►
Description
In this video from the Research Triangle PowerShell User Group, I_Am_Jakoby joins us to show how hackers look at computer systems differently and use PowerShell to exploit them. He’ll demonstrate techniques used to infiltrate computer networks and highlight things sysadmins can look for to protect their companies’ systems, users, and data.
Follow I_Am_Jakoby on Twitter: https://twitter.com/I_Am_Jakoby Check out I_Am_Jakoby’s GitHub: https://github.com/I-Am-Jakoby Join the Research Triangle PowerShell User Group on Meetup: https://www.meetup.com/Research-Triangle-PowerShell-Users-Group/ Visit the Research Triangle PowerShell User Group website: https://github.com/rtpsug
A
Hey
everybody
and
welcome
to
another
meeting
of
the
Research
Triangle
Powershell
users
group.
Tonight
we
are
excited
to
welcome
in
Jacoby
May,
and
many
of
you
may
know
him
as
I
am
Jacoby
online
he's
getting
quite
a
popularity
of
following
lately
if,
as
a
as
a
ethical
hacker,
who's
done
some
really
fantastic
things
in
the
community
and
we're
excited
to
have
him
sharing
with
us
tonight.
So
first
off,
let's
say:
welcome.
How
are
you
tonight,
sir
I'm.
B
A
B
Okay,
so
basically
can
all
boil
down
to
one
thing,
so
we
all
use
Powershell
use,
Powershell
I
apologize
with
different
angles
in
mind,
but
for
someone
like
me,
Powershell
is
referred
to
something
as
a
low
bin,
which
is
a
living
off
the
land,
binary
learning
to
program
or
to
make
malware
or
to
whatever
pen
test
method
you
come
up
with.
If
you
can
do
it
in
Powershell.
A
A
B
I.E.I,
you
would
be
pretty
shocked
to
learn
the
different
method.
It's
that
we're
using
or
slash
trying
to
prevent
again
a
lot
of
this
anything
that
I
can
I
do
submit
reports
on,
but
to
put
emphasis.
I
specialize
in
payloads
that
are
used
on
devices
that
are
meant
to
do
hid
based
attacks,
and
these
type
of
attacks
are
not
taken
seriously
at
all.
Despite
how
easy
it
is
to
get
into
supposedly
secure
places
and
use
any
one
of
these
devices,
but
that's
just
something
to
keep
in
mind.
B
A
Cool
all
right.
Well,
so
we
don't
want
to
delay
any
longer.
We
want
to
turn
it
over
to
you.
Let
you
do
your
thing:
I
ensure
we're
going
to
have
a
pretty
active
chat,
and
so
we'll
we'll
ping
you
if
we
have
questions
that
someone's
waiting
dying
to
get
an
answer
on,
but
otherwise
we'll
hand
it
over
to
you
and
take
it
away.
C
B
B
B
B
Yeah
but
obsidian
has
web
hooks
now
as
well.
So
if
you
had
some
sort
of
X
fill
on
whatever
payload
you
have
and
it
got
sent
to
your
obsidian
Vault,
you
can
then
use
that
to
data
mine
it,
along
with
like
two
of
the
other
plugins
that
I
use
for
like
a
data
view
and
I
forgot,
the
other
one
was
off
top
of
my
head,
but
data
view
is
a
good
one.
A
B
B
If
you
can
see
my
camera,
these
are
two
of
the
common
ones
that
I
use.
They
probably
won't
focus
into
well.
One
of
them
is
the
OMG
plug.
One
of
them
is
the
USB
rubber
ducky,
which
has
been
around
for
some
time
now
more
popular
right
now,
as
a
lot
of
people
are
using
the
flipper
and
using
its
bad
USB
capabilities
to
do
these
similar
things.
But
these.
A
B
Correct
correct
I
should
explain
that
yes,
so
basically
any
of
these
hid
attack
devices
they
are
USB
drives
that
are
programmed
in
a
way
to
be
recognized
as
keyboards.
These
devices
are
recognized
as
keyboards,
but
they're
pre-programmed
to
type
in
commands
at
lightning
speeds.
The
OMG
cable
slash
plug,
for
example,
types
in
140
characters.
A
second,
so
imagine
typing
a
script
into.
A
Okay,
and
so
let
me
just
ask
another
question:
if
you
don't
mind
since
I'm,
not
a
security
guy
and
I,
don't
think
the
same,
whether
you
do
those
devices
that
you
were
talking
about,
they're
programmed
to
do
X
I
understand
that
is
that
core
security
purposes
only
or
is
there
a
practical
usage
that
that
would
be
used
for
a
regular
user
and
a
security
person
discovered
a
way
to
use
that
to
their
advantage
like
if
I,
what
I?
Why
would
I
buy
that
for
myself?
If
I'm
not
doing
sort
of
security
focused
work.
B
Okay,
so
initially
the
rubber
ducky,
the
first
gen
of
it,
it
wasn't
for
security.
It
was
for
automation,
God
Darren
was
using
the
rubber
ducky
to
automate
the
process
of
setting
up
a
bunch
of
different
systems
in
their
Network.
You
know
going
from
computer
to
computer
instead
of
doing
it
manually.
You
know
he
just
automated
the
process
with
the
ducky
and
my
girlfriend
computer
to
computer,
and
that's
probably
the
biggest
practical
application.
B
B
Okay,
so
yeah
so
anyways
these
these
devices,
like
I,
said
what
they
do
is
they
replicate
a
keyboard
and
you
can
pre-program
it
to
type
out
specific
things.
You
know
as
soon
as
you
plug
it
in
it.
Types
in
window,
R
opens
up
the
Run
box
and
can
type
something
in
the
Run
box
right.
So
there
are
two
different
ways
to
utilize.
B
This
attack,
either
a
or
I'll
say
two
main
ways:
either
a
keystroke
injection
attack,
which
is
just
as
I
just
described
it
you,
GUI,
R
type
in
Powershell,
hit,
enter
open,
Powershell
type
in
a
script,
hit
enter,
run
it
alt,
f4,
whatever
close
out,
that
is
a
straight
hid.
Keystroke
injection
based
attack.
