Powershell Empire


(Edwin Eekelaers) #1

Morning everyone,
just read an article that might be interesting for those who are into Security .

The article was posted almost half a year ago but it’s still more then interesting enough to share it here.

The Original post was made on Computerweekly.com

RSAC16: Microsoft’s Windows PowerShell fully weaponised, security expert warns

Empire was made for pen testing but as with everything else made it can also be used with bad intent.

The most noticeable i’ve got from it is that we should not depend on powershell’s execution policy as there are so many ways around it. Empire has builtin privilege escalation features.

For those running older OS’ ( Pre Windows 10 ) this may also be a reason to upgrade as in Windows 10 powershell integrates with applocker which should give you whitelisting capabilities.

It’s but one sample of what can be done with powershell. There are many more variants of this that haven’t surfaced yet. It’s better to know before and to secure you then to suffer things like this.

Enjoy reading,
Edwin


(McHelpin) #2

Hi @Edwin,

I know this is a little late to reply, but for anyone with security concerns about PowerShell there are some great resources I highly recommend looking into.

Here is a great blog post from FireEye on how to implement advanced PowerShell logging:
Greater Visibility Through PowerShell Logging

This logging catches the exploits Empire uses in memory. This was not possible previously which is part of what made Empire so popular.

Boe Prox is a Microsoft MVP for Windows PowerShell (now rebranded to Cloud and Datacenter Management) and he did a blog post showing the real value this logging can bring:
Extra PowerShell Auditing

This is possible to implement without upgrading to Windows 10/Svr 2016 but it is there out of the box once you do upgrade.

Staying educated on the latest threats is very important as daunting a task as it is, but I would encourage everyone to look into the benefits you can gain by leveraging PowerShell within your environment.

Thanks,
McHelpin