class="previous col-sm-6"><i class="fa fa-arrow-circle-left"></i> <a href="https://adsecurity.org/?p=2987" rel="prev">DEF CON 24 (2016) Talk “Beyond the MCSE: Red Teaming Active Directory” Presentation Slides Posted</a></p> <p class="next-post col-sm-6"><a href="https://adsecurity.org/?p=3164" rel="next">Microsoft LAPS Security & Active Directory LAPS Configuration Recon</a> <i class="fa fa-arrow-circle-right"></i></p> </div> <div id="post-2921" class="clearfix post post-2921 type-post status-publish format-standard has-post-thumbnail hentry category-microsoft-security category-powershell category-technical-reference tag-bypass-powershell-executionpolicy tag-bypass-powershell-security tag-constrained-language-mode tag-detect-invoke-mimikatz tag-detect-offensive-powershell tag-detect-powershell-attack-tools tag-detect-powershell-attacks tag-executionpolicybypass tag-invoke-expression tag-invoke-mimikatz tag-invokemimikatz tag-new-object-net-webclient-downloadstring tag-offensive-powershell tag-offensive-powershell-indicators tag-offensivepowershell tag-powershell-attack-tool tag-powershell-attack-tools tag-powershell-attacks tag-powershell-constrained-language tag-powershell-constrained-language-mode tag-powershell-execution-policy tag-powershell-gpo tag-powershell-logging-group-policy tag-powershell-mimikatz tag-powershell-exe tag-powershellattack tag-powershelllogging tag-powershellmafia tag-powershellsecurity tag-powershellv5 tag-powersploit tag-powerup tag-powerview tag-script-block-logging tag-system-wide-transcript tag-system-management-automation-dll tag-windows10 item-wrap"> <div class="entry clearfix"> <div class="post-date date alpha with-year"> <p class="default_date"> <span class="month">Aug</span> <span class="day">13</span> <span class="year">2016</span> </p> </div> <h1 class="post-title entry-title"> PowerShell Security: PowerShell Attack Tools, Mitigation, & Detection </h1> <ul class="post-meta entry-meta clearfix"> <li class="byline"> By <span 
class="author"><a href="https://adsecurity.org/?author=2" rel="author">Sean Metcalf</a></span><span class="entry-cat"> in <span class="terms"><a class="term term-category term-11" href="https://adsecurity.org/?cat=11">Microsoft Security</a>, <a class="term term-category term-7" href="https://adsecurity.org/?cat=7">PowerShell</a>, <a class="term term-category term-2" href="https://adsecurity.org/?cat=2">Technical Reference</a></span></span> </li> </ul> <div class="entry-content clearfix"> <p>This post is a follow-up of sorts from my earlier posts on PowerShell, my <a href="https://adsecurity.org/?page_id=1352">PowerShell presentation at BSides Baltimore</a>, and my <a href="https://adsecurity.org/?page_id=1352">presentation at DEF CON 24</a>.<br /> Hopefully this post provides current information on PowerShell usage for both Blue and Red teams.</p> <p><strong>Related posts:</strong></p> <ul> <li><a href="https://adsecurity.org/?p=2843" target="_top">BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform </a></li> <li><a href="https://adsecurity.org/?p=2668" target="_top">PowerShell Version 5 is Available for Download (again) </a></li> <li><a href="https://adsecurity.org/?p=2604" target="_top">Detecting Offensive PowerShell Attack Tools </a></li> <li><a href="https://adsecurity.org/?p=2277" target="_top">PowerShell Version 5 Security Enhancements </a></li> </ul> <h3><strong> The Evolution of PowerShell as an attack tool</strong></h3> <p>PowerShell is a built-in command shell available on every supported version of Microsoft Windows (Windows 7 / Windows 2008 R2 and newer) and provides incredible flexibility and functionality to manage Windows systems. This power makes PowerShell an enticing tool for attackers. Once an attacker can get code to run on a computer, they often invoke PowerShell code since it can be run in memory where antivirus can’t see it. 
Attackers may also drop PowerShell script files (.ps1) to disk, but since PowerShell can download code from a website and run it in memory, that’s often not necessary.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/06/PowerShellSecurity-PowerShell-I-Thought-This-Was-DOS.jpg"><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-2922" src="https://adsecurity.org/wp-content/uploads/2016/06/PowerShellSecurity-PowerShell-I-Thought-This-Was-DOS.jpg" alt="PowerShellSecurity-PowerShell-I-Thought-This-Was-DOS" width="450" height="268" srcset="https://adsecurity.org/wp-content/uploads/2016/06/PowerShellSecurity-PowerShell-I-Thought-This-Was-DOS.jpg 450w, https://adsecurity.org/wp-content/uploads/2016/06/PowerShellSecurity-PowerShell-I-Thought-This-Was-DOS-300x179.jpg 300w" sizes="(max-width: 450px) 100vw, 450px" /></a></p> <p><a href="https://www.youtube.com/watch?v=q5pA49C7QJg">Dave Kennedy & Josh Kelley presented at DEF CON 18 (2010)</a> on how PowerShell could be leveraged by attackers. <a href="http://www.exploit-monday.com/2012/08/Why-I-Choose-PowerShell.html">Matt Graeber developed PowerSploit and blogged at Exploit-Monday.com</a> on why PowerShell is a great attack platform. Offensive PowerShell usage has been on the rise since the release of “<a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit</a>” in 2012, though it wasn’t until Mimikatz was PowerShell-enabled (aka <a href="https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1">Invoke-Mimikatz</a>) about a year later that PowerShell usage in attacks became more prevalent. PowerShell provides tremendous capability since it can run .Net code and can download dynamic code from another system (or the internet) and execute it in memory without ever touching disk. 
