Building an Empire with PowerShell
Will Schroeder, Justin Warner
Veris Group’s Adaptive Threat Division (ATD)
First Things First
○ This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people:
  □ @mattifestation and @obscuresec
    ○ https://github.com/mattifestation/PowerSploit/
  □ @carlos_perez / https://github.com/darkoperator/
  □ @tifkin_ / https://github.com/leechristensen/
  □ @ben0xa and @mwjcomputing
  □ @enigma0x3 - The ATD Padawan
  □ And the rest of the offensive PowerShell community! All you guys rock!
@harmj0y
○ Security researcher and red teamer for the Adaptive Threat Division of Veris Group
○ Co-founder of the Veil-Framework and PowerTools
○ Cons: Shmoocon, Carolinacon, Defcon, Derbycon, various BSides
@sixdub
○ Red Team Capability Lead for the Adaptive Threat Division of Veris Group
○ Lots of interests: red team ops, reverse engineering, adversarial tactics, etc.
○ Developer on the Veil-Framework and co-founder of PowerTools
tl;dr
○ Red Team Philosophy
○ (Offensive) PowerShell
○ RATs 101
○ Empire
○ Modules
○ Demo
○ Taking Down the Empire
○ The Future
Red Team Philosophy
In Defense of Offense
Red Teaming
○ Red teaming means different things to different people
  □ physical ops, in-depth social engineering, custom exploit dev, pure network based operations, etc.
○ Common thread of increased time frame, more permissive scope and adversarial mentality
○ We have an ‘assume breach’ perspective
  □ It’s not a matter of ‘if’, but ‘when’
Malware Motivations
○ Why did we decide to go custom?
  □ Clients were signaturing tool sets
  □ Needed rapid dev capability while on ops to integrate unique vulnerabilities
○ And a chance to build the RAT features we always wanted
  □ Wanted a better way to utilize existing PowerShell capabilities
○ An attempt at solving the “weaponization problem”
In Defense of Offense
○ We want to help secure companies against the level of threat that they’ve been unknowingly facing for over a decade
  □ So we need to be able to simulate at least some of the actions of these advanced groups.
○ There is a balance between making OSS useable for training and making the “next-gen rootkit”
(Offensive) PowerShell
“Microsoft’s Post-Exploitation Language” - @obscuresec
Why PowerShell
○ PowerShell provides (out of the box):
  □ Full .NET access
  □ application whitelisting
  □ direct access to the Win32 API
  □ ability to assemble malicious binaries in memory
  □ default installation Win7+ !
○ “Why I Choose PowerShell as an Attack Platform”
  □ http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html
“Bad Guys”
Existing Tech
○ PowerSploit
  □ Screenshots, keylogging, Mimikatz, etc.
○ PowerView
  □ Network situational awareness
○ PowerUp
  □ Privilege escalation
○ PowerBreach
  □ Additional persistence
○ Posh-SecMod
  □ Lots of goodies
The Weaponization Problem
○ There’s been a sharp increase in offensive PowerShell projects over the past year
○ But many people still struggle with how exactly to work PowerShell into engagements
○ Using existing tech at this point hasn’t always been the most straightforward
  □ This is the problem we’re trying to solve!
RATs 101
I smell a RAT….
Just RAT Things...
○ RAT vs Backdoor… Yes they differ
○ What different things do you need to focus on when building a RAT?
  □ Delivery
  □ Staging & C2
  □ Modularity / Expandability
  □ Forensics
  □ The list goes on!!!
The Staging Problem
○ Exotic C2 channels are nice, but somehow your agent code has to get to your target
○ This is often the most vulnerable point of your entire process
  □ staging can be noisy
  □ some kind of logic needs to be sent “in the clear”
  □ stager needs to be able to detect and utilize proxies as best as possible
Command & Control
○ What are the characteristics of moderate to advanced malware out there?
  □ Asynchronous
    ○ Low and slow wins the race
  □ Variable comms
    ○ HTTP, HTTPS, DNS, SMB, etc.
  □ Flexible indicators
    ○ Survivability across defensive sensors or boundary defensive solutions
  □ Proxy awareness!
Extensibility
○ The core agent should be as small as possible with only required functionality
○ It is best to make a module interface to allow an operator to add/subtract features
  □ Follow-on payloads, scripts, persistence modules
○ The modules can be loaded and removed during use
Wait… What?
○ Empire is a full-featured PowerShell post-exploitation agent
○ Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
○ An attempt to train defenders on how to stop and respond to PowerShell “attacks”
  □ Another tool in the belt!
PowerShell = Just a Toy Language?
○ Many people have written off PowerShell as being a real malware solution because it is a scripting language
  □ “Easy” to defeat/block the interpreter
○ This has also caused incident responders to overlook it as a malware vector
  □ Helpful if we provide some real world demos :)
Server Features
○ Client-Server architecture
  □ Server = Python | Client = PowerShell
○ A backend database preserves agent/listener configurations
  □ In case something goes down, your agents won’t!
○ Everything is logged, extensively
  □ Taskings/results per agent, along with timestamps
  □ Hashes of any files uploaded to target
  □ --debug will dump a ton of output to empire.debug
Methods of Execution
○ Small “stager” that can be manually executed or easily implemented elsewhere
  □ A powershell command block can load an Empire agent
  □ Generated per listener inside the menu
○ Stager Formats:
  □ .vbs (macro), .bat, ducky script, etc.
  □ Reflective Pick .DLL - Allows integration with many other tools like MSF
Listeners
○ The “server” side of the whole system
  □ Configuration of the agent set here
Additional Listener Stuff
○ IP whitelisting/blacklisting dynamically or by a common config
○ Kill dates and working hours nicely integrated into listener management
○ “foreign listeners” allow the passing of agents within the team
  □ and to other agents like Meterpreter/Beacon!
Empire Staging
Message flow between the Control Server and the Client (odd steps are client requests, even steps are server responses):
1. Client: GET /<stage0>
2. Server: return key negotiation stager.ps1 w/ shared AES staging key
3. Client: gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. Server: return ENCpub(epoch + AES session key)
5. Client: decrypt session key, post ENCsession(sysinfo) to /<stage2>
6. Server: return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing.
C2
○ Utilizes the .NET backend with HTTP or HTTPS
○ Nothing too magical here…
  □ “Get” request is looking for tasking
  □ “Post” is returning encrypted results
In the Agent: Contexts
○ Shell - Run Empire or PowerShell cmds
○ Scripts - Import and run PowerShell cmdlets
○ Modules - Utilize pre-built functionality to execute PowerShell functions across agents
○ More later during the demo...
Modules
Because an agent actually needs functionality
Modules
○ Currently 90 released modules
  □ several more in testing
○ First round of modules focused on integrating all of the current projects
  □ Wanted an operational beta to use in real environments
○ We will show some of the top used ones…
Module Categories
○ Currently have the following categories for modules:
  □ code_execution - ways to run more code
  □ collection - post exploitation data collection
  □ credentials - collect and use creds
  □ lateral_movement - move around the network
  □ management - host management and auxiliary
  □ persistence - survive the reboot
  □ privesc - escalation capabilities
  □ situational_awareness - network awareness
  □ trollsploit - for the lulz
Module Development
○ Development is extremely fast due to the wealth of existing PowerShell tech and the ease of development in a scripting language
○ Modules are essentially metadata containers for an embedded PowerShell script
○ Things like option sets, needs admin, opsec safe, save file output, etc
management/psinject
○ First up: our auto-magic process injection module for Empire
  □ Takes a listener name and an optional process name/ID
○ Uses Invoke-PSInjector to inject our ReflectivePick .DLL into the host or specified process
  □ The launcher code to stage the agent is embedded in the .DLL
ReflectivePick
[Diagram: Invoke-PSInjector injects the ReflectivePick .DLL into a *.exe process; the .DLL hosts a .NET assembly that runs the download cradle]
Invoke-PowerCeption?
PowerShell in LSASS? lol
Invoke-BypassUAC
○ Second, we need a way to escape medium-integrity process contexts
○ The .DLL used by Metasploit’s bypassuac_injection is open source, and works when combined with PowerSploit’s Invoke-Shellcode.ps1
  □ Works on Win 7 and 8.1!
○ Lets us spawn high-integrity agents
Invoke-Mimikatz
○ Everyone’s favorite post-exploitation capability
○ Not just dumping creds:
  □ Golden tickets
  □ Silver tickets
  □ PTH
  □ Skeleton key
○ Empire has an internal credential model
  □ Lets you easily reuse creds you’ve stolen
Invoke-WMI
○ Invoke-WMIMethod is our primary way of moving around
  □ Can take a listener name and transform it into configurations for a launcher
  □ Fairly lightweight and safe to use
○ Uses PowerShell’s Invoke-WMIMethod to run the launcher code on a remote host
PTH
○ “But what about pass-the-hash?!!”
○ The credentials/mimikatz/pth module (alias: pth) lets you spawn a new process with a local or domain user’s hash
  □ You can then use the credentials/tokens module to steal the token from this new process
○ Lets you execute whatever actions you want with just a hash
Demo
Taking Down the Empire
How to Find and Stop Us
Detection
○ The typical network indicators will reveal some things
  □ Not as proxy aware as some agents
  □ High entropy byte strings in HTTP POSTs
○ Endpoint indicators are plentiful:
  □ Prefetch with PowerShell
  □ .NET Assemblies loaded into odd processes
  □ The list goes on…
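The “high entropy byte strings in HTTP POSTs” indicator above is the one that is easiest to turn into a check, so here is an added example of doing that (written for this page; it is not Empire code and not the authors’ detection logic). It computes the Shannon entropy of each POST body from a set of constructed proxy records and flags bodies that look like encoded ciphertext. The 5.0 bits/character threshold and the 64-byte minimum body length are assumptions: form data and JSON typically sit around 4.0–4.5, base64-encoded random bytes approach 6.0, and a body shorter than a few dozen bytes cannot reach the threshold regardless of its content, so it is skipped rather than scored.

```python
import base64
import math
import random
from collections import Counter


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character.

    Roughly 4 for English, form data or JSON; close to 6 for base64-encoded
    ciphertext (64-symbol alphabet); up to 8 for raw random bytes.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_post(body: str, threshold: float = 5.0, min_len: int = 64) -> bool:
    """Flag a POST body that is long enough to measure and looks like ciphertext.

    Entropy is bounded by log2(len(body)), so a 16-byte body can never score
    above 4 bits; short bodies are therefore skipped instead of scored.
    The threshold and min_len values are assumptions, not Empire-specific.
    """
    if len(body) < min_len:
        return False
    return shannon_entropy(body) >= threshold


def flag_posts(records):
    """Return the URLs of (method, url, body) records whose bodies look encrypted."""
    return [url for method, url, body in records
            if method == "POST" and is_suspicious_post(body)]


# Constructed sample traffic (not captured data). A fixed seed keeps the
# high-entropy body reproducible; 300 random bytes -> 400 base64 characters.
_rng = random.Random(20150801)
HIGH_ENTROPY_BODY = base64.b64encode(
    bytes(_rng.getrandbits(8) for _ in range(300))).decode()

SAMPLE_RECORDS = [
    ("POST", "/login",
     "username=alice&password=hunter2&remember=1&next=%2Fdashboard%2Fhome"),
    ("POST", "/api/search",
     '{"query": "quarterly report 2015", "page": 1, "per_page": 25, "sort": "date"}'),
    ("GET", "/news.asp", ""),
    ("POST", "/news.asp", HIGH_ENTROPY_BODY),
]

if __name__ == "__main__":
    for method, url, body in SAMPLE_RECORDS:
        print(f"{method:4} {url:12} len={len(body):3} H={shannon_entropy(body):.2f}")
    print("flagged:", flag_posts(SAMPLE_RECORDS))
```

On real proxy logs the same check needs a whitelist for legitimately opaque uploads (file transfers, compressed API payloads, TLS-wrapped traffic you only see as a CONNECT), and it is most useful combined with the other indicators on the slide, such as a beaconing cadence to the same URL from a process that has no business making web requests.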
Umm… Weird?
Memory Analysis
○ Memory analysis will reveal the entire Empire agent plaintext in memory
  □ No obfuscation is done at this point
  □ Allows the extraction of AES keys
○ Decryption of malware C2
  □ Useful for a red team because it rewards IR teams for taking the next step and chaining analysis
Yes… plaintext
Windows 10 :)
○ “ZOMG HACKING IS OVER!!” - harmj0y
○ But for real… major improvements in the security and monitoring of PowerShell
  □ Who knows when/how clients will actually implement the added features
○ Initial testing:
  □ Logging is very very noisy with Empire
  □ Constrained mode might be circumvented with PowerPick
The Future
The Shiny Shiny Future
Moving Forward
○ We’ve released full documentation and demo videos hosted at www.PowerShellEmpire.com
  □ There’s also a formal spec on the agent and its associated protocol
  □ All future updates will be posted here
○ This will be a long-running and fully supported project
Dream Capabilities
○ New C2 methods
  □ SMB, DNS, SOCKS proxying, etc.
○ Script obfuscation/mangling to help prevent memory parsing and to increase training value
○ Contribute modules! It’s super easy
@harmj0y / @sixdub
https://github.com/powershellempire/empire
www.PowerShellEmpire.com
Any questions?