff so one way to do it the payload inject option so that basically injects why the pale if you give it into memory directly and that's to perform with doing and so I'm running a buying shell now against the host using port forwarding with the mats Lloyd they're just alike on ack suppose you added a root and this is the load module function so the load module bit basically this goes and grabs loaded two scripts off the internet the commandments that you want to run

and it goes and directly into memory using the system net that web client with a parish out so that's kind of how you weaponize the shell you don't just get normal powershell session it's interactive that's the first really cool stuff okay secondly is that it goes and downloads all these basic your anything get over to your blazing great experience they're all that family doesn't touch dish and you can just start racking off your power you command invert that you there all that sort of great stuff that you want to use you can also set back that the URL a poor sales from from a local web server so if you're on an internal network where you

can go into access brother for web servers apprentice box with those tools in in the right for Malcolm cool so there we go we've got an interactive parish or setting like command prompt but it's purely PowerShell everything's retain all the session variables everything is purely in there and all the functions that we've loaded well now you can just run straight off the bat so who am i obviously in the parish malfunction and but this is a manner that we were loaded to get you could be password so literally just running it knows about the wall you can run it like that and command line get back instantly there's no waiting around there's no cocking it off background the section

behind you can any other session in matts for you you can write post my daughter to interact with it showing how easy is there's none this waiting on for hours see how quickly that loaded yeah look at this message it's like mid size but windows box with power shortage there's no tub completely 40 caliber maybe wedding my somebody was talking about making it happen in service of what we do but again yes as if running bases in previous chats and when I just saw talk about all the PowerShell scripts that are out there are loads of cool ones and we're just showing you how you can use them easily biomass procession some of that I've

been quite interesting with quality initiatives more about how i can run stuff in the background so when you get one session if you've run something on the command line while you do normally it sort of users of that session and a lot of this stuff like in your bed so I don't about responder basically it's a netbios spoofing the tool that allows you to gather the hashes off a network and when you're often again through a firewall you know on the home if you want to run stuff like that but also you want to run it the background if you don't want to see everything as comes back you re printer two hours come back

and get hashes also you might be wanted to run under command so as this place to get jobs is PS job in PowerShell it's a great look function basically just runs like screen on linux so you can just basically start a new session give it glamour and it'll just run to sit there pudding go get the output periodically so that we found this works really well so example if you're using invade very similar to responder just leave it running so when they're just mention about stark jobs is mentioned something else start jobs actually starts a new power shell process so if you look in touch mode you like to partial VX seizure of multiples and if you start with in too

many jobs the victim box might get a bit stressed or a bit slow or something like what all of the scripts might take all the results is on might go loop in a loop and basically breaker box so you need to be careful how many do what just beware and turns up selfie you wanna be a father loves you if someone is quite savvy checks the process that in 10s come to me in look a bit dodgy other words get around that so again so this is me is going to go down we've got loads of demos so I just thought I'd print screen so again you've got the session and basically i uploaded in bay

but this is not doing any memory following so you're gloating day to the house star javascript locked and then give it a ps1 file and basically just sits there running as you can see we are glad we have modified in vain to run as a function so you can actually import it into it into a powershell i will shell metasploit shell we've developed it does work that way also yes some people write scripts that as soon as you load them at runs where that isn't how you want it if you use this because obviously if you're important that's going to scream shell so you want it the way they writing functions like most of them in powerschool so like in

between recaps you loaded into memory and when you want to run it you run the function invoke invoke all checks or mini capsule or whatever so in very wouldn't mean quite like that so Dave just change it and basically works like an answer burden that top seconds water than save anything to discus a fire the actual huh sure that you get as well limitations of the faculty switch sides of the session you've got a copy paste vehicle you want to go

you guys are essentially but does the pipeline with powershell as well as they call it you know you have things in bash the same kind of thing the subcommanders don't like pipeline but you can I stuff out to another place one of the things I like to do to get past antivirus when I can actually drop stuff on a box i'll get it to it is used new PS drive which is like nothing to drive you through PowerShell and this right if you stand an SMB server on your pen test box and you on the same network or you can reach it you can use new PS drive now the drive with which got to share full of

