My talk on 10 tips for PowerShell as a hacking tool @ BsidesTLV 2019 - Session code on https://github.com/YossiSassi/PowerShell-Hacking-BSidesTLV

1. Powershell as a hacking tool
2019
Yossi Sassi
White h^t ha‫כ‬ker & InfoSec Researcher
yossi_sassi

2. Whoami Y1nTh35h3ll
• ~30 years of keyboard access & guitar playing
• Researcher, White h^t hacker (Finance, Military/Gov)
• Co-Founder @ CyberArt, Board Member @ Javelin Networks
• AD Protector, Pow3r5he11 consultant/trainer, CISSP, etc…

3. What we’ll talk about
• 10 tips (out of gazillion..) for PS for hackers
• Some of our cool research ;)

4. What is PowerShell?
• Perceived as “MS shell for IT/Sys admins”
–For hackers it’s a totally different story ;)
• CMD « on steroids »
• Windows LoTL heaven
• Ideal for post-exploitation
• Runs on Windows/Linux/MacOS, open source
• Based on .net fx, works with objects

5. 1. Invoke/Execute any text stream
• Run in-memory without touching disk (fileless)
• IE (non visible)
• msxml2
• Net.WebClient
• Invoke-WebRequest (aliases: curl, wget, iwr)

6. 2. Harness the power of .Net
• [Net.WebUtility]::UrlEncode("/insider profiles/")
• ("heLlo wOrld").ToCharArray() | % {
[char]::IsUpper($_)}
• [convert]::ToBase64String($([System.Text.Enc
oding]::Unicode.GetBytes("shutdown /r /t 0")))

7. 3. Convert any to any
• Xml, json, html, bytes, whatever.
• Export/Import, ConvertTo/From

8. 4. Phish admin creds one-liner
• $c = $Host.ui.PromptForCredential("Microsoft
Outlook","Please enter your
credentials","$env:userdomain$env:username","")
• Can expand it to Windows.Security.Credentials.UI
(See @Dviros CredLeaker)

9. Under the .net framework hood…

11. 5. There is no spoon…
• Powershell.exe is just a spoon.
System.management.automation runs the show
• Run Powershell (code) without PowerShell(.exe)
• Run Powershell from binary without running the
binary process

12. 6. Run C# directly, local & remote
• Add-Type
• Utilize $using, ${function:functionName} to
deliver ANY local variables & functions to remote
sessions

13. 7. Get Objects from apps/scripts
• Convert any string output to customized objects
–Intuitive, no RegEx
• In-mem (on the fly) or template file

14. 8. Multiple encodings, Compression,
Buffers, Threads, ShellCode…
• Prepare advanced payloads
• Investigate PowerShell attacks

15. But..
What about PowerShell defenses??
• Execution Policies (Signed Scripts)
• Script Block Logging
• Module Logging
• Transcriptions
• ConstrainedLanguage
• Protected Event Logging *
• + AMSI

16. 9. (Un)Protected Event Logging
• Think “ransomware” for event logs ;)
• Leverage PS defense w/CMS for the Red team

18. 10. Total bypass of PS defenses
• Based on research by Omer Yair & team
– Bypass AMSI / Logging / Auditing with Invisi-Shell
• Does not require administrative privileges(!)
– ICLRProfiling::AttachProfiler()
– COR_PROFILER_PATH environment variable
• Gets JIT-ed code address
• Hooks powershell (system.management.automation),
hooks system.core.dll, hooks all calls to AMSI
– No hook functions – simple replace with RET opcode
• Detaches after hooks are placed

19. Key Takeaways
• PowerShell Rocks!
• PS Blue Team defenses exist
– Use/Loose PS v2.0 wherever possible
• Or use invisi-Shell
– Obfuscate vs. Look for potentially malicious activity (IEX,
.DownloadString, TOKEN_ADJUST_PRIVILEGES etc)
• For Windows + Automation = ultimate choice
– Writing payloads is fun! And robust.
– Multiple powershell offensive frameworks can be found online

20. Links & THANKS!
– Dor Amit (co-founder @ CyberArtSecurity.com)
– Omer Yair (EndPoint Team Lead @ Symantec TDAD)
– Team @ Javelin Networks (nowadays Symantec TDAD)
– Omer’s talk in last DerbyCon
• https://www.youtube.com/watch?v=Y3oMEiySxcc
• … CHECK HIM OUT this upcoming DefCon @ main stage !
• https://github.com/YossiSassi

21. T.hanks!
Yossi_Sassi