Abusing Windows with PowerShell and Microsoft debuggers in user-land and kernel-land

Presented at BSidesDC 2016, Oct. 22, 2016, 4:30 p.m. (50 minutes)

**PowerMemory** is a post-exploitation and Active Directory reconnaissance tool. Because it relies only on trusted, Microsoft-signed binaries, it evades antivirus products by the way it works; it can retrieve credential material, manipulate memory to get shellcode executed, and modify processes in memory. PowerShell is everywhere today, and just as it helps system administrators accomplish their tasks, it is equally useful to an attacker exploiting a corporate environment. The other component of the attack can be another innocent-looking tool: a Microsoft debugger, which gives access to everything in user-land and kernel-land.

Many tools that abuse Windows reach memory through Windows APIs and, where necessary, load kernel drivers to get there. It does not have to stop there: the operating system **can be abused by reading and writing its memory** with simple, trusted tools, namely debuggers. Why use a debugger for the abuse? Because Microsoft's debuggers are signed by Microsoft (SHA-1/SHA-256 code-signing certificates) and are therefore trusted. **To automate the attacks, we use PowerShell**, because it is installed on every corporate computer. Since the method never calls Windows APIs through .NET reflection from PowerShell, this class of attack can become very hard to detect and mitigate. With such simple tools, we will demonstrate that a lot can be done.

As far as I know, this attack approach is different because it succeeds using only a Microsoft debugger and PowerShell. Mimikatz and WCE already reveal passwords, but I was not able to find tools using this approach. The Pass-The-Token attack is also undocumented: simply by using a Microsoft debugger, it allows an attacker to impersonate the identity of any process, which makes it a very easy and effective attack. How "deep" can we dig into memory with no help other than the debugger?
Keywords: debugger attack, offensive PowerShell automation, Pass-The-Token attack, kernel security, process injection
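
Added example, not code from PowerMemory or from the talk: one way to drive a Microsoft debugger from PowerShell in the manner the abstract describes. The script itself calls no Windows API (no Add-Type, no reflection); every memory access goes through the signed cdb.exe, which is attached non-invasively by default. The install path of the Debugging Tools for Windows, the 64-bit target, the right to open that process, and all function and parameter names are assumptions of this example, not facts from the page.

```powershell
# Added example, not code from PowerMemory or from the talk: automate cdb.exe from
# PowerShell to read another process's memory. The script calls no Windows API itself
# (no Add-Type / reflection); every memory access goes through the signed debugger.
# Assumptions (not from the page): the Debugging Tools for Windows install path below,
# a 64-bit target process, and sufficient rights to open that process.

function Invoke-Cdb {
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [string] $Command,
        [switch] $Invasive,   # default: noninvasive attach (-pv), read-only, no debug loop on the target
        [string] $CdbPath = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'  # assumed path
    )
    if (-not (Test-Path -LiteralPath $CdbPath)) { throw "cdb.exe not found at $CdbPath" }
    $cdbArgs = @()
    if (-not $Invasive) { $cdbArgs += '-pv' }
    # 'qd' quits and detaches. A bare 'q' after an invasive attach would kill the target.
    $cdbArgs += @('-p', $ProcessId, '-c', "$Command;qd")
    & $CdbPath @cdbArgs 2>&1 | ForEach-Object { "$_" }
}

function Get-ModuleMap {
    # 'lm' needs no symbols. A 64-bit line looks like:
    # 00007ff6`12340000 00007ff6`1239a000   notepad    (deferred)
    param([Parameter(Mandatory)] [int] $ProcessId)
    Invoke-Cdb -ProcessId $ProcessId -Command 'lm' | ForEach-Object {
        if ($_ -match '^([0-9a-f`]{8,})\s+([0-9a-f`]{8,})\s+(\S+)') {
            [pscustomobject]@{
                Name  = $Matches[3]
                Start = [Convert]::ToUInt64(($Matches[1] -replace '`', ''), 16)
                End   = [Convert]::ToUInt64(($Matches[2] -replace '`', ''), 16)
            }
        }
    }
}

function Read-ProcessBytes {
    # 'db <addr> L<n>' prints "<addr>  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ......"
    # Bytes the debugger cannot read are printed as '??' and are skipped here.
    param(
        [Parameter(Mandatory)] [int]    $ProcessId,
        [Parameter(Mandatory)] [uint64] $Address,
        [int] $Length = 16
    )
    $cmd   = 'db 0x{0:x} L{1}' -f $Address, $Length
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($line in (Invoke-Cdb -ProcessId $ProcessId -Command $cmd)) {
        if ($line -match '^[0-9a-f`]{8,}\s+((?:[0-9a-f?]{2}[ -])+)') {
            foreach ($hex in ($Matches[1] -split '[ -]' | Where-Object { $_ })) {
                if ($hex -ne '??') { $bytes.Add([Convert]::ToByte($hex, 16)) }
            }
        }
    }
    return $bytes.ToArray()
}

# Usage: read the DOS header of a throwaway process's main module through the debugger.
$target = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 1
try {
    $main = Get-ModuleMap -ProcessId $target.Id | Where-Object Name -eq 'notepad' | Select-Object -First 1
    $hdr  = Read-ProcessBytes -ProcessId $target.Id -Address $main.Start -Length 2
    '{0} @ 0x{1:x}: {2}' -f $main.Name, $main.Start, (($hdr | ForEach-Object { $_.ToString('x2') }) -join ' ')
} finally {
    Stop-Process -Id $target.Id -ErrorAction SilentlyContinue
}
```

The two bytes at a module's image base are the PE DOS signature "MZ" (0x4d 0x5a), which is a cheap check that the read really came from the target. Passing `-Invasive` switches to a full attach, after which cdb's `e*` commands (such as `eb`) can write the same memory; that is the read/write primitive the abstract relies on. Two caveats for the "hard to detect" claim: the attach still opens a handle to the target, so a Sysmon configuration that logs ProcessAccess (Event ID 10) will record cdb.exe as the source image, and a child cdb.exe spawned by powershell.exe is an unusual parent/child pair worth alerting on.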

Presenters:

  • Pierre-Alexandre Braeken - Senior Consultant / Security Architect at Deloitte
    Mr. Braeken is an accomplished and highly experienced Security Architect with over 12 years of experience in engineering and system architecture. In his career he has focused specifically on security; as an MCSE, MCSA and MCITP he has specialized in the implementation of large projects for businesses relying on Microsoft infrastructure and alternative platforms. He is a Microsoft Certified Solutions Expert in Server Infrastructure. He has an excellent command and understanding of information security, security architecture and secure application development, and strong analytical skills pertaining to enterprise situations, risk and contingency plans. Mr. Braeken works for Deloitte as a Senior Consultant in Cyber Risks (Enterprise Risk Services). He does unique Windows security research and speaks about it at international conferences (HackFest 2015 - Québec, Canada; Infosecurity Europe - London, UK).
