Targeted attacks - Under the radar with PowerShell & other built-in tools
Kenneth Ljungqvist (@kewngen), Hasain Alshakarti (@Alshakarti)
Hackers <3 PowerShell
Object-oriented scripting language built on .NET
Built into every supported version of Windows
Executes code in memory
Download & exfiltration of data
Remote PowerShell
Windows API & .NET access
Open source
Offensive PowerShell tools
PowerSploit: Matt Graeber (@Mattifestation), Chris Campbell (@obscuresec)
PowerView & PowerUp: Will Schroeder (@HarmJ0y)
Nishang: Nikhil Mittal (@nikhil_mitt)
p0wnedShell: Cornelis de Plaa (@Cneelis)
PS>Attack: Jared Haight (@jaredhaight)
PowerShell Empire: Will Schroeder (@harmj0y), Justin Warner (@sixdub), Matt Nelson (@enigma0x3)
DEMO
PowerShell v5 – Interesting security features
Logging (script block logging & transcripts)
AMSI – Antimalware Scan Interface
Constrained Language Mode
JEA – Just Enough Administration
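As an added example (not part of the slide deck), the snippet below turns on the two PowerShell v5 logging features named on the slide through the same policy registry keys that Group Policy writes, shows which language mode the current session runs in, and reads back recent script block events. The transcript directory C:\PSTranscripts is an assumed value; run it in an elevated session on a lab machine.

```powershell
# Added example, not from the presentation: enable script block logging and
# transcription, then inspect the resulting events.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: each executed block is written as event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log, after any obfuscation layers
# have been unwrapped by the engine.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Transcription: full input and output of every session is written to a file.
$tr = Join-Path $base 'Transcription'
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type String  # assumed path

# Constrained Language Mode: report what this session is running in
# (FullLanguage means .NET and COM are fully reachable from script).
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# Pull the 20 most recent script block events; property index 2 of a 4104
# event holds the script text that was executed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } } |
    Format-Table -AutoSize -Wrap
```

The transcript directory should be a location that ordinary users can write to but not read or modify, so that logged sessions cannot be cleaned up by the account that produced them. JEA is configured separately, through role capability files and a registered session configuration, and is not covered by this snippet.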
Questions?
Kenneth Ljungqvist, @kewngen, Kenneth.ljungqvist@truesec.se
Hasain Alshakarti, @Alshakarti, Hasain.alshakarti@truesec.se
Links
PowerSploit (incl. PowerView & PowerUp): https://github.com/PowerShellMafia/PowerSploit
Sean Metcalf's blog on Windows security: http://adsecurity.org/
Nishang: https://github.com/samratashok/nishang
PS>Attack: https://github.com/jaredhaight/PSAttack
p0wnedShell: https://github.com/Cn33liz/p0wnedShell
PowerShell Empire: https://www.powershellempire.com/ and https://github.com/adaptivethreat/Empire
Invoke-Obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation