Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies

*EDIT* This repo has been renamed to PowerPick and added to the Veil-Framework’s PowerTools. Find it HERE! See below for more edits. *EDIT*

Attackers have evolved to love PowerShell more than most defenders or system administrators. Tools like PowerSploit, Veil Power*, and Nishang have become routine capabilities used by Red Teams, pentesters, evil attackers, and skiddies alike. With this evolution and overall consolidation of techniques into a single scripting language, surely defenders have found a proven method to prevent PowerShell execution? Surely Software Restriction Policies (SRP) or AppLocker can save the day? Don’t be so sure…

Assessment after assessment, I find that we can compromise a domain user, elevate local privileges, steal credentials, inject payloads, and escalate in the domain all using PowerShell. I have nightmares of the day someone effectively restricts PowerShell and some of the old-school tactics must return. From my conversations with defenders and infosec junkies, awareness of these techniques is on the rise and people are finally starting to pay attention to the routine release of PowerShell tools that aid in offense. With that being said, until disabling PowerShell on systems that do not need it becomes common practice in the trenches of commercial enterprise, attackers will still have an easy[ier] win. At this point, the restriction of PowerShell is unlikely to happen until the time and cost required to implement such defenses is minimized to a point where it can realistically be accomplished natively and at scale.
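The paragraph above frames restricting PowerShell through SRP or AppLocker as the defense that would force attackers back to older tactics. The snippet below is an added example, not code from the original post or from the PowerPick project: it uses the AppLocker module that ships with Windows to ask the effective policy on a host whether the built-in PowerShell host executables would actually be denied for a given user, and whether the rules are enforced at all rather than merely audited. The user name and the host paths are assumptions; adjust them to the environment being checked.

```powershell
# Added example (not from the original post): audit whether the effective
# AppLocker policy on this host blocks the PowerShell host binaries for a
# standard user. Requires the AppLocker module, which ships with Windows.
Import-Module AppLocker

# Assumption: the account to evaluate; replace with a real domain user.
$TestUser = 'CONTOSO\standarduser'

# PowerShell host executables that a "block PowerShell" rule is usually meant
# to cover (assumed default install paths; only existing files are tested).
$PsHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
) | Where-Object { Test-Path $_ }

# The effective policy merges local rules with the GPO-applied rules, so it
# reflects what the machine will really enforce.
$Policy = Get-AppLockerPolicy -Effective

# Ask AppLocker how it would decide for each binary when launched as $TestUser.
$Results = Test-AppLockerPolicy -PolicyObject $Policy -Path $PsHosts -User $TestUser

foreach ($r in $Results) {
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
    # Anything other than a Denied* decision means PowerShell still launches.
    $status = if ($r.PolicyDecision -match 'Denied') { 'BLOCKED' } else { 'NOT BLOCKED' }
    '{0,-12} {1,-18} {2}  {3}' -f $status, $r.PolicyDecision, $r.FilePath, $r.MatchingRule
}

# Rules only bite when the Application Identity service is running and the
# Exe collection is in Enforce mode; AuditOnly logs but does not block.
Get-Service AppIDSvc | Select-Object Status, StartType
($Policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }) |
    Select-Object RuleCollectionType, EnforcementMode
```

Run it in an elevated session on a representative workstation after the policy has been applied. A row reading NOT BLOCKED, an AppIDSvc that is stopped, or an Exe collection in AuditOnly mode each mean the "simple AppLocker policy" the post's title refers to is not yet restricting PowerShell for that user. Note that this checks only the named host executables, which is exactly the scope of a path-based rule; it says nothing about other processes that can host the PowerShell runtime.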

For some previous research on attackers’ use of PowerShell:
