This blog post is a high-level overview. If you are looking for the full technical details, please see the article "Attacking PowerShell CLIXML Deserialization" on Truesec.
PowerShell Remoting and PowerShell Direct are widely used solutions for managing enterprise IT environments. Both have a feature to share objects between computers, and this is implemented with a serialization format called CLIXML. The issue is that they trust the remote system to always provide legitimate CLIXML data. This is a vulnerability known as CWE-502: Deserialization of Untrusted Data. In this attack scenario we do not target the server; instead, the target is the client of the connection. Anyone who uses these solutions to connect to a compromised computer is thus exposed.
The PowerShell Remoting attack scenario is illustrated in the figure below. The unsuspecting administrator connects to a compromised server. However, as the server is compromised, the threat actor can control what data to return. This scenario would thus result in a compromise of the administrator's computer. Note that this also affects many popular admin solutions because they rely on PowerShell Remoting.
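To make the trust relationship concrete: every object in a CLIXML document carries type names declared by whoever produced the data. The following added example (not code from this post or from the Truesec article) reads those declared types as plain XML, without handing the data to PowerShell's deserializer, and reports any that the consumer did not expect. The sample document, the `EXPECTED_TYPES` set and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# Assumption: the only types this consumer expects to receive.
EXPECTED_TYPES = {"System.IO.FileInfo", "System.IO.DirectoryInfo"}

# Constructed sample shaped like Export-Clixml output. "Example.Unexpected.Widget"
# is a made-up placeholder, not a real .NET type.
SAMPLE = """\
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0"><T>System.IO.FileInfo</T><T>System.Object</T></TN>
    <Props><S N="Name">a.txt</S></Props>
  </Obj>
  <Obj RefId="1">
    <TNRef RefId="0" />
    <Props><S N="Name">b.txt</S></Props>
  </Obj>
  <Obj RefId="2">
    <TN RefId="1"><T>Example.Unexpected.Widget</T><T>System.Object</T></TN>
    <Props><S N="Name">c.txt</S></Props>
  </Obj>
</Objs>
"""

def declared_types(clixml_text):
    """Return [(Obj RefId, most-derived declared type)] by reading the XML only."""
    root = ET.fromstring(clixml_text)
    type_tables = {}  # <TN RefId> -> type names, so later <TNRef> can be resolved
    found = []
    for obj in root.iter(NS + "Obj"):  # document order, nested objects included
        tn, tnref = obj.find(NS + "TN"), obj.find(NS + "TNRef")
        if tn is not None:
            names = [t.text for t in tn.findall(NS + "T")]
            type_tables[tn.get("RefId")] = names
        elif tnref is not None:
            names = type_tables.get(tnref.get("RefId"), [])
        else:
            names = []  # object carries no type names
        found.append((obj.get("RefId"), names[0] if names else None))
    return found

def unexpected_types(clixml_text, expected=EXPECTED_TYPES):
    """Objects whose declared type is missing or outside the expected set."""
    return [(rid, t) for rid, t in declared_types(clixml_text) if t not in expected]

if __name__ == "__main__":
    for rid, t in unexpected_types(SAMPLE):
        print(f"Obj RefId={rid}: unexpected declared type {t!r}")
```

This is an inspection aid for CLIXML you already hold as a file or string; it does not intercept what a remoting session deserializes on the client.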