Now
that
is,
that
showcases
its
capabilities
and
it's
like
most
basic
format,
the
next
way
and
most
common
way
that
scripts
are
executed.
B
Using
these
devices
is,
you
know,
just
using
the
simple
invoke
rest
method,
invoke
web
request,
pulling
down
a
script
from
a
malicious,
URL
and
piping.
It
into
invoke
expression
and
I
definitely
forgot
to
put
the
pipe
symbol
here
in
the
image,
but
using
aliases.
This
is
basically
what
a
payload
would
look
like.
B
This
is
all
that
needs
to
be
typed
into
a
run
box
to
pull
a
payload
down
from
the
internet
somewhere
and
execute
it
onto
a
system
so
that
right
there
is
the
number
of
characters
and,
if
you
remember
I
said
it
types
it
out
at
140
characters
a
second.
So
something
like
this
is,
you
know,
executed
sub
one
second
and
you
can
walk
away
and
that
script
is
now
active
and
running
on
the
target
system.
B
So
that
is
the
delivery
method.
That
I
particularly
use,
that's
not
to
say
that
the
same
Powershell
scripts
that
I
deliver
in
that
way
cannot
be
delivered
in
other
methods
and
still
be
just
as
effective.
This
is
just
how
I,
personally
showcase
them
now,
whenever
we're
using
iwr
to
grab
a
URL
and
piping
it
into
IEX,
where
we're
basic
we're
not
even
touching
memory,
that's
the
way
that
most
scripts
will
operate
if
they
don't
have
any
sort
of
dependencies.
Any
sort
of
images
I
have
some
of
mine
that
are
just
funny.
B
B
These
would
be
the
places
that
you'd
look
for
keeping
in
mind
that
this
would
be
protecting
against
people
who
are
describing
these
scripts
and
running
them,
not
the
people
who
know
what
they're
doing
so
they're
you
know
modifying
that
location
to
be
something
Universal,
but
more
specific.
But
it's
honestly
those
people
who
are
just
grabbing
and
running
what
they
don't
know
what
it
is
that
are
more
dangerous.
B
You
know
they're
just
Reckless,
so
the
directories
to
look
out
for
is
literally
just
the
temp
directory
in
the
root
the
temp
directory,
that's
stored
in
your
environment,
variable
with
the
temp
directory
and
then
your
app
data
folder
inside
of
your
environment
variables.
Those
are
the
three
most
common
locations
for
these
specific
locations.
B
You
know:
I
have
different
scripts,
where
I'll
run
something
like
in
here.
I
have
one
called
Watcher,
which
I
basically
just
use
to
monitor
certain
folders
and
pay
attention
for
anything.
That's
dropped
in
there
certain
file
types
if
anything's
ran
from
there
and
those
those
would
be
basic
ways
to
protect
yourself
from
those
kind
of
attacks
from
low-level
users.
B
D
Attacks
are
using
an
HID
using
a
keyboard,
but
that's
while
the
user
is
logged
in
so
getting.
You
know
walking
up
to
a
computer
and
then,
but
if
the
computer
is
not
logged
in
there's
other
things
that
you'd
have
to
do
to
inject
that
into
with
the
OS
like,
acknowledge
those
keyboards
and
do
all
that
without
a
login
and
all
that
other
stuff.
So.
B
If
you
are
not
logged
into
the
system,
you
would
use
a
different
device.
The
now,
if
you
knew
what
their
login
was.
Obviously
keystroke
injection
it
right.
Sometimes
you
shoulder
surf
a
PIN
number
or
something
right
whatever
it
may
be.
Now,
if
you
absolutely
don't
have
any
access
and
you're
on
the
login
screen,
that
doesn't
mean
that
you
can't
get
in.
That
means
that
you
just
have
to
use
a
different
device.
These
two
guys
right
here
that
might
not
come
into
Focus.
These
are
the
bash
bunnies
that
are
offered
through
hack5.
B
They
look
like
USB
devices,
but
they're
little
Linux
computers,
they're
single
board,
Linux
computers,
and
these
devices
can
act
as
a
few
more
different
types
of
devices
other
than
just
a
keyboard.
They
can
act
as
any
hid
device,
an
ethernet
port
or
an
Ethernet
device,
I
apologize
and
using
that
device
it
is
possible
to
dump
password
hashes
from
the
login
screen,
in
which
case
you
would
have
to
you
know,
decrypt
them.
What
not!
But
it's
not
hard,
it's
a
matter
of
grabbing
the
hash
that
is
supposed
to
be
the
difficult
part.
A
B
Correct
yeah
correct
along
those
lines
now
because
of
its
advance,
so
much
that's
not
so
much
something
they
do
as
much
like
the
Gen
1
rubber
duckies.
You
know
it's
something
that
you'd
see
them
do
is
they
would
drop
them
in
parking,
lots
and
hope
that
someone
picked
them
up
and
they
would
auto
run,
but
the
new
rubber
ducky
that
just
came
out,
for
example,
at
Defcon
this
last
year
in
August
it
was
launched.
B
It
actually
introduced
logic
into
the
hid
attack
surface,
whereas
before
the
only
way
you
would
get
logic
is
by
you
know,
running
a
Powershell
script
specifically
like
if
you
downloaded
one
or
typed
it
in
the
window.
The
new
rubber
ducky,
which
was
the
one
that
I,
was
just
showing
you
the
new
rubber
ducky.
It
has
logic,
so
you
can
has
OS
detection,
so
it
can
go
into
different
systems
or
it
has
logic
to
determine
when
certain
key
states
are
active.
B
So,
with
the
advancements
with
it,
there
are
different
ways
of
delivering
I
guess
these
payloads
outside
of
the
drop
method
for
drop
method.
People
like
to
you
know,
use
little
Arduino
boards
or
something
else
something
really
disposable.
Digi
Sparks
you
can
use
them.
You
could
put
single
payload
on
them.
You
know
they're
two
dollars
a
piece
size
of
a
posted
stamp.
You
can
walk
by
stick
in
the
computer,
walk
away
and
never
see
it
again.
You
know
no
big
deal.
E
B
Well,
to
use
one
as
like
a
very
specific
example.
You
know
the
OMG
cable
that
came
out.
