So much of our industry focuses on Red Team P0wnage. Last week I read a retweet by my Con 'son' @Ben0xA of a series on PowerShell shells from Nikhil Mittal (@Nikhil_Mitt) of the 'Lab of a Penetration Tester' blog. Nikhil did a week of PowerShell Shells on his blog, found at:
Nikhil posted five days of PowerShell shell examples, a different transport each day. Here are the five shells he covered:
- Day 1 - Interactive PowerShell shells over TCP
- Day 2 - Interactive PowerShell shells over UDP
- Day 3 - Interactive PowerShell shells over HTTP/HTTPS
- Day 4 - Interactive PowerShell shells with WMI
- Day 5 - Interactive PowerShell shells over ICMP and DNS
This is a perfect exercise for Blue Teamers, as more and more malware uses PowerShell and, by default, Windows logs almost nothing that would let you detect PowerShell use or misuse. PowerShell gives the malwarians a way to persist their backdoors without leaving a malware payload on disk that we defenders might find. The same approach is used by the Metasploit and Social Engineer Toolkit (SET) pen testing tools.
PowerShell, the post exploitation kit included in every newer version of Windows, is being used more and more by administrators, InfoSec pros and, yes, the malwarian hackers, since it is so powerful and already on the system, which reduces the need to leave malware files behind where they might get detected.
The week of PowerShell Shells is interesting because Nikhil provided sample code and scripts for each of the five shells, so you can try them yourself and, for those of us on the Blue Team side, figure out how we would detect this type of attack. If you are like me, you use these kinds of Red Team hackery posts to test, validate and improve your defenses.
So what can we do to defend against PowerShell P0wnage? A lot, actually, but it takes some configuration, which I covered in a previous post. Let's take a direct look at one of the PowerShell shells.
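As an added example for the configuration side (my code, not from the original post or the previous one it refers to), here is the logging a Blue Teamer needs before any of these shells become visible, followed by a hunt over the resulting events. It assumes PowerShell 5.0 or later, where Script Block Logging writes event 4104 to the Microsoft-Windows-PowerShell/Operational log, and an administrative session to set the policy keys; the regex patterns are my starting-point guesses at the .NET and cmdlet primitives each day's transport is likely to use, not strings taken from Nikhil's scripts.

```powershell
# Added example (not from the original post): turn on the PowerShell logging
# Windows leaves off by default, then hunt the logs for the network primitives
# a PowerShell shell needs. Assumes PowerShell 5.0+ and an elevated session.

# --- 1. Enable Module Logging and Script Block Logging ---------------------
# These are the same registry values the Group Policy settings write.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'   # log every module

# --- 2. Hunt: script blocks (event 4104) that touch shell building blocks ---
# Patterns are assumptions about what each transport is likely to call,
# keyed to the five days of Nikhil's series; tune them to your own findings.
$patterns = @(
    'System\.Net\.Sockets\.TcpClient|System\.Net\.Sockets\.TcpListener'   # Day 1: TCP
    'System\.Net\.Sockets\.UdpClient'                                      # Day 2: UDP
    'Net\.WebClient|Invoke-WebRequest|System\.Net\.HttpListener'           # Day 3: HTTP/HTTPS
    'Invoke-WmiMethod|Set-WmiInstance|Get-WmiObject'                       # Day 4: WMI
    'System\.Net\.NetworkInformation\.Ping|Resolve-DnsName|nslookup'       # Day 5: ICMP/DNS
)
$regex = $patterns -join '|'

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $regex } |
    ForEach-Object {
        $text = $_.Message -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Hit     = [regex]::Match($text, $regex).Value
            Snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
        }
    }
}

Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

New PowerShell sessions pick up the policy keys; run one of the shells after enabling logging and the hunt returns the offending block with its timestamp. Two caveats: PowerShell 2 through 4 have no 4104 events, so on those hosts you are limited to the classic Windows PowerShell log (events 400 and 800), and a base64-encoded or otherwise obfuscated command is recorded as written, so the patterns above only match once the script block is decoded, which is why matching on what actually executes (4104) beats matching on the command line alone.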
Here is a screenshot of the TCP PowerShell shell I ran for the test.