Good afternoon everybody. How are we doing? [ applause & cheers ]

>> All right. Let's learn some stuff about PowerShell. In my day job I'm a simple country lawyer but I open up the computer now and then. I remember when I first saw PowerShell I thought this is neat. This is my directory listing. This is awesome. What's my IP address. It doesn't do anything. And then I hate PowerShell. Done with this. So along those lines I like to use the power from PowerShell and I'm doing demos on my own systems but it can be frustrating. Rich is going to show us what he has done. Let's give him a big hand [ applause ]

>> All right. Thanks for coming. A lot bigger crowd than I realized. My name is Rich Kelley. First talk, first time at DEF CON. Background on myself. Come officer officer. Network engineering, software development, ended up in security mostly for government. Most recently branched out, cofounded a company out of Virginia. In my spare time I release some utilities.

All right. So why should you care? If you are here you probably know this. The first point is that PowerShell is here to stay. It's going to be on Windows for the foreseeable future. If you are not using it, you are really just cheating yourself. It's a resource that's there and you don't have to put anything on disk usually. I recommend taking a look at PowerShell. The offensive community is focusing on that. From the defense side I get the feeling that a lot of defenders don't realize how powerful it is. The functions within PowerShell, completely unnecessary. The more we bring up the more we can secure things. I was struck by post mortem analysis, incident attacker will use PowerShell. Research topic that might be a good area for focusing.

Okay. So what is the PowerShell weaponization problem? I guess to put it simply, how to get your PowerShell running on your machine and get your results back. It may not be obvious but up until a few months ago it was actually not really that easy to work PowerShell into your workflow.
There's a number of scripts and tools that came out but there's still a vague understanding of how you would use them on an engagement. So when I started this project I was trying to make it easy for myself and a number of people convinced me to put in a talk so here I am. So has this problem been solved? Yes. In the last couple of months we've had interesting and great tools come out to utilize PowerShell. Excuses are getting fewer and fewer. When I started this, what drove me down this path is there's this fuzzy area: you gain access, use PowerShell and good to go. And that's where I started to fill in the gaps. There's a bunch of solutions, a few of these I'll talk about quickly and everybody should check them out as well.

All right. Briefly I want to go over other ways to use PowerShell, weaponize it. If you have interactive access you can bring up PowerShell. If you bypass the execution policy, input your script. Copy/paste your PowerShell. It's there, free to use. You probably use the line on top there, which refers to the demo, where you are using the web client to reach out and download what is staged on some web server. The next way is if you have a command shell, probably where you used it. You can't just drop into a PowerShell console like you would normally. The nature of PowerShell and the way it works makes it difficult to get around that payload. There's a number of utilities that will help you with that. Command argument. PowerShell executes, goes ahead and executes that and returns some results. That's probably how most of you use PowerShell on most of your tests. If you have this shell you can use modules that make things not easy. You can use the execute PowerShell module. It's been around. And you can stage your script on your local attack machine, it takes care of some of the heavy lifting for you. Through the Meterpreter session to execute. I have had a few issues with it. Occasionally it opens up a lot of PowerShell instances. It was flaky a couple of times. Most recently, April or May, PowerShell payloads.
If it was around when I started, I may not have gone down this path. It has some nice features. You do get an interactive console. And pass it a file path where your local scripts are. Once it runs it will load up the scripts for you. It's nice, you can use it right now. There's Cobalt Strike. If you have that, I think this is probably the first really clean solution to the PowerShell weaponization problem that I saw. In this case if you have Beacon on a machine, and I'm a big fan of that, import a local script and it does the hard work for you. Your function is available there. So if you have Cobalt Strike, this is really easy.

Some other options. PowerShell remoting. You have to have it enabled. Once it is you can use PowerShell to invoke, whether it's as administrator or once you get on the machine it's a nice feature and you don't have to install anything. WMI, there's going to be a talk on that tomorrow. And I recommend you go to that. And Empire, this is the tool I was alluding to. Just a couple of days ago, it's kind of a game changer, a post exploitation agent implemented in PowerShell. It has a really nice framework to build modules for that. I recommend you go to their website and take a look at that.

Okay. So I'm always hard on my clients to give requirements. For myself I want a fully interactive PowerShell like the native PowerShell executable. And I want the capability to seamlessly import. You don't want to stage them. I just want to import modules, give it the path and be done with it. Last December sometime I started working on it on and off and it proved more challenging than I thought.

All right. I'm going to attempt a live demo here and see how this works out. Okay. Harness is the actual payload. It's an interactive remote host in C#. So Microsoft has got a lot of functions that you can use to build out your custom host. So if you want to dig into the library you can do that. The documentation on it was limited and that's why I struggled quite a bit at the beginning.
I bundle everything in the Python framework. You can integrate the payload in. It's got the usual commands. In this case there's not a whole lot of modules. It's not the focus of the handler. I have a number of payloads here. Mostly just x86 and 64-bit. Executable and DLL to inject into memory, and I will show you that. So if you want to use a payload, it's very similar to Metasploit here. So in practice you probably wouldn't use the dropper. You try to avoid touching disk when you are on a mission. You run it like that and it's an executable and it's up to you how you would get it to your target. In this case I've already dropped it on the target. And we'll see if we can get a callback. What I want to show you is you don't need a special handler. In this case, see if we can use netcat. We get a nice callback. So you don't need special features. This is running the unmanaged payload.

One of the things also that you don't get in interactive payloads is you notice in PowerShell you get the multiline inputs. So I want that feature in there. Hallmark of having PowerShell. You can do stuff like this now. What it's doing in the background is every time you send something it's doing the check. And once it says it's clean it goes ahead and executes it. You can just print it out. This allows you to build functions on the fly. The buffers can't keep up with each other. Eventually I would like to have that problem solved as well. So that was getting kind of close to my first objective. It's not completely implemented yet. But I'm working through some of the bugs.

The next thing, if you use the handler built into the framework here you get a little bit more functionality. You load the handler here. Running on ad. Once again it will execute it. And we get a callback here. So. We can interact here. Using the server and client together you can import modules across the wire. So in this case I built in some custom commands. The difference is the module...and I'll try to send it through the wire.
It's through the same channel you are currently using. In this case once it's in memory there you can see the functions from PowerUp available. See if we can do...Invoke-AllChecks. What I have noticed is that it does consume a lot of memory. There you go.

The next thing I want to show is the reflective payload. I want to show you a video. I apologize if it's too small. So in this case you are going to run your handler like you normally would. Load up the reflective DLL, from the reflective PE project. You should check out those as well. And the reflective DLL is built off the students here. Without those projects I could not implement this myself. So now you create the payload. I've staged a Meterpreter callback here and it's running as SYSTEM. And you can use the reflective DLL module and -- memory directly into lsass here. Okay. So it injects into lsass, this payload is taking a bit more to ramp up but eventually you get a callback here into your system. Any time now. There you go. You get a callback and you can interact with the session. You can do Invoke-Mimikatz. Before you can import your modules all the way across the wire. Any special function that requires the handler, there's a symbol in front of it. Differentiates the commands. In this case I'll import Mimikatz. And just to prove that it's loaded into memory you can take a look at what the current process ID is. Running in lsass. This is very similar to the capability of things like Empire but it's hard to detect in the future as well. So Invoke-Mimikatz. There we go. You get your results back just like you normally would. Mimikatz for your passwords.

Okay. So under the hood the payload is compiled against .NET 4.0, I think you can go down to 3.5 if you needed to. It does need the System.Management.Automation assembly where all the internal management comes from to build out your PowerShell host. I've tested on a number of systems. As far as the server is concerned it's a separate project. You can build your own.
The listener is asyncio, it allows you to run asynchronous processes, put tasks in threads. That's kind of a pet project you can implement. You can easily do that. Why Python? It's for the learning experience. It helped me to actually fill in some gaps that I had. And I have a lot of appreciation now for what it does behind the scenes. No critique there. It's also my preference. The payload is compatible.

As far as defense, I haven't done too much work on this. You can actually probably stop attacks: System.Management.Automation, trigger on any malicious use and see if it's loaded and tell whether something is there that shouldn't be. And also new features in PowerShell 5.0 have nice logging features. The talk earlier today, he went through a lot of great defense techniques.

Okay. That's all I have. Big thanks to all these people. Wouldn't be possible without them. Thanks for the encouragement. Here's all my contacts if you have questions. Thank you [ applause ]
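One way to act on the defensive idea at the end of the talk (look for the PowerShell engine loaded where it should not be), as an added example that is not part of the talk or of the Harness project: it lists processes that have System.Management.Automation loaded but are not one of the expected host executables. The allow list, the helper name and the assumption that it runs elevated (so other users' processes can be inspected) are mine.

```powershell
# Added example, not from the talk: find processes that host the PowerShell
# engine (System.Management.Automation[.ni].dll) under an unexpected name.
# Assumes an elevated session; module lists of other users' processes are
# otherwise unreadable. The allow list below is an assumption, tune it.

$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

function Find-UnexpectedPowerShellHost {
    param([string[]]$AllowedNames = $ExpectedHosts)

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws for protected processes and for
            # 32/64-bit mismatches; skip those rather than abort the sweep.
            $modules = $proc.Modules
        } catch {
            continue
        }

        # NGEN'd copies load as System.Management.Automation.ni.dll, so match
        # on the prefix rather than the exact file name.
        $engine = $modules |
            Where-Object { $_.ModuleName -like 'System.Management.Automation*' }

        if ($engine -and ($AllowedNames -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName   # e.g. lsass, as in the demo
                Id          = $proc.Id
                Path        = $proc.Path
                EngineDll   = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

# Emits one row per suspicious process; no rows means nothing unexpected
# currently hosts the engine.
Find-UnexpectedPowerShellHost | Format-Table -AutoSize
```

The PowerShell 5.0 logging mentioned in the talk complements this: Script Block Logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is done by the engine itself, so it records what a custom host executes even though powershell.exe never runs.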