These features make PowerShell a preferred method for gaining and maintaining access to systems, since attackers can move around using PowerShell without being seen. <a href="https://adsecurity.org/?p=2277">PowerShell Version 5</a> (v5) greatly improves the defensive posture of PowerShell, and when it is run on a Windows 10 system, PowerShell attack capability is greatly reduced.</p> <p><span id="more-2921"></span></p> <h3><strong>Attackers have options</strong></h3> <p>This post obviously covers how attackers can subvert the latest security enhancements in PowerShell, including PowerShell v5.<br /> Keep in mind that attackers have options. PowerShell is one option, but dropping a custom exe is another one.<br /> Options include:</p> <ul> <li>Custom executables (EXEs)</li> <li>Windows command tools</li> <li>Remote Desktop</li> <li>Sysinternals tools</li> <li>Windows Scripting Host</li> </ul> <ul> <li>VBScript</li> <li>CScript</li> <li>JavaScript</li> <li>Batch files</li> <li>PowerShell</li> </ul> <h3><strong>PowerShell attack capability</strong></h3> <p>There are a number of reasons why attackers love PowerShell:</p> <ul> <li>Run code in memory without touching disk.</li> <li>Download & execute code from another system.</li> <li>Interface with .Net & Windows APIs.</li> <li>Built-in remoting.</li> <li>CMD.exe is commonly blocked, though not PowerShell.</li> <li>Most organizations are not watching PowerShell activity.</li> <li>Many endpoint security products don’t have visibility into PowerShell activity.</li> </ul> <p>PowerShell is often leveraged as part of a client attack and is frequently invoked with one of the following run options (typically an Encoded Command, which bypasses the execution 
policy).</p> <p><span style="text-decoration: underline;">Typical PowerShell run options</span></p> <p style="padding-left: 30px;">-WindowsStyle Hidden<br /> -NoProfile<br /> -ExecutionPolicy Bypass<br /> -File <FilePath><br /> -Command <Command><br /> -EncodedCommand <BASE64EncodedCommand></p> <h3><strong>Real World PowerShell Attack Tools</strong></h3> <h4><strong><a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit</a></strong></h4> <p>Description: A PowerShell Post-Exploitation Framework used in many PowerShell attack tools.<br /> Use: Recon, privilege escalation, credential theft, persistence.<br /> Authors: Matt Graeber (@Mattifestation) & Chris Campbell (@obscuresec)</p> <p>Popular cmdlets:</p> <ul> <li>Invoke-DllInjection.ps1</li> <li>Invoke-Shellcode.ps1</li> <li>Invoke-WmiCommand.ps1</li> <li>Get-GPPPassword.ps1</li> <li>Get-Keystrokes.ps1</li> <li>Get-TimedScreenshot.ps1</li> <li>Get-VaultCredential.ps1</li> </ul> <ul> <li>Invoke-CredentialInjection.ps1</li> <li>Invoke-Mimikatz.ps1</li> <li>Invoke-NinjaCopy.ps1</li> <li>Invoke-TokenManipulation.ps1</li> <li>Out-Minidump.ps1</li> <li>VolumeShadowCopyTools.ps1</li> <li>Invoke-ReflectivePEInjection.ps1</li> </ul> <h4><strong><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1">Invoke-Mimikatz</a></strong></h4> <p>Capabilities: <a href="https://adsecurity.org/?p=2207">Mimikatz </a>execution from PowerShell, Credential theft & injection, Forged Kerberos ticket creation, Much more!</p> <p>Use: Credential theft & reuse, Persistence</p> <p>Author: Joseph Bialek (@clymb3r)</p> <p><img decoding="async" class="alignnone" src="https://adsecurity.org/wp-content/uploads/2016/08/Invoke-Mimikatz-DumpCreds-RunFromWeb.jpg" width="651" height="457" /></p> <h4><strong><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1">PowerView</a></strong></h4> <p>Description: Pure PowerShell domain/network situational awareness tool.<br 
/> Now part of PowerSploit.</p> <p>Use: Recon</p> <p>Author: Will Harmjoy (@HarmJ0y)</p> <ul> <li>Get-NetUser</li> <li>Get-NetGroup</li> <li>Get-NetGroupMember</li> <li>Get-NetLocalGroup</li> <li>Get-NetSession</li> <li>Invoke-UserHunter</li> <li>Get-NetOU</li> <li>Find-GPOLocation</li> <li>Get-NetGPOGroup</li> </ul> <ul> <li>Get-ObjectACL</li> <li>Add-ObjectACL</li> <li>Invoke-ACLScanner</li> <li>Set-ADObject</li> <li>Invoke-DowngradeAccount</li> <li>Get-NetForest</li> <li>Get-NetForestTrust</li> <li>Get-NetForestDomain</li> <li>Get-NetDomainTrust</li> <li>Get-MapDomainTrust</li> </ul> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01.png"><img decoding="async" class="alignnone size-full wp-image-3116" src="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01.png" alt="AD-Recon-PowerView-GetNetGPOGroup-01" width="1852" height="884" srcset="https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01.png 1852w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01-300x143.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01-768x367.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/AD-Recon-PowerView-GetNetGPOGroup-01-1024x489.png 1024w" sizes="(max-width: 1852px) 100vw, 1852px" /></a></p> <h4><strong><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1"> PowerUp</a></strong></h4> <p>Description: Identifies methods of local Privilege Escalation.<br /> Part of PowerShell Empire.</p> <p>Use: Privilege Escalation</p> <p>Author: Will Harmjoy (@harmj0y)</p> <ul> <li>Get-ServiceUnquoted</li> <li>Get-ServiceFilePermission</li> <li>Get-ServicePermission</li> <li>Invoke-ServiceAbuse</li> <li>Install-ServiceBinary</li> <li>Get-RegAutoLogon</li> </ul> <ul> <li>Get-VulnAutoRun</li> <li>Get-VulnSchTask</li> <li>Get-UnattendedInstallFile</li> 
<li>Get-WebConfig</li> <li>Get-ApplicationHost</li> <li>Get-RegAlwaysInstallElevated</li> </ul> <h4><strong><a href="https://github.com/samratashok/nishang">Nishang</a></strong></h4> <p>Description: PowerShell for penetration testing and offensive security.<br /> Use: Recon, Credential Theft, Privilege Escalation, Persistence<br /> Author: Nikhil Mitt (@nikhil_mitt)</p> <ul> <li>Get-Unconstrained</li> <li>Add-RegBackdoor</li> <li>Add-ScrnSaveBackdoor</li> <li>Gupt-Backdoor</li> <li>Invoke-ADSBackdoor</li> <li>Enabled-DuplicateToken</li> <li>Invoke-PsUaCme</li> <li>Remove-Update</li> <li>Check-VM</li> <li>Copy-VSS</li> <li>Get-Information</li> <li>Get-LSASecret</li> </ul> <ul> <li>Get-PassHashes</li> <li>Invoke-Mimikatz</li> <li>Show-TargetScreen</li> <li>Port-Scan</li> <li>Invoke-PoshRatHttp</li> <li>Invoke-PowerShellTCP</li> <li>Invoke-PowerShellWMI</li> <li>Add-Exfiltration</li> <li>Add-Persistence</li> <li>Do-Exfiltration</li> <li>Start-CaptureServer</li> </ul> <h4><strong><a href="https://github.com/PowerShellEmpire/Empire">PowerShell Empire</a></strong></h4> <p>Current Version: 1.5 (3/31/2016)</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShellEmpire-Empire-Load-Screen-v1.5.jpg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3070" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShellEmpire-Empire-Load-Screen-v1.5.jpg" alt="PowerShellEmpire-Empire-Load-Screen-v1.5" width="472" height="294" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShellEmpire-Empire-Load-Screen-v1.5.jpg 472w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShellEmpire-Empire-Load-Screen-v1.5-300x187.jpg 300w" sizes="(max-width: 472px) 100vw, 472px" /></a></p> <p>Capabilities:</p> <ul> <li>PowerShell based Remote Access Trojan (RAT).</li> <li>Python server component (Kali Linux).</li> <li>AES Encrypted C2 channel.</li> <li>Dumps and tracks credentials in database.</li> </ul> <p>Use: Integrated modules 
providing Initial Exploitation, Recon, Credential Theft & Reuse, as well as Persistence.</p> <p>Authors: Will Schroeder (@harmj0y) & Justin Warner (@sixdub) & Matt Nelson (@enigma0x3)</p> <p>Modules:</p> <ul> <li>Code Execution</li> <li>Collection</li> <li>Credentials</li> <li>Exfiltration</li> <li>Exploitation</li> <li>Lateral Movement</li> <li>Management</li> <li>Persistence</li> <li>Privilege Escalation</li> <li>Recon</li> <li>Situational Awareness</li> <li>Fun & Trollsploit</li> </ul> <p>Cmdlets:</p> <ul> <li>Invoke-DllInjection</li> <li>Invoke-ReflectivePEInjection</li> <li>Invoke-ShellCode</li> <li>Get-ChromeDump</li> <li>Get-ClipboardContents</li> <li>Get-FoxDump</li> <li>Get-IndexedItem</li> <li>Get-Keystrokes</li> <li>Get-Screenshot</li> <li>Invoke-Inveigh</li> <li>Invoke-NetRipper</li> <li>Invoke-NinjaCopy</li> <li>Out-Minidump</li> <li>Invoke-EgressCheck</li> <li>Invoke-PostExfil</li> <li>Invoke-PSInject</li> <li>Invoke-RunAs</li> <li>MailRaider</li> </ul> <ul> <li>New-HoneyHash</li> <li>Set-MacAttribute</li> <li>Get-VaultCredential</li> <li>Invoke-DCSync</li> <li>Invoke-Mimikatz</li> <li>Invoke-PowerDump</li> <li>Invoke-TokenManipulation</li> <li>Exploit-Jboss</li> <li>Invoke-ThunderStruck</li> <li>Invoke-VoiceTroll</li> <li>Set-Wallpaper</li> <li>Invoke-InveighRelay</li> <li>Invoke-PsExec</li> <li>Invoke-SSHCommand</li> </ul> <ul> <li>Get-SecurityPackages</li> <li>Install-SSP</li> <li>Invoke-BackdoorLNK</li> <li>PowerBreach</li> <li>Get-GPPPassword</li> <li>Get-SiteListPassword</li> <li>Get-System</li> <li>Invoke-BypassUAC</li> <li>Invoke-Tater</li> <li>Invoke-WScriptBypassUAC</li> <li>PowerUp</li> <li>PowerView</li> <li>Get-RickAstley</li> </ul> <ul> <li>Find-Fruit</li> <li>HTTP-Login</li> <li>Find-TrustedDocuments</li> <li>Get-ComputerDetails</li> <li>Get-SystemDNSServer</li> <li>Invoke-Paranoia</li> <li>Invoke-WinEnum</li> <li>Get-SPN</li> <li>Invoke-ARPScan</li> <li>Invoke-PortScan</li> <li>Invoke-ReverseDNSLookup</li> <li>Invoke-SMBScanner</li> 
</ul> <h3><strong>Learning about Offensive PowerShell Tools</strong></h3> <p>Most of the best PS attack tools are in Empire, so download the <a href="https://github.com/PowerShellEmpire/Empire/releases">PowerShell Empire zip file</a> & extract.<br /> Once extracted, review PS1 files in data\module_source.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3123" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source.png" alt="PowerShell-Empire-ZipFile-Contents-Module_Source" width="222" height="347" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source.png 424w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-192x300.png 192w" sizes="(max-width: 222px) 100vw, 222px" /></a></p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Credentials.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3122" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Credentials.png" alt="PowerShell-Empire-ZipFile-Contents-Module_Source-Credentials" width="307" height="178" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Credentials.png 585w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Credentials-300x174.png 300w" sizes="(max-width: 307px) 100vw, 307px" /></a> <a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Persistence.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3124" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Persistence.png" 
alt="PowerShell-Empire-ZipFile-Contents-Module_Source-Persistence" width="305" height="180" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Persistence.png 592w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Empire-ZipFile-Contents-Module_Source-Persistence-300x177.png 300w" sizes="(max-width: 305px) 100vw, 305px" /></a></p> <h3><strong>PowerShell is more than PowerShell.exe</strong></h3> <p>Blocking access to PowerShell.exe is an “easy” way to stop PowerShell capability, at least that’s how it seems. The reality is that PowerShell is more than a single executable. PowerShell is a core component of Windows (not removable) exists in the System.Management.Automation.dll dynamic linked library file (DLL) and can host different runspaces which are effectively PowerShell instances (think PowerShell.exe & PowerShell_ISE.exe). A custom PowerShell runspace can be instantiated via code, so PowerShell can be executed through a custom coded executable (such as MyPowershell.exe). In fact there are several current methods of running PowerShell code without Powershell.exe being executed. Justin Warner (<a href="https://twitter.com/sixdub">@SixDub</a>) blogged about <a href="http://www.sixdub.net/?p=367">bypassing PowerShell.exe on Red Team engagements in late 2014, </a><a href="http://www.powershellempire.com/?page_id=135">aka PowerPick</a>). Since PowerShell code can be executed without running PowerShell.exe, blocking this executable is not an ideal solution to block attacks (and by “not an ideal solution” I mean this doesn’t stop PowerShell from being executed, so no it doesn’t solve the problem).</p> <p>There are two sides to every argument. On the “Block PowerShell” side, there is the positive result that initial attack code will not execute since PowerShell is not allowed to run, with potential issues later on due to Microsoft and/or 3rd party requirements for PowerShell. 
Often an organization will “block” access to PowerShell.exe to stop the initial attack. There are side-effects to this, including potentially reduced management capability.<br /> On the “Don’t Block PowerShell” side, there are other ways to limit an attacker’s PowerShell capability without blocking PowerShell from running. Configuring PowerShell protection/limitation via AppLocker is worth investigating (and testing) as well as setting Powershell to constrained language mode. For more on this, review the later section on “Limiting PowerShell Capability.”</p> <ul> <li>PowerShell = System.Management.Automation.dll</li> <li>Applications can run PowerShell code</li> <li>“PowerShell ps = PowerShell.Create()”</li> <li>Ben Ten’s AwesomerShell<br /> <a href="https://github.com/Ben0xA/AwesomerShell">https://github.com/Ben0xA/AwesomerShell</a></li> </ul> <h3><strong>Executing PowerShell commands without PowerShell.exe<br /> </strong></h3> <p><span style="text-decoration: underline;">Starting with PowerShell v2:</span></p> <p><i><a href="https://msdn.microsoft.com/en-us/library/system.management.automation.powershell%28VS.85%29.aspx">“Provides methods that are used to create a pipeline of commands and invoke those commands either synchronously or asynchronously within a runspace. This class also provides access to the output streams that contain data that is generated when the commands are invoked. This class is primarily intended for host applications that programmatically use Windows PowerShell to perform tasks. 
This class is introduced in Windows PowerShell 2.0″.</a></i></p> <ul> <li>Create C# application that references Powershell System.Automation.dll assembly.</li> <li>Leverage Automation assembly’s functions to execute PowerShell Code.</li> <li>Similar to how PowerShell.exe works.</li> </ul> <p><a href="https://github.com/leechristensen/UnmanagedPowerShell">Unmanaged PowerShell</a> by Lee Christensen (<a href="https://twitter.com/tifkin_">@tifkin_</a>) is the foundation for most PowerShell attack tools running outside of powershell.exe. It starts up .NET & performs in-memory loading of a custom C# assembly that executes PowerShell from an unmanaged process.<br /> The Metasploit PowerShell module leverages unmanaged PowerShell since March 2016.</p> <p>Another PowerShell project that leverages unmanaged PowerShell is <strong>P0wnedShell</strong> a “PowerShell Runspace Post Exploitation Toolkit”. It runs PowerShell commands and functions within a powershell runspace environment (.NET) and includes many PowerShell attack tools, including those from PowerSploit, Nishang, PowerCat, Inveigh, etc all contained within a single executable.</p> <p><img loading="lazy" decoding="async" class="alignnone" src="https://adsecurity.org/wp-content/uploads/2016/08/P0wnedShell-Calc.png" width="1631" height="870" /><br /> This project provides a simple ‘Order by Number’ for simple PowerShell attack tool execution.<br /> I renamed it to “Calc.exe”, though I have never been able to get Calc to use more than a few MB of RAM. When I run Mimikatz through it, “Calc” uses > 180MB. 🙂</p> <h3><strong>PowerShell v5 Security Enhancements<br /> </strong></h3> <p>I cover these in a <a href="https://adsecurity.org/?p=2277">previous post. </a>How about a quick refresher?</p> <ul> <li><strong>Script block logging</strong> – logs the PowerShell code actually executed by PowerShell. 
Without this enabled, only the obfuscated code is logged, making it far more difficult to create useful indicators.
