Common Language Infrastructure XML (CLIXML) is a widely used PowerShell serialization format. In this presentation, we will learn how to exploit PowerShell deserialization to move laterally and escalate privileges in an enterprise environment. I will perform multiple live demos, including a guest-to-host virtual machine breakout.

I will present several novel deserialization gadgets to achieve everything from out-of-band network requests and credential stealing to remote code execution. This includes golden gadgets that work on vanilla PowerShell installations and gadgets that depend on widely used PowerShell modules.

Finally, we will discuss how we can protect ourselves against these attacks as IT admins and how to avoid these vulnerabilities as developers.

You will learn:

• How PowerShell serialization works and how to exploit CLIXML deserialization bugs
• How a threat actor could abuse CLIXML attacks to break out from a virtual machine or compromise an admin workstation
• The important steps you need to take to mitigate the risk of these attacks