Abusing Windows with PowerShell and Microsoft debuggers in user-land and kernel-land, presented at BSidesDC 2016

by Pierre-Alexandre Braeken

Summary: PowerMemory is a post-exploitation tool and an Active Directory reconnaissance tool. It evades antivirus products through the way it works internally (it relies only on trusted, signed tools); it retrieves credential information and manipulates memory to get shellcode executed and to modify processes in memory.
Today PowerShell is everywhere and, just as it helps system administrators accomplish their tasks, it is also a very useful tool for attackers when it comes to exploiting a corporate environment. The other component for attacking a corporate environment can be another seemingly innocent tool: a Microsoft debugger. The debugger gives us access to everything in user-land and kernel-land.
Many tools that abuse Windows reach memory through Windows APIs and, where necessary, through kernel drivers. But abusing user-land and kernel-land does not stop there: the operating system can also be abused by reading and writing its memory with simple, trusted tools, namely debuggers. Why use a debugger for this?
Because we chose Microsoft's own debuggers, which are signed by Microsoft (SHA-1/SHA-256 code-signing certificates) and are therefore trusted.
To automate the attacks we use PowerShell, because it is installed on every corporate computer. As the method does not rely on Windows API reflection, this kind of attack can become very hard to detect and mitigate. With such simple tools we will demonstrate that a lot can be done. As far as I know, this attack approach is different because it uses only a Microsoft debugger and PowerShell to succeed. Mimikatz and WCE already reveal passwords, but I was not able to find tools that use this approach. Also, the Pass-The-Token attack is not documented and could be a very easy and effective attack: simply with a Microsoft debugger, it is possible to impersonate the identity of any process. How deep can we dig into memory with no help other than the debugger?
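As an added illustration of the approach described above (this is example code written for this page, not PowerMemory's own code), the script below drives cdb.exe, the console version of the Microsoft debugger, from PowerShell to read the memory of a running process without calling any Windows API directly or reflecting into one. The install path of cdb.exe, the target process (notepad.exe) and the byte count are assumptions; the `-pv` (non-invasive attach), `-p`, `-c` switches and the `db`/`qd` commands are standard cdb options.

```powershell
# Added example, not part of the PowerMemory project: script cdb.exe from
# PowerShell to read process memory. Assumed: Debugging Tools for Windows are
# installed at $CdbPath and a notepad.exe process is running.
$CdbPath = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'

function Invoke-CdbCommand {
    # Attach non-invasively (-pv) to $ProcessId, run one debugger command via
    # -c, then detach (qd). Returns the raw debugger output as lines of text.
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$Command
    )
    if (-not (Test-Path $CdbPath)) { throw "cdb.exe not found at $CdbPath" }
    & $CdbPath -pv -p $ProcessId -c "$Command; qd" 2>&1
}

function Read-ProcessMemory {
    # Read $Length bytes at $Address (any cdb address expression, e.g. a module
    # name, which cdb resolves to that module's base) and return them as [byte[]].
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [Parameter(Mandatory)][string]$Address,
        [int]$Length = 16
    )
    $lines = Invoke-CdbCommand -ProcessId $ProcessId -Command "db $Address L$Length"
    # 'db' prints lines shaped like:
    #   00007ff7`5a1f0000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ......
    # Bytes that cannot be read are shown as '??'. Keep only the hex columns.
    $pattern = '^\s*[0-9a-fA-F`]+\s{2}((?:(?:[0-9a-fA-F]{2}|\?\?)[ -]?)+)\s{2}'
    $bytes = foreach ($line in $lines) {
        if ($line -match $pattern) {
            foreach ($tok in ($Matches[1] -split '[ -]' | Where-Object { $_ })) {
                if ($tok -eq '??') { throw "Unreadable memory at $Address" }
                [Convert]::ToByte($tok, 16)
            }
        }
    }
    return [byte[]]$bytes
}

# Usage (assumed target: a running notepad.exe): read the first 16 bytes of the
# image base, which should start with the PE 'MZ' signature (0x4D 0x5A).
$np  = Get-Process notepad -ErrorAction Stop | Select-Object -First 1
$hdr = Read-ProcessMemory -ProcessId $np.Id -Address 'notepad' -Length 16
if ($hdr.Count -ge 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
    "Read PE header of PID $($np.Id) through cdb: " + (($hdr | ForEach-Object { '{0:x2}' -f $_ }) -join ' ')
} else {
    'Unexpected bytes; check that cdb attached and resolved the module name'
}
```

Two practitioner notes: a non-invasive attach is read-only, so writing memory (cdb's `e*` commands, as the abstract's "reading and writing" implies) needs a full attach, and attaching to lsass.exe requires SeDebugPrivilege and fails outright when LSA runs as a protected process (RunAsPPL). On the defensive side, the debugger still has to open a handle to the target, so process-access telemetry (for example Sysmon Event ID 10 with cdb.exe, windbg.exe or kd.exe as the source image) is where this activity surfaces even though no API is called from PowerShell itself.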
Keywords: debugger attack, offensive PowerShell automation, Pass-The-Token attack, kernel security, process injection