If the share is offline, the computer will cache the file data until it’s back online.<br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3004" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped.png" alt="PowerShell-v5-Transcription-InvokeMimikatz-cropped" width="645" height="720" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped.png 1123w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped-269x300.png 269w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped-768x857.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Transcription-InvokeMimikatz-cropped-918x1024.png 918w" sizes="(max-width: 645px) 100vw, 645px" /></a></li> <li><strong>Constrained PowerShell enforced with AppLocker</strong> – When PowerShell v5 installed and AppLocker in Allow mode, PowerShell operates in constrained language mode which is a limited language mode preventing and Windows API access. For more on this, keep reading. 
🙂<br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3097" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools.png" alt="PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools" width="900" height="262" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools.png 900w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools-300x87.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools-768x224.png 768w" sizes="(max-width: 900px) 100vw, 900px" /></a></li> <li>The <strong>Anti-Malware Scan Interface (AMSI)</strong> in Windows 10 enables all script code to be scanned prior to execution by PowerShell and other Windows scripting engines. The Anti-Virus/Anti-Malware solution on the system must support AMSI for it to scan the code. The great benefit is that all code delivered to the PowerShell engine is scanned, even code injected into memory that was downloaded from the internet. 
As of mid-2016, only Microsoft Defender and AVG support AMSI.<br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Win10-AMSI-Graphic.jpg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3096" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Win10-AMSI-Graphic.jpg" alt="PowerShell-v5-Win10-AMSI-Graphic" width="728" height="321" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Win10-AMSI-Graphic.jpg 728w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-Win10-AMSI-Graphic-300x132.jpg 300w" sizes="(max-width: 728px) 100vw, 728px" /></a></li> </ul> <p>Unfortunately, most AntiVirus companies don’t see the benefit of AMSI<br /> <img loading="lazy" decoding="async" class="alignnone wp-image-3750" src="https://adsecurity.org/wp-content/uploads/2016/08/AMSISupport.png" alt="" width="489" height="309" srcset="https://adsecurity.org/wp-content/uploads/2016/08/AMSISupport.png 1530w, https://adsecurity.org/wp-content/uploads/2016/08/AMSISupport-300x189.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/AMSISupport-768x485.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/AMSISupport-1024x647.png 1024w" sizes="(max-width: 489px) 100vw, 489px" /></p> <p> </p> <p>There are also PowerShell cmdlets to interact with Defender to get status on detected threats.</p> <p>The first detection shows a detected threat in a couple of different files on disk.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report.jpg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3092" src="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report.jpg" alt="AMSI-ThreatDetection-Report" width="2655" height="827" srcset="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report.jpg 2655w, https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-300x93.jpg 300w, 
https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-768x239.jpg 768w, https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-1024x319.jpg 1024w" sizes="(max-width: 2655px) 100vw, 2655px" /></a></p> <p>The second detection shows a detected threat in “PowerShell.exe_10.0.1058.0000000000010”. Hmmm, that’s odd.<br /> It detected a threat in memory that was downloaded from the internet and executed in memory. 🙂</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web.jpg"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3090" src="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web.jpg" alt="AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web" width="2613" height="792" srcset="https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web.jpg 2613w, https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web-300x91.jpg 300w, https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web-768x233.jpg 768w, https://adsecurity.org/wp-content/uploads/2016/08/AMSI-ThreatDetection-Report-IEX-InvokeMimikatz-From-Web-1024x310.jpg 1024w" sizes="(max-width: 2613px) 100vw, 2613px" /></a></p> <p>There are issues with Windows 10’s AMSI, though Microsoft is making great strides in providing visibility in an area traditionally missed by Anti-Virus/Anti-Malware.</p> <p>There are two primary methods of bypassing AMSI (at least for now):</p> <ul> <li><a href="https://cn33liz.blogspot.nl/2016/05/bypassing-amsi-using-powershell-5-dll.html">Provide & use a custom amsi.dll and call that one from custom EXE.</a></li> <li>Matt Graeber described how to use reflection to bypass AMSI<br /> <a 
href="https://twitter.com/mattifestation/status/735261120487772160">[Ref].Assembly.GetType(‘System.Management .Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)</a></li> </ul> <p>Though with the appropriate rights, one can simply disable AntiMalware though there are logged events relating to this activity.</p> <p>Sometimes, “malicious” PowerShell code gets through.</p> <h3><a href="https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz.jpg"><img loading="lazy" decoding="async" class="alignnone wp-image-3084" src="https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz.jpg" alt="Windows10-AMSI-Defender-Fail-InvokeMimikatz" width="650" height="440" srcset="https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz.jpg 1754w, https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz-300x203.jpg 300w, https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz-768x520.jpg 768w, https://adsecurity.org/wp-content/uploads/2016/08/Windows10-AMSI-Defender-Fail-InvokeMimikatz-1024x694.jpg 1024w" sizes="(max-width: 650px) 100vw, 650px" /></a></h3> <h3>Limiting PowerShell Capability</h3> <p>It’s not difficult to find a variety of recommendations regarding how to lock down PowerShell.<br /> These include:</p> <ol> <li>Remove PowerShell (not possible)</li> <li>Lock down PowerShell.exe (not 100% effective since PowerShell.exe is not Powershell)</li> <li>AppLocker control of PowerShell (can be effective if deployed properly)</li> <li>Constrained Language Mode</li> </ol> <p>Since PowerShell is used for system management and logon scripts (and more and more for application management as with Exchange and DSC), blocking PowerShell isn’t realistic (and again, not terribly effective).</p> <p>I prefer to configure PowerShell with Constrained language mode which locks 
down PowerShell to the core elements (no API or .NET access).</p> <h4><strong>Limiting PowerShell Attack Capability with Constrained Language Mode<br /> </strong></h4> <p>Additionally, PowerShell supports various language modes that restrict what PowerShell can do. The PowerShell Constrained Language Mode was developed to support the Surface RT tablet device, though this mode is available in PowerShell in standard Windows as well. Constrained language mode limits the capability of PowerShell to base functionality removing advanced feature support such as .Net & Windows API calls and COM access. The lack of this advanced functionality stops most PowerShell attack tools since they rely on these methods. The drawback to this approach is that in order to configured PowerShell to run in constrained mode, an environment variable must be set, either by running a command in PowerShell or via Group Policy.</p> <p>Constrained language mode is a useful interim PowerShell security measure and can mitigate many initial PowerShell attacks, though it is not a panacea. It should be considered minor mitigation method on roadmap to whitelisting. 
Keep in mind that bypassing Constrained PowerShell is possible and not all PowerShell “attack scripts” will be blocked, though the ones that use advanced functionality to reflectively load a DLL into memory, like Invoke-Mimikatz, will be blocked.
900w, https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools-300x87.png 300w, https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools-768x224.png 768w" alt="PowerShell-Security-ConstrainedPowerShell-Enabled-AttackTools" width="900" height="262" /></a></p> <p>This environment variable can be modified by an attacker once they have gained control of the system. Note that they would have to spawn a new PowerShell instance to run code in full language mode after changing the environment. These changes would be logged and could help the defender in identifying unusual activity on the system.</p> <p>Remove Constrained Language Mode:<br /> <i>Remove-Item </i><i>Env</i><i>:\__</i><i>PSLockdownPolicy</i></p> <p>Check Language Mode:<br /> <i>$</i><i>ExecutionContext.SessionState.LanguageMode</i></p> <p>Enabling PowerShell Constrained Language mode is another method that can be used to mitigate PowerShell attacks.</p> <p><strong>Update:</strong><br /> Matt Graeber continues to find ways around PowerShell barriers. Leverage AppLocker/DeviceGuard for more effective controls with Constrained Language Mode. 
