Two of the biggest challenges of long-term penetration tests are advanced security products and active administrators. Host intrusion prevention, application white-listing and antivirus software are all looking for your tools. Administrators and network defenders are doing everything they can to find you. Surprisingly, the easiest way to hide from them and homestead in a Windows enterprise is to live off the land. Microsoft provides you with all the tools you need to get into a network and live there forever. Tools such as Wmic, Netsh and PowerShell are well-known to administrators, but they also provide an attacker a whole range of virtually untapped features. By simply leveraging PowerSploit and a few tricks you can reliably bypass antivirus, get around whitelisting, escalate privileges, redirect network traffic, take full packet captures, log keystrokes, take screenshots, dump hashes, persist and pivot to other hosts all without introducing a single binary!
“Chris Campbell (obscuresec) is a security researcher and former operator on the US Army Red Team. He contributes to the PowerSploit project, has presented at BlackHat, Derbycon, BsidesLV, BsidesPR and Shmoocon Firetalks. Chris holds a Master of Science and a multitude of certifications that he would prefer not to have held against him.
Matt Graeber is a security researcher who, in his spare time, has made a hobby out of pushing PowerShell/.NET to its limits as an attack platform. He has an alphabet soup of certifications which ultimately have no relevance to his infosec career. Matt is a former U.S. Navy Chinese linguist and previously worked for a government red team. He also has an overt disdain for those with inflated egos in the infosec field and believes that everyone, regardless of their experience has something worthwhile to contribute to the community.”