BG08 Building an Empire with PowerShell Will Schroeder Justin Warner

meaning to be in the breaking ground track then perhaps you should go find another track like you to welcome today will Schroder and Justin Warner from varus group to talk to us about some PowerShell through good stuff I see building an empire or PowerShell this is our super awesome little totally not ripped off from Star Wars logo that we have but first things first before anything else this project is heavily built upon the awesome work of a lot of other people a big thing with Empire is that we want to weaponize and bring a lot of the offensive power shall work to the rest of kind of the wider pentest community and bring it to everybody in a way that can be really easily used in operations so because of that a lot of the modules and underlying stuff in the background is built on work from especially manifestation obscure sect the power sploit project carlos perez dark operator lead Christensen tifton actually built some really cool dotnet in unmanaged code spaces type stuff that we use for injection you know been 10 mg in WJ computing and our enigma X 3 our ATV padawan the rest of the awesome offensive PowerShell community we love you guys so when my name is Will Schrader my handle is harm joy I’m a security researcher and red teamer for the adaptive threat division of varus group out in Northern Virginia I’m a co-founder of the veil framework so veil evasion if any of you guys have used that on engagements I wrote a big chunk of that I’m a co-founder and developer on power tools which is a set of offensive power shell kind of scripts and projects I work on that with Justin and I talk I’ve talked a few conch MOOC on Caroline con DEFCON last year their week on what besides off Vegas is definitely one of my favorite conferences out there so I’m just an owner so I joined various group of about a year ago I’m the Red Team capability lead so I do a lot of our advanced engagements against commercial customers I’m also working with will on veil power tools spend a lot of time developing that did a little bit of work on the veil framework I have a lot of varied interests so I bounced between reverse engineering and defensive stuff but I also like studying and using it on the offensive world you can cat a lot of the same stuff that will said we do a lot of same work if you’re interested in talking about what we do or looking for a job please definitely hit us up so we’re going to be going over lots of different things today we’re going to kind of start generalized and go through offensive malware or rats and how you use them some generic characteristics about them and then we’re going to dive straight into how we actually use these thoughts to build our own rat and put it out for public use we’re gonna roll through some modules that we built think we’re up to 90 now and demo the tool as well as talk about how to take it down we try not to do too much offensive stuff without providing some defensive guidance or tell people how they could stop it you know should they see it in a real environment so we always kind of start our talks with it with a you know prepend em with a Red Team philosophy and so for us red teaming means a lot of different things different groups do it different ways some people focus on physical operations some people focus on integrating different things we primarily focus on training defenders and so whenever we do right team operations for us we want to provide a service when we want to provide skills to defenders in their own environment so it’s a pretty key thing let defenders learn in their own environment with their own tools so that should a real thing happen they get to use it this plays into Empire specifically because one of the main motivations for us writing it as we wanted to Train defenders and stopping PowerShell attacks in their own environment we do assume breach so you know we don’t necessarily always focus on that initial exploitation vector we focus heavily on post exploitation and the actions of an offensive person once they’re in the environment and so you’ll notice a lot of the modules we do or a lot of the work that’s been done in this tool is mainly suited around making this usable as a post exploitation agent so why write malware well you know previously we had been using commercial tool sets entirely we never wrote any of our own stuff we really didn’t have much of a development framework we’ll did a lot of work on the PowerShell side doing Power View and some other tools which kind of segwayed well for us and made it easy for us to transition to actually writing our own agent ideally the first reason we started doing this was is because we showed up on an engagement and within the first day we popped like 200 seven alerts and like well this isn’t really training for defenders because they called us in the first hours of the engagement and so overnight we had to stop and figure out how we were going to do some sort of custom work on this engagement and for us we had kind of had this drafted but even more motivated us to continue the work some other reasons who doesn’t want to have a dream rat with all the capabilities or team actually uses as opposed to having to adapt to other tool sets that was a big player for us and then when we started seeing things like Paulo licks come out or other powershell variance or

powershell being used and you know the evil apt attacks with macros and all sorts of other things we wanted to see if we could really center on training the good guys how to stop this and for us that was actually building our own malware with it and in deploying it in environments where we’re operating so lots of people will bash on all fenders or offensive staff they say you know why aren’t you using all your skills to do good things instead of bad we try to really focus on the union between the two we believe that offensive and defensive are together especially in the red team spaces and so without a little bit of practice you never know how you’re gonna actually square off nothing we’re releasing here is is super mind-blowing it’s not going to Eve aid any of these crazy network products it’s not you know the next-generation rootkit it’s not a Stuxnet level thing we’re releasing something that’s realistically meant to be used by red teams it actually is actually it’s overly easy to stop once you actually start performing some analysis on it and we built it that way we built it to encourage defensive people to actually go in and do the analysis and reap the rewards should they actually do that so offensive PowerShell there’s one of my favorite quotes from obscure segments the power sploit project he likes to call PowerShell Microsoft post exploitation language it’s supposed to be meant as kind of a system automation and management type framework but once