That
was
a
that
was
one
of
the
devices
that
got
leaked
back
in
like
2013
I
want
to
say.
Maybe
you
know
that
device
itself
was
straight
keystroke
injection.
It
did
not
have
wireless
capabilities,
nothing
like
that
and
the
cables
themselves
were
going
for
about
twenty
thousand
a
piece.
Whereas
now
you
know
you
can
get
a
drmg
cable
hundred
eighty
dollars,
it
can
store
up
to
200
individual
payloads.
B
You
can
connect
to
the
cable
with
your
phone,
so
you
can,
you
know,
run
payloads
remotely,
but
it's
not
even
just
that.
On
top
of
that,
you
can
tether,
you
could
tether
the
current
cable
to
a
known,
Network,
that's
nearby,
and
then
you
can
tunnel
into
the
cable
from
anywhere
in
the
world.
So
you
have
remote
access
from
anywhere
through
a
C2
server.
B
So
I
imagine
maybe
there's
some
more
stuff
in
development,
that's
kind
of
hidden
that
might
be
more
advanced,
but
as
far
as
comparisons
to
what
like
hack5
offers
to
what
I
think
you
know
we'll
say,
like
nation
states
have
I,
don't
think
that
they're
I
don't
think
that
they're
they
could
be
too
far
ahead.
If
at
all,
to
be
honest
with
the
team,
that's
behind
the
devices
that
are
being
put
out
currently.
A
B
Oh
fair
enough,
fair
enough.
Okay,
so
hack5
is
the
company
that
makes
all
the
devices
that
I
was
just
showing
you
they've
been
around
since
about
2009
and
they're
they're,
pretty
much
the
go-to
for
devices,
there's
a
company
or
two
that
might
make
a
single
device
or
they
try
to
make
clones
or
whatever
it
is,
but
a
hack5
has
just
become
the
go-to
for
these
devices
for
these
payloads.
A
I
think
says:
I'm,
not
here
we
go.
Oh
can
you
hear
me
now?
Yeah
yep
I
can't
hear
you
okay,
so
I
was
gonna
say
so
we
jumped
into
this
pretty
quick
and
I
apologize.
I
didn't
give
you
an
opportunity
to
kind
of
speak
about
your
background.
A
little
bit
I
was
going
to
say
that
I
believe
you
write,
exploits
and
share
them
with
the
community
to
help
people
learn
about
security
and
how
to
how
to
basically
have
better
security
posture
right.
So
one
of
the
things
that
people
can
do
is
help.
A
B
Okay,
so
now,
with
these
devices
again,
the
main
way
that
scripts
are
run
and
executed
is
using
iwr
pulling
them
down
in
just
piping
with
IEX.
Now,
of
course,
A
lot
of
people
are.
You
know
that
are
put
in
positions
where
they
gotta
think
of
security
to
any
capacity.
You
know
they
would
just
use
the
Arco
Powershell
constrained
language
or
something
or
put
something
in
place,
so
that
these
random
scripts
aren't
being
run.
B
I
know
that
some
people
might
think
execution
policy,
but
just
to
remind
you,
you
can
change
the
execution
policy
right
from
the
Run
box,
so
you
know
that
doesn't
really
matter,
and
you
know
again
unless
you
have
something
else
in
place
now.
With
that
in
mind,
though,
once
you
have
something
in
place
to
try
to
deter
from
people
just
doing
something
as
simple
as
invoking
down
a
payload
and
executing
it
on
your
system,
are
there
different
ways
to
get
these
payloads
on
your
system?
B
That
aren't
as
obvious
and
the
answer
is
of
course.
Yes,
there
are
so
many
different
things
to
exploit,
and
people
just
don't
do
anything
about
them.
This
next
one
I'm
going
to
show
you
I
wrote
a
report
up
for
Microsoft
I
submitted
it
and
they
determined
that
it
wasn't
actionable,
which
is
fine,
that's
their
decision
to
make.
But
yeah
it's
it's.
It's
kind
of
a
little
terrifying.
B
B
I
made
a
module
and
I
just
called
it.
Tpl
TPL
stands
for
test
payload,
so
if
we
do
find
module
and
test
payload
it'll
give
us
the
version,
the
name,
the
repository
and
actually
it
should
have-
should
have
the
description
over
there,
but
that's
fine,
so
I,
imagine
everybody
being
Powers
you're,
probably
familiar
with.
You,
know
the
Powershell
gallery
and
how
you
submit
modules,
how
it's
a
universal
library
that
everybody
has
access
to.
Assuming
you
have
you
know
the
new
get
installed
in
your
system.
B
B
Now,
if
all
those
characters
are
there,
I
mean
you
could
put
whatever
you
want
inside
of
it
whatever
you
want
like.
Let's
say
that
you
were
to
put
a
payload
inside
the
description
of
a
module
in
order
to
use
a
module
you
have
to
download
it.
You
have
to
say
yes,
I
want
to
download
it
and
go
through
the
whole
process
or
you
can
make
a
module.
You
could
put
your
payload
in
the
description.
You
can
just
query
that
save
it
to
a
variable,
execute
it
and
go
from
there.
B
So
that
is
what
I've
done
here.
So
inside
of
the
description
of
this
module,
I
made
a
function,
that's
just
called
exclamation
mark
C
and
it
takes
a
parameter,
the
parameter
it
takes
from
the
pipeline.
Now
what
I
do
is
I
pass
it.
A
number
and
I
have
a
switch
statement,
so
I
got
four
numbers
and
these
are
the
name
of
functions
I
just
named
them.
The
numbers
for
E's
here
so
I
pass
in
the
number
for
the
function,
and
then
it
executes
whichever
one
of
them
or
in
whatever
order
that
I
want.
B
So
if
you
see
here
we're
just
going
to
preface
it
with
IEX
the
same
way,
instead
of
just
grabbing
the
description
and
then
once
we
grab
it,
so
this
function
is
loaded
into
our
system,
we'll
pass
it
a
a
range.
So
we're
going
to
go
through
functions,
one
two
and
three,
and
then
we're
going
to
pass
that
into
our
function
to
execute
them.
So
when
I
run
this,
it
does
command
one
two
and
three
command
one.