Microsoft continuously improves this position as well.</p> <p><a href="https://twitter.com/mattifestation/status/921509830644269062"><img loading="lazy" decoding="async" class="alignnone wp-image-3758" src="https://adsecurity.org/wp-content/uploads/2016/08/Twitter-mattifestation-CLM.png" alt="" width="383" height="377" srcset="https://adsecurity.org/wp-content/uploads/2016/08/Twitter-mattifestation-CLM.png 1225w, https://adsecurity.org/wp-content/uploads/2016/08/Twitter-mattifestation-CLM-300x295.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/Twitter-mattifestation-CLM-768x756.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/Twitter-mattifestation-CLM-1024x1008.png 1024w" sizes="(max-width: 383px) 100vw, 383px" /></a></p> <p> </p> <p><em><strong>Pairing PowerShell v5 with AppLocker – Constrained Language Mode No Longer Easily Bypassed.</strong></em></p> <p>PowerShell v5 also supports automatic lock-down when AppLocker is deployed in “Allow” mode. Applocker Allow mode is true whitelisting and can prevent any unauthorized binary from being executed. PowerShell v5 detects when Applocker Allow mode is in effect and sets the PowerShell language to Constrained Mode, severely limiting the attack surface on the system. With Applocker in Allow mode and PowerShell running in Constrained Mode, it is not possible for an attacker to change the PowerShell language mode to full in order to run attack tools.When AppLocker is configured in “Allow Mode”, PowerShell reduces its functionality to “Constrained Mode” for interactive input and user-authored scripts. 
Constrained PowerShell only allows core PowerShell functionality and prevents execution of the extended language features often used by offensive PowerShell tools (direct .NET scripting, invocation of Win32 APIs via the Add-Type cmdlet, and interaction with COM objects).</p> <p>Note that scripts allowed by AppLocker policy such as enterprise signed code or in a trusted directory are executed in full PowerShell mode and not the Constrained PowerShell environment. This can’t be easily bypassed by an attacker, even with admin rights.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/01/PowerShellv5-Security-ConstrainedPowerShell.png" rel="attachment wp-att-2428"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-2428" src="https://adsecurity.org/wp-content/uploads/2016/01/PowerShellv5-Security-ConstrainedPowerShell.png" sizes="(max-width: 718px) 100vw, 718px" srcset="https://adsecurity.org/wp-content/uploads/2016/01/PowerShellv5-Security-ConstrainedPowerShell-300x104.png 300w, https://adsecurity.org/wp-content/uploads/2016/01/PowerShellv5-Security-ConstrainedPowerShell.png 718w" alt="PowerShellv5-Security-ConstrainedPowerShell" width="718" height="248" /></a></p> <p>If you’re really daring, lock down systems that should never use PowerShell to No Language Mods which means PowerShell is extremely limited.</p> <blockquote> <pre>NO LANGUAGE (NoLanguage) In NoLanguage language mode, users may run commands, but they cannot use any language elements.</pre> </blockquote> <p><a href="https://technet.microsoft.com/en-us/library/dn433292.aspx">About PowerShell Language Modes</a></p> <p> </p> <h4><a href="https://github.com/jaredhaight/psattack"><b>PS>Attack</b></a></h4> <p>PS>Attack is a self contained custom PowerShell console which includes many offensive PowerShell tools which calls PowerShell (System.Management.Automation.dll) through .Net. 
The PowerShell attack tools are encrypted (AV evasion) and decrypted to memory at run-time.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3067" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2.png" alt="PSAttack-Startup-2" width="583" height="503" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2.png 1164w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2-300x259.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2-768x662.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Startup-2-1024x883.png 1024w" sizes="(max-width: 583px) 100vw, 583px" /></a></p> <p>There’s also a custom build tool for ensuring every built exe is different (AV bypass).</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3028" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool.png" alt="PSAttack-BuildTool" width="630" height="611" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool.png 1801w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool-300x291.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool-768x745.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-BuildTool-1024x994.png 1024w" sizes="(max-width: 630px) 100vw, 630px" /></a></p> <p>PS>Attack includes some of the most popular PowerShell attack tools:</p> <ul> <li>Powersploit <ul> <li>Invoke-Mimikatz</li> <li>Get-GPPPassword</li> <li>Invoke-NinjaCopy</li> <li>Invoke-Shellcode</li> <li>Invoke-WMICommand</li> <li>VolumeShadowCopyTools</li> </ul> </li> <li>PowerTools</li> <li>PowerUp</li> <li>PowerView</li> <li>Nishang</li> <li>Powercat</li> <li>Inveigh</li> </ul> <p>While PS>Attack is simply one method that an 
attacker can use to leverage offensive PowerShell tools without running PowerShell.exe, it is extremely effective.</p> <p>Because PS>Attack calls PowerShell from its own exe rather than through PowerShell.exe, the executed PowerShell code bypasses constrained language mode.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode.png"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-3031" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode.png" alt="PSAttack-PowerShellConstrainedLanguageMode" width="1440" height="1560" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode.png 1440w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode-277x300.png 277w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode-768x832.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellConstrainedLanguageMode-945x1024.png 945w" sizes="(max-width: 1440px) 100vw, 1440px" /></a></p> <p>PS>Attack PowerShell code runs in the older version of the PowerShell engine, if one is available.<br /> This means that if a system has PowerShell v2 (Windows 7 & Windows Server 2008 R2), then any PowerShell code executed is not logged. 