we really started to get into it about a year and a half ago it’s been awesome for our operations it’s really changed the way that we focused and operated on engagements so why use PowerShell if you guys aren’t on if you are tester and you’re not using PowerShell and current engagements I would highly recommend checking it out considering integrate into your workflow so PowerShell provides out-of-the-box full access to the dotnet framework in the back end you can actually think of PowerShell that actually essentially is a wrapper for the.net automation components in the backend so you can do things you can create you know web clients download stuff acts as anything you could in the fold that stuff you can kind of implicitly get by some application whitelisting unless people explicitly started walking down in targeting PowerShell which we can you kind of talk about after if you’re interested in that type of thing you can get full direct access to the Windows 32 API and you can assemble malicious binary fully memory and go into a lot of these components and we realize you can write fully functioning malware in PowerShell without using anything else which is essentially what we’ve done with Empire this is a great post called why chose PowerShell zantac platform by Mac Raber one of the power sploit authors everybody check it out and also a lot of bad guys are using PowerShell so a lot of nation-states even though they typically have had like C and C++ agents historically a lot of the apt groups and even some of the more mid-level actors have started integrating PowerShell into their attack flow you know power looks was a really interesting pure powershell variant that came out over the last year deep panda was known to use PowerShell and breaching think tanks the apt 29 actor which Mac Raber talked about this morning through W my they also integrated PowerShell a lot their attack sets so if you read a lot of these threat type reports that examine specific actors a lot of the more advanced ones over the last two years if you read through the tradecraft section you’ll actually see that they have started to use PowerShell more and more and more typically it’s been for kind of like a loading component to actually load up the rest of their agent but some of them have started to use the pure offensive capability to PowerShell more and more so existing stuff that’s already out there in PowerShell the power sploit project offers everything from screenshots key logging there’s the equivalent of incognito called invoke token manipulation and of course everyone’s favorite Mimi which we’ll go over later in the project later in the presentation there’s a pure PowerShell implementation called invoke mimikatz so any function that you can use in me me cats not just driving passwords but you know Kerberos and everything else you can do purely in PowerShell while staying off a disk power bu is a tool that I wrote which is a networking domain situation awareness tool which heavily factors into log modules an empire power up is another tool I wrote which is a privilege escalation kind of automation script which will check for common Pervez vectors power breach is a tool that just an unwritten it kind of has some additional like in memory type of persistence mechanisms are really interesting and parsec mod by Carlos Perez has a lot of like Active Directory and post exploitation stuff so while there’s a whole lot of really awesome tech out there for offensive PowerShell one of the things we started to notice is the weaponization problem so if you’re on a pen test how do you actually execute these PowerShell scripts and get the results back in a secure manner how do you trigger it that’s the biggest problem that I’ve seen for this cause

the lack of adoption of offensive PowerShell by the general pen test community so using the existing PowerShell stuff at this point also hasn’t been super straightforward you know there’s execution policy stuff whether you have to RDP in whether you’re doing a one-liner with a download cradle and people aren’t familiar with it the fact you have the pipeline the fact you have to format your output the fact that you have all these weird little kind of subtleties of PowerShell that once you learn them it’s not too much of a problem you kind of know how to operate with it but at the time the kind of little learning curve is it can be an issue so this is the problem we’re trying to solve we want to solve the weaponization problem so we can bring all this offensive powershell tech to everybody to use even if you don’t know how to use the powershell so looking at all this PowerShell stuff you know I thought about nine months ago or so like well weird keyloggers and me me cats and screenshots like these are all the functions and capabilities of a rat this is everything you’re going to have interpreter this is everything you gonna have it you know whatever whatever your kind of agent of choice is why hasn’t there been a pure PowerShell brat at this point everyone tends to use these script is kind of augmented capabilities but there hasn’t been a pure PowerShell remote access covariant that actually integrates all of it together so when we first started kind of going down the development path the the IDS bird well came to me and said I think it would be really really cool to do this and I was like well let’s figure out exactly what we want and so I did a lot of work doing reverse engineering of our previous job and so it’s seen a lot of different stuff I’d seen all different variants of of malware crimeware loaders rootkits injection capabilities and I’d seen it all implemented in a ton of different ways really we really wanted to boil down to a couple unique requirements or unique things from that that we felt it was important to have in a rat so you know what what was actually operationally important to what we were doing so we like to distinguish mean a rat in our back door for us a rat is focused on the actual interaction and control of a end user system so the end point that you’re actually controlling the center point for us was not necessarily persistence or how you were going to get rebooted or how the in-depth work was going to you know doing injection they all played into it but we wanted to focus on control of the system and collection of user data when you start thinking all that there’s all different things that come into play here’s a list of a bunch of them we could go on forever all the different factors or characteristics that play into a rat you can look at all these same things when you look at meterpreter or commercial frameworks whether it’s innuendo or cobalt strike the they all implement these central themes so starting with a staging problem staging is the idea that traditionally malware will deliver a very small stub to the target initially this