B
So
this
is
just
one
of
the
techniques
that
we
use
this
one's
becoming
a
little
bit
more
common
I,
I
gotta,
be
honest,
I'd,
never
seen
it
before
I
did
it.
I
did
try
to
report
it.
It
was
something
that
they
were
interested
in
fixing,
but
I
I
know
it's
just
like
a
regular
data
query,
but
there's
rules
and
suggestions.
We
kind
of
put
in
place
that
we,
you
know
we
tried
to
help
them,
make
it
happen,
but
yeah
that
that
that
is
just
kind
of
one
way.
B
C
B
I
read
that
so
this
is
my
actual
DNS
text
record
set
up
for
my
website
online
right
now.
I
leave
these
up
just
because
I
have
a
video
going
over
it
and
I.
Let
people
experiment
and
try
them
out,
there's
a
couple
different
ways
that
you
can
run
this
I
have
it
set,
so
you
can
either
take
named
variables
for
payloads
or
you
can
take
numbers,
so
you
get
set
up
for
ranges
again.
Just
like
you
just
saw
at
the
Powershell
College.
You
can
do
ranges
of
functions
to
execute.
B
Yeah
yeah,
so
yeah
I,
just
open
up
forms
open
up
the
the
URL
YouTube
has
the
whole
question
mark
sub
confirmation
equals
one
Ender
you
can
put
on
a
URL
which
will
pop
up
the
box.
That
says,
are
you
sure
you
want
to
subscribe,
send
keys
to
put
tab
twice
and
enter
and
you're
not
subscribed
to
my
YouTube
channel.
B
B
Now,
once
we
have
these
in
place,
what
we're
going
to
do
is
pulling
pulling
one
down
and
executing
is
easy
enough.
Now
there
is
a
character
limit
for
each
one
of
those
of
255
characters.
So
if
you're
going
to
attempt
to
run
any
sort
of
script,
that's
going
to
be
longer
than
that
you
have
to
combine
them.
So
that
is
what
this
simple
command
does
right
here,
takes
a
range
of
whatever
you
want
it
to
I
have
one
through
three
as
the
example
we'll
resolve
a
DNS
name
to
cycle
through
each
one
of
them.
B
Look
for
the
text
record,
grab
the
strings
from
it,
create
a
script
block
from
what
we
grab
and
then
execute
it.
So
this
will
pull
down
multiple
DNS
records
in
a
row.
So
if
we
run
this,
it
just
line
one
line,
two
line
three,
and
then
again,
if
you
see
here
it
just
Echoes
line,
one
line,
two
line:
three
and
again
those
could
be
whatever
commands.
You
want,
one
that
does
a
Recon
one,
that
checks
to
see
if
RDP
is
enabled.
If
RDP
is
enabled,
then
do
number
four
which
is
exploit
RDP
whatever
it
is.
B
B
Very
very
often
I
have
one
of
my
best.
Friends
is
a
CFO
for
a
pen
testing
company,
a
cyber
security
firm
rather
and
after
I
post
that
video
they
started
using
it
on
on
jobs
and
like
they
were
just
telling
me
like
how
ridiculously
easy
it
was
like
just
a
breeze.
You
know
before.
That
was
something
they
had
to
plan
out,
but
it's
just
so
ridiculously
overlooked.
B
So
it's
a
255
character
limit
per
tax
record,
which
is
why
yeah
it's
why
I
had
to
write
that
function,
so
you
could
go
through
a
range,
pull
them
down,
combine
them
and
then
execute
them.
But
you
know
that's
that's
easy
enough.
You
know
that's
just
creating
an
array
of
numbers
or
you
know
whatever
it
is.
It's
just
your
execution
order.
So
it's
really
easy.
It's
modular
just
incredibly
easy
to
take
advantage
of.
B
B
Hackers
is
learning
how
to
obfuscate
your
code,
and
you
know
Powershell,
obviously
doesn't
do
it
intentionally,
but
they
have
implemented
a
lot
of
features
that
have
made
it
really
easy
for
us
to
do
this
so
some
things
that
I
mean
some
of
them.
You
guys
might
recognize
because
they're
from
a
long
time
ago,
right
here,
we
have
a
path
to
one
of
my
Stager
scripts.
B
B
B
So
when
we
were
talking
earlier
about
how
there
are
certain
directories
that
are
commonly
used
like
the
temp
directory
or
it
in
either
place
or
the
app
data
folder,
these
are
different
ways
that
we
would
try
to
either
use
that
same
folder
or
use
a
directory
inside
of
it,
but
then
obfuscated
as
well
to
avoid
detection
or
certain
rules
that
are
in
place
to
catch
these
types
of
things
and
then
there's
another
one.
This
one
is
a
lot
harder
to
work
with
so
you'll
see,
system,
Windows
forms
here,
system,
Windows
forms.
B
So
whenever
you're
working
with
like
a.net
framework
or
certain
methods,
you
can
use
asterisks
to
wipe
out
huge
chunks
of
characters.
This
is
something
that's
really
common
in
code
golfing
and
code.
Golfing
is
also
very
popular
amongst
hackers,
but
is
very,
very
hated
among
the
Casual
Powershell
community.
That
I
have
learned-
or
at
least
in
my
experience,
obviously
for
written
out
code
is,
you
know,
is
better
for
public
projects
Etc,
but
for
what
we
do?
B
Some
of
these
they
go
to
an
extra
level
and
it
is
actually
shocking
the
Ingenuity
behind
some
of
the
people
that
come
up
with
some
of
these
techniques,
so
we've
gone
over
different
ways
to
obfuscate,
the
you
know,
the
file
paths
or
you
know
the
environment
variables,
but
there
are
also
additional
levels
that
you
can
go
to
and
different
methods
that
you
can
use
to
hide
the
payloads
themselves
as
well.
One
of
these
options
is
using
something
called
a
polyglot
file.
B
If
you
are
not
familiar,
a
polyglot
file
is
a
file
that
the
extension
of
it
could
be
interpreted
differently
depending
on
the
program
that
is
opening
up
the
file.