bar full of powerful tools of whatever you want an answer by student see inside so you can basically get sorted evil tools and anton artis nothing so that's probably yeah sorry go back to the get job so again I'll just run that job to get a job you just seem listed a three or four it'll all be listed there to receive the output from that job and just type sort of cheap dominantly and the idea of the job so again so that's me running advice proofing on on the network it's going back saying advice witness disabled whatever for their houses but you look really long enough and you're going at half so again I'm not here to talk about

what the strip does that the functionality you can use it within hours you can bring it as a job separately they're running wake the vehicle ashes take it back and it doesn't interact it doesn't mess up your session essentially a little bit about the code so it seems like it's a lot for actually because the oil powder really is really not kidding you know you can use all the dotnet objects to create or teach of defiance and ssl streams and basically there's two pages of code here I would work for you and go for it all essentially the topic and if you're in a proxy away environment when you go to download the modules you want to make

sure you're using the credentials of that login user and you don't have to supply them because if you want to know that point so that's basically the first function of the top powerful I'm pretty [ __ ] with names and demo why I or the pattern but it's kind of stopped now it's so obvious thing about you see great over very imaginative at one of the hell would survive the power so when we first create this it wasn't quite as well they didn't have binding our reverse Robin ssl aware but when we put it into mastoid HC way I was really good but it's all in clear text HTTP Lorana okay all in venice's have my

pendulum and your own internet as a vine that one traversed okay we'll go and find that and so this is kind of how to spawn into this so this is basis you can use it as a buying shelter or this one thing we want to do in the future is a risk HTTP which again I'll come on to in a bit but that's the first bit of 7 line of code as you can see it's not very very clever grip if it's clever godlessness its roots profit or loss but I'm not going I'm going enough we must up together and I guess so the download that's down the cradle survey stakes proxy potential goes down as module that

you supplied from as wood and basically wire loop is the main bed so it's it's ended man and pretty adversity back to you in the street and wait to another command that's essentially the world with that does everything and one thing we did notice is the size of the limit as you can see quite at the top twenty thousand k bikes now and we started like tonight 255 and we found loads of errors just because when we try to upload a module which again will come on to an invader is it its natural i negatives of bites at a time and I just took absolute age and yet dying what so Elliot increase well I ball round when I

started trying to develop a script sons was great so we were that you are well it won't be a workout I would been struggling with this and he looked out for like three minutes ago fits this you are the Deaf it's this and then he worked but essentially everything you type in is plating it to invoke expression in PowerShell and his wife is out shrink to get the response back in most aspects so I suppose there are some limitations about how much light in one line like that so that when we found many invitations at all with it and if you do you just upload the whole script as a function and do

so we've done some extra stuff as well this top line 64-bit powershell sessions that was another one of these why the hell is this thing they'll work several well I used to be able to get to work every time and he had loads of trouble and I'm like what's going on and then we actually worked out what it was because of the way mascot actually deployed it's a payload at the end of the day the way it works is it uses the command function and it actually deploys it using a bloody to pick 32-bit piece of code so it was deploying our 64-bit powershell session into a 32-bit process I just didn't work so once we works on that

another liable moment we decided to develop specific session which gave us completely focused on one thing are they is normally ordinary that wouldn't matter however when you want to get password out of lsat which is really the 64-bit process you kind of screwed if you're only 32 the Christmas just can't see it so that would boil everything else works except when you want to get into a 64-bit process when he was running a 32-bit Windows machine you but are great to meet growing up because every time yes you make that work work work [ __ ] so this will actually quite a bit chosen is kind of happened HT was out again with it when we try to get

