PowerPwning: Post-Exploiting By Overpowering PowerShell

Presented at DEF CON 21 (2013), Aug. 4, 2013, 3 p.m. (20 minutes)

PowerShell is a scripting language included with all modern Windows operating systems, which, among other features, provides access to the Win32 API and the capability to run scripts on remote servers without writing to disk. PowerShell scripts bypass application white listing, application-signing requirements, and generally bypass anti-virus as well.

While all of these characteristics are very desirable to a penetration tester, rewriting penetration test tools in PowerShell would be time consuming. Instead, I will show how to combine PowerShell and assembly to reflectively load existing EXE’s and DLL’s without writing to disk, triggering anti-virus, or triggering application whitelisting. I’ll finish with several demonstrations of the Invoke-ReflectivePEInjection script in action.

Presenters:

• Joe Bialek - Security Engineer, Microsoft
  Joe Bialek (@JosephBialek) is currently a Security Engineer on the Office 365 Red Team at Microsoft where he does security research, red teaming, penetration testing, tool development, and code review. Joe was a contributor to Microsoft's Pass the Hash guidance paper, and has been a contributor to other large security efforts within the company. Prior to his role at Microsoft, Joe graduated from Western Washington University with a Bachelors degree in Computer Science.

Links:

• https://defcon.org/html/defcon-21/dc-21-speakers.html#Bialek
• https://infocon.org/cons/DEF CON/DEF CON 21/DEF CON 21 video and slides/DEF CON 21 - Joe Bialek - PowerPwning Post-Exploiting By Overpowering PowerShell - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=GG6owHOS4MU

Similar Presentations:

• PancakesCon 1 (2020) Virtual / PowerShell and Pickling
• DeepSec 2016 „Ten“ / Offensive PowerShell for Red and Blue Teams (closed)
• DeepSec 2015 „DeepSec No. 9“ / PowerShell for Penetration Testers