So
you
could
have
you
know
on
the
malicious
side
of
things
you
have
an
image,
that's
also
a
Javascript
file,
so
an
image
opens
the
JavaScript
executes
as
well,
a
probably
the
main
one,
the
most
common
attack
Factor
one
is
when
you
combine
an
HTA
file
and
a
link
file
during
the
process
of
this.
B
What
makes
it
dangerous
is
that
it
removes
the
little
shortcut
Arrow
from
a
link
file.
So
if
you
make
that
link
file,
make
it
just
look
like
a
regular
image,
a
just
another
picture
on
the
desktop
it
will
not
have
that
shortcut
Arrow
and
when
it's
opened
it
could
be
set
to
open
that
image.
That's
stored,
someplace
else
in
the
temp
directory
and
run
something
behind
it.
B
This
right
here
it
says
H,
dot,
PNG,
so
we're
going
to
go
ahead
and
open
it.
It
says:
save
this
image
and
change
the
extension
to
a
zip
and
why
this
specific
project
right
here
is
so
absolutely
beautiful,
is
polyglot
files
are
an
art
in
themselves
like
for
someone
to
go
through
a
hex
editor
and
find
all
the
Indians
and
where
they're
at
and
find
out
where
they
can
place
extra
data
like
it's
just
absolutely
brilliant.
These
guys
are
geniuses.
B
But
what
puts
this
on
another
level?
Is
this
image
again
we'll
go
ahead
and
open
it
for
you,
this
image
can
be
uploaded
to
Twitter
and
then
from
Twitter.
You
can
right
click
on
it.
You
can
download
this
image
right
onto
your
desktop
and
when
it's
downloaded
onto
your
desktop
we're
going
to
go
to
it,
we're
going
to
press
f2
and
we're
going
to
change
the
file
extension
to
a
zip
I
hit
enter
it's
going
to
say:
are
you
sure
I'm
gonna
say?
Yes,
yes,
I
am,
and
it
turns
into
a
zip.
B
So
this
is
the
python
script
that
you
use
to
pack
a
zip
inside
of
an
image,
but
I
can
put
whatever
scripts
I
want
into
here
inside
of
it
change
it
to
a
PNG,
you
sure,
yep
and
now
it's
an
image
again
and
now
I
can
download
it
onto
your
system
from
Twitter
through
an
email
whatever
it
is,
whatever
I
want
and
there's
some
code,
obviously
I'm
not
going
to
show,
but
I
can
open
that
folder
without
decompressing
the
zip
and
execute
what's
inside
of
it.
You
know
with
admin
permissions,
possibly
X.
B
You
know
bypass
execution
policy,
obviously,
but
yeah.
It's
really
hard
to
detect
something
like
this,
especially
when
I
can
also
then
convert
that
to
base64
and
Nest
that
and
sign
something
else
or
whatever
else.
It
is
a
lot
of
the
more
sophisticated
attacks.
You'll
see
that
they've
got
things
layered
and
layered
and
layered
and
yeah.
These
are
some
of
the.
These
are
some
of
the
techniques
that
they're
using.
B
This
is
a
more
docile
version
of
it
again
because
it's
just
the
zip
you'd
still
have
to
have
another
user
interaction
for
their
for
the
malware
to
deploy,
but
something
like
the
HTA
file
and
a
link
when
they're
combined
once
you
open
that
image
it
executes
or
when
you
mix
a
PNG
with
a
Javascript
file.
Once
you
open
that
PNG
the
Javascript
file
executes,
so
it
can
be,
it
can
be
pretty
dangerous
and
there's
not
too
many
ways
to
protect
it.
B
C
A
B
B
One
of
the
last
videos
that
I
just
did
this
is
kind
of
on
the
side
tension
a
little
bit
but
I
used
Powershell
and
custom
protocol
Handler,
and
it
makes
it
so
I
can
execute
Powershell
on
your
system.
From
my
website
like
if
you
visit
my
website,
I
can
execute
Powershell
in
your
system.
Now,
of
course,
that's
of
course
only
if
you're
using
my
custom
protocol,
Handler
and
I
did
that
on
purpose.
B
So,
as
you
know,
it
can't
be
used
maliciously,
but
there
are
ways
that
you
can
use
the
Chrome
protocol
Handler
in
the
file
protocol
Handler
and
exploit
them
to
do
the
same
thing
so
I
could
set
it
up.
So
if
you
go
to
my
website,
it
doesn't
matter
if
you
click
on
anything.
If
you
just
simply
open
the
wrong
web
page,
it
will
execute
Powershell
commands
on
your
system
no,
depending
on
what.
F
F
B
Is
it
is,
it
is
debatable
because
there's
a
there's
a
couple
different
file
types
that
are
basically
just
hidden,
zips
I,
don't
know
if
I
would
go
full
polyglot
I
think
there
would
be
I,
don't
know
like
a
masked
file,
I
guess
because
it
operates
the
same.
Polyglot
I
think
would
be
two
files
that
act
differently
depending
on
how
they're
opened,
as
opposed
to
both
of
those
files
act
the
same
regardless
of
how
they're
opened.
F
B
Okay,
that
would
be
a
that
would
be
a
fair
argument,
moving
it
towards
a
Pogba
file
and
there
for
sure
I.
Imagine
our
exploits
to
take
advantage
of
that.
That's
something
that's
popped
up
over
time.
You
know
I,
think
most
famously
with
the
macros
inside
of
Word
documents
or
whatever
else
macros
for
a
while
were
used
to
run
code
in
the
background,
whenever
you
open
up
any
sort
of
document
or
whatever
else
so
yeah
yeah,
actually
100
naked,
definitely
follow
the
polyglot
family.
B
And
then
so
most
of
my
most
of
my
work
is
public.
I
do
have
it
on
my
GitHub
or
whatever
else
there
are
like
I,
said
quite
a
few
exploits
or
payloads,
or
something
else
that
I've
come
up
with
that
I.
Just
don't
post
the
code
to
publicly
it
just
again
it
doesn't
feel
socially
responsible,
but
I.
This
is
just
kind
of
to
demonstrate.
One
of
the
things
that
you
can
do
is
Powershell
and
yeah.
It's
kind
of
threatening-
and
this
doesn't
require
admin
permissions.
You
don't
have
to
use
execution
policy
bypass.
