Tag Archives: Powershell

Persistence via Creating a Windows Service

In this scenario, we assumed that we have a reverse shell to the victim’s machine and want persistence on the machine. For this, we will use Windows services.

First, we start with creating a malicious .exe file called mal.exe with msfvenom.

With this payload, we will be able to create a service running our malicious executable.

As the second step, I need to download it to the victim’s machine. For this, I create a web server on my Kali and run the command below in the victim’s machine;

This command can download anything with powershell. As you can see, I run it with my first reverse shell on the victim.

Now, I need to create a Windows service for persistence, using my mal.exe file. So when this service run, mal.exe file will execute on the machine;

After creating the service called MalService, I started it with the second command above.

While I am listening port 4445, when I started the MalService on the victim’s machine, I got the reverse shell as you can see below;

Windows Defender may block it as Trojan:Win64/Meterpreter.E so it is important to make tests according to victim’s antivirus or EDR before running.

Importing Module in Powershell

Modules are typically work in Powershell directly. “Get-Module” command can be used to see imported modules.

“Get-Module -ListAvailable” command show the modules available.

For the additional modules we want to use, we should import them first. Once we import the module, we can use its all commands anymore. We will add PowerSploit as example. PowerSploit project is a project no longer supported but sometimes we may want to use its capabilities. For importing, we firstly download the package from here. After downloading the module, we need to copy it to one of the module folders in PC. There are different module locations and we can see them with “$Env:PSModulePath” command.

We create a folder called PowerSploit and copy all files here from the downloaded package.

“Import-Module PowerSploit” command will install the module and all its commands will be available for us to use.

“Get-Command -Module PowerSploit” command can list all commands of this module.

“Get-Help <command>” command will show you the usage of the commands.

Zone Identifier Commands

With Zone Identifier, we can say whether a file downloaded from internet or not.

A file with zone.identifier extension is an ADS (Alternate Data Stream) file that contains information about another file. It describes the security zone for the file. Zone identifier files are generated by Internet Explorer and Outlook when saving files to a Windows operating system. These files are normally hidden and cannot be opened directly.

Via powershell, we can find Zone Identifiers of a file;

PS C:\Progs\Forensics> Get-Content -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream zone.identifier

PS C:\Progs\Forensics> Get-Item -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream *

How To Remove Zone Identifier

For several reasons, you may choose to delete zone.identifiers. It is very easy to do it. Just right click the file and click “Unblock” tick in “Properties > General” menu.

If you want to remove multiple files, it is still easy. Just navigate to folder including files you want to remove with Powershell and type;

dir .* | Unblock-File

This will clear zone identifier from this folder.

C&C with Empire – A Mitre Att&ck T1071 and T1086 Demo

.. a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. It premiered at BSidesLV in 2015.
ReadMe file of Empire 

Empire is a publicly available post-exploitation framework used by nation state threat actors and red teams. This demo is about gaining C&C and associated to MITRE ATT&CK (r) Tactic: Command and Control and Technique: T1086, T1071.

It is important to install Empire with this command to use all functions of it;

        git clone https://github.com/BC-SECURITY/Empire

After installing Empire, we are creating a listener on port 80. I am using Ubuntu for this demo.

After enabling listener, we must use a stager. Here, we are using a batch stager;

With executing the commands above, a malicious batch file has been created in /tmp/ folder. When the victim executed this file in his/her machine, we get a session. With the “agents” command, we can see active sessions like below. Then with the “interact <agent id>” command, we can get the C&C connection to the victim. 

Empire is a good and fast framework for C&C. But if we do not make obfuscation, it is very possible to detect these processes for defense teams. In EventViewer, we can find logs of the malicious behaviors;

For defense, it is important to use an EDR solution on endpoint machine. You can find here is my EDR Choosing Guide post. 

Credential Dumping – Attack and Defense Techniques (MITRE ATT&CK T1003)

Credential Dumping

As MITRE says on its website, adversaries dump credentials to obtain login credentials to perform lateral movement when they got access to a computer. Several tools and techniques may be used to dump credentials of a computer. Here, I will try to show two different credential dumping techniques and prevention of it using FireEye’s Endpoint Security product, as a quick demo.


Before demo, I wanna give a short brief about lsass. LSA (Local Security Authority) is a process that authenticates user to computer. It checks SAM (Security Accounts Manager) database to validate user information. LSASS.exe (Local Security Authority Subsystem Service) is the process that is responsible for enforcing the local security policy on the system. If someone can dump lsass on the computer and get this dump file, it means the users’ credentials are stolen because lsass stores the credentials as clear text. 

FireEye HX Process Guard

HX is the Endpoint Security producth of FireEye as you know already. I will not explain what it is and what it does here but typically it is an EDR solution with AV and some other prevention modules also. I wanted to try its Process Guard module, basically blocking attackers to dump lsass process. 

“The Process Guard Module for FireEye Endpoint Security prevents attackers from obtaining access to credential data or key material stored within the lsass.exe process, thus protecting endpoints against common credential theft attacks” says FireEye about Process Guard. 

Here, I will try to show some dump techniques to dump lsass and how Process Guard preventing it. This techniques are associated to MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003

Credential Dumping with comsvcs.dll

comsvcs.dll is a part of Windows OS. It is a system file and hidden. It is found in \Windows\System32 and can call minidump with rundll32.exe, so it can be used to dump credentials via lsass.exe process. 

Firstly, process ID of lsass.exe process must be identified;

Then, the command below will dump the lsass;

A file about 48MBs being created with this process;

Now, it is time to use Mimikatz and get the passwords as clear text or hashes of the passwords (depends on the OS);

As you can see, it is very easy to get the credentials of the user of a compromised computer, if you do not prevent lsass.exe process against malicious behaviours. Now, I will try to prevent it using FireEye HX’s Process Guard module. For this, I enable Process Guard module on my computer’s policy;

lsass dump command again;

After that, when I check the created dump file, I can see a 0MB sized file has been created;

When I check Process Guard module in HX’s console, I can see HX has detected this behavior done by PowerShell;

Credential Dump with ProcDump

ProcDump is a Sysinternals tool used to generate memory dumps of applications. After disabled Process Guard module on HX again, I try to dump lsass using ProcDump;

A 48MBs sized file has been created;

Again Mimikatz and get the passwords or hashes (depends on the OS);

Then, let’s try again after enabling Process Guard. I try ProcDump again, but this time Process Guard is enabled;

It got error while creating the file and could not create any dump file. 
NOTE 1: This tests are done while Antivirus of HX is disabled. Otherwise, AV would block and delete or quarantine Mimikatz. This is an alarm of this behavior;

NOTE 2: Even if you do not enable Process Guard and Antivirus at the same time, HX generates an IOC alert for these attacks. The IOC says us “-ma” command is being used with “lsass.exe” on cmd. This attack and IOC are associated to MITRE ATT&CK (r) Tactic: Credential Access and Technique: T1003

wget with Powershell

 function global:wget($Address, [switch]$NoCache)
 $client = New-Object Net.WebClient
 $proxy = New-object System.Net.WebProxy “”
 $proxy.Credentials = New-Object System.Net.NetworkCredential (“DOMAIN\user”, “password”
$Client.Headers.Add(“user-agent”, “Windows Powershell WebClient Header”
if ($NoCache) {
# doesn’t use the cache at all
$client.CachePolicy = New-Object Net.Cache.RequestCachePolicy([Net.Cache.RequestCacheLevel]::NoCacheNoStore)
wget -Address http://www.be4sec.com&#8221; -NoCache