Cатсн²² (in)sесuяitу / ChrisJohnRiley

Advanced Powershell Threat: Lethal Client Side Attacks using Powershell – Nikhil Mittal

APT – A buzzword which refuses to die. Lets have some fun with it, lets move it to powershell. This talk would focus on using powershell for Client Side Attacks.

Powershell is an ideal platform for client side attacks as it is available on all the Windows machines. We would see how easy and effective it is to use powershell for various client side attacks like drive-by-downloads, malicious attachments, Java applets, Human Interface Devices etc.

The payloads which would be used with these attacks include in-memory code execeution, dump passwords and system secretsin plain text, backdoors, keyloggers, moving to other systems, reverse shells etc.

The code used in the above talk will be released as open source. The talk would be full of live demonsrations.

Client-side Attacks

Why Client-side attacks

• Server-side is being locked down, so attacks are moving more to the client-side
• Often client-side is less secured and not prioritized for patching compared to the server-side systems
• The perimeter-ized network is still the norm
• Less chance of being discovered when the attack begins from the inside of the network
• Users are too familiar with their systems, and tend to feel over-confident about their security

To avoid detection it’s best to not use exploitation or memory corruption attacks to avoid being detected by possible host-based IDS/IPS or Anti-virus.

What is Powershell / Why Powershell

Tasked-based command line shell and scripting language designed for system administrators

Powershell is already present on the majority of your target systems and is a powerful method to reside in the system. It also provides easy access to things such as the .Net classes, WMI, Windows API, WinRM, Registry, etc…

Anything we can do to reduce our dependance on Metasploit and possibly detectable tools is a good thing.

Tools to create malicious client-side files

Out-Word.ps1

Used to create “armed” or “infected” MS Word documents

Out-Excel.ps1

Same as Out-Word, but for Excel files.

Out-HTA.ps1

Creates an executable HTML application to send to the user that triggers Powershell

Out-Java.ps1

Creates an executable JAR file to launch Powershell

Out-Shortcut.ps1

Creates a malicious .lnk file that points to the Powershell on the users machine to trigger specific actions. Can also set a hotkey on the shortcut so the link is triggered whenever the user clicks a specific key combination.

Out-CHM.ps1

Creates compiled HTML Help Files to execute Powershell commands. Can be customized to include real help information to fool a user.

Defense

• Don’t click stuff! Teach your users to not trust content from external sources
• Removal of VBA from MS Office would help specific attacks
• Active monitoring of users machines may help detect such attacks
• Remove powershell access to users who don’t need it (block/limit the user)

Links:

• Presentation Abstract
• Presentation blogpost
• Nikhil Mittal Twitter
• Nikhil Mittal Homepage
• Nishang tool (github)