Defend PowerShell Attacks When All Else Fails

Video in TIB AV-Portal: Defend PowerShell Attacks When All Else Fails


Formal Metadata

Title: Defend PowerShell Attacks When All Else Fails
Author: Kornkitichai, Pornsook
License: CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract:
PowerShell has gained considerable attention over the past few years in response to increased task automation in the Windows environment. Regardless of PowerShell's capability to address administrators' day-to-day operations, it is widely used for penetration testing and even for attacks. Post-exploitation attacks and payloads built specifically on PowerShell are difficult to prevent once the attackers have gained privileged accounts. All protections, ranging from control of the Execution Policy, through Constrained PowerShell to customize remote endpoints and AppLocker to allow or deny applications from running, to control of objects with PSLockdownPolicy in PowerShell V3, could in some way be tampered with or bypassed to run malicious PowerShell scripts. Security monitoring that enables the subtle details in the PowerShell event logs can collect useful information whenever PowerShell is called, but attackers could find a way to alter or disable those logs legitimately. So far no major study exists to corroborate such a conclusion about the defense against PowerShell attacks under these conditions. Until such a study is undertaken or a new feature is introduced, we have built PowerShade, a prototype platform written in Python, to observe, capture, and neutralise PowerShell post-exploitation attacks.
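As an added illustration of the controls the abstract lists (this is not code from the talk or from the PowerShade prototype), the following PowerShell script audits, read-only, the state of each one on a Windows host: Execution Policy per scope, the session language mode, the __PSLockdownPolicy environment variable, remoting session configurations, the AppLocker Script rule collection, the script block, module and transcription logging policy keys, whether the PowerShell event logs are still enabled, and whether any log-cleared events were recorded recently. The function names, the seven-day window and the "<not set>" placeholders are my choices; the cmdlets, registry paths and event IDs are the standard Windows ones. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows in an elevated session; without elevation the AppLocker and remoting queries report "<unavailable>".

```powershell
# Added example: read-only audit of the PowerShell controls named in the abstract.
# Assumes an elevated Windows PowerShell 5.1 / PowerShell 7 session. Nothing is modified.

function Get-RegistryPolicyValue {
    # Helper: read one DWORD under the PowerShell Group Policy key, or '<not set>'.
    param([string]$SubKey, [string]$Name)
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<not set>' }
    return $item.$Name
}

function Get-PowerShellControlAudit {
    [CmdletBinding()]
    param()
    $audit = [ordered]@{}

    # 1. Execution Policy for every scope. As the abstract notes, this guards against
    #    accidental script execution; it is not a security boundary.
    $audit.ExecutionPolicy = (Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    # 2. Language mode of the current session (FullLanguage or ConstrainedLanguage).
    $audit.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 3. The __PSLockdownPolicy environment variable (the PowerShell v3 mechanism from
    #    the abstract; a value of 4 requests ConstrainedLanguage). Read at machine scope,
    #    because a process-scope value would only describe this session.
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    $audit.PSLockdownPolicy = if ($lockdown) { $lockdown } else { '<not set>' }

    # 4. Remoting endpoints: each registered session configuration and, where the
    #    configuration file declares one, its language mode.
    try {
        $audit.SessionConfigurations = (Get-PSSessionConfiguration -ErrorAction Stop |
            ForEach-Object {
                $mode = if ($_.PSObject.Properties['LanguageMode']) { $_.LanguageMode } else { 'default' }
                "$($_.Name)[$mode]"
            }) -join '; '
    } catch { $audit.SessionConfigurations = '<unavailable>' }

    # 5. AppLocker: enforcement mode and rule count of the Script rule collection.
    try {
        [xml]$xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $script = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
        $audit.AppLockerScript = if ($script) {
            "$($script.EnforcementMode), $(@($script.ChildNodes).Count) rule(s)"
        } else { 'no Script collection' }
    } catch { $audit.AppLockerScript = '<unavailable>' }

    # 6. Logging policy keys set through Group Policy (1 = enabled).
    $audit.ScriptBlockLogging = Get-RegistryPolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $audit.ModuleLogging      = Get-RegistryPolicyValue 'ModuleLogging'      'EnableModuleLogging'
    $audit.Transcription      = Get-RegistryPolicyValue 'Transcription'      'EnableTranscripting'

    # 7. Are the PowerShell event logs still enabled and holding records? A disabled log,
    #    or an empty Operational log on a busy host, is itself worth a closer look.
    foreach ($log in 'Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell') {
        $info = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $audit[$log] = if ($info) { "enabled=$($info.IsEnabled) records=$($info.RecordCount)" } else { '<missing>' }
    }

    # 8. Evidence of log clearing in the last 7 days: Security event 1102 (audit log
    #    cleared) and System event 104 (an event log was cleared).
    $since = (Get-Date).AddDays(-7)
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue)
    $audit.LogClearedEventsLast7Days = $cleared.Count

    return [pscustomobject]$audit
}

# Usage: print the audit as a property list.
Get-PowerShellControlAudit | Format-List
```

The script deliberately only reads state: the point of the abstract is that any of these settings can be changed by an attacker holding a privileged account, so the useful question for a defender is which of them are currently on, and whether the logs that would show a change are still intact. Run it periodically from a management host and compare the output against the baseline you expect for that machine.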

Transcript
hello everyone and when it's fun so can't decide I come from Thailand and today I'm going to talk about how to define culture that that's when all every different fast but before going over there I would like to you a bit more about myself I'm working as a senior Malaysia and the of security assessment team at its Infotech Thailand and basically in my every day classes of a lot about contesting doing some kind of IT security consulting and 93 such heated intéressés about Office of security and sometimes it's about defensive security of all warfare now that
topics that I'm going to call the for 2 days and there several ones the 1st 1 is about and going to talk publish and is often seen sites nexus about why for defense against the Polish at at 1st next I'm going to talk about how and why it it is quite difficult to do some implementation to defend the publisher of and next and going to introduce you to the prototype of published yet to defend those that and then I'm going to lose some demonstrations and
basically if you have a reduced postal before you might have to to question why that's always in the new edition of Windows and going to talk about a little bit about because I when you go into endorse they and we don't we have just justly come but sometimes later there are going to Microsoft would like to have some kind of public culture that of for common life like sharing in the notes but as you know is different have formed in existence of fibers platform but in Windows API and object there's so we cannot implemented that some kind of channel command like a cheerleader looks so they create things like hallways shell and the you had this thing just but since 2010 so there have been lots of our pseudowords and research too often think of either poll shows and and why certain that there are a lot of people here have a was seen these leads also often those before but I would like to give you a quick will be what each of the models the the first one is policies for a light post Freud's of selection of um was exploitation published would if you can test that you can use it to bypass and they were asked to the walk some chilled water injection on you can use it to do some data X few duration and framework is in the shadow of the Chinese collection of policy trees and payloads between the main purpose of the Chinese just leave often its Puritan nets view power if you have a list of the of reuse framework before this model with the same culture the idea of polio is used when you can get so we would like to add texts some enrollment but that can remain the simple non so the altar of we're probably will create some more to meaning the behavior on that come up for example you can use get in there user of object that in state of instead of negative 0 username groups next public 1 of the guys 1 hearts of public tools polar is used for all the p rest escalation and another friend was public cash public having netcat that is implemented in Polish nexus and is the payload 
called interactive OK look in at this point if you haven't used to make before if you land shell and then Clyde Polish so that EXE Europe session will be force and because you cannot have an interactive session with the publisher so in these data have been in the call indirectly publisher that you can use and get an interactive to the college still on the target system that abstract and then later on in the world is opposed to compile is published gene and besides class just this year basically ideas about creating some kind of a policy engine send it to the talk system when the practices and random topology location it connects back to you of command and control then you can do anything you want with Polish here for example you can say in something like chili what injection involved on the hour and injection not doing anything they want you want with publisher it looked like Metasploit Framework but this policy so this is not just only some examples of aircraft and the security models of the policy of next time going to talk about why all of these
things pop culture also fails to deal and the at the 1st 1 is this is the 1st
line of defense maybe you have heard of this before it's an execution polite if you a newer to always tell if you are and i'm going from USA you cannot learn PostScript but if you are informed user you can line to our culture script as you can see from the screenshot you cannot like POS just the poachers format is not P S 1 1 thing that you can do is just pile the common on the console or just copied the publishers created and piercing in the console and run that's the way you can do and even you know about how the execution execution policy work you can bypass normally there have 5 options for for execution places 1 is recent that which is that the form that in 2nd and I have all signed but but when if we more side before the bypass and 5 and restrict if you just change the option to bypass you can't do anything well the main purpose of this execution wise C is true p when user from lining that publishers created an intentionally it is not decided to defend the at that so it's not the defense another technique to
bypass execution policies you can use their 60 64 cortical commands for example if you have the publisher script just and according to basically fall and hit it into the core of policy common consoles and running you can bypass another thing that I talked about order command because some and the rest when you download when you use some polish your screen when you look at the system some and the rest can detect you can use and what command to kind so but that's a limitation in of about window X he and then you will wish because the length of the console if we need to allow a thousand and 100 something so if you have a wary all cultures where you need to do some complications and then the complexity and the memory and some people here but there is some people you that great their rights more due to do this for you so that's the that's not the problem and that their protection
mechanism is apple up here and not there will also introduce us since there and and intuitive Boston it not to but you can use it all the points in there on the Enterprise and Ultimate motion only that of most of that block is to allow that many services to a lot about the system to p when and the running from the UN authorized applications you might have thought about software restrictions apply see if this the same but is it to the order taken all the system why while this order because when you set up fiction where the rules you cannot have act lied to each user partition will and it's quite difficult to manage but if you enable more at locker and solve anything the fictional place at the same time you will matching we which shows all the apple up this when you have time at moderate to prevent Polish here you can use to block executable file causes policy of script file that see if you
set the rules here with Polish 0 . txt and I see that the exceed restriction you can run the next is you can use to
appear and any running the poachers 55 but as you know this is the 2nd from atmosphere if the that can gain access to the as at cost p that label of the systems these both action mechanism is useless now
been to some kind of power-sharing more they being published a remote thing means that if you land Polish and would like to execute on the remote machine recordings publish only more than when you use in poetry we more than you connect to their default costs the session conflagration you can say 5 some conflagration on you mentioned with this command that appears scission configurations it released all settings of the remorse more and point but I mean you will were always from our policy and later wishing you can enable some con
strained Polish and endpoint 4 that's it means it means that you can lead the number of 2 come that they're reading what sentence can use for example by I 100 2 of the matching hole we know 81 look at playing once and the and try to leave that number of the common what I got back is allowed less than 10 command that I can use normally them more than 100 commands in Polish silicon so so if you want to apply these insights to work in the Python organization you could do it but as soon as add appear the Vatican can get access to their pattern level our concept how which of doesn't have a nexus of about a
lot of doubtful ICT post a lot about stories and there is not much information related to the there's just 2 lanes and the thing is you can use some environmental warrior by creating some way below we call P and locked up more a and set the number 2 full your publish open so change the more into con strained language more what this means is that you can use the command you can just come out late in publisher but you cannot access any type of document object you cannot access class we cannot access instance because this is in the more coal constrained language more but the same assumption the same thing I can know about this little well they can DVDs wearable and apply it they can bypass these pieces so my what what my
what about my work working basis on these assumptions 1st at accurate could gain access to the previous accounts for example they can get access to local administrator of the target system that can get access to 1 actual of domain happening 2nd assumption is they can enable published during morning and 1st all what what I said before all of the protection I mentioned earlier Atticus nodes when the wealth and forward I don't talk about evil not because attacker can be simple that's next why is the friends against culture hack is difficult for some of you might think why are we going to do some of gain of artists in the set into we individual API function I did it but it's quite a few people that each that see the screenshot of or if you call local Polish error that the college should not exceed forces on here and then if you do some kind of stack tracing all monitoring the dispatch in here you see that there is no torque applied to do some thinking like deception all what you can season but then I thought people or this is where a new typology of publisher is implemented with all documents objects class and instance library so that have not applied to the best result we needed to API
for Polish doing more things you might think that why we don't want do some kind of of the intersection and analyze the traffic on my monitors traffic I it's the same basically when we use policy we more things he published we use the protocol the been doing S when we go all out right so we management protocol it landed on http and attached to the P. S . 1 hour 59 60 65 to 66 sorry 59 65 to but when you use that the the data X to the P content this encrypted you can see only the that STDP here which is not much if you must have more information you can see just delete all the can entropy with something when do you suppose more inside enrollment keep this interest that would cover lost but if you use in their work could be encrypted with class SSP you cannot do any many that we have only you use xt at all hectares and content but I don't think twice so it's phrase difficult to do some man in the middle here and do some analyzes on my just but in these
years and Microsoft published some tools recognized to basically if you use do with some traffic on it what's sniffling if you use wide shot TCP down but Microsoft has a new
tool for Microsoft all message and I said you can have what some glandular details of methods in each even knowledge sources that we know use when a land Microsoft Message slices when I use publisher with more things I can see everything uses the year everything you see insult message because our approach to remotely using web service you can see some plane method Pressac Pentecost communication you can analyze it but this impact according to AP functions into each and every workstation in the organization because of its values for you lies and that will be a source and a workstation results too much so and this is why it's quite difficult last year that
a favors where 1 won't be able Interpol which is is the new base again in Polish still at texts are published in depth 1 2014 and and black capped 2nd year of the paper tried to 5 information about how to look at some of the begins from these former memory and from the middle of wind is supposed to act but I will give you some have before going infer because if we going to to my work because the spirit great influence my my platform as well when you do some published showing more things when you type the command line under Polish open source you come alive inside you matching is a dominant class and object it you see your eyes and then send it to the target system the target workstation on that the new estimate protocol when that communication traffic received by these patches on the part of the system and it will here which application has been received her to these patches it may be considered a retreat this policy or not whether if it is supposed to be sent it to the new S and of course the EXE this 1 this is the
topic matching when it received some of the more common be more social commerce and if you use Florence any larger executable files EP was response a natural process these favor said that if you
want to see some postal common and if you want to see some important remnants of optimal the you need to do some memory analyzes and again that the new him the ball most of the exceed but the problem is the proper losses terminated itself immediately after the end of the session that's why it's very difficult to do some real-time analyzes on the memory of the the US simple ports so from the gas
constant from their lots of from the letters suddenly I'm going to propose the bolded type called published you can implement you just copy my idea to apply to some workstation in your organization or just apply to some handing matching the ideation DY into the fire of 3 components the 1st 1 is c to control its ID half-life centralized local man and receive and send the command receiving even from the Asian on the sensor 2nd if the client like . sensor and from my experiments I did on the window so when by 1 which we know about the publisher to between the fall and that internal component of the distances to the components tool adaptive and 1 since the 1st is supposed to adapt their next is that the new it's temporal force the vector and instances since there is line before because it needs to communicate with the US C 2 you can see them affordable above 5 fivesome of voice commands from the R C 2 No. 5 even at traffic I even information from the sensor is eccentric that's the AES introduction
so I'm going to solve the problem of the the new simple cost see you can see that this is found in the part see Windows is sensitive that to I the located at Purdue as simple costs here you might notice that out to the the poniewa? simple force that you see the real ones every matching system in the wake of endorsing this I renamed it into the new estimate plot course 1 that see you can rename it into anything you want to do just change the configuration file in the prototype and effect what I'd and means their mind adapter used but the new simple paucity exceed so next time if there is a color to morning if you direct directly into red after and some
prerequisite this the big US improper cost and power so that the X C B on the on the application is not do that day induces faster he diffusion renamed it you need to change on you and then after reviewing and you need to show that this is a prerequisite now what I'm going to intercept is I'm going to desert some window to API to look some important information I tried to add in the desert to process in the initial state the first one is as I mentioned the problem is it 2 minutes break quickly you cannot do anything with it itself so I call in Texas forced because I need to pause some time and then do some immunizes before community itself and then I hope we create process because they would like to know if the attacker spawned some arterial executable files and the next is the text to the to adopt the out what I want to use to some network traffic because the money's just publish share often download things from the network uh OK this is what I'm going to try to located inside the memory from the neighbor investigating publisher attack they try to find out do some analysis confided pattern of the common from number 2 to 5 that I from my experiments number 1 is very important to because it contained some previous command that particular used again at let's see some
demonstrations I have the demonstration that the tool while we do a demonstration the reason is because I need to change their and to turn on and turn off in some power-sharing always need to take some cancer I will show the Organization for 2 and life or 1 of the 1st demonstration is a series of 3 more for show commands window for Windows 7 is um this the client you see this is surrounded by sea to landed on my Mac you will see later this is the bachelor
right in the creek interface
with no going to learn the same thing with with OK essential stopped at next answer which
student Windle 2008 to disarm
culturally model we know 7 minus partially and in the north pressing is partially to I tried to do some summary morning with entropy essential wikibooks that because his inside the woman in the domain I use seals off command get cost vector something get process and if in some place like thing make save committed session and then and then I go
back to the command control and when to posterior you you can see all of these that the days of happened after this session to minute when don't want it into the existing process because so I would like to do some real time and when i 6 but the results of the memory see at this point depends on what these insights the memory sometimes I got important clues some coming up model depends now back to their that's what can
see it there's some some
for here you you can see some
commands but not 100 per cent because I just got some when the remnants of the memory at that time and if you to be session for long term maybe you can get just ordered 30 % because I just hope he to exit process next
the I'm going to do some left demonstration
project 1st I'm going to land mine was to keep the server 1st because I put some knowledge is
publishers people here then I'm going to land see OK so the 2 works going to into 8 . 1 this is a client I really wonder since you you cannot be studied this 1 under atmospheric appearance back to win the 2012
and going to use in will command the command means that we want to land the commanding montly under leaning on the target matching I want to to come onto that name called we know for a 1 we did didn't come on the inside of this thing here buying use highly mean that we have to be 1 to download some script that's is for the more menial . ps 1 song these IP address which is my Mac machine and in line with what many cats so let's see that's what the come over here so what
about the demonstration and not sure why that's problem here just that lecture about this because I have just a reflection and less I'm going to show you some acts some of my video demonstration instead is the same I think that is high
status and no 8 . 1 9 point back to and the door of 2012 again and
then induce general command he will be me have tried to look at some US AC current paintings but as you know if you line on window 2012 statue you can see anything important as it finished the more common than back to we do it type 1 again you can't see
it there is some sort of there's
a whole gene and there's a capturing here capturing means that if the day some network dolloping from the internet from the network it will capture something and he keeps saying to idiocy see truth now I
think it's holding back to that that's what began now you can see that there is still a fly that the Polish only morning from the more common and download from the next word is the policy of states if you user and general prediction mechanism you cannot see CDC because it is isn't introduced that you need to do some time and when Sicily and in the last 1 is
I show you some them the more demonstration but this 1 is local Polish at much lower tax I use this script called from this you out let's see what did you like I start
multi-hundred to
listen for that depicted to back not going back to Windows and imagine that this is the user try to hold in
some natural enabled natural and then everything seems to be OK and then back to tell the time interpreter
backed beast macro use marriages power we show inside now back to you of that school what's yeah you can
see here there's a complete opposable from that macro on the final thing
that I would like to remind you is Polish error is not published so that each Si or it's not PowerShell privacy that exceed these 2 which is only the horse application inside your Windows systems if attacker can rights documents application themselves they can create more land that not directly access to deduct object classes that Incheon everything solution know enrollment which might for the I cannot detect it at all but if you things in another way if they can run that let applications in your matching they don't need to use approaches that can do anything right and yes this just was applications this is the limitation of my work there are some serial work talking about we know was application you can learn from the sleaze find last but not least is the publisher we find this is greatly improved from there we to to be in the fall because there is a feature of corn wall and the wall are scattered in different this is worrying about the cost if you remember that I tried to intercept some window the 2 API but this time some guys from Microsoft a wide open API to you and its API you can all which he and the rest company can use these people logging of finding the regions that you can identify which is which is not from hoping so let's start off as a publisher motives doesn't work ontology we find in the note right now and if you
have any questions just this uh has me here of if you want you would like to talk much about the platform and going on here for tomorrow and and maybe thank you for attending the last system for today thank you very much much