is for lots of reasons number one that stub is usually going to be very vulnerable it could be captured or it could be caught by an antivirus or some sort of host base IDs and you don’t want your full agent to be the thing that gets caught you want to start with some sort of loading capability the staging problem is what we call the the issue where how do you deliver you’re full agent to either memory or disk and a secured capability you know meterpreter before it was had all the recent additions had a lot of problems with staging a lot of most most common anti viruses had started the signature it signature the user agents and the resources that were involved and so it was very tough to use and you don’t want that to happen you want variants and you want the ability to change that and that plays into this aging problem it can be very noisy in a network if you have a 2 megabyte agent that’s that stager is gonna have to download 2 megabytes and that could that could flag in some cases it depends on how secure the networks were we mostly work in fairly mature commercial networks so places that have a very mature Sauk Incident Response capability some of them have full-on hunt teams where they’re actively prowling the network looking for bad guys proactively meaning that we had to be conscious of all of this when we were implementing these different characteristics next time the next step so you deliver a stage you deliver your agent command and control how do you actually want to communicate out of the network we do a mix of black box external assessments as well as internal assessments so for us it was a definite requirement to have whatever we did had to be able to communicate outside of networks with strong boundary protection so these include things like proxies and firewalls and IDs we wanted our capability we wanted any capability we were even thinking about developing to be able to work through this there are tons of different columns methods out there most of them have open-source variants that do this so a sheet HTTP HTTPS or the most common if you look at any modern rat they communicate with those mechanisms because while all users browse the web unless you’re in a closed-off network and then SMB usually is a really great feature because it allows you to pivot peer-to-peer internally and so you don’t have to

worry about having 100 egress channels it’s also very tough to implement in a good correct secure way and so this was a this was a loftier requirement to kind of lump in at the beginning that’s part of our future kind of roadmap down I’m sure and then survivability is really the key feature throughout all of these characteristics is can it live in the environment is it stable and is it going to persist without you know throw those 237 alerts like we had in that first environment for us another big motivator was on that same engagement where we had to rapidly devarone malware we also reverse engineered a custom solution that was present in the environment and so there was a piece of software that was present on the standard image of every workstation in this customer environment so when we reverse engineered it we found a vulnerability in this software that allowed us to gain access as an administrator local administrator on anything that was running the standard image so it was great we found a vulnerability we wanted to weaponize that into our attack platform and since we didn’t really have an attack platform anymore because it got destroyed on our first day we decided that a key feature of our framework or agent was going to be the extensibility the ability to rapidly develop modules and put them in without having to stand down your communications or stand down your tool we wanted it to be easy so we wanted it to be anybody who could take a powershell project that already existed or write their own powershell project could implement it in the rat since this is a pure powershell post exploitation agent cool so Empire is the result of all that dev I know Justin said you we’re kind of motivated on some internal engagements where stuff got burned this has been about nine months of pretty solid dev kind of in the background so this isn’t a one-off script we put a reasonable amount of effort into this it’s about 50 to 70 thousand lines something like that and a whole lot of internal commits so Empire is a fully featured PowerShell post exploitation agent probably an easy way to explain to people on one sentence would be it’s kind of like a you know and enter an asynchronous interactive agent like meterpreter but based purely in the powershell language so the asian is running purely script based all in memory on a Windows host it aims to provide a rapidly extensible platform so we can integrate all this awesome offense and defense and PowerShell work again this is our hopeful solution to the weaponization problem just like Justin I mentioned it’s also our attempt to Train defenders and how to stop and respond to PowerShell based attacks we also like to have agent variability so for on an engagement against the mature team we like to be able to use commercial tools you know go back to meterpreter or use something like this and vary our types of lateral spread communication and agent comm whenever we’re in in network so in case one thing happens to get blocked our entire engagement doesn’t get on down so a lot of people have written off PowerShell so some people have referred to it just as a toy language there’s a lot of people that basically say if you’re not writing your agent and C or C++ then it’s not real malware and a lot of people have said you know with the with app blocker with Windows 10 and all these types of things it’s gonna be easy to block and defeat PowerShell and it’s not really a big deal anymore this has caused a lot of instant responders to overlook it as a malware vector also all the miscommunication with Microsoft about execution policy and system ins thinking it’s actually a protection mechanism has also contributed to this so we wanted to provide a an agent that you can use almost as a proof of concept that people who same look PowerShell is a big deal it’s not just a one-off toy language you can write real malware with it that can inject into different processes which we’ll go over and you could do anything you could in something like meterpreter pretty much purely in PowerShell so the server size so kind of the control server we have this is beat equivalent of like our listening-posts we have a client-server architecture the server’s written entirely in Python and multi-threaded handlers in the backend and the little client staging code is written entirely in PowerShell it’s modular and it’s kind of multi-part we have key negotiation like crypto a packetized structure and everything in the backend which will go over there’s a back-end database that preserves agent listener configuration so if everything crashes for some reason you bring it back up your listener will start back up and because the agents are asynchronous all your agents will come back in so even if they can’t reach the server they’re not going to close off for air out and everything is logged very very extensively this is a really big deal for us on red teams for deconfliction and also you know like artifact recreation for our blue teams at the end of the engagement so there’s a log per agent has timestamp taskings and results for everything the agent does any time you upload a file it’s going to md5 the file and give you the original location as well as where it’s uploaded to any time you download stuff that’s going to give

