Attacking PowerShell CLIXML Deserialization
2024-09-13 , Main hall

Common Language Infrastructure XML (CLIXML) is a widely used PowerShell serialization format. In this presentation, we will learn how to exploit PowerShell deserialization to move laterally and escalate privileges in an enterprise environment. I will perform multiple live demos, including a guest-to-host virtual machine breakout.

I will present several novel deserialization gadgets to achieve everything from out-of-band network requests and credential stealing to remote code execution. This includes golden gadgets that work on vanilla PowerShell installations and gadgets that depend on widely used PowerShell modules.

Finally, we will discuss how we can protect ourselves against these attacks as IT admins and how to avoid these vulnerabilities as developers.

Alexander is Principal Forensic Consultant at Truesec and spends most of his time providing incident response services to companies that have suffered from an attack. He has led hundreds of complex investigations into everything from full-scale ransomware attacks to zero-day exploits and APT campaigns. Whenever not in an active incident, Alexander spends time in research and development with a focus on both novel forensic tooling and offensive offensive vulnerability research.