B
C
B
B
B
And
there's
really
nothing
you
can
do
to
stop
it.
There's
no
rules
in
place.
There's
no
I
mean
by
default,
referring
to
default
users
just
using
their
default
computers
again
speaking
to
sys
admins,
it
might
be
different.
You
guys
might
have
things
that
you
can
definitely
put
in
place
for
this.
I
would
definitely
recommend
it,
but
exit
exit.
B
A
B
Just
two
simple
functions
this
one
right
here,
even
though
it's
obfuscated
currently
is
nothing
but
a
Discord
upload
function.
It
takes
a
string,
grabs
the
API
key.
Whatever
you
know
this
is
this
is
currently
my
Discord
web
hook.
That'll
be
changed.
Obviously
after
this
video
you,
if
you
want
to
pop
in
a
message,
say
what's
up,
you
can
do
that
but
yeah.
B
So
this
is
simply
a
Discord
upload
and
that's
it
and
then
from
here
we
are
going
in
at
type
simply
name
the
system
speech,
creating
an
object,
called
recognizer.
The
system
speech,
recognition,
speech,
recognition
engine
you,
like
I,
said
you
can
load
grammar,
so
you
can
make
it
more
accurate.
If
you
saw
it
wasn't
exactly
as
accurate
as
it
probably
should
be,
but
it's
accurate
enough
to
be
scary
and
then
we're
just
using
a
while
loop
we're
going
to
take
the
result.
B
Every
time,
there's
a
pause,
it'll
pass
it
through
a
story
Into
the
result
variable
if
result.
So,
if
there's
something
there,
then
you
know
we're
just
going
to
start
passing
it
through
and
yeah
down.
Here
is
you
know
if
it
says
notepad
open
notepad?
If
I
say
exit
then
just
break
and
you
know
close
out
the
program,
but
that
could
be
whatever
you
want
it
to
be.
That
could
be
any
trigger
word
that
could
be
kill,
switch,
activate.
B
B
A
B
Oh
over
the
stuff
situation:
no,
this
will
work
on
Powershell
five
minimum
like
at
least
ballpark.
We
are
testing
on
Windows
10
11..
Now
some
of
the
advanced
functionality,
like
you
know
they
Powershell,
seven
shipped
out
with
PS,
read
line,
for
example
right,
so
PS3
of
mine
is
a
really
really
cool
module.
It's
it's
allowed
me
to
make
some
pretty
cool
tooling
so
before
I
used
to
have
different
functions.
B
So,
if
I
wanted
to,
if
I
wanted
to
base64
encode,
a
string
I
would
do
basically
for
ES
and
code
string
or
decode
string
or
in
code
file
whatever
and
I
would
use
that
so
that
that's
just
the
base64
return
of
it.
Now,
with
Powershell,
seven
coming
out
in
PS,
Redline
being
a
a
native
module
that
comes
with
it,
there's
actually
a
way
to
grab
what's
inside
the
buffer.
So
this
is,
it
says,
start
notepad.
This
is
the
buffer
right
here.
B
So,
instead
of
actually
having
to
type
a64
on
code
string,
I
can
actually
just
hit
alt
e
and
it'll
encode
it
in
base64
for
me
or
if
it
is
base64
it'll
encode
it
back,
convert
it
back.
I
made
the
same
thing
for
a
tool
for
aliases,
so
it's
Auto,
alias
anti-alias,
so
just
alt
a
will
turn
in
Alias
to
its
full
form
or
if
it's
full
form,
it'll
turn
into
its
shortest
iterable.
B
Now
those
particular
functions
which
are
in
some
of
the
stuff
I
showed
do
use
Powershell
seven,
so
those
particular
ones
yes,
would
be
dependent
on
seven,
but
for
the
most
part,
more
most
of
what
I
showed
is
relatively
Universal
I.
Try
to
make
it
so
worked
on
Windows,
10,
7,
10,
11,
powershells,
seven
and
five.
A
Yeah,
so
no
reason
why
not
I
didn't
I
didn't
want
to
interrupt
if
you
were
trying
to
do
other
stuff,
but
actually
a
question
just
came
in
in
the
chat.
That
is
really
the
64
000
question
for
all
the
stuff
that
you've
done
tonight,
which
is
so.
How
do
you
start
to
mitigate
against
these
attacks
without
basically
just
shutting
everything
down
right
because
here's
here's
the
problem,
the
security
team
wants
to
say
no
x,
no
y,
no
Z,
but
then
the
admins
and
the
team
go
but
I
need
X.
A
C
A
B
It
when
it's
regarding
specifically
we'll
say,
hid
attacks
because
we're
talking
about
two
different
things
here,
I
think
there's
hid
attacks
specifically
and
then
there's
Powershell
uh-huh
for
something
like
hid,
attacks,
there's
a
couple
things
that
you
can
mitigate
the
risk.
I
showed
you
the
common
directories,
where
people
drop
off
files,
yep
I'll,
say
on
my
system
that
I
change
those
environment
variables,
so
those
folders
aren't
called
the
same
thing
so
when
they
try
to
drop
those
files,
there's
nowhere
to
drop
them
to
you
know
what
I
mean,
so
you
can.
B
That
might
not
be
practical
for
everyone,
but
little
things
like
that
to
mitigate
the
risk,
whether
it
be
changing
the
environment
variables
for
certain
file
locations
or
doing
you
know,
Mac
address
matching
for
devices
which
they
do
at
high
level
places.
Now,
that's
not
always
practical.
When
you
got
people
like
boys
coming
in,
might
you
know
bring
in
you
know
their
laptop
whatever
to
work
on
kind
of,
like
you
know
how
you
guys
got
going
on
right
now.
That
might
be
something
more
difficult
to
implement.
Can.
D
B
Can
you
can
so
there's
actually
an
exploit
that
goes
along
with
that,
so
what
we're
gonna
do
is
we're
going
to
look
at
our
environment
variables,
real
quick.
These
are
all
of
our
environment
variables.
These
are
the
things
that
hackers
like
me
use
to
universally
navigate
your
systems.
Most
games
don't
change.
Now.
Some
of
these
are
added
like
you
know,
you
might
have
not
have
sqlite
3
or
python
or
whatever
else.
