
Invoke-NoShell - Gal Bitensky

BSides TLV · 2018 · 13:45 · 124 views · Published 2018-07 · Watch on YouTube
About this talk
Invoke-NoShell - Gal Bitensky BSidesTLV 2018 - Tel Aviv University - 19 June 2018
Transcript [en]

Okay, testing. Yeah, so hi everyone, welcome to my talk, Invoke-NoShell. Once you're out of here, like this evening, or in just like 15 minutes' time, you will... well, we will add to your knowledge a nice way to execute PowerShell without PowerShell, which is quite weird, but we'll get to it, and you'll get a tool to take all these nice PowerShell things and put them in a malicious document. So let's look a bit at the outline of the talk. We'll begin with a bit about PowerShell: why it's good, what it's good for (absolutely nothing), why you red teamers like it, and what we lack in

PowerShell for both red teams and blue teams, and we will proceed to see what the hell my tool is doing, and then we'll see how it actually works and performs against AVs. So this is a fast talk, note, it's gonna be like a 15-minute talk, so please stay focused and stay quiet so I'll be able to stay focused. Thank you. A bit about myself: I work for Minerva Labs, with those two fans in the front row, and I did some previous work; you can search all of it in my GitHub account, which is down here, including Invoke-NoShell. Feel free to contact me on Twitter, Facebook, and/or

even Instagram, if you really want to. I know... I'll be very happy to answer any kind of questions you have. And finally, a couple of thanks: to Philip, who spoke here before today; he inspired me to do this project, and object-oriented the PowerShell, which is quite weird, but he inspired me to do it. And to Dan Iosifovich, who is not here, also... yeah, she promised she'll be here, but tough luck, for giving me the motivation to do the trick you're about to see with the PowerShell-less PowerShell execution. So PowerShell, what is it good for? Mostly these kinds of screens we all know too well... no, not really. It is a really nice kind of a scripting

language console built into Windows. There are tons of open-source frameworks for red teamers to use, all kind of compatible with Metasploit, which is good because we're lazy; we don't want to build anything which is too complex, and we can just like, you know, take it off the shelf and win against most of the AVs which are out there nowadays, which is cool and easy. So I did a quick survey: I questioned about 80 researchers about PowerShell, and indeed most of the security researchers, pen testers, mostly, like over 95% I believe, know PowerShell. Some regret that they know it, including me, but almost everybody knows PowerShell and uses PowerShell to some extent. Also, most of

the people who actually use it for offensive purposes actually bypass AV successfully using it. So yeah, it's not like a big surprise for anyone, but yeah, it was also a question. Also, the people who actually use PowerShell offensively do it mostly with the known frameworks we talked about. Again, not surprising: never reinvent the wheel. The kind of people that actually write their own PowerShell offensive payloads are the kind of people that invent their own cryptography, I believe, as well, which is, well, you know, yeah. One last bonus question: all of us know this nice screen, "execution policy is restricted." All of us have seen it too often, I guess, at least me. We will return to it later in this

talk. All the people suffer from it at different levels; some disabled it, some... but yeah, okay. But what do we lack? We have amazing frameworks which allow us to bypass AVs. If you have any experience using them, you already know it, so it's awesome, it works. But when I want to use it, I want to deploy it somehow, often using a malicious document, using some macro tricks, DDE, whatever, and I want to automate it. I want to have all kinds of tricks which are released on a daily basis and to have it all in, and have some kind of restrictions sometimes in PowerShell. I wanted to automate all the process and to have one tool to rule them all, and to

be able to pack all this nicely and neatly without too much manual labor. There is a tool called LuckyStrike which is nice, but it wasn't sufficient for me, so this is how Invoke-NoShell was born. Invoke-NoShell, you can see below here, I hope you can see the link now... I heard BB-8, yeah. So Invoke-NoShell is a mixture of cool PowerShell tricks of a PowerShell-less PowerShell execution. It is already online; my presentation is there as well, so don't like be super picky about writing all the notes. It is a combination of a few nice tricks and a framework for creating documents with macro code, in combination, automatically, which is quite nice. So

this is what you are here for: this is the PowerShell-less PowerShell execution. I don't know how many of you know it. This is PowerShell ISE, the built-in IDE for PowerShell. It's usually used for debugging PowerShell on Windows machines, and it turns out that if you read the documentation, this variable, which resolves to a path, this path, and if you place a PowerShell script, a .ps1 file, in this path, whenever PowerShell ISE starts up it will be loaded, with no powershell.exe instances at all, which is like, what? But nobody blocks PowerShell ISE, etc., and, well, it turns out to be a nice cool trick to bypass any kind of restrictions on

PowerShell, powershell.exe. But wait, there's the execution policy kind of thing. We always use this, "-ExecutionPolicy Bypass", if you're bad hackers, etc., and we can't do it with PowerShell ISE; it doesn't take these arguments, you know. So yeah, so back to the kind of question from before, from the kind of polls that I did: execution policy is broken. It's just like a broken thing, it doesn't work, you can just take it and just like throw it away. I did maybe a couple of minutes of Google searching for a way to bypass execution policy and I found this cool registry key and value which should be set. It is in the current user hive, so

you don't even have to be an admin, and once this registry key is set you can execute PowerShell without setting any kind of unrestricted execution policy from an admin prompt or something. This is all you need to do. You don't need to be an admin. Execution policy is broken and it's just worthless; the only thing that it does is kind of disturb me from doing what I want to do when I need to actually use PowerShell. Credit, by the way, to the link below. So what we now have is a couple of tricks, but I also want to use them in a document of some sort, so at this stage I kind of

went through all that I have. I have a couple of tricks which I can decide whether or not I want to use. I can also decide when I want to launch this PowerShell payload: on open, on close, or on user click. So I have, if you like, 12 different possible permutations to select from, and I have two modes for my tool. Now my tool just like gets a PowerShell payload, and you can either use it in a manual mode to selectively, manually pick whether or not you want any of the features, or you can use it in this automatic mode and just like generate 12 documents at once and throw them at AV, as I did. So this

brings me to the test. I actually took ransomware, a very well-known one, we have over 95% detection in VirusTotal. I used Invoke-ReflectivePEInjection of a well-known framework to load the bytes directly into memory, no special tricks, just like took the bytes, injected them into memory, and I talked to it... I created 12 documents and I threw them at five popular enterprise-class AVs, all fully enabled; if they have any kind of restriction for PowerShell, it was applied. And at this stage I actually set an interesting success criterion. I wanted... a success was defined as a kind of a situation where some of the payloads bypass the AVs and some didn't. So if none bypass the AV,

my tool is crap, and if none were detected by the AV, the AV is worthless. So I want a kind of trade-off to define the kind of situation where my tool is actually useful. And for the results, drum roll... yeah, 100%. It's like a quite rare situation when it comes to information security, but 100 percent of the payloads actually bypass the AV. But it's not actually a hundred percent, because in 40% of the cases actually all of the payloads bypass the AV, and in 60 percent of them they fail, so my tool is actually useful. So yeah, it was kind of not a worthless job; it actually served me well and I think that, yeah, it was a

good job. I can like do like this myself, and yeah... oh yeah, I forgot about him, he can surprise me now, life-sized Chuck Norris. And so to conclude this kind of... I think it kind of worked, and it was wonderful to watch all of those vendors who claim that no PowerShell can be executed under this setting; yeah, I totally smashed them. This brings me to the good idea / bad idea phase of the talk. Good ideas and bad ideas are actually quite a thing here: never believe those kinds of vendors which promise you a 100% bulletproof PowerShell-less environment. There's no such thing as 100% blocking, or in information security at all. We just released a blog about it today; you

can read the full backstory, origin story, of Invoke-NoShell on Minerva's blog today if you want. I kind of searched for good advice for blue teamers other than that, and it's mostly about logging. My tool, by the way, if you have PowerShell 5 or a more advanced version, it is logged, so enable logs and don't rely on any kind of promises, which actually are worthless. And I guess that this is time for my mandatory slide with a cat. He actually looks at PowerShell, you know, it is like on a Mac, I know, how come it is PowerShell on a Mac, but yeah, it's a curious situation we have here. Again, this is my Twitter handle and my

GitHub account; the project is already up there. And I don't know if we have time for Q&A or not, but yeah, this was Invoke-NoShell. We have time for Q&A? We have time for Q&A, right or not? Okay, so questions? Yeah, question one... nobody? Wow, thank you, so I guess this is it. [Applause]
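Added editor's example, not code from the talk, from Invoke-NoShell, or from Minerva Labs. The two tricks the speaker describes are (1) a .ps1 dropped into a profile path that PowerShell ISE loads on start-up, and (2) the per-user ExecutionPolicy value under HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, which is exactly what `Set-ExecutionPolicy -Scope CurrentUser` writes and which needs no admin rights. The script below is the blue-team check a practitioner would run for both, plus the script block logging setting the speaker recommends. Assumptions that are mine: default profile locations under C:\Users and $PSHOME, the function names, and the "Hint" triage column; it only sees user hives that are currently loaded under HKEY_USERS.

```powershell
# Editor's audit example (not Invoke-NoShell code). Run in Windows PowerShell 5.1,
# the version that ships PowerShell ISE; PowerShell 7 has no ISE host at all.

function Get-IseProfileFindings {
    [CmdletBinding()]
    param([string]$UsersRoot = 'C:\Users')   # assumption: default profiles root

    # Profile files ISE loads on start-up: the AllHosts profile.ps1 and the
    # ISE-specific CurrentHost profile, for the machine ($PSHOME) and each user.
    $names = 'profile.ps1', 'Microsoft.PowerShellISE_profile.ps1'
    $dirs  = @($PSHOME)
    if (Test-Path -LiteralPath $UsersRoot) {
        $dirs += Get-ChildItem -Path $UsersRoot -Directory -ErrorAction SilentlyContinue |
                 ForEach-Object { Join-Path $_.FullName 'Documents\WindowsPowerShell' }
    }
    foreach ($dir in $dirs) {
        foreach ($name in $names) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path
            # Cheap triage only: a real pipeline would hash and inspect the content.
            $suspicious = Select-String -LiteralPath $path -Quiet `
                -Pattern 'FromBase64String|Invoke-Expression|\bIEX\b|Reflective'
            [pscustomobject]@{
                Check   = 'ProfileScript'
                Path    = $path
                Bytes   = $item.Length
                Written = $item.LastWriteTimeUtc
                Hint    = if ($suspicious) { 'review' } else { '' }
            }
        }
    }
}

function Get-ExecutionPolicyRegistryFindings {
    # Set-ExecutionPolicy -Scope CurrentUser writes this value; no admin needed.
    $subKey = 'Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

    # Walk every loaded user hive, not just HKCU, to cover other logged-on users.
    foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        $value = (Get-ItemProperty -Path $keyPath -Name ExecutionPolicy `
                      -ErrorAction SilentlyContinue).ExecutionPolicy
        if (-not $value) { continue }
        [pscustomobject]@{
            Check = 'UserExecutionPolicy'
            Path  = "HKU\$($hive.PSChildName)\$subKey"
            Value = $value
            Hint  = if ($value -in @('Unrestricted', 'Bypass')) { 'review' } else { '' }
        }
    }

    # Machine-wide value for comparison (a user value overrides it unless GPO is set).
    $machine = (Get-ItemProperty -Path "HKLM:\$subKey" -Name ExecutionPolicy `
                    -ErrorAction SilentlyContinue).ExecutionPolicy
    [pscustomobject]@{ Check = 'MachineExecutionPolicy'; Path = "HKLM\$subKey"; Value = $machine; Hint = '' }
}

function Get-ScriptBlockLoggingState {
    # The speaker's blue-team advice: rely on logging, not on "PowerShell is blocked".
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $on  = (Get-ItemProperty -Path $pol -Name EnableScriptBlockLogging `
                -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        Check = 'ScriptBlockLogging'
        Path  = $pol
        Value = $on
        Hint  = if ($on -ne 1) { 'enable it' } else { '' }
    }
}

# Usage: one table with every finding; filter on Hint -ne '' for the items to act on.
@(Get-IseProfileFindings) + @(Get-ExecutionPolicyRegistryFindings) + @(Get-ScriptBlockLoggingState) |
    Format-Table -AutoSize
```

Two caveats the talk implies but does not spell out: a profile script in one of these paths is also loaded by powershell.exe, so a "review" hit is worth a look regardless of which host started it; and a Group Policy execution policy (MachinePolicy/UserPolicy in `Get-ExecutionPolicy -List`) wins over the HKCU value, which is the one setting that the registry trick above cannot override.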