
GF - Invoke-NoShell - Gal Bitensky

BSides Las Vegas · 27:25 · 101 views · Published 2018-09
About this talk
Invoke-NoShell - Gal Bitensky, Ground Floor, BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript [en]

Hi guys, it's a pleasure seeing a full house today at BSides Vegas. We are here for Invoke-NoShell: all the power with no shell, as in PowerShell. Once we are leaving this place to eat our lunch in 25 minutes, we'll be able to actually take payloads, easily put them in a malicious document and execute them without powershell.exe, which is nice, fast, since we're like kind of good guys trying to act as bad guys there many times. Without further ado, let's move to me. That's me. I'm working for a company called Minerva Labs, but this is not a sales pitch, so we don't care about this. I have a background in threat intel; my background is threat intelligence

analyst. I did some work of stuff and full-stack researcher, meaning that I tried anything from SCADA and Modbus to this crappy PowerShell stuff. I hate PowerShell; I am about to swear about it like tons of times. I have many open source projects, and this is my repository on GitHub. I have stuff there for bypassing sandboxes like Cuckoo, not sandbox as in browsers, and a project for copy-paste malware built from scratch, and all kinds of cool stuff. Just like browse there and you'll be good. So yeah, my name is Gal, by the way, which is just like Gal Gadot. That's like the best thing she ever did, being famous, because now I can actually

explain my name really easily. It's a unisex name, so don't worry about it. It actually means "wave" in Hebrew, which is kind of a cool name, think about it. Yeah, no worries, and feel free to follow me on Twitter and GitHub, and, I know, even on Instagram if you really want to. Yeah, there will be tons of cheap effects in this presentation, so stay tuned. Okay, let's move to the outline of the presentation. We'll start with a bit of a background of PowerShell, what it is good for, absolutely nothing, but for blue teamers and red teamers from their different points of view, the PowerShell that is so good or bad. We'll move then to the actual tool, Invoke-

NoShell, and how does it work and why it is better than what we have right now, and then we'll introduce how it actually works and performs against real-life AVs, which is kind of what we are doing in daily life. Okay, so let's begin with the blue team point of view. What is PowerShell to blue teamers? Well, it is kind of a programming language, mostly for Windows, right now for Linux and Mac, I guess. I don't know who uses this kind of stuff on Linux, but good for you. It is really powerful. It is actually really easy to learn and use, which is good since we lack trained IT personnel, so this is one of the reasons it is so

popular. Even I can code in PowerShell. It has all the power of .NET. .NET can do anything in Windows, really anything, even more than the people designing .NET intended to, I guess. So PowerShell packs all the .NET power inside, which is good for blue teamers because they can do anything. It's compatible with WMI, COM objects, which is again really good because it enables us to do tons of stuff, maintain the list of whatever in the cloud, for example. And it has better security nowadays. It has logging and AMSI, which you can send a buffer to your AV provider, which is really nice. However, it is not perfect. Remember that, for example, yeah, this is a recent thing

from a blog of MDSec, for example. You can see that they do have better security now, and if you try to execute the System.Management.Automation.AmsiUtils, amsiInitFailed etc. and try to disable it, they will detect it. However, if you break it with a plus and you concatenate strings, or you just use double quotes instead of single quotes, you bypass it. So it's not perfect; we still have some improvements to make, but it's a better situation than we used to have. Okay, and it is so common that I did a survey among like 80 different friends of mine, how many people actually use PowerShell in their daily life, and ninety-seven

percent of the people use PowerShell. Some, like me, regret it, really regret it, but it is a very common language for a good reason. And let's continue to the red team's point of view, which is, I know, how many of you are red teamers? How many of you are blue teamers? Okay, so it's good, about 50/50, and maybe 20, 20 and 60 percent which are kind of anonymous, but just okay, no worries. So for red teamers, kind of surprisingly, the advantages of PowerShell for the blue team are the same for the red team, alike, because we also lack well-trained red teamers, and it is easy to write bad stuff in PowerShell, really easy, almost

too easy. It has all the power of .NET, which means we can do almost anything in malicious PowerShell because .NET is so powerful, and it communicates with WMI and COM. Check: you can use WMI, for example, to launch processes without having the parent process as the original one, which is kind of good if you want to fight EDRs, for example. Again, really nice. Just like a bit of a different advantage of PowerShell for a red team is the fact that it is fileless. Well, this buzzword, I hate it, sorry, but it is an advantage. You can actually execute PowerShell scripts without writing to the disk. Again, nice, it assists you to evade some detection tools or to make blue teamers'

life way more miserable, but blue teamers in the crowd, I'm sure, will agree. Okay, also a key benefit of PowerShell, at least for red teamers, is the fact that tons of frameworks were already written for PowerShell, for example PowerSploit, Invoke-Obfuscation, Veil, all that I think is compatible with Metasploit, which is good for a kid like me: I just, like, want to generate my payload, click on this exploit button and set the C2 server, and I have a working backdoor out of the box really easily. And well, we're all lazy, but you might say not lazy, maybe we are trying to be efficient is the word, but PowerShell is a good way to achieve powerful backdoors

in no time in a reliable way, to bypass AVs, partially because of those frameworks. I did a quick survey about this as well. Only 50% of the responders were actually using PowerShell for malicious purposes, so I treated the results with respect only to those using PowerShell maliciously, and 83% of those using PowerShell for malicious purposes actually successfully bypass AV. The rest, 17%, I know, maybe you can take a private class with me afterwards. And 60 percent of those using PowerShell for malicious purposes use frameworks; the remaining 40%, I guess, well, maybe they're the kind of guys that invented their own cryptography or something. Use frameworks, it is good, it is really easy, just use frameworks,

they're really good. But well, oh, the life of red teamers, we found, is not that good as well. We do have some issues with PowerShell: like, "restrict PowerShell" in Google, you get 90,000 like results. You have some ways to restrict PowerShell execution; they are not making it impossible, but they make you struggle for a bit. And you have this annoying Packager Activation Office thing, which means that if you try to, let's say, put an OLE object in a document, and somebody clicks it in a fully up-to-date Office, that's an important thing, you'll get this screen, which blocks any kind of batch or PowerShell execution if it is an

embedded object. Again, not perfect, it can be bypassed, from the three for example, but it makes our life a bit more tough. And this is the most annoying thing, at least from my point of view: when I'm using PowerShell for offensive purposes, I use it often from a document, so I have a blank document and I start, like, thinking about what we are doing now. I'll launch it on open, on close, when the user clicks, let's say I go for on-click, and then I need to write all the VBA ugly code, and then I need to decide whether or not I want to use an EP bypass or not. Again, I think about it:

well, let's do the EP bypass, and then I generate my final combination of traits, like the first trait is the on-click and the second one is the -EP bypass, but I do all of it manually, which is really time-consuming and really annoying, since VBA is even worse than PowerShell. Yeah, you're all agreeing at this, and it's an awful, awful, awful, awful thing and I hate it. There is a framework called Lucky Strike which is nice; it does solve some of the issues I'm struggling with, but it wasn't good enough for my kind of need. You'll see in a sec how I solved it. So to sum it up now, what we are missing is

basically having a method to overcome restrictions effectively and to work at scale, to generate all of those traits and combinations effectively and easily, at least from my point of view, I'm kind of a red teamer. So in this stage I want to unveil Invoke-NoShell, which is, yeah, I promised the cheap transitions between slides, yeah, I wish to unveil Invoke-NoShell, sorry for saying it in a way. And well, I don't want to kind of unveil it directly; I want to unveil it via a story. I had a case: my boss comes to me one morning, he says, well, we have a potential client, but he says he has 100 percent protection against any PowerShell attack,

nothing can... yeah, exactly my response, exactly my response, I totally get it. And well, I Googled for a while and I found this thing. This is the core of Invoke-NoShell. You might laugh, but this is PowerShell ISE, for those of you who don't know. And after googling for a while, it turns out that if you place your PowerShell script in this place, which resolves to this path, you can actually get your script executed by PowerShell ISE instead of powershell.exe. It is nice, it has a UI which pops, but you can shut it down, you can hide it. It is a really nice way to execute, and powershell.exe is never invoked. It is really

nice. It overcomes many AVs which restrict PowerShell but not PowerShell ISE, because why restrict PowerShell ISE? It can never execute PowerShell scripts. It can, well, you just need to read the manual. And well, in this stage I have like my first trait, and my kind of a step towards a final version of my infected document. But then I realized I need to find a way to bypass the execution policy, because, well, I guess that many of you have already seen malicious documents and how they used to have like this -EP bypass all the time, but I can't use the same flag from PowerShell ISE, because, well, it doesn't get these kinds of arguments. It's not

powershell.exe, it's PowerShell ISE, and I can't use this -EP bypass. Fortunately enough, although 30% of the users always see this annoying message, this "execution policy is restricted" message, it turns out that the execution policy is broken. It is not a security measure and should never be treated as one, and you just, again, yeah, I can just toss it to the trash bin. And even by Microsoft documentation, it was never meant to be used as a security measure. It should just idiot-proof PowerShell for the stupid user who doesn't need to execute a shell, but if a user intentionally wants to execute PowerShell, you can't stop him

from doing so by execution policy. And indeed I found this nice little blog post about this registry value. All you need to do is just to set this registry value, which resides in the HKCU hive, meaning that you even don't need to be an admin to set it, and you can set it to Unrestricted, and you don't need this -EP bypass thing, which is again kind of amazing. And this is the second trait which I added to my malicious document, all again by hand, which is kind of frustrating, and you need to do it in VBA, and it's a really annoying thing to do. But I have my second trait, and now, well, it is not a single vendor. It is

never a single vendor; you need to check it again. It is the first vendor and then the second one and then the third one, and everything by hand, and you have like eight different combinations of traits to check, and you do it all by hand, and then, after doing all the vendors, you find this perfect combination. But this takes a lot of time, and my goal with Invoke-NoShell was solving it. So in order to do so, I've started to think about what is the technology where I can create all this stuff automatically and create a malicious payload, a malicious document with a payload, from code, and I used PowerShell to do so, and the result was this

nice thing called Invoke-NoShell. It is basically a PowerShell script, object-oriented PowerShell, which is cancer [Music], yeah, which has all the kinds of traits being translated into members and member functions, and it communicates with Office COM objects. It just uses the WinWord instance, which means you need to have Office installed, but well, this kind of makes sense. And it just generates on the fly all the different permutations of the possible ways to, for example, bypass the execution policy, or to launch the payload via PowerShell ISE or PowerShell, and either to launch the payload on open and close or on user click, which just creates a link in the document, and that

will trigger it. So those are the options, those are the potential hosts for the PowerShell script, and you can actually bypass the execution policy, as I said. And a nice thing I added just recently is the option to embed an object in the document, so this MS, sorry, this SettingContent-ms thing, which was quite popular for the last couple of months. Well, it generates just another permutation of those traits with it just being embedded inside. It is really easy to do this kind of stuff since it is written in an object-oriented way. It is available online, we will be able to see it, of course, and it is really easy to add this kind of stuff inside. And once you

do it, you just click on a button and you get all the results. There are actually two different modes to this. You have a manual mode where you select all of those traits manually, and you have an automatic mode where you just press a single key and you have 13 different combinations of traits, which is really easy because you don't need to manually edit the VBA code anymore. You just press on this auto-exploit button and you get tons of different variations of this malicious document. And I'm lazy, I really like it. It really saved me time in my daily life. So, a little demonstration of how it works. This is me actually executing Invoke-

NoShell. I give it a path to the payload, a mode, which is manual, to actually enter my traits manually, and the text to lure the victim: "click me". Nothing that complex. And my movie will now print the banner, an awesome banner of Invoke-NoShell, which is just like a shirt, a shell and "no". And now I just select two, which is on document close launch the payload; I want to force execution if it is restricted, and I want to use PowerShell ISE as the host of the script. It is that easy. I don't need to edit any VBA code anymore. You can just take your payload of choice and embed it in a

document without messing around with actually writing the VBA, and we're done. On the other hand, you can also use it in the automatic mode. This is the auto mode. I even don't use any arguments here, like in the last movie; I just insert them by hand. It will ask me questions to get like the payload path and the lure text and all the other stuff, and then, well, yeah, you can see I have a typo here, and then I'll put it in, and again "click me" in this case, because why not, and auto mode, and then instead of asking me which traits I want to add to my... it will just generate everything. Oh sorry, yeah,

it's not that, that doesn't matter really much, it's just like, sorry. It will just generate, after five minutes, all of those different documents, which is awesome. Okay, and you can see it's me, it's not really surprising, and I even commented the VBA code it generates. Yeah, awesome, so it's even commented, and well, you can really enjoy it and edit it. And we've seen the motivation for using it so far, we've seen like how it works, and let's speak about the results. I did a quick test whether it works or not. I used the payload, which is the satin on somewhere, just like read it as a stream of bytes. I used Invoke-ReflectivePEInjection, which is a really popular thing, and I just

injected the shellcode; to insert it, it used as a payload nothing too fancy or local. Even, I didn't use like base64 encoding, really simple stuff. I generated 13 different documents. The victim was Windows 10 64-bit, five popular AVs, the Friday if it's often, including next-gen AVs, which is just another AV. Some of them are really good, but it is just another AV, and they were fully enabled, fully capable, enterprise-scale, enterprise-grade. And well, it's time for checking if we've had great success or not. I defined the success criterion, which is kind of awkward: I want at least one of my payloads to actually bypass the AV and at least one to fail, because if all the payloads

bypass the AV, then my tool is worthless because the AV is worthless and you don't need a tool to bypass the AV, and if all failed, the AV is good, but at least my tool is worthless. So thankfully I had a hundred percent success rate. Out of those, in forty percent of the cases actually all the payloads bypassed AV, which is kind of awkward, but in sixty percent of the cases my tool was useful. So I think I can get the check nodes, approved and sealed. And since we're kind of running out of time, let's go to the takeaways. Well, for red teamers: use this to work at scale effectively, adopt new techniques really fast, take it in and

use it without messing around with your VBA. Just take a PowerShell payload, launch it without PowerShell, and do it in no time. It is really easy to use; you need no prerequisites, just git clone, and even copy the raw PowerShell script. It is really easy. But I want blue teamers also to take something from here: don't rely on these "100% satisfaction guarantee" promises of the vendors. Test it yourself. It is really easy as a blue team to create many malicious documents, or malicious... you can also just like pop calc, I don't know, and to check whether or not the environment actually limits PowerShell as they expect. Don't rely on those snake oil promises. It is, yeah, it

is, it is just like, no, simply no, don't do it. And without further ado we'll go to the Q&A session. But this is the cat. I have a cat slide in every one of my talks. He looks at PowerShell on a Mac. I found a stock photo online. I can't explain it. I have literally no explanation what the actual... we have streams, so I am NOT gonna say. And I think we can go to a Q&A now. [Applause]

Now questions. In its current version, is there any anti-sandbox or sandbox detection built in? No, I didn't take the measures to evade sandboxes or anything, which in my understanding should be done by the payload itself. I

tried to keep it as clean as possible, with nothing like malicious, you might say, in my framework. It's really easy to add this kind of stuff.

As it stands with this module, could you create an executable that can run on its own, or is it just for creating the documents that contain the payload? In this stage it actually creates only a document with the payload, but you can do anything in this like style too. You're talking about like taking an executable to launch the PowerShell using PowerShell ISE; it is really easy, yeah, you should do it in no time, I trust you.

So I got the malicious content in that Word document; was that VBS? No, actually it's VBA. Like, the macro itself is VBA and it holds all of the payload as lines, actual text lines, inside the macro code. Okay. And it just concatenates it, and in my case, in some of the scenarios it actually writes it to the disk, so it is not fileless, but who cares, it bypasses all of the AVs. Interestingly, there's a limitation in VBA: you can't exceed 1024 characters in a VBA line, which is very annoying, it limits your payload, and also you can't use non-ASCII characters, which also kind of sucks. But my tool actually

checks that. It checks it prior to the creation of the payload, and it will alert you if you've broken the VBA. And did you build this tool in C#? No, it is funny, PowerShell. Okay, I cannot regret it, right? But it is kind of well, well, well coded and documented. You can have a look, it is good. If you have questions, feel free to ask.

Hello. Hi, this is pretty red-eye, I work as a blue teamer and this makes me want to red team. Had a question: you tested Invoke-NoShell against a number of antivirus utilities; did you try against any like EDR solutions, like Carbon Black or otherwise? Well, Carbon Black, no, I didn't try it specifically against Carbon Black. Also I'm not sure if I'm like allowed legally to say exactly against who I tested it, but it wasn't Carbon Black. But Carbon Black may alert, like other EDR solutions, on this kind of stuff, but EDR solutions kind of alert on anything, and as a blue teamer I think you can kind of, I'm very aware, yeah, yeah, alert, an alert is just like a log

in this case, I guess. Hi, so when you were testing different combinations against different AVs, did you find that there were some combinations that were working across the board more often? Yeah, not yeah, okay. And is that information documented, or is there any... If we were... I can tell you right now, it was the case of using PowerShell ISE and launching it on a user click. You can actually write the payload to the disk and launch PowerShell ISE from a user click on the document, and then you avoid using ShellExecute, you avoid like using powershell.exe, and well, they just don't get you. So cool, thanks. Yeah, that's the magic bullet.

I think we can probably take one more question.

Normally, thank him, because that was fine. [Applause]
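The talk makes two points a blue teamer can verify directly: the execution policy is not a security boundary (a standard user can override it from a registry value under HKCU), and powershell_ise.exe is a second script host that restrictions aimed only at powershell.exe do not cover. The audit script below is an added example written for this page; it is not the speaker's code and not part of the Invoke-NoShell project. It reports the execution policy per scope, flags a per-user Unrestricted/Bypass override, notes whether a Group Policy (MachinePolicy) setting is actually in force, checks whether script block logging is enabled, and reports whether powershell_ise.exe is present so it can be included in application-control and logging rules. The registry paths and value names are the real ones used by Windows PowerShell 5.x; the function name Get-PowerShellHardeningAudit and the output format are this example's own choices.

```powershell
# Added audit script for defenders (not from the talk or the Invoke-NoShell project).
# Run in Windows PowerShell 5.x as the user whose configuration you want to inspect.

function Get-PowerShellHardeningAudit {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Effective execution policy by scope. Scopes listed first take precedence,
    #    so MachinePolicy (GPO) wins over CurrentUser and LocalMachine.
    $byScope = Get-ExecutionPolicy -List
    foreach ($entry in $byScope) {
        $findings.Add(("Scope {0,-14}: {1}" -f $entry.Scope, $entry.ExecutionPolicy))
    }

    # 2. The CurrentUser scope is persisted in HKCU, which a standard user can write
    #    without elevation. Flag an override that disables the script-signing prompt.
    $userKey = 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    $userPolicy = (Get-ItemProperty -Path $userKey -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
    if ($userPolicy -and ($userPolicy -in @('Unrestricted', 'Bypass'))) {
        $findings.Add("WARN: per-user ExecutionPolicy override in HKCU is '$userPolicy' (writable without admin rights)")
    }

    # 3. Execution policy is a safety feature, not a security control. If a policy is
    #    expected to be enforced centrally, it has to come from Group Policy.
    $machinePolicy = ($byScope | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
    if ($machinePolicy -eq 'Undefined') {
        $findings.Add('INFO: no Group Policy (MachinePolicy) execution policy set; user and local settings decide')
    }

    # 4. Script block logging records the de-obfuscated script text (event ID 4104),
    #    which is where concatenated or quote-swapped strings become visible again.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($sbl -ne 1) {
        $findings.Add('WARN: script block logging is not enabled (EnableScriptBlockLogging != 1)')
    }

    # 5. Alternate script hosts. powershell_ise.exe executes .ps1 files just like
    #    powershell.exe, so rules that only name powershell.exe leave a gap.
    $ise = Get-Command powershell_ise.exe -ErrorAction SilentlyContinue
    if ($ise) {
        $findings.Add("INFO: powershell_ise.exe present at $($ise.Source); cover it in application control and process-creation monitoring")
    } else {
        $findings.Add('INFO: powershell_ise.exe not found on PATH')
    }

    return $findings
}

Get-PowerShellHardeningAudit | ForEach-Object { Write-Output $_ }
```

Run it once per user profile of interest; the HKCU check only sees the current user's hive, so an override set by another account on a shared machine will not show up unless you run it in that account's context.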