you the full original path basically we wanted to go you know as in-depth as we could on logging to provide as much data as you can there’s even more if you want to do – – debug that’ll dump you know the individual tasking the communications and all that kind of stuff on the back end but even just by default there’s an agent dot log for every single agent that checks in you know kind of so that first step that doesn’t kind of talked about previously execution somehow you need to get your agent executing in memory or on disk on your host traditionally this has been a lot of exploits you know using browser exploits you know client-side flash based stuff we don’t really use exploits an incredible amount we use a lot of user driven attacks we use their assigned Java applets these are macros we use our Oly embedding then we use user driven stuff that’s not exploit focus people find it a bit more reliable but regardless you need to have a way to for Empire to execute a small PowerShell command that can load up the core component of the agent so we have different kind of stager formats is kind of a an extended extendable modular type of setup so we have VBS stuff we have macros we have self-deleting b8e files we have single commands we have ducky scripts and we also have a reflective DLL which is pretty cool so this actually forms the core of some of the process injection later on the presentation but we have a fully injectable reflective DLL that will stage up a Empire agent that’s linked to the server you can take that reflective DLL and you can use it in other exploit frameworks like Metasploit so you can use the Windows DLL injecting or verse HTTP or something like that load this as your custom agent in your custom payload and when you deliver some kind of exploit you can have your exploit server I meterpreter and have it actually staged up Empire agents to a different control server so the listeners this is the server side of the whole system you have configurations estate agents at this point you can change these / listener there’s also a bunch of default values you can all change this stuff in the backend database once originally set up we’ll go over a couple of these things later in the demo I know this is pretty hard to read but you have things like kill dates so you can set the agents to automatically exit after a certain date at the end of your engagement you can do working hours so if you only want the agent to communicate you know 9:00 to 5:00 or you don’t want it to communicate 9:00 to 5:00 you got it essentially like sleep and shutdown during specified time windows there’s default callback intervals and jitters and stuff there’s also different communication profiles so you can change even per agent what the tasking you our eyes are you get a multiple different tasks in your eyes you can change the user agents you can add additional indicators into the headers of the different nation be communications so we want to make this as flexible as possible and currently there’s HTTP and HTTPS comms I know Justin mentioned we’re hopefully going to do DNS an SMB in the future other additional listener stuff little little tidbits you can dynamically set whitelist and blacklist for IPS so if you’re on an engagement you notice there’s like really pesky Network defenders from are certain that block that is started poking your server scanning you you can basically you know block up their IP range and I’ll just return a default page or if you’re on external engagement and you want to be very controlled and how you’re doing fishing you can have just IPS from your target organization be accepted to your control server you know we’re very risk adverse we don’t want stuff to go wrong so they like being very controlled and how we do stuff again the kill dates and working hours you can also do foreign listeners to pass sessions between multiple control servers so you know multiple Empire servers set a forum listener and actually have you know different people that are geographically disparate past sessions different control servers you can also pass inject shellcode to pass agents to something like an interpreter listener that’s on a different host so the Empire staging this is the when you initially trigger a little small little one-line snippet it’s kind of a souped up version of the PowerShell down download cradle what I’ll do is it’ll request a specific URI that you can customize it’s a static value it’s going to return back a obfuscated little chunk of script this part is just base it’s just XOR on we’re assuming people are going to be able to decrypt it we’re assuming this initial AES negotiation key is going to be burned or recoverable by defenders what will happen is the the server will return that this key negotiation code this XOR the client will decode it run it in memory that key negotiation the stub will generate a public/private key pair that then that stub will take the AES negotiation key encrypt the public key post it back to the server the server then takes that publicly public key and then exchanges some stuff alike epoch time for