your mask boy but all it doesn't look like it's a big thing it just took a little while to get it's just that wall you stare up for hours and hours and just don't see anything plastic swallow those moments but like you said earlier when I codes when you've made this happen because we need to determine I Benjamin should we've done an ssl spot so it's completely coated sorry HTTP you were 21 that's good and still is it so the moment if you so if you initially employ this without using an interpretive session and you do reverse due to pain that's not proxy aware so it won't want to get your shell if you're in a proxy

where environment if you use it you know the ers is shaking they allow for three out without going through Fox are you happy but if not you can't at the moment so we're working on that I can get it working just fine that's what the load script is the thing that caused me other's hair and be greater that's more of a so you're in you've got a section you've got a script that you want to load locally so maybe the hopes doesn't have any ports open useful so you can use a local web server there's no internet access the load script is like hopes module almost in a way that you can use the strip to load your power

supply your power tools you all these other things through the matter message quite channel being so they actually victim gentlemen we're still trying to get laid too much like some reasons a long time we don't really know why I guess last weekend CT eight years work night but I think that will be once that's their that sort of big power function LTR allows you to do a lot more in a library locks down environment yeah lets you load it from either file on your host or give it an older so do you fight I have a pen have folded back no matter that day we want powershell scripts in once you got session this power show you can say

right hello doll that script in that folder then i'll just clearly i'll just got a massive weaponized session so it doesn't go off to the get up and get the get an obsession like you the way did this is 280 renovating so ever walk away to me but I it's just that just stops every issue like regress on you feel like that because you actually been able to connect through prevents quite channels or to the actual session and we've got a few simple post modules book they are some bloody really any men to a talk about how simple it is to our personal you realistically it's when you eat post on your phone I guess we didn't

really know how much would wanted to go with this so we didn't know whether they wanted us to provide although at first one who's already exists so for example messing with a listing all the services and service by agreed on a house in Windows is quite difficult because you've got you to SC to get a name and then you go look in the registry to get the actual image path when you're doing basic preventive checks and things like that whereas in power shots which you like one line of code and it brings you all that data back so it's like well actually yeah we could do with it run even post modules that already exist but for the

PowerShell session so just again that's like an interview process because none of them have their own support PowerShell go through in anyone's that we think we can migrate over we can just go ahead and do that or anyone not just listed and finally those that the rewriting of mixing modules HD said to me one day basically I'm every object oriented I like to go top down with my coding so everyone you're like creating sorry every pelota created 6432 like you to copy paste and makes you so no wonder you mixing module and i won yeah i basically just object-oriented other places at once superclass and you call it from that rather than writing code ten times make sense if you're good so

i'm just going to demo the 64-bit basically with the mini cats that the loads of laundry so y'all know how this differs well i'll talk about it we have to write a bit pretty simple again this way yeah so i'm doing different way this time so i'm using this exact so when this is like wait you during all internal pat tests you've got add me crazy surround and you basically want to get powerful session instead of a richer procession you can go straight here then go right on a powershell and find tcp 64-bit straight out the back 30 would in the our house payload with poor

Oh

my secure passwords but absolutely I'm worried about not working but I know video rather we had such a discussion no we need to do it live than the believers much like the other war when it goes wrong but actually bingo wrong with it so you can see it just opens up pretty quick to it we haven't loaded any it's not wet my marriage to purely powershell the u.s. system because you bid them in and a subtle services system the cool thing is now so we're going to weaponize it with the other way this is a post module again it isn't in that's wait a moment if you use our version of math squad from the from Ben's gear it's actually

there but again I'm subject to change it and yes is not approved in a pigeon racing so you can give it a folder you give it script and then you give it a matter spoke such depth sorry para short session to the Indian family we're going to show you how quick mrs. as opposed to the very hostile way instagram so basically it chokes it we have to write stadium because of what was said before about the bite size limit was to fight for we thought that to 2005 now and now you can stage in two thousand bite jobs so you can just rip away the code basically it converge the script to the basis of forward splits into troops if