But
if
you
come
up
here,
oh
no
I
did
change
it
back.
I
did
change
back.
B
B
B
If
we
come
up
to
here,
comes
back,
you'll
see,
come
spec
which
changed
to
calc.exe,
so
I
just
changed
that
environment
variable
no
well.
That
is
a
way
to
mitigate
these
kind
of
attacks.
It's
also
an
attack
Vector
in
itself,
because
now
every
time
that
comes
back
variable
is
called
it's
going
to
be
calling
to
calc.exe.
So
if
you're
in
something
like
here
and
I,
think
it
was
a
do
a
break
to
REM,
which
is
like
nothing
to
nothing
but
it'll
open
the
calculator
because
I
placed
it
in
the
environment
path
variable.
So
you
can.
B
D
So
it's
not
that
that
you
know
your
your
idea
of,
like
you
can
change
some
of
that
stuff,
but
there's
still
ways
like
I.
Just
didn't
understand
like
like
the
temp
variable
even
comes
back,
those
those
variables
are
system-wide,
and
so,
if
you're
changing
what
they're
going
to
so
in
some
fashion,
hey,
you
could
not
allow
someone
to
do
that.
I'm
not
sure,
like
I,
did
not
fully
understand
that
concept
of
trying
to
so
prevent
that
you
know.
B
That
would
be
a
basic
basic
mitigation
technique
that
would
work
against
I.
Think
like
one
of
the
bigger
threats
right
now,
unfortunately,
is
all
the
script
kitties
who
are
running
around
with
flippers.
You
know
they
got
them,
they're
running
them
on
their
school
systems
and
everything
right.
So
the
problem
is,
is
that
these
kids
aren't
intelligent,
so
they're
not
changing
the
code.
B
They're,
not
you
know
what
I
mean
they're,
not
making
any
modifications
to
make
it
harder
to
use
they're
just
using
what
they
have
and
what
I'm
saying
is
that
all
reference
materials
that
they
have
always
points
to
the
same
three
directories?
I
got
assume
it's
the
same
three
directories:
it's
the
script,
Keys
specifically
I!
Guess
like
smaller
businesses
or
even
you
know,
I,
don't
know
what
kind
of
building
you
guys
are
currently
in
right
now,
it
looks
like
might
be
like
a
community
center
of
some
sorts
or
something
like
that
where
people
can
walk
around.
B
You
know
what
I
mean
it's
just
to
mitigate
the
risks
of
those
kind
of
people.
If
you
have
like
a
real
threat
actor,
that's
targeting
you!
No,
absolutely
not!
That's
not
gonna.
Do
it
because
I'll
just
iterate
through
the
environment
variables
find
out
what
they
are
and
then
pick
the
ones
that
I
want?
You
know
what
I
mean.
So
that's
just
a
it's,
not
a
honestly.
It's
not
a
good
one.
It's
a
small
one
to
mitigate
against
like
these
the
script
kitties
running
around
with
the
flippers
right
now
to
be
honest,
yeah.
A
Pointing
that
up
so
I
was
just
going
to
say
for
the
people
at
home
who
are
watching
this
and
don't
have
the
benefit
of
seeing
the
chat,
that's
happening
at
the
same
time.
So
Clem
misery
really
brings
it
home
in
a
good
way,
which
is
what
Jacoby's
saying
is
look.
These
are
the
default
directories
that
most
people
are
going
to
look
at.
A
That's
an
excellent
place
to
start
your
monitoring,
so
Clem
puts
in
this
chat
an
example
of
like
monitoring,
temp
directory
and
looking
for
large
amounts
of
file
changes
in
a
short
period
of
time
right,
and
maybe
that
Flags
an
alert
in
a
log
or
to
a
system
like
that.
So
maybe
you're
not
mitigating
against
the
attack
but
you're
getting
visibility
to
changes
on
a
system
that
might
be
raising
a
red
flag
a
little
bit
or
a
warning
sign
right.
A
So
I
think
yeah
like
symptoms
right
symptoms
of
something
that
might
not
be
normal,
yep
cool,
so
Jacoby
I
got
another
question
for
you.
This
is
a
little
bit
unplanned,
but
as
I
watch
you
do
this
stuff
tonight.
My
my
the
thing
that
I
thought
of
was
like:
how
do
you
go
about
trying
to
find
a
new
Vector
to
sort
of
find
a
way
to
use
like,
for
example,
DNS
text
records?
I?
Don't
think
that
for
any
of
us,
that
seems
like
a
common
thing.
A
B
Well,
for
that
one
specifically,
what
it
comes
down
to
is
modifying
and
holding
strings.
You
know
what
I
mean
like
you're
or
who
is
constantly
thinking
of
ways
to
do
that,
and
I
just
happen
to
be
thinking
about
that
at
roughly
the
same
time
that
I
was
making
one
of
my
actual
Powershell
modules
and
I
was
thinking
about
it,
and
then
I
was
just
thinking
about
how
there
was
all
those
string
containers
and
how
it
was
actually
still
treated
as
an
object
and
I
was
like
wait
a
minute.
B
B
You
know
breaking
down
everything
and
just
seeing
if
you
can
apply
this
over
to
it
and
it's
honestly,
it's
a
slow,
tedious
process
and
then
a
matter
of
finding
things
like
that
is,
you
know
sometimes
I'll,
just
I'll
put
a
movie
on
or
I'll
be
listening
to,
music,
whatever
it
is,
and
I
will
just
spend
like
four
or
five
hours
and
I'll
just
scour
through
the
registry.
You
know
or
scoursues
a.net
framework.
B
You
know,
that's
how
I
found
the
speech
engine
the
one
that
I
was
talking
to,
and
you
know
speaking
into
Discord
at
that
time.
I
was
working
on
a
project
which
honestly
might
be
going
too
far.
We
were
talking
about
Chad
GPT
earlier
I
took
it
too
far,
so
I
use
that
speech
recognizer
engine
to
talk
into
Powershell,
save
it
into
a
variable,
pass
that
variable
to
chat
GPT
pass
the
response
to
sappy
speak.
So
it
would
speak.