synchronization and also a randomized a AES session key after this the communications will start and the point with this is it something called encrypted key exchange it provides something called perfect forward secrecy so even if defenders are doing a full pcap of all this they can’t recover the randomized AES session key per agent and then also each AES key is different per agents so someone does do a memory analysis they won’t be able to decrypt everything in your entire mesh so this is this Nomi the c2 in the back end it uses a lot of these dotnet methods in the back end to actually do the HPER HTTP communication there’s the net dot web client if you guys think the law is a new object that dot web client thing that’s the same type of primitive that’s using in the backend again there’s nothing too magical here it uses a getting post type structure so the client is going to periodically do get requests now if there’s nothing that’s tast then the server is going to return a default page that’s again this is customizable if you want to do some other kind of default page if there is tasking the server is going to return an encrypted blob that’s encrypted with the AES session key best specific or that agent if there’s results from the agent it’ll post encrypted stuff back we do on cipher block chaining randomized initialization vectors honest the fully packet I structure underneath and we’re not saying we did the crypto completely right but we thought a lot about it and we try our hardest to do it reasonably correctly crypto is hard crypto is very very hard everyone says don’t roll your own crypto and then we tried to roll our own crypto so if you guys find a problem with this please please please let us know don’t just pop our servers so once you actually have your interactive execution with agents it’s essentially kind of like an interactive remote PowerShell problem so you can run any PowerShell code that you normally would any of the commandments like you know get that good process or something like that or you can run any typical shell commands you can see Dee dur PS LS all that type of stuff you’re used to a normal shell commands for an agent you can also upload and download and all those the types of things you would expect from a normal rat we also have the ability to import specific PowerShell scripts what this will do is it will take a opti SCADA powershell script and stuff it into an encrypted block in memory for the agent then you can execute a particular command the script will be decoded it’ll execute a command and get the results this is her things like Power View that we use a lot that have a whole lot of command lists that you want to chain together and just access specific functions you can also build modules for specific PowerShell execution things like me me cats things like tokens we’ll go over the the module section here in a second and there’s a whole lot of this in the demo this is the whole you know wanting to try to have a mature pitaya module type functionality you can build this stuff out even customize some things and make it super easy to use without knowing how to like type stuff in PowerShell so we’re gonna go through as many modules as we can obviously with limited on time we did develop I think we’re up to 90 modules we have a bunch still private that we’re testing and working on internally so we’ll be continuing to support put out modules as we go so worth noting that what you see there you know please feel free to contribute if you are interested in this kind of thing we love public support and public research on the project PowerShell is traditionally something to get hard to get into and so we’re trying to spread the awareness and get people in love with it so so like I said about 90 modules several warned testing we focus more of our first round of modules on things that we actually needed to use in the gauge like I said this this was kind of spurred on by the fact that we had to develop something custom in a very very short time period and so most of the first modules we had were pulling together all the current projects solving that weaponization problem and integrating them into the agent so that we could use them fluidly in an operational environment again we baited this in several real environments now with customers that we’ve had tougher times with and so it’s definitely not perfect I’m sure there are issues but it’s been run through some pretty complicated networks and it seemed to work very very well in the real world we’re going to show some of the top used ones here so there are tons of categories we we break it into category so that it’s organized I’m a little bit OCD and so I don’t like the fact that modules could just be scattered about when I first joined the project wills just like theirs modules everywhere it’s just raining modules and there’s no names on them are like module one two three four five six seven eight and so no we took the time to organize it put folders around it and try to make it easy to use and jump into we’re going to talk about some of these it’s worth noting that we kind of break it into the phases of an engagement too and we always like to have a little if anybody does like CCDC we have a troll sploit category for you you can have some fun with it don’t use that in a real environment we may or may not have a module that plays thunderstruck well maxing out the volume on your computer so yeah without actually popping a window so you know you should you can have some fun with

that so module development we wanted to make this very easy so what we did is each module is essentially a Python metadata container so it’s a Python script but there’s not much set there there’s a template that you just take and you set some variable specific for your module so things like does it require admin what powershell version does it require is it OPSEC safe for example does it drop something to disk once you set those all you have to do is include your PowerShell scripts that’s it that’s a module and so any existing powershell functionality can be turned into a module and have restrictions set around it to work inside the framework our first module that we kind of ran into was well every defender who knows we’re bringing a PowerShell toolkit is going to go looking for PowerShell and so in Carolina con about all fibers months ago we released a project called power pick we didn’t say it at the time power pick was actually built to support Empire and so power pick was essentially a project which allows you to run PowerShell without PowerShell there are a couple major components of it there is short pick which allows a c-sharp binary which allows you to execute power shell with c-sharp PowerShell never spawns in the backend that uses all the dotnet api’s I took that and we had a big Twitter discussion about whether this was possible to do inside like a C++ binary guy namely Christiansen from silent break security did this awesome project where he put out unmanaged PowerShell there was a lightweight project written in C C++ that actually implemented the dotnet CLR completely in C++ so with his little executable you could run PowerShell and again never started PowerShell problems I took that and turned it into a reflective DLL which made it injectable using a lot of common tools and then wrote a script called invoke PS injector it’s built on power sploit reflective PE injection again I very didn’t do anything or super original here took a lot of other people’s projects I like to make sure they get the credit and and and stuffed it all together what this essentially allows us to do is run a PowerShell script to inject a reflective DLL into a remote process which will then run PowerShell in that remote process so when we release it at Carolina con there’s like zero interests and we’re like because who cares