you set this to the bonus which I didn't for the video it's showing your loading each chunk and that's how it sent one yeah it's a learning 45 gemstone songs that's quite a big one that's probably in what movie but it's still fairly quick doing what what size of scripture alone so you just leave that learning in 20 scripts 11 or the password stuff full power

so you can see it up to basically it pucks in two variables you see that out unfortunately but they're all in there now so you just call them as the function in the module then maybe half the size exported machine you're in your system you can outtalk else asked and you can get the clear text passwords out memory which is happy day so anyone who's wild on the box you just get the password Elsa again no such as this so this point amy has got no chance at all and even a forensic investigation pretty tough to find of this information is power you step again I'm not going to show you all of them but just show you a

few of the more thing just to prove that it does whatever we're not just talking [ __ ] now if you take a little while was a wicked talk walk I just probably good there we are going to big domain you want to know what's out there from networks that should go to there's any cream cheese this is quite a big deal isn't it a lot of people don't think about trusts and actually what you can do if you can access information on interests and also now many cats Bali believe it can actually use their trust abuse those trusts to actually create tickets in pair of devices subdomain of childhood shall commence through absolutely the

domains utama trust set between Alec million cats has not once just to show you there so what you might not realize is when you're running like power do it gets an object back so like a pipe that threw for each basically I just wanna get the same account name basic term yes they would just be aware that when you rid of these tools some of the powers it brings back an object so you might have to then pipe the object to find out what fear the object that you want so if it's not working it might be worth giving my knees give me back blows day so this just aware that when you win stuff in parish on it's been

really good essentially creating mapping object yes last one is basically the HTTP proxy so like I was saying before you could do to reverse tcp for the Crocs you aware a situation yes when you a proxy where situation and you want to settle in a pouch or payload by some document via forever and and you want to use the proxy that's built in I've really enjoyed all that so it does the backhand side of it but it's not integrated into masc yet so as you can see I've set up a ruby Haitian to feature the handles to repress this side and I've set up a load in and you get a powerful session and that's all

basically over HTTP so it's not just a teacher's be stream it's all by a teensy or proxy logs anything but this isn't quite integrate information it's just as good of a shell and we're getting the essentials that with it it's just been quite and at the time you go into medicine we are coated in needs to change to get that fruit and wait until the house documentation ism follow but we'll get that simple functional and that's pretty much it as you see that most of its matters quite stop it but again energies telling you booth red white girls while all of our and in a simplest way it's using the three lines that I wanted to

print and whatever just rips it and you use in the session shelter them and the contents of the PS command variable to really the first module of our session yeah first it's in its simplest form if you want to go out there by tomorrow or put it in your data set or folder and use it against our powershell sessions and that's what we have to do coffee place that you can write like load if you don't need you but you can my PowerShell command sorry strict but if you want to prop it in Metasploit you can go you poster with a set of session run that's how you do it it's all that bring

the back is all the services obviously anything you can write in power shopping for my Indian so it's just quite a cool way to 30 inch credit so it's a bit more like Empire so Empire uses the modules and doesn't like doin anything directly that's how you can do that motorists bog standard medical stuff so this is something that I've been working on recently as we said earlier that the PowerShell ps1 it's a powershell script and lattice weighting system deploys park on his payload and that's where the PowerShell ps1 script lives if you take that coat and modify very slightly you'll see it's a function you can actually incorporate our function into a

script and then the rest of this to you really it's just what you want to do with it so we talked about our compact is well that's how compact it is when you need to use it in a powershell scripts 46 lines of code and in this one I just don't looking to see at the top there you're not going to see where it says change this at the top so that's an IP address where you want the connections come back to buy into and then the part and that will when you run that and you've got a listener there it'll come back and give you a PowerShell session it's as simple as that so how can we use it well a

phishing attack for instance so we all know about phishing without strife already a Kshatriya complete see word document for instance all right cells you're one of them I've been a stager a macro or a batch file or another whatever way you decided to make this thing so it calls in the PowerShell scripts from your web server or whether you be certain deployed and you get a reverse shell and it's all in memory again you yet now antivirus issue and if you choose to use Metasploit as your listener you get exactly what we just show you the videos and we talked about earlier okay so if you want to get a bit more clever and a bit more evil as

