
Adding PowerShell to your Arsenal with PSAttack

BSides Charleston · 2016 · 55:34 · Published 2016-11
About this talk
Title: "Adding PowerShell to your Arsenal with PSAttack" Speaker(s): Jared Haight (@jaredhaight) Jared Haight is a Security Engineer with Gotham Digital Science in Charlotte, NC. Before making the transition to Information Security he was a Systems Administrator for a decade where he spent most of his time writing scripts to automate everything he did so he could spend more time looking at pictures of Corgis on the Internet.

Alright, so this is Incorporating PowerShell into your Arsenal with PS Attack. My name is Jared Haight, I'm a security engineer with a company called Gotham Digital Science; we're a pen testing firm here in the US. When I am not staring at a computer I enjoy going out into the woods and getting as far away from technology as possible. I'm the co-owner of the most adorable dog on the face of the earth, his name is Eli, and he has no sense of personal space and a really adorable underbite, and that has kind of led to him having no concept of what words like "no" or "bad" mean, because he just looks at you with that underbite and it's like, alright, whatever, you can go back to eating bunny poop or digging through the trash or whatever you were doing.

Speaking of bunny poop, I also own a really adorable bunny, his name is Bruiser, and he had a really bad night a little bit over a year ago and now his head is stuck like that. He had a medical issue that has basically led to his head being permanently tilted, so he walks around looking really adorable and really curious all the time. So let's go ahead and talk about PowerShell. PowerShell's gotten a ton of attention in the last couple of years, two to three years; it really has picked up a lot of attention, a lot of chatter.

Basically PowerShell is this command line scripting language that Microsoft came up with. It just celebrated its 10-year anniversary, it's been around since 2006, and it's a scripting language that Microsoft created to make managing Windows easier. And so what they did is they built it on top of the .NET Framework, which is already this very robust API framework that developers can leverage. They built it into this and basically, as part of that, it gains access to really all the existing Windows management APIs that you might already be familiar with, WMI, COM, stuff like that. So it's a very, very powerful language, ties in with all Microsoft's existing APIs, a very well-thought-out language. There is a reason why it's gotten such a positive vibe lately.

What makes it really cool is, being a relatively modern language, Microsoft was able to kind of look at the existing scripting languages that were out there and figure out what worked, what could be improved upon, and that led them to make some really interesting, very, very good conventions. One of the things which a lot of people hate about PowerShell is it's very verbose, so all the commands in PowerShell have a verb-noun syntax, and while that is very verbose it also makes it really easy to understand what you're working with. You know, if you're going to set the content of a file with the Set-Content cmdlet, you can kind of figure out that Get-Content is what's going to read the content of a file. So it makes it really easy once you get used to those verbs; it kind of makes it easy to approach PowerShell and really quickly get up to speed and start doing some interesting stuff with the language.

The other great thing is, being a language that was developed whole cloth by a single entity, they were able to implement conventions as far as parameters go. So all of the cmdlets in PowerShell use similar parameters: if you need to talk to a remote computer, that is always going to be the ComputerName parameter, no matter what command you're actually working with. Real different from coming from like bash where, you know, sed, awk, grep all have their own individual parameters and stuff like that; you have to really do research on each individual tool to figure out what you're trying to do. PowerShell is a lot more intuitive that way.

The other great thing is they, from the beginning, put a heavy emphasis on their help system. They have a help system that's run through, it's called Get-Help, and it's kind of the equivalent of like Linux man pages, except the Get-Help documentation was actually written by like normal, sane people, as opposed to like computer doctorates from like 20 years ago that were programming in like C and assembly and developing Linux tools from scratch. Get-Help actually was written by like normal people who actually use these tools to administer systems, so in a real change of pace Microsoft actually made a usable help system, which is greatly appreciated. There's tab completion throughout the whole thing: all the parameters, a lot of parameter values, all the cmdlets, everything you can just tab complete. Super helpful.

And something that's maybe not as obvious of a benefit unless maybe you have a development background is that PowerShell is an object-oriented language. So instead of, in Linux, when you type, you know, you cat something out, you pipe it to grep, you're taking a string of text, and really whenever you're piping commands in Linux you're always dealing with a string of text ultimately. With PowerShell you're actually dealing with objects, so you can take a service from Get-Service and pipe that to Restart-Service, and Restart-Service automatically knows what to do, it knows how to handle a service object. So really easy to work with, very powerful, really cool stuff. I've gotten some pushback on calling PowerShell an object-oriented language because I guess it doesn't fit the minutia details of what makes an object-oriented language. My background is I was a sysadmin for 10-12 years before moving into infosec, I don't have a development background, so looking at PowerShell you have objects and the language seems to deal a lot with said objects, so as far as I'm concerned it's an object-oriented language.

So like I said, right now it's being used for a lot of administration. If you run Exchange Management Console, since 2008 I think, the Exchange Management Console is basically just a front end for PowerShell; it's PowerShell commands in the background. If you run the new Active Directory Administrative Center, which is the replacement for AD Users and Computers, same thing, it's a GUI that you're interacting with, but you can actually toggle the tab and see all the PowerShell commands that it's running in the background. So really Microsoft is pushing all of their management to using PowerShell. It's used for a lot of automation, so if you're familiar with Puppet or Chef, Microsoft recently started pushing out something called Desired State Config, which is kind of their take on systems automation, and it's all powered through PowerShell, and it's because you have this modern language that speaks Windows and works, you know, at scale really well. It's an excellent tool for incident response and blue teams because you have this language that makes it really easy to query all the computers in your environment for a specific event log or for the file contents or a hash of a specific file. So real easy to work with; blue teams really latched onto it.

I'm not a blue teamer, I'm trying to learn as much as I can, but it's just not my area of expertise. If that's something that you're into, you want to learn more about PowerShell and IR, I definitely suggest checking out invoke-ir.com. That's a site run by this guy named Jared Atkinson, really smart dude. The last time I checked his blog he had an entry on like reading raw file tables using PowerShell and stuff like that, and like reconstructing MBRs and stuff like that. Dude's just crazy smart, so I definitely suggest checking out his site. They're taking pictures to my right, it's kind of freaking me out.

Alright, so we're red teamers, right? Like, that's great, we can administer stuff, but how do we break things with PowerShell, and why do we want to use PowerShell to break things? Why is everybody so excited about this, or scared? So PowerShell is actually really hard to block because it's part of the .NET Framework. A lot of people, a lot of CISOs, a lot of, you know, IT departments, they say like, oh my god, PowerShell is being used to wreak havoc, how do we stop PowerShell? And you really can't, at least it's not easy, because it's actually a DLL within .NET. So you can block access to powershell.exe,

you can block access to like the script editor, you're still not going to block the user's ability to run PowerShell commands, as we'll kind of cover a little bit later. There's also just not a lot of awareness on the sysadmin side. Microsoft, despite, you know, pushing this for 10 years, sysadmins still want to point and click at stuff; Windows admins at least want to point and click at stuff to configure their Windows boxes. I know this because I spent the last like four years of my career as a sysadmin telling everybody like, guys, you need to actually learn how to type into a console or else you're going to be back at help desk within the next 10 years, and nobody would listen to me, and I would teach classes and be like, look, this is how cool PowerShell is, here's all the cool stuff I'm doing here with PowerShell, and that would just kind of lead to me writing PowerShell scripts for everybody else in the Windows systems admin department. So Windows admins, they really, really like mouses, and they're just not aware of what PowerShell can do. They're not looking to block it, they are not aware of how it can bite them in the ass.

This has also led, because of this kind of environment, because PowerShell is so powerful and it's really hard to block and there's, you know, a lack of awareness, the red team, the offensive security side of the community, has really latched onto PowerShell. So a lot of really great developers have kind of latched onto PowerShell and they're doing just incredible stuff with it. And what's great about the guys that are really leading this charge is they're very mature red teamers, so they have very mature methodologies and a big focus on being aware of data forensics and stuff like that. So their tools, they'll make sure they run in memory and they don't leave a trace behind, and, you know, stuff like that. They also bring with them, a lot of them have a heavy development background, so they bring with them very mature development methodologies as well, to the point that I really think a lot of the PowerShell scripts that the offensive community has put together, they're really like the gold standard of like how anybody should write a PowerShell script. Get-Help totally works with most any offensive PowerShell script out there. If you guys are familiar with Invoke-Mimikatz, that's one of the like big PowerShell offensive scripts, it totally has a man page, you know, associated with it; you can Get-Help and see how to use the command. From the way it's actually structured, like it's just a beautifully written script and it behaves exactly as you would expect a PowerShell script to behave. So just a lot of really good, solid work on the red team PowerShell side.

But we've been talking about PowerShell as a community for years now, and there is still a lot of, you know, from the offensive side of things, like people, they love their Python and their Responder and their Metasploit, and they don't know what to do if they got a PowerShell console. You know, on the defensive side you still have a lot of people that think that the best way to resolve PowerShell is to try to block it. So there's just a lot of lack of knowledge of PowerShell, and I think a large part of that comes from the fact that development on Windows is still not cool. Windows is not a platform that people look to to develop on or use. Like to us red teamers Windows is a target, it's not something to be productive on, like that's what Linux is for. Windows is there so we can get DA and then write a pretty report about how we totally owned everybody. And I think Microsoft has done a lot recently that has made them a cooler company, but they definitely have some cruft that people just don't care about. And so unless you're really following the PowerShell community, unless you're really following like, you know, the offensive, like, Windows side of things, you're not aware of even just how cool all this stuff is that's coming out. Like a lot of people are aware of Invoke-Mimikatz, but they're not aware of like Inveigh, which is basically a version of Responder that's totally written in PowerShell. It's super cool, but unless you're in the clique in the community, you're just not aware; it's just not cool stuff.

The other problem is it can be a little intimidating. You know, a lot of pen testers I talk to, like learning Python is still on their list of things to do, they haven't gotten around to it, despite the fact that, you know, we've been using Python to hack shit for the past like 15 years. To come at them and say like, hey, now there's this new language on this platform you don't respect that, you know, you really should learn, it's just not going to click. And, you know, where do you start? Like you have this whole new language to learn, ultimately you just want to learn how to hack stuff with it, like you don't care about managing DSC or like Active Directory or whatever, though you should, but we'll get to that in a minute. You know, where do you start? So I wanted to make something that kind of addressed all this, right? Like how do we make it easier for people to get started using PowerShell offensively? So I created this tool called PS Attack.

PS Attack is a custom console that allows you to run PowerShell commands. It's designed to emulate powershell.exe, but it doesn't rely on powershell.exe. It has real powerful tab completion, so just like PowerShell, you know, you sit down, you can tab complete commands, parameters, file paths, stuff like that. And it's a single executable: you just download it, run PS Attack and you have this console ready to go. What's cool about this console is it's fully weaponized, so it contains over 100 commands that cover the full gamut of like what you would expect to encounter on a pen test. So we have commands from more popular frameworks such as PowerTools and PowerSploit. We have lesser known tools as well, like Inveigh that I talked about, you know, recently, or Powercat or dnscat, you know, and stuff like that. And then, because you end up in the same situation of, okay, I got this scary blue box that I'm supposed to type stuff into, but what do I type? So I wrote a cmdlet called Get-Attack, and Get-Attack kind of functions as a search engine for PowerShell attacks within PS Attack. So what you can do is type get-attack passwords and it's going to return back a list of all the commands in PS Attack that have something to do with passwords. So in this case you can see we have, you know, Invoke-Mimikatz and Get-GPPPassword, you know, so a real helpful way to kind of get you pointed in the right direction to do whatever it is you're trying to do.

And I wanted to create a tool that wasn't just useful for the lab, so I wanted this to be something that people could actually use on engagements. So one of the things that it does is, when PS Attack is built, it downloads all of the tools that it relies on, so PowerSploit and Nishang and Inveigh and all that, it encrypts them using AES and stores those encrypted blobs within the actual console, within the actual binary exe. And then when you double-click that exe, when you run it, it takes all those encrypted blobs and it decrypts them straight into memory, so the actual malicious files, the raw payloads, never actually touch disk. The computer is not aware that they're there unless it's actually scanning RAM, which is real rare, just doesn't happen. It also, like I said before, doesn't rely on powershell.exe, so if you have an environment where you can't run powershell.exe, you're probably going to be able to run PS Attack and still be able to run those PowerShell commands. And it's designed to work on everything from a brand new Windows 7 install to the latest versions of Windows 10; basically anything that has PowerShell on it, PS Attack should be able to run and be able to run PowerShell, because it is using the built-in .NET PowerShell. It's basically just a PowerShell console. It still includes access to Get-Help, so you can figure out what command you're trying to run with Get-Attack and then you can use Get-Help to figure out how to use that command that you found. One of the great things about Get-Help is it has an -Examples parameter, so for example if you run Get-Help Invoke-Mimikatz -Examples it prints out like four different examples of what you can do with Invoke-Mimikatz. So let me grab some water and we will do a little demo of how great PS Attack is.

That was real fun. Alright, so in this case I'm sitting at a Windows 7 box as a low-level user, so maybe I found some RDP creds that, you know, I was able to get into somebody's box with, or physically on site I came across an unlocked machine and I drop PS Attack on there. So we'll go ahead and run PS Attack, and the first thing I want to do is try to see what I can do to escalate privileges, right? Like I'm a low-level user, I want to try to get around that. So let's do Get-Attack, let me just do privesc, see if that works. One of the things about Get-Attack, you can see each command has a type, so I tried to group similar types of commands. So privesc didn't actually get me the command that I wanted for this demo, so let's do escalation. There we go. So all sorts of cool stuff in here, a lot of it is provided by the PowerUp package of commands, which is basically a suite for finding typical privilege escalation issues with a Windows box: so services that are over-privileged, or run commands, or run exes that you may have write privileges to, or unattended XML files. PowerUp is going to be able to help you find all this stuff. The command that I really enjoyed running though is called Invoke-MS16032, and this exploits a recent Windows flaw with the secondary logon service that basically allows us to get system creds, or system privileges, on a Windows box that isn't patched for this. So let's go ahead and just run Invoke-MS16032, and that's going to pop us a command prompt, and you can see we have system access on that computer. So let's go ahead and run PS Attack now as system.

Now that I have system rights, the next thing I'd want to do is start looking at Mimikatz, right? Because we can use Mimikatz to start getting credentials off the box. How many people in the room are familiar with Mimikatz? Okay, so Mimikatz is really like a Swiss Army knife of like Windows credential awesomeness. What we're going to see here is it's commonly used to dump credentials from memory on a Windows box, and that's what most people use it for. You can actually leverage Mimikatz to do all sorts of really cool like ticket-based attacks like golden ticket and stuff like that. In this case though we're just going to keep it simple and we're going to look at what we can do with Mimikatz. So let's run Get-Help. You can see it gives us a synopsis, some links here, gives us all these switches that we could use with the command, description, blah blah blah, great stuff. Let's go ahead and run... whoops, that's my... supposed to...

Oops, let's try that again. That was a bug in PS Attack; it's open source, you're welcome to figure out what caused that and try to fix it. Alright, so let's do Get-Help Invoke-Mimikatz -Examples. Alright, so we can dump certs, we could dump creds, we can give it a list of computer names to try to dump creds against so we can run this over the network, or we can just run straight commands that Mimikatz supports. In this case we're just going to dump creds: Invoke-Mimikatz -DumpCreds. And hopefully the creds that I have staged here will work; I think this bombed out when I did it at DerbyCon, it was very embarrassing. Alright...

Oh cool, so we have the local user's creds. We are apparently running as bbanner with the password... "was so angry". There's also a different set of creds that we got here, a user name called backerupper with a password of changeme1. I think that's all the creds we'll have in here. So we're running as system in this window. What I want to do is maybe investigate that backerupper account and see what we can do with that account. So we'll go back to my user account, because he has domain access, he can start querying the domain. So let's do a Get-Attack, we'll look for user...

...saw privilege escalation stuff... find user, field, find local admin...

Almost. There we go. Alright, so PowerView is a selection of PowerShell cmdlets that are used for AD recon. It's now part of PS Attack, but it's developed by some of the guys out of Veris, harmj0y and those guys, a lot of really great stuff. What we're going to use here is a cmdlet called Get-NetUser, which is really just kind of a replacement for the net user /domain command, but we're going to use this to query that backerupper account and see what we can find out about it. Alright, so we can see that he is a member of the service accounts, and he's a member of the Domain Admins group, because he's a backup account, so of course we're gonna put him in the Domain Admins group; it's too hard to figure out how not to put him in the Domain Admins group. So let's go ahead and start a PS Attack as our backerupper account.

Alright, so I don't know how much longer I'm gonna have access to this box, right? Like I may be sitting at some dude's cube, or maybe, I think, he's already... he's going to log in again sometime soon, whatever. So I want to set up some sort of persistence, right? So let's go ahead and do Get-Attack persist, and there is one command, because that's the only command that I have written so far. There are not a lot of persistence commands in PowerShell that worked the way I would want them to work. They always seem very like overly complicated, and for example scheduled tasks: Microsoft didn't add support for a scheduled task cmdlet until PowerShell 3.0, which I think came out with like Vista, and won't necessarily be installed on Windows 7 boxes. And to set up a scheduled task using the built-in cmdlets is like seven different commands or something like that; it's not like I just want to be able to say like, hey, at this time run this command. So what I did is I went ahead and wrote a New-ScheduledTaskZ, that way it doesn't conflict with the existing New-ScheduledTask. So if we do Get-Help New-ScheduledTask we can see all the crazy parameters we can run here: give it a time, tell it to run on logon, on boot. If we do the examples we can see I provided three different examples of just different commands that you could run to set up a scheduled task, but I'm going to cheat here.

So a lot of you have probably seen this right here or something similar. So what this does is, this is a download cradle for PowerShell. What it does is it creates a .NET WebClient, tells it to download whatever is at this URL as a string, and then this IEX is an alias for a cmdlet called Invoke-Expression. So basically what we're saying is, hey, go download this ps1 file and then run it. This semicolon then lets us run whatever was in that ps1 file. So in this case it's downloading a PowerShell file for Invoke-MetasploitPayload, which is a cmdlet that I wrote that allows you to use Metasploit's web delivery module, and that's a PowerShell script that will just go out, download whatever payload you're giving it through the web delivery module, and it will go ahead and execute it. So in this case we're running Invoke-MetasploitPayload and pointing it to the URL of pwnage.example.com/payload.

Then what I did is, this is another real common PowerShell trick, is PowerShell natively supports commands that are encoded with base64. They did this to kind of help get around a lot of the issues you come up with where like you're trying to use different quotes or brackets or parentheses in like a command line prompt and like you have to escape everything. This makes it a lot easier because you can just base64 the entire command, you know it's going to be safe no matter where you pass it through, and PowerShell will decode it and run it. This also makes it a real benefit for us as red teamers because it makes it really easy to pass these commands over shells, or, you know, just a real basic obfuscation of the command. So what I did is I took this string right here, and this is the base64 encoded version of this command.

Alright, so what we're going to do is we're going to run New-ScheduledTask, we're going to tell it to run a time-based task, this is going to be called updater, it's going to repeat every 90 minutes, it's going to run PowerShell as the backerupper account, password changeme1, and when it runs PowerShell these are the arguments that it's going to present to PowerShell: it's going to say it's a non-interactive session, the window is going to be hidden, and here's the encoded command to run. So every 90 minutes it's going to go ahead and do this; every 90 minutes it's going to reach out to this URL, download this ps1 file and run Invoke-MetasploitPayload. Before I do that let me make sure I actually have Metasploit set up.

...that's true, two, yes, I'm glad I checked this. Okay, so python, a simple HTTP... new... I'll go ahead and let this start up.

For those who haven't played around with web delivery, the payload's pretty straightforward, so you specify a server host, that's going to spin up a web server, and then you tell it what payload to get back. In this case we're going to get back a reverse HTTPS, and then it just runs, so whenever a box hits this URL it's going to respond back with that reverse HTTPS payload.

Alright.

Alright, so we're going to run that, it writes back with some XML. So by default when we do a time-based task using that New-ScheduledTask cmdlet, it's going to run that task in 30 seconds. One of the things I learned from my DerbyCon presentation is if you're on battery power, scheduled tasks don't give a... and it's not going to run that scheduled task at all. So yeah, the demo at DerbyCon was a complete fail, it was great. So let's go ahead and cheat here, we're going to run this manually.

...on this, forgot the password, it's changeme1. That's pathetic. Alright, so there's our scheduled task, let's go ahead and manually run this.

There we go, so we see it come across, download the ps1 file, and it should create a payload, Metasploit should show... there we are, so web delivery is delivering the payload and we should get our Meterpreter shell back. Cool, so we have a Meterpreter session and this scheduled task, yeah, that's, you know, if you want to cheer and applaud, that's cool. Yeah, the scheduled task runs every 90 minutes, we're running as a domain admin account, so a pretty successful little, you know, 10-minute trip to somebody's computer.

all right [Music] good okay so i think PS attack is really cool i think it's it's a great way for people to get started with PowerShell I've tried to make it so that anything you learn use aim PS attack will hopefully translate over to actual just regular PowerShell prompts but there's definite areas for improvement one of the problems that I really wanted to address is that all it takes is for somebody to download that PS attack exe binary and upload it to virustotal and now virus you know abies across the board are going to be start flagging on the EPS check binary because it all uses the same encrypted strings it doesn't matter that they are encrypted at this

point they're part of a bio signature somewhere the other issue is that the tools themselves are a static so you know there's such an active development community in PowerShell that you know when we download these you know PowerShell tools we embed them in this binary you know within a week they're out of date because be able to push out fixes or enhancements or you know whatever so I wanted to come up with a way to make it easy for people to really build their own PS attack which is why I created the build tool so what the build tool does is it downloads the latest release of PS attack from github downloads the actual source code for it it downloads all of

the modules and everything that PS tag depends on it then encrypts those modules with the unique key it goes through and then obfuscated certain strings within the source code of PS attack so for example the actual phrase PS attack and then take some of the values that AV had started tripping on encrypts those sources and basically it's like a CSB that it's an encrypted CSV that PS attack is going to open up and start reading values from when it's compiled and then it compiles everything for you super easy like you don't you don't need to know how to compile stuff this build tool is going to go ahead and take of that and at the end you get your

own custom made version of PS attack that has unique foul signatures it's completely up to date and hopefully should ave davie for another day so to demonstrate this this is basically how easy it is to run the build tool whoops that's not it for the life of me I cannot get that video to play when I'm actually doing a presentation okay so all this stuff that I said here this video goes through that except it was also really slow cuz i was on hotel internet when i recorded that so you're probably better off for not seeing this video the cool thing i want to reiterate though is that you don't need to know how to build software for this to work

it actually leverages a lot of stuff that's in.net to build these software 4 u.net provides ms build exe which is the same thing visual studio uses to compile C sharp applications so I'm just as long as you have net 35 and 45 on your box you'll be able to compile PS tag using this build tool I also want to make it really easy for people to add their own tools so the way it loads tools is through a JSON file that's just in the root of wherever the bill tool is a real simple format you just give it a name tell if we're to download the ps1 file from and now whenever you run the build

tool that will get pulled in as part of PS attack automatically so you can add as many tools as you want you can strip out stuff if for whatever reason you don't want to include something real flexible real easy to use both of these are available on my github github.com / jared hey they both come with pre compiled binaries so if you don't want to run through the whole build tool thing you can just go to PS attack download from the release file the latest binary exe and run it there are last I checked there were seven or 14 virus vendors that actually detect PS attack github as malicious so probably only good for lab work but you know if

you want to just get running that's a really easy way to do it the build tool as well has a binary precompiled for you can just download it run it and get your custom made PS attack so I wanted to tell a little story so at last year's besides Charleston I gave my first like public talk where it wasn't just you know 20 friends and you know little hacker meetups that we have at Charlotte like this was I went through a CFP and like people I didn't know that I might actually have something to say and be worthwhile so I gave a talk on an intro to powershell and how to use it for evil and it went

really well. The only thing that I really felt bad about was, at the end of the talk somebody had asked me, how do you defend against, you know, this stuff that you've laid out? And what I meant to say was that, you know, look, I work primarily in offense; defense and forensics hasn't really been a focus of mine, you know, so it's kind of something you have to research on your own, I don't have a lot to contribute to that. What actually came out of my mouth is, I break things, I don't fix them, which, as those words were queuing up, like, I already knew that is the most immature, like, you know, that's not

my approach to infosec, like that's such an immature, shitty thing to say, of course, but I said it anyway and it got published to YouTube. But I earned that, like, it was a super successful talk, like, you know, for a first talk I was very proud of it, and it was actually incredible because a while after the talk it got published by, like, SecurityTube or something like that, and Jeffrey Snover actually retweeted it and quoted me in it. If you don't know Jeffrey Snover, which you probably should, he's a technical fellow at Microsoft, like one of eight, like it's the highest engineering position you can have at Microsoft. Jeffrey

Snover actually created PowerShell, this is his baby, and now he runs, like, their entire server line. Like, Jeffrey Snover is awesome; it's why you see things now like Server 2016 where there's no GUI, it's just, you know, console. He is on record as saying, like, if a server has a GUI you're doing it wrong. So, really cool dude, like, this is, you know, the dude that created PowerShell talking about me, that's awesome. And then shortly after this tweet, this tweet came out. If you're not familiar with mattifestation, he's been my role model for a long time. mattifestation is, like, really the dude that

took offensive PowerShell to a whole new level, like, he's a genius, super cool dude, pushes out so much great stuff, and he was nice enough to not call me out directly on this, but, like, I tweeted at him, I'm like, dude, you know, you're absolutely right, like I screwed up, you know, I'm so sorry, blah blah blah. So we actually ended up working it out; this is a completely unedited DM that he sent me, and I mean, super cool, we're actually on pretty friendly terms now, we talk regularly, you know, things kind of worked out in the end. If you're not familiar with harmj0y or enigma, those are the guys that do Empire,

which is another great PowerShell product, and they are really fun to troll. So what I wanted to do is make up for my BSides Charleston talk, right, because it's important that as security professionals we're not just here to break, like, we're here to actually try to make things better. So I wanted to hit the right button and let's talk about actually defending against PowerShell in an enterprise environment. So the important thing to know about PowerShell, especially when you're defending against it, is that it's not special. PowerShell is a post-exploitation framework; like, nobody's popping zero days with PowerShell, they're using PowerShell to leverage existing access to either target other vulnerabilities in the environment or misuse privileges that

the account already has access to. So PowerShell is really just a programming language, a scripting language, it's not, you know, super special, it's not Mimikatz, you know, it's just a scripting language. And so really defending against PowerShell comes back to just basic security hygiene, you know, talking about, like, protecting your privileged accounts and logging what's actually happening within your environment and keeping your systems patched; that really is going to mitigate, like, ninety-eight percent of what you see happening in, like, offensive PowerShell. One of the big things that I see in environments is shared local admin passwords. So, you know, you have all these, you know, endpoints throughout your

workstation or your environment, and they're all using the same local admin password, and it could be, like, super leet and 20 characters long, but if I can run Mimikatz and, you know, get that password, now I have local admin privs to every single box in your environment, and if those local admin privs can be used to log in remotely to other machines, then, like, why do I really need domain admin anymore? Like, I can now just run free throughout your environment and administer everything to my heart's content. Like, as an attacker I'm not out to do schema upgrades, I don't need, like, you know, domain admin access, I just want

to be able to install and run on your boxes. So there's a couple ways you can address this. One is you should be randomizing your local admin passwords, and Microsoft provides a great solution for this that they just don't advertise well enough, I think, and it's called LAPS. It is super easy to implement; basically what LAPS does is it installs a client on the local workstation, it extends the Active Directory schema to add a password field to your computer objects, and then through Group Policy it just communicates with that client and says, hey, it's time to update your password. The client sends the password to that field in Active Directory, and that Active Directory field is what's called a protected

field, so only your domain admins have access to it initially, and you can kind of dole out access as you see fit, and what's great is you can totally log all of that. It's also fully supported by Microsoft; they have gone on record saying, like, hey, if you want to run this and reset your local admin passwords every single day, like, you can still call us up and we'll support it. So super easy to set up, definitely worth looking into, absolutely free, there is no reason this shouldn't be running in your environment. The other great thing that should be done is preventing local admins from

logging into other boxes. There's really no reason in an environment that a local admin should log into another computer remotely, and that's another real easy fix through Group Policy: you can just update the deny-access Group Policy object for local administrators and prevent that from happening. So now with this configuration, if I get a local admin password, it's good for that box and that's it, and it's probably going to change in 20 days or whatever you have it configured for, so you greatly reduce the risk of just, you know, loose creds. The other interesting thing that I've kind of seen mentioned recently is, we regularly approach protecting privileged access from a bottom-up sort of

standpoint: we don't want lower-level users performing administrative actions, right? So it's also starting to come out, this idea that you should be approaching it from the reverse side as well: you don't want your domain admins logging into local workstations, there's no reason for that. You know, your domain admin accounts, these high-privileged accounts, should be used solely for administering the domain. So many people treat the domain admin account as basically an administrator account: like, I need to install software, so I'm going to use the domain admin account. It's like, no, the domain admin account should be, you know, extending schemas and cleaning up AD objects and stuff like that; it shouldn't

be used for installing Photoshop on an endpoint. So setting up your domain like this starts to get into privileged access workstations, which Microsoft has a lot of great documentation on; if you go to that link it kind of links to their documentation on that. But definitely something to look into is, you know, administering boxes from a dedicated machine, a VM or something like that, and using those accounts solely for administration, using a lesser user account for your day-to-day web browsing and stuff like that. Same goes for service accounts: they should never need domain admin access, and I know it's really hard when it comes to things like

backups and stuff like that, but, you know, you come across so many accounts where it's like, I need the scheduled task to, like, copy some files from A to B, so I'm going to run it as a domain admin. So, you know, that's completely abusing the domain admin privileges. So these real basic concepts address most of what PowerShell is being used for. The other thing that I definitely want to talk about, and this is just general Windows security, is logging what matters. When I was a sysadmin it was really hard for me to find resources on, okay, Microsoft has, you know, like 20,000 event IDs, how do I know which ones actually matter? Jessica Payne is an

incident responder for Microsoft, and she put together a great article on logging what matters and using Windows' built-in event log forwarding almost as a cheap, free SIEM for your environment. So basically she covers how to log things like your event log being cleared, which should raise red flags, you know, alarm bells throughout your environment; there's never a good reason for event logs to be manually cleared. When somebody clears event logs, that logs an event that should be instantly forwarded to your SIEM, to your SOC, you know, your sysadmins, whoever's monitoring that sort of stuff. You can also monitor DCs for stuff like, you know, the Domain Admins or Enterprise Admins groups being changed; this is a

very, okay thanks, a very rare event that, you know, should be brought to your attention when it happens. Same goes for local groups, local admins. How often is a local account created in your enterprise, you know, on an end user's workstation? It should be once a quarter, maybe, so definitely something you want to be aware of if that's happening. Same goes for new services: not something that happens super often, and when a new service is created on an endpoint you should probably be aware that that is happening, because that's a great sign of compromise within your environment. Now, if we want to talk specifically about PowerShell and how to secure against PowerShell: PowerShell offers insane amounts of logging. Each version

of PowerShell creates more and more logs, to the point where PowerShell version 5, which is the most recent version, but you can install it on any, you know, Windows 7 and up, offers basically over-the-shoulder transcription logging where you can see every single thing that's typed into the console, and it gets logged to an event log and you can ship that out. The other thing is, if you are deploying newer versions of PowerShell, make sure to remove PowerShell 2.0 when you do this. A lot of the PowerShell upgrades aren't an in-place upgrade, excuse me, so PowerShell 2.0 is still going to be available. If you run PSAttack on a box that has both 2.0

and, you know, 4 or 5.0, PSAttack is going to use 2.0 by default because none of that logging is there, so, you know, it leverages that. But as an example, this is when you run PSAttack on a box that has enhanced logging; this is the sort of stuff you see. You can see, hey, we are running Invoke-Mimikatz right now; it logs it. After all that encryption and obfuscation, none of that matters to the event log; it's logging it right when it's about to run that script. So when you run PSAttack with logging totally turned up, I think it generates something like nine hundred

some odd events in the event log; like, it is the noisiest language ever. So in a properly configured environment PowerShell is the absolute worst thing an attacker can use, because it is noisy as, like, I would much rather go back to Visual Basic or Python or something like that where there isn't that logging, you know. So PowerShell shouldn't be scary. That kind of leads to some of the last reading I'll leave you guys off with. There's a PFE who did a great summary of the modern state of PowerShell security; you can get to that at that link there. Sean Metcalf, if you're not familiar with him, super cool dude, basically, like,

the voice for securing Active Directory and Windows today, like, just a great guy. He wrote a great article on defending against PowerShell attack tools. And everybody should just follow Jessica Payne on Twitter and do whatever she says, because she just tweets constant gold as far as, like, defending Windows and working as an incident responder; a lot of great stuff coming from her. Alright, so we talked about PSAttack, that's the tool that I wrote, makes it easy to use PowerShell offensively. You should totally use the build tool. It is open source, so if you guys have any suggestions feel free to submit either issues, or if you have code, if you want

to submit a pull request, that would be super appreciated. But really, I just love hearing any sort of feedback whatsoever; you know, if you used it on an engagement and it was great, let me know; if you tried to run something and it didn't behave the way you expected, I want to hear about that too. So, you know, whatever you want to talk to me about, like, as long as it's related to PSAttack I'll talk to you about it; otherwise I have very little else I'm interested in, so we'll see if we hit up on that. The last thing I want to leave off on is, if you are working in defense, there is no reason to be afraid of Power

Shell. In any properly configured environment PowerShell is useless to offenders; it's crazy noisy. I want to wrap up with, as I'd mentioned earlier about the PowerShell clique, that, you know, if you're not following the PowerShell community then you're kind of missing out on all the cool stuff that's happening out there. This is a great starting point for that: these guys are the people that developed all the cool offensive stuff that went into PSAttack, so definitely worth following them and, you know, giving them the attention that they deserve; a lot of great stuff coming out of that group. And that's it for me. I am @jaredhaight on

Twitter; if you want to email me, jhaight at gdssecurity.com. If you're in the Charlotte area, a group of us get together about once a month for Charlotte Hackers Anonymous, where we talk about hacking stuff, so totally worth checking that out. And all of the links that I posted throughout this talk are available at that website down there, jaredhaight key-based pal. So yeah, I think we have a little bit of time for questions, or you guys can go run and get food. Question?

So yeah, the question is, how does the PowerShell logging handle Base64 encoding? What PowerShell logging does is it's going to log everything right before it hits the scripting host, which is the actual engine that runs scripting stuff in Windows, so yeah, you would totally see the decoded command being run. Same goes for encryption. The only thing that can really mess with it, from what I understand, is, like, obfuscation, because it's still legit PowerShell that you're running; there's nothing for it to try to, like, decompress or whatever, but you'll still see at least what the obfuscating command was that was run. So, any other questions? Alright guys, well, thank you very much.

[Applause]
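The PowerShell logging controls described in the talk, and the Q&A point that event 4104 records the script text after any Base64 decoding, as an added defender-side example (not code from the talk or the PSAttack project). It assumes an elevated PowerShell 5.x session on Windows 8 / Server 2012 or later, and that the standard Group Policy registry keys are where logging is configured on the host.

```powershell
# Added example: audit the PowerShell logging posture discussed in the talk and
# show what script block logging actually captures. Not part of PSAttack.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the key or value is absent (policy never applied).
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PowerShellLogging {
    $checks = [ordered]@{
        'Script block logging (event 4104)' = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        'Module logging (event 4103)'       = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        'Transcription to disk'             = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    }
    # The 2.0 engine has none of this logging, so a downgrade ("powershell -Version 2")
    # sidesteps it; the talk recommends removing the engine outright.
    # Feature name is the DISM optional feature on Windows 8+/Server 2012+ (assumption).
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
        $checks['PowerShell 2.0 engine removed'] = ($null -eq $v2) -or ($v2.State -ne 'Enabled')
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-38} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
}

function Get-RecentScriptBlocks {
    param([int]$Count = 5)
    # Event 4104 is written right before the engine runs a script block, so the text
    # in Properties[2] (ScriptBlockText) is the decoded code, not the -EncodedCommand blob.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue | ForEach-Object {
        $text = ($_.Properties[2].Value -replace '\s+', ' ')
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Script = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

Test-PowerShellLogging
Get-RecentScriptBlocks | Format-Table -AutoSize -Wrap
```

Even with the policy unset, PowerShell 5 still writes 4104 events at Warning level for script blocks it considers suspicious, so an empty result from the second function usually means the Operational log is disabled or has been cleared.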