Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation

DerbyCon 3.0 - All In The Family

Presented by: Christopher Campbell, Matthew Graeber
Date: Saturday September 28, 2013
Time: 18:00 - 18:50
Location: Track 1
Track: Break Me

Two of the biggest challenges of long-term penetration tests are advanced security products and active administrators. Host intrusion prevention, application white-listing and antivirus software are all looking for your tools. Administrators and network defenders are doing everything they can to find you. Surprisingly, the easiest way to hide from them and homestead in a Windows enterprise is to live off the land. Microsoft provides you with all the tools you need to get into a network and live there forever. Tools such as Wmic, Netsh and PowerShell are well-known to administrators, but they also provide an attacker a whole range of virtually untapped features. By simply leveraging PowerSploit and a few tricks you can reliably bypass antivirus, get around whitelisting, escalate privileges, redirect network traffic, take full packet captures, log keystrokes, take screenshots, dump hashes, persist and pivot to other hosts all without introducing a single binary!

Christopher Campbell

“Chris Campbell (obscuresec) is a security researcher and former operator on the US Army Red Team. He contributes to the PowerSploit project, has presented at BlackHat, Derbycon, BsidesLV, BsidesPR and Shmoocon Firetalks. Chris holds a Master of Science and a multitude of certifications that he would prefer not to have held against him.

Matthew Graeber

Matt Graeber is a security researcher who, in his spare time, has made a hobby out of pushing PowerShell/.NET to its limits as an attack platform. He has an alphabet soup of certifications which ultimately have no relevance to his infosec career. Matt is a former U.S. Navy Chinese linguist and previously worked for a government red team. He also has an overt disdain for those with inflated egos in the infosec field and believes that everyone, regardless of their experience has something worthwhile to contribute to the community.”


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats