Traditionally, exploitation has occurred with tools that drop files onto your target(s), making it much easier to detect and alert upon. Dropping files also makes it easier for IR teams to perform incident response and investigate your activities, let alone reverse engineer your weaponized payloads to determine what you're after and how you're doing it.
A few years ago we noticed real-world attackers moving away from canned exploits and diving into what we like to call 'native leverage'. Native leverage is just a fancy way of saying that, as an attacker, I'm going to use functionality inherent to your system(s) to gain more information about you and exploit your weaknesses. Lo and behold, Microsoft does a fantastic job of providing this 'functionality' for us.
There are multiple pathways to using PowerShell for exploitation; however, there's a great community developing PowerShell scripts and exploitation frameworks dedicated to the concept of native leverage. We personally use a combination of these frameworks, customized for our needs, in addition to our own scripts and tools that we have integrated into our attack platform.
PowerShell Exploitation Frameworks
- PoshSec is an exploitation framework with a GUI, developed by Ben Ten (Ben0xA). The PoshSec framework is a great tool that can increase the efficiency of your workflow. PoshSec also lets you add add-on modules such as Posh-SecMod by Carlos Perez (darkoperator) and others.
- PowerSploit is one of the first projects/frameworks created for exploitation through PowerShell. It was created by Matt Graeber (mattifestation) and is contributed to by numerous members of the community.
- PowerUp is a PowerShell tool for local service enumeration and exploitation. PowerUp was created by Will Schroeder (harmj0y) to automate privilege analysis of Windows services.
- Empire is a natural extension of PowerUp for harmj0y and expands on it with capabilities and functionality influenced by PowerSploit, Posh-SecMod, and PowerShell-AD-Recon.
- While not strictly a PowerShell exploitation framework, the Veil-Framework is a great collection of tools and scripts that implement attacks with IR evasion in mind. Veil-PowerView is one of the tools included in the framework; it interrogates Windows domains to provide situational awareness of the network. PowerView was deprecated and rolled into PowerUp; however, we recommend checking out the Veil-Framework specifically for generating payloads with evasion capabilities and leveraging them within your workflow if using Kali Linux.
PowerShell and OPSEC
The benefits of using PowerShell are multiplied when coupling PowerShell exploitation with Cobalt Strike and Beacon's post-exploitation modules. When conducting a digital strike, and to provide an extra layer of misattribution, we use Beacon's malleable C2 profile capabilities with customized profiles to provide the level of uncertainty we aim for when executing against critical targets with a higher degree of technical capability. By using a customized C2 profile we can mimic other threat agents by adjusting the 'signature' we leave behind in logs. Doing this is a must and should be carefully researched and planned prior to engaging.
Coming up in the next post, we will take you through getting your environment ready and provide a few examples of using PowerShell for exploitation - stay tuned.