*EDIT* This repo has been renamed to PowerPick and added to the Veil-Framework's PowerTools. Find it HERE! See below for more edits. *EDIT*
Attackers have evolved to love PowerShell more than most defenders or system administrators do. Tools like PowerSploit, Veil Power*, and Nishang have become routine capabilities used by red teams, pentesters, evil attackers, and skiddies alike. With this evolution and overall consolidation of techniques into a single scripting language, surely defenders have found a proven method to prevent PowerShell execution? Surely Software Restriction Policies (SRP) or AppLocker can save the day? Don't be so sure…
Assessment after assessment, I find that we can compromise a domain user, elevate local privileges, steal credentials, inject payloads, and escalate in the domain all using PowerShell. I have nightmares of the day someone effectively restricts PowerShell and some of the old-school tactics must return. From my conversations with defenders and infosec junkies, awareness of these techniques is on the rise and people are finally starting to pay attention to the routine release of PowerShell tools that aid offense. With that being said, until disabling PowerShell on systems that don't need it becomes common practice in the trenches of commercial enterprise, attackers will still have an easy[ier] win. At this point, the restriction of PowerShell is unlikely to happen until the time and cost required to implement such defenses are reduced to a point where it can realistically be accomplished natively and at scale.
For some previous research on attackers' use of PowerShell:
- FireEye white paper from Black Hat – Includes discussion of incident response with PowerShell. Awesome writeup! Props to these guys for taking a stab at the defensive conversation in this arena. I hope to see some of this work recreated on an engagement some time.
- CrowdStrike report on Deep Panda – Example of a threat actor using PowerShell.
- Weaponizing PowerShell – harmj0y's post on weaponizing PowerShell. Good write-up on bypassing execution restrictions.
- PowerShell Basics – Carlos Perez's tutorials on PowerShell. Definitely worth the read.
- PowerSploit GitHub – Essential for offensive PowerShell users.