BSides DC (2016) Talk – PowerShell Security: Defending the Enterprise from the Latest Attack Platform

This Saturday at BSides DC, I am presenting on the current state of PowerShell security in a talk called, “PowerShell Security: Defending the Enterprise from the Latest Attack Platform.”

I cover some of the information I’ve posted here before:

On Saturday, October 21st, 2016, I am speaking at BSides DC in Track 2 (“Grand Central”) at 1:30pm.

Here’s the talk description from the BSides DC website:

PowerShell is a boon to administrators, providing command consistency and the ability to quickly gather system data and set configuration settings. However, what can be used to help, can also be used for less altruistic activities. Attackers have recently learned that leveraging PowerShell provides simple bypass methods for most defenses and a platform for initial compromise, recon, exploitation, privilege escalation, data exfiltration, and persistence.

With the industry shift to an “Assume Breach” mentality, it’s important to understand the impact of defending against an attacker on the internal network since this is a major shift from the traditional defensive paradigm. In its default configuration, there’s minimal PowerShell logging and nothing to slow an attacker’s activities. Many organizations seek to block the PowerShell executable to stop attacks. However, blocking PowerShell.exe does not stop PowerShell execution and can provide a false sense of security. Simply put, don’t block PowerShell, embrace it. The key is monitoring PowerShell usage to enable detection of recon and attack activity. As attack tools like PowerSploit (Invoke-Mimikatz) and the recently released PowerShell Empire become more prevalent (and more commonly used), it’s more important than ever to understand the full capabilities of PowerShell as an attack platform as well as how to effectively detect and mitigate a variety of PowerShell attack methods.

The presentation walks the audience through the evolution of PowerShell as an attack platform and shows why a new approach to PowerShell attack defense is required. PowerShell recon & attack techniques are shown as well as methods of detection & mitigation. Also covered are the latest methods to bypass and subvert PowerShell security measures including PowerShell v5 logging, constrained language mode, and Windows 10’s AMSI anti-malware for scanning PowerShell code in memory. The final part of the presentation explains why PowerShell version 5 should be every organization’s new baseline version of PowerShell due to new and enhanced defensive capability.

This talk is recommended for anyone tasked with defending and testing the defenses for an organization as well as system administrators/engineers.

This presentation outlines the capability of the current PowerShell version and how current attacks are leveraging PowerShell, including how current PowerShell security (& logging) can be bypassed!
The talk wraps up with a summary of the defensive recommendations provided throughout the presentation.

For the curious, here’s an outline of the talk*:


Some Favorite DerbyCon 6 Talks (2016)

This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few.
To read about the DerbyCon 6 presentations visit the DerbyCon 6 Schedule page and the DerbyCon 6 presentation videos are on YouTube.


DerbyCon 6 (2016) Talk – Attacking EvilCorp: Anatomy of a Corporate Hack

Next week at DerbyCon 6, Will Schroeder (aka Will Harmjoy, @Harmj0y) & I are presenting on enterprise security, “Attacking EvilCorp: Anatomy of a Corporate Hack.”
We call this one the “How You Got Hacked” presentation.

The company and events are fictional.

The techniques are real.

On Saturday, September 24th, 2016, Will & I are speaking at DerbyCon Track 1 (Break Me) in the Regency North room from 10:00am to 10:50am.

Here’s the talk description from the DerbyCon website:

With the millions of dollars invested in defensive solutions, how are attackers still effective?
Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries?
And is there anything the underfunded admin can do to stop the carnage?
Join us in a shift to “assume breach” and see how an attacker can easily move from a single machine compromise to a complete domain take over.
Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts”. The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary.
When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction?
In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker.

This presentation is not a standard conference talk with lots of slides. In fact, there are only a handful of slides, mostly to highlight how to mitigate the demonstrated attacks. Over the course of the 45 minute presentation, we show several attack demonstrations highlighting typical phases of how a company could be hacked and talk through the issues in the environment and real world mitigations. Instead of walking through the attacks and showing slides, we present this as a “skit”.

During the talk, Sean assumes the role of E Corp CIO who is on stage at a conference presenting about their perfect security. He effectively challenges the world to hack his company.

Will takes up this challenge and explains the problems with E Corp’s security posture by showing in several demos how he can pwn them in about 25 minutes.

After this “skit”, we switch back to a more traditional presentation to cover real-world mitigations.

For the curious, here’s an outline of our talk at DerbyCon next week:


Microsoft LAPS Security & Active Directory LAPS Configuration Recon

Over the years, there have been several methods attempted for managing local Administrator accounts:

  1. Scripted password change – Don’t do this. The password is exposed in SYSVOL.
  2. Group Policy Preferences. The credentials are exposed in SYSVOL.
  3. Password vault/safe product (Thycotic, CyberArk, Lieberman, Quest, Xceedium, etc).
  4. Microsoft Local Administrator Password Solution (LAPS).

 

LAPS Overview

Microsoft’s LAPS is a useful tool for automatically managing Windows computer local Administrator passwords. It’s important to ensure that every computer changes its local Administrator password regularly, that the password is unique for every computer, that there’s a way to track when it gets changed, and that there’s a way to force password changes. I cover LAPS in an earlier post, including deployment, pros & cons, among other information.

Here’s a quick overview of LAPS:

  • Initial install which includes schema extensions – adds ms-mcs-AdmPwd (clear-text password) & ms-mcs-AdmPwdExpirationTime (date/time when password expires which forces the LAPS client to reset the password) attributes to computer objects.
  • Deploy the LAPS client to all computers to manage their local Administrator account password.
  • Delegate all computers access to update the ms-mcs-AdmPwd & ms-mcs-AdmPwdExpirationTime LAPS attributes on their own computer account (SELF write access).
  • Delegate the LAPS computer attributes so the appropriate users have access to view the LAPS password and/or force a reset of the LAPS password (clearing the value of ms-mcs-AdmPwdExpirationTime forces the LAPS client to change the local Administrator password).
  • Configure a new Group Policy Object (GPO) to enable & configure LAPS management of the local Administrator account password.
    (Screenshot: LAPS Group Policy configuration)

Note that the LAPS GPO setting “Do not allow password expiration time longer than required by policy” is set to Enabled. This is important as you’ll see at the end of this post.
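An audit of the expiration attribute described in the overview above, as an added example (not code from the original post): it converts ms-Mcs-AdmPwdExpirationTime from its FILETIME value and classifies each computer. The function name, the 30-day maximum password age, and the sample computer objects are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). Input objects mimic the output of:
#   Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime'
function Get-LapsExpirationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,

        # Assumption: the LAPS GPO password age is 30 days; use your policy value.
        [int]$MaxPasswordAgeDays = 30,

        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        $raw     = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null

        if ($null -eq $raw -or [int64]$raw -eq 0) {
            # Never managed by LAPS, or the value was cleared to force a reset
            # that the LAPS client has not processed yet.
            $state = 'NoExpirationSet'
        }
        else {
            # The attribute is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if ($expires -lt $Now) {
                # Expiration passed without a rotation (offline or unmanaged client).
                $state = 'Overdue'
            }
            elseif ($expires -gt $Now.AddDays($MaxPasswordAgeDays)) {
                # Expiration is further out than the policy's password age allows.
                $state = 'BeyondPolicy'
            }
            else {
                $state = 'OK'
            }
        }

        [pscustomobject]@{
            Name       = $Computer.Name
            ExpiresUtc = $expires
            State      = $state
        }
    }
}

# Constructed sample data: hypothetical computer names and a fixed reference time.
$now = [datetime]::new(2016, 10, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WKS-001'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-002'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-45).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-003'; 'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(3650).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WKS-004'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

# Report everything that is not within policy.
$sample | Get-LapsExpirationState -Now $now |
    Where-Object State -ne 'OK' |
    Format-Table -AutoSize
```

Against a live domain, pipe the Get-ADComputer output shown in the first comment into the function instead of `$sample`; only the expiration attribute is read, not ms-Mcs-AdmPwd.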


PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection

This post is a follow-up of sorts from my earlier posts on PowerShell, my PowerShell presentation at BSides Baltimore, and my presentation at DEF CON 24.
Hopefully this post provides current information on PowerShell usage for both Blue and Red teams.

Related posts:

The Evolution of PowerShell as an attack tool

PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.

Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010) on how PowerShell could be leveraged by attackers. Matt Graeber developed PowerSploit and blogged at Exploit-Monday.com on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “PowerSploit” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka Invoke-Mimikatz) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .NET code and execute dynamic code downloaded from another system (or the internet) in memory without ever touching disk. These features make PowerShell a preferred method for gaining and maintaining access to systems since attackers can move around using PowerShell without being seen. PowerShell Version 5 (v5) greatly improves the defensive posture of PowerShell and when run on a Windows 10 system, PowerShell attack capability is greatly reduced.


DEF CON 24 (2016) Talk “Beyond the MCSE: Red Teaming Active Directory” Presentation Slides Posted

On Thursday, August 4th, I presented “Beyond the MCSE: Red Teaming Active Directory” at DEF CON 24 (2016).

Here are the slides for this talk:  DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.

 

Presentation Slides Posted for Black Hat USA 2016 Talk “Beyond the MCSE: Active Directory for the Security Professional”

On Wednesday, August 3rd, I presented “Beyond the MCSE: Active Directory for the Security Professional” at Black Hat USA 2016.

Here are the slides for this talk:  US-16-Metcalf-BeyondTheMCSE-ActiveDirectoryForTheSecurityProfessional

Here’s my talk description from the Black Hat website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantage of AD communication.

Some of the content covered:

  • Differing views of Active Directory: admin, attacker, and infosec.
  • The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
  • Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
  • AD database format, files, and object storage (including password data).
  • Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
  • Key Domain Controller information and how attackers take advantage.
  • Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
  • Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
  • Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.

Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

 

Black Hat USA 2016 Talk – Beyond the MCSE: Active Directory for the Security Professional

This summer in Las Vegas, I’m speaking at Black Hat USA 2016 on Active Directory security, “Beyond the MCSE: Active Directory for the Security Professional.” This talk covers the key AD security components with specific focus on the things security professionals should know.

I put this talk together because I have noticed that while Active Directory admins, engineers, and MCSEs typically know what areas of Active Directory are critical security components, others often do not. The presentation covers the core AD components and how they impact enterprise security before diving into the most common AD security issues, new AD security enhancements in recent Windows versions, and AD security best practices.

On Wednesday, August 3rd, 2016, I am speaking at the Mandalay Bay room GH from 10:20am to 11:10am.


Here’s my talk description from the Black Hat website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it’s attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantage of AD communication.

Some of the content covered:

  • Differing views of Active Directory: admin, attacker, and infosec.
  • The differences between forests and domains, including how multi-domain AD forests affect the security of the forest.
  • Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features.
  • AD database format, files, and object storage (including password data).
  • Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation.
  • Key Domain Controller information and how attackers take advantage.
  • Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection.
  • Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365).
  • Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges.

Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.

For the curious, here’s an outline of my talk at Black Hat next week:


DEF CON 24 (2016) Talk – Beyond the MCSE: Red Teaming Active Directory

This August at DEF CON 24, I will be speaking about Active Directory security evaluation in my talk “Beyond the MCSE: Red Teaming Active Directory”. This talk is focused on the Red side of AD security, specifically how to best evaluate the security of AD and quickly identify potential security issues. Whether you perform “Red Teaming” or “Penetration testing”, this presentation covers efficient methods of Active Directory recon which can quickly identify AD privilege escalation methods, several of which aren’t well described or understood. Also discussed are the latest Active Directory defensive measures, what this means to the Red Teamer, and potential bypasses.
Note that this is the 3rd talk at DEF CON and is on Thursday, DEF CON’s opening day.


On Thursday, August 4th, 2016, I have a DEF CON 101 talk from 12:00pm to 12:50pm in the Pacific Ballroom (Bally’s Jubilee Tower, 2nd floor).
DEF CON 24 Floorplan (map)

Here’s my talk description from the DEF CON website:

Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities, so why do red teams barely scratch the surface when it comes to leveraging the data it contains? This talk skips over the standard intro to Active Directory fluff and dives right into the compelling offensive information useful to a Red Teamer, such as quickly identifying target systems and accounts. AD can yield a wealth of information if you know the right questions to ask. This presentation ventures into areas many didn’t know existed and leverages capability to quietly identify interesting accounts & systems, identify organizations the target company does business with regularly, build target lists without making a sound, abuse misconfigurations/existing trusts, and quickly discover the most interesting shares and their location. PowerShell examples and AD defense evasion techniques are provided throughout the talk.

Let’s go beyond the MCSE and take a different perspective on the standard AD recon and attack tactics.


DEF CON 24 talk outline:


So You Want to Speak at a Security Conference Part 2: How to Craft a Great Talk for a Security Conference!

This is a continuation of my earlier “So You Want to Speak at a Security Conference?” post where I cover creating a good submission to speak at a conference. I have spoken a handful of times and am definitely not an expert, though I do want to share some of the best tips I’ve discovered with others. I don’t have all the answers and I’m not an expert speaker. What I do have is some speaking experience at some notable security conferences and the tips and strategy that got me through them. 🙂 Hopefully these posts help you.

 

The Acceptance

After putting together a stellar presentation submission, you receive an email with the words you were hoping for: “your submission is accepted!”
This email arrives weeks if not months after submitting to a conference and typically about 1-3 months before the actual conference date.

After taking some time to celebrate, and you really should since most conferences get more submissions than available slots (often many times that number), it’s time to get down to business. This is also a good time to make travel arrangements (assuming you need to travel). Also review the conference CFP pages and/or speaker section (if available) for speaker logistics.

Before getting started, please read through Speaking.io; it’s a great resource and has lots of great tips for speakers.

The important ones:

  • Presentation duration – usually 45 – 50 minutes, though some conferences also have other presentation formats, like 20 or 100 minutes.
  • Milestone dates:
    • Deadline to update abstract/summary and bio.
    • Deadline for slides/whitepaper/other material (typically for conference CD/DVD)
  • Projector: standard or widescreen (this matters for your slide format)
  • Note if there’s a presentation template and/or file type requirement (PDF is typically required).

Also remember that the email address the acceptance was sent to will be the one conference/speaker updates are sent to. If there are any changes (e.g. you switch jobs), make sure the conference contact knows about it.

 

Creating the Presentation

The first thing to do is to review your submission (hopefully you also included an outline) and start mapping out the presentation narrative. This is the time to figure out how you are going to get all the content in the abstract/summary into the presentation slides.

Make sure that the presentation slide material, including demos, can be covered in the time allowed.