B
B
So
yeah
little
things,
it's
just.
It's
just
super
diving
into
weird
places
and
literally
every
single
thing
that
you
see.
If
you
don't
know
what
it
is
for
sure
Google
it
every
single
thing,
every
single
key,
every
single
directory
and-
and
it
just
makes
it
way
easier,
chat
GPT
by
the
way,
because
you're
like
what
is
this
key
for
right?
Why
did
they
add
this
key?
Because
I
found
one
that
was
called
like
there's
a
key
in
the
registry
called
This
is
a
rat.
This
is
a
rat
and
I
was
looking.
B
I
was
like.
Oh
no
did
somebody
really
get
me
did
I
get
got.
You
know
what
I
mean.
I
was
doing
some
research
and
no
it's
it's
a
remnant
of
old
Internet
Explorer.
It's
one
of
the
keys
that
they
use
to
you
know
say
what
websites
you
couldn't
go
to.
You
know
what
will
websites
were
blacklisted,
but
you
know:
I
wouldn't
know
that
if
I
didn't
super
dive
into
it
and
just
Google,
every
single
thing
I
came
across
and
that's
really
what
it
comes
down
to.
A
B
B
There's
there's
stuff
that
was
left
there
by
accident,
or
if
you
guys,
don't
you
guys
know
what
fod
helper
is
like
if
you
guys
are
familiar
with
fodhelper
they
just
like
it
was
just
four
months
ago
that
they
patched
one
of
the
exploits
that
I've
been
using
for
like
seven
years,
but
I
was
using
fodh
helper
as
a
privilege
escalation
to
get
admin
rates,
and
it's
seven
years,
seven
years
I've
been
using
it
and
it
just
went
completely
under
the
radar.
Never
did
anything,
but
it
was
just
it
was.
B
It's
it's
both
honestly
right
because,
of
course,
there's
the
selfish
part
of
me
where
it's
like
you
know
like
that
was
my
baby
and
it's
gone
now
right
and
of
course,
I
want
to
use
it
because
it
makes
me
feel
cool.
I'm,
not
gonna
lie
right,
but
at
the
same
time
part
of
what
I
do
is
to
try
to
make
them
take
hid.
Attacks
serious
you
know.
I
just
saw
yeah
I
just
saw
a
question.
B
A
So
I
did
a
pretty
I
did
a
pretty
terrible
job
when
we
did
the
intro
I
didn't
give
you
a
chance
to
talk
a
little
bit
about
where
people
can
find
the
things
that
you
do
online.
So
maybe
you
can
help
us
out,
give
us
a
little
plug
on
where
you
live
online,
how
they
can
find
you
on
Twitter
and
social
and
I'm
sure
you
have
a
GitHub
repo
you'd
like
to
share,
or
maybe
your
YouTube
channel
I,
think
people
would
be
interested
in
what
you
do
and
how
to
follow
along
yeah.
A
B
Was
literally
just
about
to
show
you
that
button
yeah
yeah
as
far
as
socials,
if
you
guys
want
you,
can
find
me
on
Twitter
I'm,
pretty
much
I
am
Jacoby
on
absolutely
everything:
Ben
Jacoby
GitHub.
If
you're
wanting
to
use
check
out
any
of
my
code,
it's
crazy!
You
know,
I've
had
this.
For
just
just
over
a
year,
I
started
posting
code
before
I
always
used
it
as
reference
on
my
flipper
zero
bad
USB
is
currently
the
biggest
bad
USB
repo
on
GitHub,
which
is
wild
I.
B
B
B
To
blur
that
out,
yeah,
no,
it's!
No!
It's
no
worries,
no
worries,
it's
funny.
If
you
see
the
name
and
you
connect
the
dots,
it's
just
gonna
be
extra
funny
if
you
somehow
figure
it
out.
But
yes,
this
is
my
YouTube.
If
you
guys
want
to
check
me
out,
there
I
make
a
lot
of
videos
going
over
these
different
techniques.
This
is
a
whole
Powershell
for
hacker
series.
You
know
little
things:
how
to
convert
text
or
images
to
base64.
B
I
use
a
detect,
Mouse
movement,
a
lot
in
a
lot
of
either
like
my
prank
payloads
or
certain
Recon
ones,
either
in
prank,
payloads
I
want
the
prank
to
start
as
soon
as
they
move
their
mouse
or
in
realistic
Recon
ones.
I
don't
want
a
payload
to
run
until
the
mouse
hasn't
moved
for
a
certain
amount
of
time
just
to
try
to
indicate
someone's,
not
there
yeah
yeah.
So
those
are
the
main
places.
If
you
want
to
follow
me,
I
definitely
appreciate
that.
B
Oh
right,
right,
I
I
forgot
Clint
yeah.
That
would
that
would
be
a
good
point.
Oh
don't
go
to
the
links.
Lol
yeah
I
know,
I,
know
yeah.
So
my
buddy
matinee,
we
actually
just
started
a
podcast
of
our
own.
We
just
did
the
second
episode.
We're
gonna
be
doing
that
every
Saturday
right
now
it's
at
five,
but
we
might
make
it
earlier.
So
we
get
the
European
audience
in,
but
yeah
yeah
I
appreciate
you
for
reminding
me
yeah.
B
A
A
Presentation
really
enjoyed
what
you
had
to
share
and
your
perspectives
on
how
things
work
is
just
really
refreshing,
especially
for
guys
who
are
dealing
with
thinking
about
just
as
an
Administration
system,
and
so
I
just
want
to
say
for
the
people
at
home.
If
you've
been
watching
this
on
YouTube
we'd
love
to
have
him
come
and
join
us
in
person
for
a
live
live
meeting,
you
can
find
us
at
Meetup.
You
can
search
for
rtpsug.com.
A
We
also
have
a
YouTube
channel
until
maybe
you're
visiting
us
from
there,
but
we'd
love
to
have
you
come,
and
you
can
ask
your
own
questions
of
our
presenters
and
learn
some
stuff
with
us,
and
so
please
check
us
out,
and
we
have
about
somewhere
about
130
videos
on
Powershell
on
our
Channel
right
now,
covering
all
aspects
of
powershell's
system
and
application
Administration.
So
please.