Even if PowerShell v5 is installed with system-wide transcript or script block logging.</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3009" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog.png" alt="PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog" width="702" height="415" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog.png 1305w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog-300x177.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog-768x454.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PowerShellv5-Win7-NoLogging-PowerShellOperationalLog-1024x606.png 1024w" sizes="(max-width: 702px) 100vw, 702px" /></a></p> <p>Windows 10 provides the ability to remove the PowerShell v2.0 engine (no, this doesn’t remove PowerShell itself).</p> <p><a href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Windows10-PowerShellv2-Removed.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3020" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Windows10-PowerShellv2-Removed.png" alt="PSAttack-Windows10-PowerShellv2-Removed" width="431" height="378" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Windows10-PowerShellv2-Removed.png 899w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Windows10-PowerShellv2-Removed-300x263.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-Windows10-PowerShellv2-Removed-768x674.png 768w" sizes="(max-width: 431px) 100vw, 431px" /></a></p> <p>Once PowerShell v2 is removed from Windows 10, PS>Attack usage is clearly logged.</p> <p><a 
href="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3024" src="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02.png" alt="PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02" width="570" height="664" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02.png 1116w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02-258x300.png 258w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02-768x895.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/PSAttack-PSv5-EventID-4100-BypassExecutionPolicy-02-879x1024.png 879w" sizes="(max-width: 570px) 100vw, 570px" /></a></p> <p> </p> <p> </p> <h3><span style="text-decoration: underline;"><strong>Detecting custom EXEs calling PowerShell</strong></span></h3> <ul> <li>Event 800: HostApplication not standard Microsoft tool (PowerShell , PowerShell ISE, etc).<br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-PowerShellLog-PSAttack-MinLog.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3008" src="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-PowerShellLog-PSAttack-MinLog.png" alt="PowerShell-v5-PowerShellLog-PSAttack-MinLog" width="514" height="582" srcset="https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-PowerShellLog-PSAttack-MinLog.png 702w, https://adsecurity.org/wp-content/uploads/2016/08/PowerShell-v5-PowerShellLog-PSAttack-MinLog-265x300.png 265w" sizes="(max-width: 514px) 100vw, 514px" /></a></li> <li>Event 800: Version mismatch between HostVersion & EngineVersion (problematic).</li> <li>System.Management.Automation.dll hosted in non-standard processes.<br /> <a 
href="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3119" src="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01.png" alt="Detect-PowerShellDLL-In-Process-01" width="549" height="97" srcset="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01.png 1937w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01-300x53.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01-768x135.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-01-1024x180.png 1024w" sizes="(max-width: 549px) 100vw, 549px" /></a><br /> <a href="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02.png"><img loading="lazy" decoding="async" class="alignnone wp-image-3120" src="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02.png" alt="Detect-PowerShellDLL-In-Process-02" width="546" height="141" srcset="https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02.png 1948w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02-300x77.png 300w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02-768x198.png 768w, https://adsecurity.org/wp-content/uploads/2016/08/Detect-PowerShellDLL-In-Process-02-1024x264.png 1024w" sizes="(max-width: 546px) 100vw, 546px" /></a></li> <li>Remember that custom EXEs can natively call .Net & Windows APIs directly without PowerShell.</li> </ul> <h3><span style="text-decoration: underline;"><strong>Detecting Offensive PowerShell Tools</strong></span></h3> <p>Step one is configuring PowerShell logging:</p> <ul> <li>Deploy PowerShell v5 (or newer) and enable module logging & script block logging.</li> <li>Send the following PowerShell log event 
ids to the central logging solution: 400 & 800</li> <li>Pull the following PowerShell Operational log event ids to the central logging solution: 4100, 4103, 4104</li> <li>Configuring system-wide transcription to send a log of all activity per user, per system to a write-only share, is incredibly valuable to catch suspicious/malicious activity that can be missed or not logged to the event logs. Even better is ingesting these transcript text files into something like Splunk for further analysis.</li> </ul> <p>I have noted several required elements in most of the offensive PowerShell tools.<br /> Using the following indicators along with PowerShell module logging (preferably with script block logging), it’s possible to detect most PowerShell attack tools.<br /> Make sure you properly tune these in your environment to weed out false positives.</p> <ul> <li>AdjustTokenPrivileges</li> <li>IMAGE_NT_OPTIONAL_HDR64_MAGIC</li> <li>Management.Automation.RuntimeException</li> <li>Microsoft.Win32.UnsafeNativeMethods</li> <li>ReadProcessMemory.Invoke</li> <li>Runtime.InteropServices</li> <li>SE_PRIVILEGE_ENABLED</li> <li>System.Security.Cryptography</li> <li>System.Reflection.AssemblyName</li> <li><i>System.Runtime.</i><i>InteropServices</i></li> <li>LSA_UNICODE_STRING</li> <li>MiniDumpWriteDump</li> <li>PAGE_EXECUTE_READ</li> <li>Net.Sockets.SocketFlags</li> <li>Reflection.Assembly</li> <li>SECURITY_DELEGATION</li> <li>TOKEN_ADJUST_PRIVILEGES</li> <li>TOKEN_ALL_ACCESS</li> <li>TOKEN_ASSIGN_PRIMARY</li> <li>TOKEN_DUPLICATE</li> <li>TOKEN_ELEVATION</li> <li>TOKEN_IMPERSONATE</li> <li>TOKEN_INFORMATION_CLASS</li> <li>TOKEN_PRIVILEGES</li> <li>TOKEN_QUERY</li> <li>Metasploit</li> <li>Advapi32.dll</li> <li>kernel32.dll</li> <li>msvcrt.dll</li> <li>ntdll.dll</li> <li>secur32.dll</li> <li>user32.dll</li> </ul> <p><span style="text-decoration: underline;"><strong>Update: 2/07/2017:</strong></span></p> <p><img loading="lazy" decoding="async" class="alignnone wp-image-3544" 
src="https://adsecurity.org/wp-content/uploads/2017/02/OffensivePowerShellIndicators-20170205.jpg" alt="" width="489" height="285" srcset="https://adsecurity.org/wp-content/uploads/2017/02/OffensivePowerShellIndicators-20170205.jpg 1815w, https://adsecurity.org/wp-content/uploads/2017/02/OffensivePowerShellIndicators-20170205-300x175.jpg 300w, https://adsecurity.org/wp-content/uploads/2017/02/OffensivePowerShellIndicators-20170205-768x448.jpg 768w, https://adsecurity.org/wp-content/uploads/2017/02/OffensivePowerShellIndicators-20170205-1024x597.jpg 1024w" sizes="(max-width: 489px) 100vw, 489px" /></p> <p>Note the addition of “KerberosRequestorSecurityToken” which is the PowerShell method to request Kerberos tickets (typically used for “<a href="https://adsecurity.org/?s=kerberoasting">Kerberoasting</a>“).</p> <p> </p> <p> </p> <p> </p> <div class="tptn_counter" id="tptn_counter_2921">(Visited 88,386 times, 6 visits today)</div> </div> <ul class="entry-footer"> <li class="post-tags col-sm-8"><i class="fa fa-tags" title="Tags"></i> <span class="terms"><a class="term term-tagpost_tag term-873" href="https://adsecurity.org/?tag=bypass-powershell-executionpolicy">Bypass PowerShell ExecutionPolicy</a>, <a class="term term-tagpost_tag term-977" href="https://adsecurity.org/?tag=bypass-powershell-security">bypass PowerShell security</a>, <a class="term term-tagpost_tag term-998" href="https://adsecurity.org/?tag=constrained-language-mode">constrained language mode</a>, <a class="term term-tagpost_tag term-880" href="https://adsecurity.org/?tag=detect-invoke-mimikatz">Detect Invoke-Mimikatz</a>, <a class="term term-tagpost_tag term-881" href="https://adsecurity.org/?tag=detect-offensive-powershell">Detect offensive PowerShell</a>, <a class="term term-tagpost_tag term-882" href="https://adsecurity.org/?tag=detect-powershell-attack-tools">detect PowerShell attack tools</a>, <a class="term term-tagpost_tag term-996" 
