Introducing PS>Attack: An Offensive PowerShell Toolkit

PS #> Get-Content psattack.txt

Making it easy to use PowerShell for evil

Uploaded by: jaredhaight

Posted on 13-Jan-2017



PS> whoami
• Jared Haight
• Security Engineer for Gotham Digital Science
• PowerShell fanboy
• Guess I’m a developer?
• I enjoy long walks in the woods
• Co-owner of a broken bunny.

What is PowerShell

Microsoft’s attempt to get admins to use a keyboard

What is PowerShell?
• Windows PowerShell (as described by Wikipedia)
  o task automation and configuration management framework
  o consisting of a command-line shell and associated scripting language
  o built on the .NET Framework
  o provides full access to COM and WMI
  o enabling administrators to perform administrative tasks on both local and remote Windows systems

What makes PowerShell great
• Object Oriented Language
• Intuitive Commands
  o Verb-Noun format (get-help, test-connection, etc)
  o Similar switches across commands (-ComputerName, -Debug, etc)
• A help system that’s actually usable
• Great tab completion
• Available on Windows 7 and up.

What is it being used for?
• Administering all the things!
  o You can administer most anything in a Domain with PowerShell
• Automation
  o Desired State Config is the Puppet/Chef/Ansible/Salt of the Windows world.
• Information Security
  o Lot of work in DFIR
  o Great for event log parsing and WMI queries.
  o Check out what’s being done at http://www.invoke-ir.com/

What can Red Teams use it for?

Offensive PowerShell is Awesome
• Using the admin’s tools against them
  o There’s great stuff already there, live off the land.
• Hard to lock down
  o No real logging before PowerShell v5
  o PowerShell is actually part of .NET, it’s NOT powershell.exe
  o Not a lot of awareness on the admin side of offensive PowerShell
• A lot of advanced work being done by the community
  o DLL injection
  o WMI Abuse
  o Mature Methodologies

The Barrier to PowerShell
• Lack of interest
  o Windows isn’t cool
• A little intimidating
  o Lots of testers are more comfortable with *nix
  o Whole new language to learn
  o Where do you start?
• Hard to stay up on the latest and greatest
  o PowerShell clique on Twitter
  o Cool stuff doesn’t always get surfaced

PS>Attack to the Rescue

What is PS>Attack
• A tool that makes using Offensive PowerShell easy
  o Custom console designed to emulate powershell.exe
  o Some of the best tools available are built in
  o Powerful tab completion
    • Commands
    • File Paths
    • Parameters
  o Single Executable – just download and run

What’s in PS>Attack
• Over 110 Commands covering Recon, Privesc, Backdoors and Exfiltration
• Including
  o Commands from PowerTools, PowerSploit and Nishang
  o Inveigh – A Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP(S)/SMB and NTLMv2 HTTP to SMB relay.
  o Powercat – Netcat, but in PowerShell
• Get-Attack – A command for finding the attack you’re looking for
  o An attack command search tool

Not just for the lab
• Embedded Payloads are encrypted to evade AV and IR teams
• Payloads are decrypted straight into memory so they never touch disk.
• Custom built console doesn’t rely on “powershell.exe”
• Works out of the box on everything from a fresh Windows 7 install to a patched version of Windows 10.
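The two "Hard to lock down" points from the Offensive PowerShell slide (no real logging before v5; the engine is .NET, not powershell.exe) and the "doesn't rely on powershell.exe" point from the slide above are exactly what a defender has to answer. The script below is an added example written for this transcript; it is not code from PS>Attack, the Build Tool or the talk. It assumes Windows PowerShell 5.x and an elevated prompt for the registry writes; the list of "expected" host process names and the suspicious-string patterns are my assumptions and should be tuned per environment.

```powershell
# Added example (not part of PS>Attack or the talk). Assumes Windows PowerShell 5.x;
# Enable-PowerShellLogging needs an elevated prompt. Host-name list and patterns are assumptions.

function Enable-PowerShellLogging {
    # Writes the same policy values the Group Policy templates set for Script Block Logging
    # (Event ID 4104) and Module Logging (Event ID 4103). Takes effect for new sessions.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl  = Join-Path $base 'ScriptBlockLogging'
    $ml   = Join-Path $base 'ModuleLogging'
    $mn   = Join-Path $ml   'ModuleNames'

    foreach ($key in @($sbl, $ml, $mn)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -PropertyType DWord  -Value 1   -Force | Out-Null
    New-ItemProperty -Path $ml  -Name 'EnableModuleLogging'      -PropertyType DWord  -Value 1   -Force | Out-Null
    New-ItemProperty -Path $mn  -Name '*'                        -PropertyType String -Value '*' -Force | Out-Null
}

function Get-PowerShellHostProcess {
    # Lists every process that has loaded the PowerShell engine (System.Management.Automation),
    # whether or not it is powershell.exe. Run from a 64-bit shell so 64-bit processes are visible.
    $expectedHosts = @('powershell', 'powershell_ise', 'pwsh')   # assumption: extend for your estate

    foreach ($proc in Get-Process) {
        try {
            $engine = $proc.Modules | Where-Object { $_.ModuleName -like 'System.Management.Automation*' }
        } catch {
            continue   # access denied (protected process) or 32/64-bit mismatch
        }
        if ($engine) {
            [pscustomobject]@{
                ProcessId    = $proc.Id
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path
                ExpectedHost = ($expectedHosts -contains $proc.ProcessName)
            }
        }
    }
}

function Get-SuspiciousScriptBlockEvent {
    # Pulls recent Script Block Logging events (4104) and flags those containing strings
    # commonly seen in download-and-execute or encoded scripts. Patterns are assumptions.
    param(
        [int]$MaxEvents = 200,
        [string[]]$Pattern = @('FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX')
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # 4104 event data: [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
            $text = [string]$evt.Properties[2].Value
            $hits = $Pattern | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    ProcessId   = $evt.ProcessId
                    Matched     = ($hits -join ', ')
                    Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Usage: run Enable-PowerShellLogging once from an elevated prompt, then periodically:
Get-PowerShellHostProcess | Where-Object { -not $_.ExpectedHost } | Format-Table -AutoSize
Get-SuspiciousScriptBlockEvent | Format-Table -AutoSize
```

The host-process check is the direct answer to "it's NOT powershell.exe": a custom console or any other .NET binary that hosts the engine still has to load System.Management.Automation, so that DLL, not the process name, is what to look for. Script Block Logging records the de-obfuscated script text the engine actually compiles, which is why the slide's "no real logging before v5" matters so much to both sides.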

Get-Help
• PowerShell’s help system
• Available for any command in PS>Attack
  o get-help invoke-mimikatz
• Use the –Examples switch to view usage examples
  o get-help invoke-mimikatz -examples

Demo!

Making PS>Attack Even Better

PS>Attack Shortcomings
• All versions use the same encrypted files
  o Easy for AV to flag
• PowerShell tools are being updated daily

Enter: The PS>Attack Build Tool

What does it do?
• Downloads latest release of PS>Attack
• Downloads the latest versions of the modules/tools that PS>Attack uses
• Encrypts everything with a unique key
• Compiles everything for you
• It’s super easy.

How easy is it?

PS>Attack Build Tool Dependencies
• .NET 3.5 Full
  o Needed to build PS>Attack
  o Provides msbuild.exe
  o Backwards compatibility in .NET is all sorts of broken
• .NET 4.5 (and up?)
  o Needed to run Build Tool
• Modules.json
  o JSON file containing names and urls for PowerShell modules
  o Included with the Build Tool

Getting PS>Attack
• https://github.com/jaredhaight
  o PS>Attack: https://github.com/jaredhaight/psattack
  o Build Tool: https://github.com/jaredhaight/psattackbuildtool
  o Precompiled versions are available on the releases tab
• https://www.psattack.com
  o There’s a bunch of stuff on there, some of it is related to PS>Attack

PS> get-future

Where do we go from here?

What’s next?
• Bug fixes
• More PowerShell modules!
  o Within reason.. PS>Punch is already 3mb.
• Better AV/IR evasion
  o Less static strings, more magic
• Better console emulation
  o Script support, Better exe support
• New features
  o Reverse Shell? Command line params? What does the community want?

How can you help?
• Submit issues
  o Let me know what errors you run into
  o Let me know when things don’t work the way you expect
• Submit pull requests
  o If you want to implement a new feature or something, ping me and we can talk
• Feedback of any kind is incredibly helpful
  o Hit me up on twitter, email, in person.

Wrapping up

The real MVPs
• @mattifestation
• @sixdub
• @harmj0y
• @enigma0x3
• @subtee
• @nikhil_mitt
• @kevin_robertson

Like, Comment and Subscribe
• @jaredhaight
• [email protected]
• https://github.com/jaredhaight
• Charlotte Hackers – http://www.charlottehackers.com

Fin.
• Questions?