it says that we're going to use PowerShell in its proper way that powershell can work so we're going to write a script and use functionality from shoulder as it says they interrogate the network and active directory I'm assuming were Derek an active directory situation you obviously you do get done at the bottom I'm assuming that so we're going to use PowerShell to get lots of information back about the network and active directory she's all built in we're going to watch the user to give me the necra den chills and we're going to get the box to email it back to me and then we're going to drop a shell in a new process using PowerShell all done

ethically like says they're all done with powershell so if we take one exam one part of that we've got let's get some information from the network so we're going to use WMI Get-WmiObject which is windows management interface half power shell let's query the network let's clear the local computer with no information about that computer whatsoever using standard variables are our end go on Lara Lara building so let's get all the information about the machine we're actually attacking you let's look at active directory this is just an example this is part of the fact that he needs to emails look back out to me nice that's the query active directory again with no knowledgeable of

the domain or a security we've dropped on sir we use powershell with commands like that using System.DirectoryServices ActiveDirectory all .NET built in powershell all native ADSI searcher which is another built in searching functionality for search active directory again here we're looking for a looking for an exchange server we find one of the boxes find one at the bottom you can modify that's final all that you wouldn't hate it so can we saw a light variables genet so the next part we want the users credentials as a lovely part in PowerShell called Get-Credential the cmdlet look so we create a function get pass work on it we ask it to pop a

box that looks just like a windows credential box because it is a windows control box we pre populate the username with their domain of their username and we ask them for their credits which they typing lovely and click ok then we use the information with lighted from exchange blah blah blah and we use a lovely windows early PowerShell cmdlet called Send-MailMessage which basically sends an email populate whether our variables sticks and stuff in the body from all the other we've collected boom sends me an email baby generally no well I don't use what you've got against it and then this is another part this is what Ben was talking about which jobs talked about

the staff job earlier this is these up left two things in there thurs what call the job method which bends talks about that jobs if you run too many you get too many instances blood above that the way I haven't used it here is I created a script block or it's actually not separate fun like Ben's was dropped on the box mine's actually Park the scripts you create what's called houses with one and then the job is running from the function and blood of our like through there I've been too technical other then there's the other method which is what probably more work today stroll runspaces which are a lot more control you can buy what color throttles and supply

that stopped the actual process is running away with themselves and you can remorseful to leave an unnatural memory and the process service campaign you can you don't impact on the box whatsoever so using either of these methods whichever way you choose we can drop PowerShell into a completely separate process and connect back to our command and control and just sit there up early even after the main scripts did you don't so like I said you asked for the creds that's what the user sees on the screen like I've bled about my domain out that's my pacifier username there any type of us went into the box one lovely thing about power shadows and max off if they thought the big cube for so

you know you type that in but it's encrypted well technically not it is encrypted well there's a prophecy of the get up get so good actually allows you to extract in clear text only if you do it well that powershell sessions actually active if you close that partial session the key is gone completely on everything fruit so if you actually take that property and stick I in your email you get there clear text grunts and that's just the that's just doing that are so listen to do with netcat or ncat or even wanna come to enma obviously i been saved accessor sale you get back it's up to the same thing despite winning the

PowerShell scripts so this is just how you can use it outside of Metasploit it's not just in that's what you wanted to go in the mess with it you can face it a day just taking it mess with in usually completely standalone it if you want to use it that way anymore that's next look again that's just the email that my email account set back to me with its insulation and that's basically how you well you just get whatever you decide to collect you can get the whole thing to send email about and that's all in basic functionality so it's not just the lattice point is actually a usual thing you had to be responsible hackers i guess if we must