href="https://adsecurity.org/?tag=powershell-gpo">PowerShell GPO</a>, <a class="term term-tagpost_tag term-876" href="https://adsecurity.org/?tag=powershell-logging-group-policy">PowerShell Logging Group Policy</a>, <a class="term term-tagpost_tag term-869" href="https://adsecurity.org/?tag=powershell-mimikatz">PowerShell Mimikatz</a>, <a class="term term-tagpost_tag term-864" href="https://adsecurity.org/?tag=powershell-exe">PowerShell.exe</a>, <a class="term term-tagpost_tag term-143" href="https://adsecurity.org/?tag=powershellattack">PowerShellAttack</a>, <a class="term term-tagpost_tag term-863" href="https://adsecurity.org/?tag=powershelllogging">PowershellLogging</a>, <a class="term term-tagpost_tag term-867" href="https://adsecurity.org/?tag=powershellmafia">PowerShellMafia</a>, <a class="term term-tagpost_tag term-788" href="https://adsecurity.org/?tag=powershellsecurity">PowerShellSecurity</a>, <a class="term term-tagpost_tag term-69" href="https://adsecurity.org/?tag=powershellv5">PowerShellv5</a>, <a class="term term-tagpost_tag term-232" href="https://adsecurity.org/?tag=powersploit">PowerSploit</a>, <a class="term term-tagpost_tag term-965" href="https://adsecurity.org/?tag=powerup">PowerUp</a>, <a class="term term-tagpost_tag term-696" href="https://adsecurity.org/?tag=powerview">PowerView</a>, <a class="term term-tagpost_tag term-862" href="https://adsecurity.org/?tag=script-block-logging">script block logging</a>, <a class="term term-tagpost_tag term-858" href="https://adsecurity.org/?tag=system-wide-transcript">System-wide transcript</a>, <a class="term term-tagpost_tag term-870" href="https://adsecurity.org/?tag=system-management-automation-dll">System.Management.Automation.dll</a>, <a class="term term-tagpost_tag term-494" href="https://adsecurity.org/?tag=windows10">Windows10</a></span></li> <li class="addthis col-sm-8"><div class="add-this"></div></li> </ul> </div> </div> <div class="entry-author"> <div class="row"> <div class="author-avatar 
col-sm-3"> <a href="https://adsecurity.org/?author=2" rel="author"> <img alt='' src='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=200&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/1f3ad5e878e5d0e6096c5a33718a04d0?s=400&d=mm&r=g 2x' class='avatar avatar-200 photo' height='200' width='200' loading='lazy' decoding='async'/> </a> </div> <div class="author-bio col-sm-9"> <h3 class="section-title-sm">Sean Metcalf</h3> <p>I improve security for enterprises around the world working for TrimarcSecurity.com<br /> Read the About page (top left) for information about me. :)<br /> https://adsecurity.org/?page_id=8</p> <ul class="author-social"> <li><a href="mailto:sean@adsecurity.org"><i class="fa fa-envelope-o"></i></a></li> </ul> </div> </div> </div> <div id="comments" class="clearfix no-ping"> <h4 class="comments current"> <i class="fa fa-comments-o"></i> 2 comments </h4> <div class="comments-list-wrapper"> <ol class="clearfix comments-list" id="comments_list"> <li id="comment-10757" class="comment even thread-even depth-1 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/6d2a9d9e1c18fafff20abfb86f9811cb?s=50&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/6d2a9d9e1c18fafff20abfb86f9811cb?s=100&d=mm&r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author">Avi Ron</span> on <span class="comment-date">August 15, 2016 <span class="time">at 10:57 am</span></span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=2921#comment-10757">#</a></li> </ul> <div class="comment-entry"> <p>Thank you for a great post.<br /> I’ve been following the progress on PS research as an attack tools. With so many readily available tools, I wonder why malware authors don’t use it more frequently. 
File-less malware sounds like a great idea, but only a few samples are known.<br /> Do you have a theory about this?</p> </div> </div> </div> <ol class="children"> <li id="comment-10759" class="comment byuser comment-author-seanmetcalf bypostauthor odd alt depth-2 comment"> <div class="row"> <div class="comment-wrap col-md-12"> <ul class="comment-meta"> <li class="comment-avatar"><img alt='' src='https://secure.gravatar.com/avatar/843fd885d49f892c4bc60ed0f9eef40b?s=50&d=mm&r=g' srcset='https://secure.gravatar.com/avatar/843fd885d49f892c4bc60ed0f9eef40b?s=100&d=mm&r=g 2x' class='avatar avatar-50 photo' height='50' width='50' loading='lazy' decoding='async'/></li> <li class="comment-attr"><span class="comment-author"><a href="https://ADSecurity.org" rel="external">Sean Metcalf</a></span> on <span class="comment-date">August 15, 2016 <span class="time">at 7:54 pm</span></span><br /><span class="label label-primary author-cred">Author</span></li> <li class="single-comment-link"><a href="https://adsecurity.org/?p=2921#comment-10759">#</a></li> </ul> <div class="comment-entry"> <p>Not really. Attackers (and ransomware) use what works: WSH, Java, Javascript, VBscript, etc.<br /> Fileless malware is nice, but it still needs something to call it (which often can be identified). It’s a cat & mouse game. 
🙂</p> </div> </div> </div> </li><!-- #comment-## --> </ol><!-- .children --> </li><!-- #comment-## --> </ol> </div> </div> <div id="respond"> <h3 id="reply-title"><i class="fa fa-comment-o"></i> Comments have been disabled.</h3> </div> </div><!-- #content-main --> <div id="sidebar1" class="sidebar sidebar-right widget-area col-md-4"> <div id="recent-posts-4" class="sidebar-wrap widget_recent_entries"> <h3>Recent Posts</h3> <ul> <li> <a href="https://adsecurity.org/?p=4436">BSides Dublin – The Current State of Microsoft Identity Security: Common Security Issues and Misconfigurations – Sean Metcalf</a> </li> <li> <a href="https://adsecurity.org/?p=4434">DEFCON 2017: Transcript – Hacking the Cloud</a> </li> <li> <a href="https://adsecurity.org/?p=4432">Detecting the Elusive: Active Directory Threat Hunting</a> </li> <li> <a href="https://adsecurity.org/?p=4430">Detecting Kerberoasting Activity</a> </li> <li> <a href="https://adsecurity.org/?p=4428">Detecting Password Spraying with Security Event Auditing</a> </li> </ul> </div><div id="text-3" class="sidebar-wrap widget_text"><h3>Trimarc Active Directory Security Services</h3> <div class="textwidget">Have concerns about your Active Directory environment? Trimarc helps enterprises improve their security posture. 
