Investigating PowerShell Attacks
Black Hat USA 2014, August 7, 2014
PRESENTED BY: Ryan Kazanciyan, Matt Hastings
© Mandiant, A FireEye Company. All rights reserved.
Background Case Study
Diagram: Attacker client -> Victim VPN -> (WinRM, SMB, NetBIOS) -> Victim workstations, servers
- Fortune 100 organization
- Compromised for > 3 years
- Active Directory
- Authenticated access to corporate VPN
- Command-and-control via:
  - Scheduled tasks
  - Local execution of PowerShell scripts
  - PowerShell Remoting
Why PowerShell?
It can do almost anything...
- Execute commands
- Reflectively load / inject code
- Enumerate files
- Interact with services
- Retrieve event logs
- Download files from the internet
- Interface with Win32 API
- Interact with the registry
- Examine processes
- Access .NET framework
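The capabilities listed on this slide, exercised from one PowerShell session, as an added example (my own code, not material from the presentation). Everything here is benign and runs offline on PowerShell 2.0 or later; the Demo namespace and the ConvertFrom-EncodedCommand helper are this example's own names. The last two steps show why the capabilities matter to an investigator: code that runs from a string never touches disk, and the same payload usually turns up on a command line as an -EncodedCommand argument that has to be decoded from UTF-16LE Base64 rather than UTF-8.

```powershell
# Added example: a few of the capabilities from the "Why PowerShell?" slide.

# 1. Interface with the Win32 API: Add-Type compiles a P/Invoke stub into an
#    in-memory dynamic assembly; nothing is written to disk.
#    -ErrorAction SilentlyContinue lets the script be re-run in the same session.
Add-Type -Namespace Demo -Name Kernel32 -ErrorAction SilentlyContinue -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern uint GetCurrentProcessId();
[DllImport("kernel32.dll")] public static extern bool IsDebuggerPresent();
'@
$pid32    = [Demo.Kernel32]::GetCurrentProcessId()
$debugged = [Demo.Kernel32]::IsDebuggerPresent()
"PID via Win32 API: {0}, debugger attached: {1}" -f $pid32, $debugged

# 2. Access the .NET framework directly; no cmdlet is needed to reach the CLR.
"CLR {0}, PowerShell {1}" -f [System.Environment]::Version, $PSVersionTable.PSVersion

# 3. Examine processes, enumerate files, interact with the registry: the same
#    cmdlets an administrator uses, which is why their use is not suspicious
#    on its own.
Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 3 Name, Id, WorkingSet
Get-ChildItem -Path "$env:windir\System32" -Filter *.exe | Select-Object -First 3 Name, Length
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' |
    Select-Object ExecutionPolicy

# 4. Retrieve event logs: the classic "Windows PowerShell" log exists on every
#    version and records engine start/stop (event IDs 400 / 403).
Get-WinEvent -LogName 'Windows PowerShell' -MaxEvents 3 | Select-Object TimeCreated, Id

# 5. Execute code that never exists as a file. Attackers usually fetch the
#    script text over HTTP; this example builds the string locally so it runs
#    offline. Invoke-Expression is what turns the string into running code.
$scriptText = 'Write-Output ("running in memory as {0}" -f $env:USERNAME)'
Invoke-Expression $scriptText

# 6. The same payload as an -EncodedCommand argument, which is how it appears
#    in a scheduled task or a process command line. PowerShell expects the
#    Base64 to wrap UTF-16LE ("Unicode") text.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($scriptText))
"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand $encoded"

# The investigator's decoder for that artifact (helper name is this example's own).
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}
ConvertFrom-EncodedCommand -Base64 $encoded
```

Decoding with a UTF-8 decoder instead of the Unicode one yields text with a NUL after every character, which is the usual sign that an analyst has picked the wrong encoding rather than that the payload is obfuscated.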
PowerShell Attack Tools
- PowerSploit: reconnaissance, code execution, DLL injection, credential harvesting, reverse engineering
- Nishang
- Posh-SecMod
- Veil-PowerView
- Metasploit
- More to come...
PowerShell Malware in the Wild
Investigation Methodology
Attack scenarios examined:
- PowerShell Remoting (over WinRM)
- Local PowerShell script (evil.ps1)
- Persistent PowerShell (backdoor.ps1)
Sources of evidence:
- Registry
- File System
- Event Logs
- Memory
- Network Traffic
Attacker Assumptions
- Has admin (local or domain) on target system
- Has network access to needed ports on target system
- Can use other remote command execution methods to:
  - Enable execution of unsigned PS scripts
  - Enable PS remoting
Version Reference
Default and installable PowerShell versions by Windows release:

PowerShell   Windows 7 SP1            Server 2008 R2 SP1       Windows 8   Server 2012              Windows 8.1   Server 2012 R2
2.0          Default (SP1)            Default (R2 SP1)         -           -                        -             -
3.0          Requires WMF 3.0 Update  Requires WMF 3.0 Update  Default     Default                  -             -
4.0          Requires WMF 4.0 Update  Requires WMF 4.0 Update  -           Requires WMF 4.0 Update  Default       Default (R2)
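A read-only host triage script over the sources of evidence from the methodology slide, checking the two changes the attacker assumptions slide expects (unsigned script execution and PS remoting enabled) and reading the installed engine versions from the version reference, as an added example (my own code, not the presenters' tooling). It runs on PowerShell 2.0 or later as a local administrator. Assumptions: the event IDs in the comments are the ones I rely on in practice and should be confirmed against the build in hand; the schtasks column names are those of an English-language Windows; the Read-RegValue helper and the report property names are this example's own.

```powershell
# Added example: pull the evidence sources named in the deck from a live host.
param([int]$Days = 30)
$since = (Get-Date).AddDays(-$Days)

function Read-RegValue {
    # Returns $null instead of an error when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -ErrorAction Stop).$Name } catch { $null }
}

# Version reference: 1.0/2.0 register under ...\PowerShell\1, 3.0 and later under
# ...\PowerShell\3. Both keys are present on a host upgraded with a WMF update.
$engineV2 = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine' 'PowerShellVersion'
$engineV3 = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine' 'PowerShellVersion'

# Registry: the two settings the attacker model assumes were enabled.
# ExecutionPolicy only appears here once someone set it machine-wide.
$execPolicy = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' 'ExecutionPolicy'
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$winrmState = if ($winrm) { $winrm.Status } else { 'not installed' }
$listeners = @()
if ($winrm -and $winrm.Status -eq 'Running') {
    # The WSMan: drive only answers while the service is running.
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
}

# Event logs. "Windows PowerShell" (classic, every version): 400/403 engine
# start/stop, 600 provider start; the HostApplication field of a 400 message is
# the command line that started the engine. Microsoft-Windows-WinRM/Operational
# records remoting sessions on both client and server. Microsoft-Windows-
# PowerShell/Operational exists from 3.0 onward and stays empty until
# module or script block logging is turned on. Missing logs are skipped.
$events = @()
foreach ($log in 'Windows PowerShell', 'Microsoft-Windows-WinRM/Operational', 'Microsoft-Windows-PowerShell/Operational') {
    $events += @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue)
}
$engineStarts   = @($events | Where-Object { $_.LogName -eq 'Windows PowerShell' -and $_.Id -eq 400 })
$remotingEvents = @($events | Where-Object { $_.LogName -eq 'Microsoft-Windows-WinRM/Operational' })

# File system: profile scripts run on every interactive start without appearing
# on any command line; recently written .ps1 files in the usual drop locations.
$profilePaths = @("$env:windir\System32\WindowsPowerShell\v1.0\profile.ps1",
                  "$env:windir\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1") +
    @(Get-ChildItem -Path "$env:SystemDrive\Users\*\Documents\WindowsPowerShell\*profile.ps1" -ErrorAction SilentlyContinue |
      ForEach-Object { $_.FullName })
$profiles = @($profilePaths | Where-Object { Test-Path -Path $_ })
$recentScripts = @(Get-ChildItem -Path "$env:windir\Temp", $env:ProgramData, "$env:SystemDrive\Users" -Filter *.ps1 -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } | Select-Object FullName, LastWriteTime, Length)

# Persistence: scheduled tasks that launch PowerShell. schtasks.exe rather than
# Get-ScheduledTask so this also works on Windows 7 / PowerShell 2.0.
$tasks = @(schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'powershell|\.ps1' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Last Run Time')

# Memory: what to acquire first. wsmprovhost.exe hosts the server side of a
# remoting session, so a live one means someone is remoting in right now.
$hosts = @(Get-WmiObject -Class Win32_Process -Filter "Name='powershell.exe' OR Name='wsmprovhost.exe'" |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine)

# Network: WinRM listens on 5985 (HTTP) / 5986 (HTTPS) by default; a foreign
# address on those ports is this host remoting out to another.
$winrmSockets = @(netstat -ano | Where-Object { $_ -match ':598[56]\s' })

New-Object PSObject -Property @{
    EngineVersions  = @($engineV2, $engineV3 | Where-Object { $_ })
    ExecutionPolicy = $execPolicy
    WinRMService    = $winrmState
    WinRMListeners  = $listeners
    EngineStarts    = @($engineStarts | Select-Object TimeCreated, Message)
    RemotingEvents  = @($remotingEvents | Select-Object TimeCreated, Id, Message)
    ProfileScripts  = $profiles
    RecentScripts   = $recentScripts
    PowerShellTasks = $tasks
    RunningHosts    = $hosts
    WinRMSockets    = $winrmSockets
}
```

Run it as `.\triage.ps1 -Days 90 | Format-List` and read EngineStarts first: an engine started by a HostApplication other than the console or ISE (a scheduled task, wsmprovhost.exe, or a -EncodedCommand command line) is the lead that ties the other sources together. The script collects the live process list rather than memory itself; take the memory image before anything else on the host changes.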