ok so is it possible to stop this yeah so you can do close monitor them as well you can blacklist stroke whitelist applications in fact I guarantee good policy you can change firewall rules to stop accessed by it whatever challenge we decide to stop those are the 18 for for free direct and that kind of thing and then you've got systems like Bit9 and Carbon Black after Steve clearly that one on the end of this week yes they were like we've written a blog post about stopping this new Empire tool that's been released that be sighs over the last week though so if you see that that's the event log so i guess like same systems would see in the event log

that powershell.exe was run but that's all they see they don't see what's actually being run inside the powershell sessions yes they would you see this in very proud of these apparently they would just seem purely PowerShell being run with their encoded script block and how do you reverse everything else has done and no that'll be log here so it's fairly simplistic and actually that needs individual boxes to be modified registry hacks to allow to happen to see the bottom you can actually see for us this command line powershell like I was in calculus exam what he was there but to make that happen you need to have your very own which box to do it and then we've got

group policies I said blacklist or whitelist obviously out the best way to do this white listing is probably the best option that's one way to stop it running and that won't stop the attack if you can stop powershell.exe running in our context that is the game over is no there's no there's no ifs books wise main reasons the end of the game but there are ways around huh and then we've obviously got seven firewall to stop any uterus Bit9 Carbon Black retinol they can do this kind of thing as well but they only detects powershell.exe being run they again have got no defense against the DLL injection reflective DLL

which another way if anybody's seen or I'll use Empire which was released by harmj0y and sixdub besides lb which is like my favorite in pop culture they've got what's called reflective DLL loading for an agent or session there's no defense against our present so you don't get that PowerShell action box you block it front row center thought you can witness the allow somehow probably many people don't understand that the powershell.exe program is just a wrapper for .NET and all the APIs behind that windows is essentially an API based operating system and powershell.exe just provides a front-end that allows to access all that behind it so you can

actually even gotten that classy cell so we can interact directly with it and that's how the DLL injection part works with the back so essentially you can use PowerShell I'm sure if you have get using it and pretty cool for a job where people stealthy and not just get on with it brickma how great a blog about it at using it your choice so if you anything pick a side homie available at well later so from a go for anything but yet quite suitable buffer and hope you have a look at any random slate after this is being run to look for things like the email address that nods might be set being sent away to or anything like that

no that would be an exchange that would that be because I step for a box women so you're effectively you've the Send-MailMessage is effectively using like the exchange server to send the email other users connected to or i will first record of the commands would be left behind from the PowerShell clean though if you use something like Volatility over a standard windows RAM dump you can pull out a list of the recently run commands from command i see so would that be similar to powershell because the scripts are being run that it will essentially be like typing out the commands i'm presuming into ram parachute while the if the house of them in boonton it's in

the same fashion again not to shoot myself before you exactly like I've grown is more digital forensics so if this was to be entirely stealthy be useful for it to go back through memory and perhaps or scrub things like that out there because responder they're sort of things that people are going to be looking for you should download quickly yeah what you can should publish don't be so sure the way stopping we thank you so now it is a really good point i have a look that's like that at all because that's not really my side it but it's worth looking at because as you said with the vostro you would get the output etc around all of those commands being

run there you see anything text goes to the time so even though as a from a remote attackers point of view you're not going to see the descript being put together and the little line of command through email it back to yourself you're just going to be see email this to me essentially or whatever I find you might be running I do be really interesting to see how much of the actual script gets left behind in our job for you right make sure you mention anybody else I guess some some might pick up maybe like a PDF in or something and it's got our references I think it's over time will actually stop it and be a taxi memory once you on the

box yes I talked about mimikatz can be detected but only is it's dropped on the box because they detect the actual name of the file and some of the others inside politics so if you change the name of the file and you take the head is aways and then like I said if you open the PowerShell command and then map the drive with New-PSDrive your share on the other end that's what should all your evil tools in it you don't see anything so you can win them happy as much as I an antivirus will not get interested in this thing you do it lutely immune other one I think some are trying to make it's a virus that's the

hook in memory but you've imagined the overhead on looking a memory and a PowerShell session on that solution was canceled