Module</a></li></ul></div><div id="archives-2" class="sidebar-wrap widget_archive"><h3>Archives</h3> <ul> <li><a href='https://adsecurity.org/?m=202406'>June 2024</a></li> <li><a href='https://adsecurity.org/?m=202405'>May 2024</a></li> <li><a href='https://adsecurity.org/?m=202005'>May 2020</a></li> <li><a href='https://adsecurity.org/?m=202001'>January 2020</a></li> <li><a href='https://adsecurity.org/?m=201908'>August 2019</a></li> <li><a href='https://adsecurity.org/?m=201903'>March 2019</a></li> <li><a href='https://adsecurity.org/?m=201902'>February 2019</a></li> <li><a href='https://adsecurity.org/?m=201810'>October 2018</a></li> <li><a href='https://adsecurity.org/?m=201808'>August 2018</a></li> <li><a href='https://adsecurity.org/?m=201805'>May 2018</a></li> <li><a href='https://adsecurity.org/?m=201801'>January 2018</a></li> <li><a href='https://adsecurity.org/?m=201711'>November 2017</a></li> <li><a href='https://adsecurity.org/?m=201708'>August 2017</a></li> <li><a href='https://adsecurity.org/?m=201706'>June 2017</a></li> <li><a href='https://adsecurity.org/?m=201705'>May 2017</a></li> <li><a href='https://adsecurity.org/?m=201702'>February 2017</a></li> <li><a href='https://adsecurity.org/?m=201701'>January 2017</a></li> <li><a href='https://adsecurity.org/?m=201611'>November 2016</a></li> <li><a href='https://adsecurity.org/?m=201610'>October 2016</a></li> <li><a href='https://adsecurity.org/?m=201609'>September 2016</a></li> <li><a href='https://adsecurity.org/?m=201608'>August 2016</a></li> <li><a href='https://adsecurity.org/?m=201607'>July 2016</a></li> <li><a href='https://adsecurity.org/?m=201606'>June 2016</a></li> <li><a href='https://adsecurity.org/?m=201604'>April 2016</a></li> <li><a href='https://adsecurity.org/?m=201603'>March 2016</a></li> <li><a href='https://adsecurity.org/?m=201602'>February 2016</a></li> <li><a href='https://adsecurity.org/?m=201601'>January 2016</a></li> <li><a href='https://adsecurity.org/?m=201512'>December 
2015</a></li> <li><a href='https://adsecurity.org/?m=201511'>November 2015</a></li> <li><a href='https://adsecurity.org/?m=201510'>October 2015</a></li> <li><a href='https://adsecurity.org/?m=201509'>September 2015</a></li> <li><a href='https://adsecurity.org/?m=201508'>August 2015</a></li> <li><a href='https://adsecurity.org/?m=201507'>July 2015</a></li> <li><a href='https://adsecurity.org/?m=201506'>June 2015</a></li> <li><a href='https://adsecurity.org/?m=201505'>May 2015</a></li> <li><a href='https://adsecurity.org/?m=201504'>April 2015</a></li> <li><a href='https://adsecurity.org/?m=201503'>March 2015</a></li> <li><a href='https://adsecurity.org/?m=201502'>February 2015</a></li> <li><a href='https://adsecurity.org/?m=201501'>January 2015</a></li> <li><a href='https://adsecurity.org/?m=201412'>December 2014</a></li> <li><a href='https://adsecurity.org/?m=201411'>November 2014</a></li> <li><a href='https://adsecurity.org/?m=201410'>October 2014</a></li> <li><a href='https://adsecurity.org/?m=201409'>September 2014</a></li> <li><a href='https://adsecurity.org/?m=201408'>August 2014</a></li> <li><a href='https://adsecurity.org/?m=201407'>July 2014</a></li> <li><a href='https://adsecurity.org/?m=201406'>June 2014</a></li> <li><a href='https://adsecurity.org/?m=201405'>May 2014</a></li> <li><a href='https://adsecurity.org/?m=201404'>April 2014</a></li> <li><a href='https://adsecurity.org/?m=201403'>March 2014</a></li> <li><a href='https://adsecurity.org/?m=201402'>February 2014</a></li> <li><a href='https://adsecurity.org/?m=201307'>July 2013</a></li> <li><a href='https://adsecurity.org/?m=201211'>November 2012</a></li> <li><a href='https://adsecurity.org/?m=201203'>March 2012</a></li> <li><a href='https://adsecurity.org/?m=201202'>February 2012</a></li> </ul> </div><div id="categories-2" class="sidebar-wrap widget_categories"><h3>Categories</h3> <ul> <li class="cat-item cat-item-565"><a href="https://adsecurity.org/?cat=565">ActiveDirectorySecurity</a> </li> <li 
class="cat-item cat-item-55"><a href="https://adsecurity.org/?cat=55">Apple Security</a> </li> <li class="cat-item cat-item-431"><a href="https://adsecurity.org/?cat=431">Cloud Security</a> </li> <li class="cat-item cat-item-17"><a href="https://adsecurity.org/?cat=17">Continuing Education</a> </li> <li class="cat-item cat-item-396"><a href="https://adsecurity.org/?cat=396">Entertainment</a> </li> <li class="cat-item cat-item-347"><a href="https://adsecurity.org/?cat=347">Exploit</a> </li> <li class="cat-item cat-item-1039"><a href="https://adsecurity.org/?cat=1039">Hacking</a> </li> <li class="cat-item cat-item-168"><a href="https://adsecurity.org/?cat=168">Hardware Security</a> </li> <li class="cat-item cat-item-172"><a href="https://adsecurity.org/?cat=172">Hypervisor Security</a> </li> <li class="cat-item cat-item-126"><a href="https://adsecurity.org/?cat=126">Linux/Unix Security</a> </li> <li class="cat-item cat-item-343"><a href="https://adsecurity.org/?cat=343">Malware</a> </li> <li class="cat-item cat-item-11"><a href="https://adsecurity.org/?cat=11">Microsoft Security</a> </li> <li class="cat-item cat-item-819"><a href="https://adsecurity.org/?cat=819">Mitigation</a> </li> <li class="cat-item cat-item-48"><a href="https://adsecurity.org/?cat=48">Network/System Security</a> </li> <li class="cat-item cat-item-7"><a href="https://adsecurity.org/?cat=7">PowerShell</a> </li> <li class="cat-item cat-item-698"><a href="https://adsecurity.org/?cat=698">RealWorld</a> </li> <li class="cat-item cat-item-21"><a href="https://adsecurity.org/?cat=21">Security</a> </li> <li class="cat-item cat-item-234"><a href="https://adsecurity.org/?cat=234">Security Conference Presentation/Video</a> </li> <li class="cat-item cat-item-1045"><a href="https://adsecurity.org/?cat=1045">Security Recommendation</a> </li> <li class="cat-item cat-item-24"><a href="https://adsecurity.org/?cat=24">Technical Article</a> </li> <li class="cat-item cat-item-4"><a 
href="https://adsecurity.org/?cat=4">Technical Reading</a> </li> <li class="cat-item cat-item-2"><a href="https://adsecurity.org/?cat=2">Technical Reference</a> </li> <li class="cat-item cat-item-156"><a href="https://adsecurity.org/?cat=156">TheCloud</a> </li> <li class="cat-item cat-item-930"><a href="https://adsecurity.org/?cat=930">Vulnerability</a> </li> </ul> </div><div id="meta-2" class="sidebar-wrap widget_meta"><h3>Meta</h3> <ul> <li><a href="https://adsecurity.org/wp-login.php">Log in</a></li> <li><a href="https://adsecurity.org/?feed=rss2">Entries feed</a></li> <li><a href="https://adsecurity.org/?feed=comments-rss2">Comments feed</a></li> <li><a href="https://wordpress.org/">WordPress.org</a></li> </ul> </div> </div><!-- #sidebar1 --> </div><!-- #content --> <div id="sidebar_bottom" class="sidebar widget-area row footer-widget-col-3"> <div id="text-2" class="sidebar-wrap widget_text col-sm-4"><h3>Copyright</h3> <div class="textwidget">Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2020.</div> </div> </div> <div id="footer" class="row default-footer"> <div class="copyright-developer"> <div id="copyright"> <p>Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. 
</p> </div> <div id="developer"> <p> Made with <i class="fa fa-heart"></i> by <a href="https://www.graphene-theme.com/" rel="nofollow">Graphene Themes</a>. </p> </div> </div> </div><!-- #footer --> </div><!-- #container --> <!-- Start of StatCounter Code --> <script> <!-- var sc_project=10100711; var sc_security="4b306538"; var sc_invisible=1; var scJsHost = (("https:" == document.location.protocol) ? "https://secure." : "http://www."); //--> </script> <script type="text/javascript" src="https://secure.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="web analytics" href="https://statcounter.com/"><img class="statcounter" src="https://c.statcounter.com/10100711/0/4b306538/1/" alt="web analytics" /></a></div></noscript> <!-- End of StatCounter Code --> <a href="#" id="back-to-top" title="Back to top"><i class="fa fa-chevron-up"></i></a> <script type="text/javascript" id="tptn_tracker-js-extra"> /* <![CDATA[ */ var ajax_tptn_tracker = {"ajax_url":"https:\/\/adsecurity.org\/wp-admin\/admin-ajax.php","top_ten_id":"2921","top_ten_blog_id":"1","activate_counter":"11","top_ten_debug":"0","tptn_rnd":"99356865"}; /* ]]> */ </script> <script type="text/javascript" src="https://adsecurity.org/wp-content/plugins/top-10/includes/js/top-10-tracker.min.js?ver=1.0" id="tptn_tracker-js"></script> <script defer type="text/javascript" src="https://adsecurity.org/wp-includes/js/comment-reply.min.js?ver=6.5.5" id="comment-reply-js" async="async" data-wp-strategy="async"></script> </body> </html>