Name | Latest commit message | Commit time
HiddenPowerShellDll | Update HiddenPowerShellDll.cs | Nov 15, 2018
Metasploit-modules | Update hta_sharp.rb | Nov 15, 2018
packages/DllExport.1.6.1 | First commit | Nov 15, 2018
.gitattributes | Create .gitattributes | Nov 15, 2018
.gitignore | Create .gitignore | Nov 15, 2018
DllExport.bat | First commit | Nov 15, 2018
DllExport_Configure.bat | First commit | Nov 15, 2018
HiddenPowerShellDll.sln | First commit | Nov 15, 2018
LICENSE | First commit | Nov 15, 2018
README.md | Update README.md | Nov 16, 2018


HiddenPowerShell

This project was created to explore various evasion techniques involving PowerShell:

  • AMSI
  • ScriptBlockLogging
  • Constrained Language Mode
  • AppLocker

Metasploit module and payload

The module manages the delivery of an .hta file and a stager .ps1 file. When the .hta is executed it extracts the DLL and runs it via rundll32. The Metasploit payload is an Empire custom stager with the AMSI and ScriptBlockLogging bypass parts removed; those bypasses are executed outside PowerShell, which prevents the logging-bypass code from itself ending up in the logs.

HiddenPowerShellDll

This .NET class library is used to run PowerShell scripts from C#. The bypasses are executed first, and then the scriptblock that invokes the stager is executed. Using the DllExport package, the .NET DLL exports a function that allows it to be executed via rundll32, which results in a bypass of the default AppLocker rules.

Instructions

  • Put the hta_sharp.rb file in the $(HOME)/.msf4/modules/exploits/windows/misc folder
  • Put the powershell_empire_http.rb file in the $(HOME)/.msf4/payloads/singles/windows/x64 folder
  • Build the solution
  • Create the $(metasploit_data_dir)/hta_sharp folder
  • Copy the bin\Release\x64\HiddenPowerShellDll.dll file to $(metasploit_data_dir)/hta_sharp, renaming it to HiddenPowerShellDllx64.dll

Note

If you run a Meterpreter payload, set the PrependMigrate advanced option to true.

To run the Empire payload:

  • Create the HTTP listener in the Empire framework and use its StagingKey property to set the STAGINGKEY option of the powershell_empire_http payload
  • Set the PrependMigrate advanced option to false

To maximize evasion, use HTTPS for all phases. Self-signed or cloned certificates are supported; do not use the default Metasploit certificates.

References

AMSI bypass: @_RastaMouse's version
ScriptBlockLogging bypass: @cobbr_io
General inspiration for the runspace: @Cneelis