right like PowerShell and remote processes well when you stuff it into a project like this it means a lot more and so here’s a cute little diagram and how to conquer the internet basically you have an invoke PS injector it’s a PowerShell script change X inside of an executable that executable is now running a reflective DLL which is reflective thick which drops a dotnet assembly in memory which allows you to get an interface into the dotnet backend which then allows you to run PowerShell something like a download cradle or our initial staging code which will then call out to the internet and pick up more PowerShell to execute only in memory and so nothing touches disk here you gain PowerShell execution and remote processes and then we have to have the token meme and this is our favorite to always do so yes it can get rather complicated you’re running our shell and PowerShell and PowerShell and dotnet inside of see inside of processes that don’t belong there we recognize that it’s kind of crazy we hopefully abstract it it out and there’s there’s plenty more work that can be done to make this more efficient or turn this into shell code or or do other things here so one of the first times we actually got this built into the agent will was like well I want to see what this can do and so he goes and he injects this thing into like twenty five processes all at the same time and we’re like well this isn’t gonna be good definitely the seams in the crotch surprisingly as you can see here we actually have our PowerShell agent running an else and Explorer and services and I know pretty much every standard notepad process and nothing crashed the agent was pretty stable the reflective DLL that we wrote that that launches all of this was pretty stable and what it allows you to do is if that defender knows you you are using a power soul toolkit and they go kill PowerShell you still win and it forces them to actually look and do perform a full analysis on the system so all joking aside this is going to force people to start doing proper you know memory analysis instead of just killing or looking for encoded command inside of PowerShell probs they’re gonna have to dump memory they’re gonna have to go to work the recover scripts so the next step we use this in an external engagement and we were like well oh crap users use UAC that’s been a solved problem for a long time and things like meterpreter or a lot of other offense projects but when you’re using pure PowerShell when we first worked on it there was no UAC Version inside of PowerShell and so what we had to do is we had to take a step back from the agent and work on some of the core capabilities we built a bypass UEC version of PowerShell again very little original here we essentially took the Metasploit dll’s which have been already developed and we took the technique which has been heavily blogged upon by the person who wrote it and implement it inside of PowerShell and so what it allows you to do is it allows you do in joke inject using using bypass UAC it

allows you to inject the DLL you need to inject to get into a high integrity context and spawn our initial stager so using a lot of the same technologies here reflective thick is essentially combined with bypass UAC to allow you to get into high integrity context after a Spearfish all using our agent it’s worth noting on the previous slide sorry we’ve tested up to eight one on this we’ve had little situations where it’s been flaky we haven’t been able to figure out what the flakiness is caused by we I’d say we’re about 90 to 95% there in test environments with all the different service packs Windows 7 and Windows 8 one should be x86 so if you see certain use cases where you’re using it again we invite we love good issues what we’re going to learn to love good issues and we would love you to give us feedback on it so Mimi cats you know you can’t have a modern windows rat now without using Mimi cats and if you don’t know it is your pen tester obviously shame on you it’s everyone’s favorite post exploitation capability it lets you view everything from you know pulling plaintext credentials out of memory which is what a lot of people use it for but you can also do your Kerberos Golden Tickets you can do your silver tickets you can actually do pass the hash or over pass the hash with me me cats which is what Empire integrates in the backend for its past the hash capability you can do on skeleton keys on domain controllers like there’s an enormous amount of functionality me me cats then a lot of people aren’t fully aware of that we’re hopefully going to try to build some modules for make it super easy to use and also Empire has an internal credential model if it will automatically parse the results of Mimi casts out Mimi cats output preserve it in a credential model on the backend and then you can reuse those credentials on additional modules so if you dump a domain controllers and TDs that di T which will show in the demo the the krbtgt hash will be saved in the backend and then you can just specify a credit to the golden ticket module and have it fill all the information in for you this is just you know what the actually running the log on passwords module and Mimi Casper Empire looks like you know you said it you can run X you can hit execute and we have you know a lot of those options that Justin mentioned specified in the module so we can set it to say it will only run in Highgate high integrity context so it won’t try to task an agent with me me cats unless it knows that they can actually run it all these results will come back and then if you type creds you can actually pull up all the parsed and save credentials in the backend so another step that’s real Commodus lateral spread our favorite method for lateral spread is w my no pentesters have been used to using p s exact for a long time d essays that gives much much noisier than w my you’re creating a service you might be dropping a little bat file loader to disk or something like that we’ve actually been caught by clients with PS exec they’ve written some custom signatures and given us every single machine we’ve spread to with PS is XP sh so W my is our go to luckily there’s a really nice native functionality for W my and PowerShell so we’ve integrated this into a lateral spread invoke W my method you can specify a listener and a host it’ll execute the little key negotiation stage and the remote host and load everything up into memory without touching disk I think it’s pretty easy to use there can be a few subtleties that W mine should we you know if you’re interested we can talk about but this is our kind of go-to I’ll spread there’s what it will look like and we’ll show this and in the demo as well see the the module configuration up top you can set computer names wherever your target is you set your listener name that’s