HackDig : Dig high-quality web security articles for hackers

toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, (Wed, Jan 6th)

2016-01-06 23:20

The following is a cross-posted from HolisticInfoSec.

Happy New Year and welcome to 2016! When last we explored red team versus blue team tactics inMay 2015, we utilizedInvoke-Mimikatz, then reviewed and analyzed a victim with WinPmem and Rekall. The recent release of PowerSploit 3.0.0 on 18 DEC 2015 presents us with another opportunity to use PowerShell for a red team versus blue team discussion. This time its an all PowerShell scenario, thanks as well to PowerForensics. Forget the old Apple pitch line: Theres an app for that. With so much PowerShell love, theres a PowerShell script for that!

For the uninitiated, a description of each. PowerSploitis a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerForensicsis a PowerShell digital forensics framework. It currently supports NTFS and is in the process of adding support for the ext4 file system. Both are updated regularly and are GitHub projects subject to your feedback and contributions. PowerSploit includes scripts that aid in antimalware bypasses, code execution, exfiltration, persistence, privilege escalation, reconnaissance, script modification, and general mayhem.PowerForensics includes scripts the allow analysis of the boot sector, Windows artifacts, the Application Compatibility Cache, Windows Registry, as well as create forensic timelines. There are also Extended File System 4 (ext4) scripts as well as some utilities.

Credit where due, these two projects include some excellent developers, includingJared Atkinson, who leads PowerForensics but also contributes to PowerSploit. The PowerSploit team also includesMatt GraeberandJoe Bialek, Ive admired their work and skill set for years.We wont explore it here, but be sure to check out Empire fromWill Schroeder, who also contributes to PowerSploit. The topic of a future toolsmith, Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture.

Before working through a couple of red vs. blue scenarios, a quick rundown on installation for both tool sets. For PowerSploit, useDownload Zipfrom the Githubrepo, move the zip package to yourDocumentsWindowsPowerShellModulespath under your user directory, unpack it, and renamePowerSploit-master toPowerSploit. From an administrator PowerShell prompt, run">Import-Module PowerSploitand follow it with">Get-Command -Module PowerSploitto ensure proper import. You will definitely want to run">$Env:PSModulePath.Split() | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }to avoid the incredibly annoying Do you really want to run scripts downloaded from the Internet warning. Yes, I really do. For PowerForensics, the routine is similar, however the modules for PowerForensics are buried a bit deeper in the ZIP package. Again, useDownload Zipfrom the Githubrepo, unpack the ZIP, drill down to">PowerForensics-masterPowerForensicsModuleand copy the PowerForensics directory there to your">DocumentsWindowsPowerShellModules">IssueGet-Module -ListAvailable -Name PowerForensics, them">Import-Module PowerForensics. Again,">Get-Command -Module PowerForensicswill ensure a clean import and show you available modules. Likely worth adding">$Env:PSModulePath.Split() | % { if ( Test-Path (Join-Path $_ PowerForensics) ) {Get-ChildItem $_ -Recurse | Unblock-File} }to avoid hassles as well. Lets begin with my absolute favorite, it is the ultimate in absolute nerd humor and is a force to be reckoned with all by itself. Imagine a red team engagement where youve pwned the entire environment, then you leave the following calling card. If you run">Get-Help Add-Persistence -examplesyou will discover the best infosec joke ever, forget just PowerShell. I" />

Three files are written:">Persistence.ps1,">RemovePersistence.ps1, and">rr.ps1which is">EncodedPersistence.ps1renamed. Inspecting">rr.ps1reveals base64 encoding designed to conceal the 80s musical flashback that follows.

User-level and elevated persistent scheduled tasks are created, called TN Updater, and aprofile.ps1file is written toC:UsersDocumentsWindowsPowerShell. If you inspect the profile script, youll initially say to yourself Whatever, the file is empty. Au contraire, ami. Scroll right. Ah there it is:iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA=),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()

Should your victim, or you on behalf of your victim, run" />

All good chuckles aside, a persistent rickroll is really just an example of any number of truly evil options. Shells, beacons, downloaders all come to mind, creativity is really your only challenge,Add-Persistenceis your vehicle for scripting forget-me-not. All good for the red teamers, whats there for the blue team?

PowerForensics">Get-ForensicTimelineis likely a good start, Im a huge fan of a complete timeline. When you run">Get-Help Get-ForensicTimelineyoull quickly learn that it incorporates the following cmdlets:

  • Get-ForensicScheduledJob
  • Get-ForensicShellLink
  • Get-ForensicUsnJrnl
  • Get-ForensicEventLog
  • Get-ForensicRegistryKey

Get-ForensicTimelineleft unchecked will, of course, dump a timeline for the entire discernible date range of all artifacts. This can lead to an unwieldy, huge text dump, I suggest filtering up front. Assume as a blue team member I knew my attack had occurred sometime during the New Year holiday. As such, I ran">Get-ForensicTimeline | Sort-Object -Property Date | Where-Object { $_.Date -ge 12/30/2015 -and $_.Date -le 01/04/2016 } c:tmptimeline2.txt.

This resulted in a much more manageable file for indicator searches. In this case, wed like to attribute detail to the creation and execution ofrr.ps1. There are a couple of ways to dig in here.SLS, alias for">Select-Stringis your PowerShell friend:" />

You can see weve easily discovered who, what, and where. The why is easy, because rickrolls rule! :-)

Timeline analysis is always vital and important but there are more opportunities here, lets put these kits through their paces for a second scenario.PowerSpoit includes">Invoke-WmiCommand. Per its description,">Invoke-WmiCommandexecutes a PowerShell ScriptBlock on a target computer using WMI as a pure C2 channel. It does this by using the StdRegProv WMI registry provider methods to store a payload into a registry value. The command is then executed on the victim system and the output is stored in another registry value that is then retrieved remotely.">Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath SOFTWAREpwnkey -RegistryPayloadValueName pwnage -RegistryResultValueName pwnresults -ComputerName -Credential DOMAINusername -Verbose

I changed my domain and username to DOMAINusername for the example, obviously you" />

The payload here is simple math, 1+3+2+1+1, as executed on my victim server ( and returned the result (8) to my attacker host. You can imagine how useful quick, easy remote WMI calls might be for a red team. Obviously a more constructive (destructive?) payload would be in order. But how to spot this from the blue teams perspective?

PowerForensics includes">Get-ForensicEventLog.Registry tweaks create Windows Security event log entries, including 4656 for registry key open, 4657 for creation, modification and deletion of registry values, and 4658 for registry key closed.Imagine a security event log export file from a victim system, ready for analysis on your forensic workstation. As such, you could run the likes of">Get-ForensicEventLog -path C:tmpsecurity.evtx | Where-Object { $_.EventData -like EventId: 4656" />

See? Thats not so bad, right? Red team events do not need to leave the blue team scrambling to catch up. Similar tactics but different outcomes.Ive done neither of these PowerShell infosec offerings any real justice, but hopefully opened your eyes to the options and opportunities the represent. Use them both and youll be better for it.Conduct your red vs. blue exercises in concert, cooperatively, and youll achieve improved outcomes. Emulate that adversary, then hunt him down.

Please feel free to share your red team vs. blue team PowerShell concepts via comments, readers will benefit from your experience as well.

Follow these guys on Twitter if you want to stay up on the PowerShell arms race. :-)

Ping me via email or Twitter if you have questions: russ at holisticinfosec dot org or">|">@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: ssr;pma&97502=diyrots?lmth.yraid/ude.snas.csi

Read:3788 | Comments:0 | Tags:No Tag

“toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics, (Wed, Jan 6th)”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud