I am still overwhelmed by the amazing and super positive response from my presentation at this year’s inaugural CrikeyCon. I really didn’t expect anywhere near the reaction from those who attended; it has taken the last few days for everything to really sink in. I never expected people to be so amazed by the lateral movement capabilities of PowerShell combined with WinRM. I expected some to be shocked, but not as many as I did.
As requested, you can find the slide deck here, and the GitHub code is available here. If you take a look through my GitHub repositories, you will notice how much PowerShell code I normally write, and you can also see the previous version of the same code.
I have to admit, there are two minor inaccuracies in my presentation. One makes things better, the other makes things much, much worse.
1. In the slides I stated that “WinRM is enabled by DEFAULT on domain 2012(R1/R2) joined servers”. I gathered this from Microsoft, but upon further investigation, this link from Microsoft actually states the situation is much worse: “In Windows Server 2012 R2 and Windows Server 2012, remote management is enabled by default.”
2. During question time, I said that installing the Windows Remote Management 4.0 bundle onto Windows 2008 (R1/2) servers will enable WinRM for domain joined systems. I currently don’t believe this to be true; there doesn’t seem to be any confirmation from Microsoft. I am still testing in my lab and will let you all know.
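If you want to check the “enabled by default” claim from point 1 against your own 2012/2012 R2 servers, here is a read-only audit script I have added to this post (it is not from the presentation or the GitHub repository). It assumes an elevated PowerShell 3.0+ session on the server being checked and uses only built-in cmdlets; the hypothetical function name Get-WinRMExposure is mine.

```powershell
# Added example (not from the original post): a read-only audit of this host's
# WinRM exposure, for checking the 2012/2012 R2 "enabled by default" claim
# on your own servers. Run in an elevated PowerShell session (PS 3.0+).

function Get-WinRMExposure {
    # Service state via WMI so the script works on the PowerShell 3.0 that
    # ships with Server 2012 (Get-Service lacks StartType there).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'"

    $report = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        ServiceStartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        Listeners        = @()
        AllowUnencrypted = $null
        BasicAuth        = $null
        FirewallRules    = @()
    }

    # Listener and service settings are read through the WinRM service itself;
    # if it is stopped these calls fail and the fields stay empty.
    try {
        $report.Listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            ForEach-Object { '{0}:{1} ({2}, enabled={3})' -f $_.Address, $_.Port, $_.Transport, $_.Enabled })
        $report.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        $report.BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    } catch {
        Write-Warning "WinRM configuration not readable: $($_.Exception.Message)"
    }

    # Inbound firewall rules that expose the listener (Server 2012+ cmdlet).
    $report.FirewallRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object { '{0} [{1}] enabled={2}' -f $_.DisplayName, $_.Profile, $_.Enabled })

    [pscustomobject]$report
}

$exposure = Get-WinRMExposure
$exposure | Format-List

# Flag the combination the talk was about: the service is running and has at
# least one listener, so the host is remotely manageable over WinRM.
if ($exposure.ServiceState -eq 'Running' -and $exposure.Listeners.Count -gt 0) {
    Write-Host "WinRM is listening on $($exposure.ComputerName); confirm this host is meant to be remotely managed." -ForegroundColor Yellow
}
```

Run it across a sample of domain joined servers (for example via a scheduled task that writes the output to a share) and compare the results with the list of hosts you actually intend to manage remotely.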
I am currently working on an extended video of my presentation, in which I will go into more detail around each of the issues and will show the code in detail as well. I am also planning on writing a paper which will discuss using PowerShell and WinRM for lateral movement, possible attack vectors as well as strategies to protect your environment. Once these have been completed, I will let you all know.
I would really like to thank Ash and Wade for convincing me to speak and for organising CrikeyCon as well as Patrick over at Risky.biz for being an excellent MC.
Lastly, sorry for the lame title for this post.