all tab completable we had a big UI focus you execute and you can get a new agent coming in on your remote system for pivoting system to system without piping something new in through a different control channel a lot of people like well what about past the hash even though there was a you know supposedly a Microsoft patch the hatch hash patch last year this is still a really common vector especially for domain accounts so the you know the KB 287 107 it doesn’t fix anything with the with domain accounts were relaying ntlm authentication I know with some of the new Windows 10 OS stuff they’re trying to fix on these components we’ll see if they actually do it took them several several years to even acknowledge the past the hash was an issue so you know I’m not too too worried so we’ll use the Mimi Katz patch the hash module in the background to actually execute this functionality what this will do is it’ll spawn a new process hidden so it won’t pop up to the user and it’ll be running with these specified credentials of whatever whatever you fill then you can then use the credentials token module to do like a steal token and steal the new authenticated token from the hidden created process cool is what will look like you know if we’re up there I will show this no no no we won’t show this in the demo but up here you have like der of remote machines is access denied we have the credential model so you see everything saved up there you can use the full use credentials mimic as pth or we also have an accelerator for it which is PTH and then a

credential ID for that top one it will inject everything in a memory it’ll start this PID 932 for a hidden process we can steal that token this will inject the token stuff in the backend and now we’re running with the context of that user only with the hash completely through a PowerShell post exploitation ad there’s also red to self after year toka manipulation you can wipe everything back to home so we were gonna tempt the demo gods but then we decided against it so we got a video recorded demo sorry hope you guys still enjoy we were gonna be a little tight on time here we’re trying to cover a lot of material and so we’ll talk through this and it’ll show pretty solid use case of an average workflow obviously this can get really large there’s not any modules there’s lots to play with but this will cover basically a gaining access to an initial system pivoting off of that hitting another system so this is the main UI when you start it up you’ll see the number of mod so we’re gonna zoom in a second so you can see it but you have the number of modules loaded the number of agents you have the number of listeners the first thing we need to is set up our listener so we uh we can set it for a particular name this is an alias that can be used for lateral sprite or wherever else tab completed we’re not gonna set our you know kill date or working hours you execute it so it actually stands up at thread h8 threaded HTTP server in the backend now we need to produce our like launching capability we were gonna simulate a fish or something on just for the purposes of the demo we generate a self-deleting dat we all know users click everything so we actually like to take the be a tease a lot into oh le embedding and uh like a word document with a different template so it’ll like self extract run and then delete itself off at this i triggered it on a remote system you see the initial agent coming back with the rain of my session ID you can actually rename these agents to whatever you want so i’m going to rename it fish user that will actually changed the save folder and all the stuff in the backend the first thing I’m gonna do is I’m going to use powerup so run all these credential checks to see if there’s a method to privilege escalate on this agent you see info this is that kind of module modular setup that we talked about again you don’t have to know really anything about PowerShell to use this right you get them you send them a phishing payload they run it you can run this all these all checks and per desk and powerup and you don’t actually see any power show code yet it’s gonna test up in the backend it’s going to kick off the background job with full Java fide kind of method in the backend we see that the current user is actually already local admin but he’s running a medium integrity so you need to run a bypass UAC attack you can use the module or again we have an accelerator ease we use it so much so bypass UAC and then you can tab complete your listener name if you have multiple listeners it’ll ask you if it’s OPSEC safe because this is dropping files to disk so this is just you know take a step back make sure you kind of know what you’re doing to the system and now we get an agent to comes back as high integrity you see here we have a little star for the high integrity agent meaning it we can actually do our really interesting post exploitation actions we can still any tokens we can run our maybe cat stuff I’m going to rename this agent as well now I’m gonna run a PS to see who else is on the system I’ll take a second again this is on like a five-second reach-back interval so again full asynchronous tasking we’ve the architecture and everything broken out we see there’s this other user this test lab DFM on there we’re gonna run the PS inject module it did everything that justin talked about of all of our options now we execute this this will send down a PowerShell script to the current running agent that script will inject that reflected DLL into the target process that reflected DL will load up all the dotnet runtime which will then kick off for a little PowerShell key negotiation code and now we have a brand new agent running in CMD running under this different user context the FM’s our boss so of course he’s high you know high administrator access in the domain he’s the boss again here again with all the UI focus you see all that up that pops up everything is tab completable for all the modules so I can use situation awareness and tab we have broken two hosted Network so the next module we’re going to run is find local I’ve in Access what this will do is take your current user token privileges and then query the domain for all machines in the domain and try to open up the service control Handler and every single one of them and quickly close it it’s pretty noisy but for the purposes of the demo it can tell you exactly where you have admin access and the rest of the network very very quickly so we see we have access to primary test lab dot local now we’re going to do our loud movement we’re gonna set the computer name to primary we’re gonna set the listener and tag complete to our current listener execute it this will task everything in the backend to from your initial pivot run a WI command to the remote machine which will trigger the staging code and get a new agent running in a high integrity process coming back

under primary muri named this guy do you see it’s actually the domain controller in this test environment now I’m going to extract all the user hashes on the network the NTDs di T I’m going to use credentials me me cats there’s a lot of them broken up and a different functionality logon passwords LS a Dom old ticket if you use the LS a dump it’ll dump all either the the LSA in a particular host or the NTDs type e AIT on a domain controller if you just want a specific user like here BT GT you can specify that this is a pretty small domain so we’re going to show just all this data coming back so all the hashes what we do with this output is we actually just save the krbtgt hash for any database dumps that come back so we don’t have 5000 people in the backend now I’m going to go back to my first unprivileged user show that if I try to derp the domain controller I get an access denied because you’re unpublished at this point now I’m going to use the golden ticket module look at the info and you see this cred ID field up here so I can set cred ID – whatever that krbtgt credential ideas for the credential model on the back end then I’ll fill in the curve hash the domain Sid and all the Meishan you need for a golden ticket essentially catalog and then set my user to say I want to be administrator in this domain I’m executed this will task me invoke me me cats in the backend build your golden ticket your golden TGT inject it all in the memory get nothing’s touching disk I think we should get them maybe cuts output here in a second yep it’s a gold ticket for administrator created now if I go back and just do my shell command Seder you know the domain controller I might persistent access again so I could read you my lateral spread if I wanted to I could data mine I could add a user do whatever Thank You Benjamin del P so we knew we’re gonna be a little tight on time here so we might move a little quick the slides will be out there already up on SlideShare for reference so as we keep going here so how do you detect it well just like every other has a lot of similar characteristics of course it’s a little less proxy where because it’s relying on system proxy credentials that it gathers from windows and so if you have any sort of really tight restricting proxy that uses like manual credentials we punched in or things are not stored via the system cache this thing might bounce against the proxy a couple times really good way to pick up malicious things that are not making it out of your network really standout something worth noting high entropy byte strings so there’s just random encrypted blobs in plain text HTTP we’ve seen that network heuristics actually catch on this in very tight environments usually it has to be some sort of very large cloud product to catch something like that but it will flag on our columns in this case and then our favorite way to do is on endpoints you’re loading dotnet assemblies and all sorts of windows processes that don’t normally load dotnet assemblies and so there’s heuristics that can be written here to kind of start preventing and guarding yourself against net like this I don’t know if L SAS is hosting the PowerShell commands dotnet assemblies it’s probably pretty strange I would recommend you calling incident response if you do memory analysis on this guy right now we have zero obfuscation on the script in memory we did this on purpose we want incident responders to do memory analysis and so we we leave this all plain-text both the stager code as well as the full agent you do a memory dump on this and do a strings and you set the right strings length you’re going to recover the full agent in memory so what exactly will that give you it’ll give you the AES keys and this giant nasty thing you’ll notice that we do camelcase and all sorts of weird casing here we do this to try to prevent any automated detection our goal is to prevent automated detection and encourage defenders with the AES key they could then decrypt network traffic so when Windows 10 started talking about PowerShell we’ll about quit his job because he thought hacking was over forever because PowerShell was gonna be stopped I will say it’s not like we’re giving a talk in a PowerShell agent and then two months before Microsoft actually implements PowerShell defenses for the first time and you know seven years we are we are really happy with what we’ve seen we’ve done a lot of testing with Windows 10 Microsoft did a great job actually starting to build in and really focusing on PowerShell it’s a really first acknowledgement that PowerShell could be used really by really bad guys and that users were having a hard time with it so they did a great job there’s actually two main features they added a crazy amount of logging and then they added something called constrain mode built-in app Locker which prevents you from using all the dotnet resources we’ve done some initial testing we’ve been able to get around constrained mode slightly because we think that it’s built on the PowerShell Dexy process and not on the dotnet back-end however it greatly complements complicates the attack chain

our one feedback would be that who knows when clients are actually gonna start turning on app Locker or using Windows 10 because let’s be honest we still see 2k3 in environments it’s probably realistically gonna take at least two years and best-case scenario before large enterprises start implementing you know large windows 10 rollouts as we started testing this and working with it we’ll be sure to keep it up to date on the website with what we know it’s compatible with in any work we do that with Windows 10 it’s not the end of the wall believe it or not so the future what do we want to do in the future well we put up a PowerShell website for this we want we want it to be very very easy so we actually fully documented everything we could to this point including all our back-end and staging processes we have a full spec out on it so if anybody’s interested in using it that they could figure it out and learn how to use it we’re going to put all future updates and videos and different things we work on here for you so you can go there you can also get it at the github it’s been posted about an hour ago and so you guys can download it was released for besides they’ll be my first b-sides LV so we wanted to drop something nice and then this will be a long-running project so we’ll and I really like this we’ve used it an environment we think it’s really successful for our team and so we’ll be supporting it we’d love to see good issues we’d also like to see pull requests and people to contribute cool if you guys have questions we can take questions outside but I think we had to take everyone out of the room and the next like two minutes we we do