Skip to main content

Unmanaged PowerShell Binaries and Endpoint Protection

November 10, 2017

Optiv recently completed our 2017 endpoint security solution evaluation. The primary focus of the evaluation was to test the solutions’ efficacy across the cyber kill chain. Surprisingly, we discovered a high failure rate in detecting two custom binaries that were created for the evaluation as malicious and the commands executed through them. Both of these binaries incorporated the concept of unmanaged PowerShell. 

Endpoint Protection

Unmanaged PowerShell is a way of executing PowerShell commands and scriptblocks without ever using PowerShell.exe or PowerShell_ISE.exe. The concept was introduced to me by Ben Ten at the Raleigh B-Sides Conference in 2015. Ben, an industry expert, explained that PowerShell is only the executable that allows you to interact with the .Net Framework and that any binary could be created to do the same thing. This concept is a few years old and there has been interesting research done by several people including Ben, Jared Haight and others on the topic. While unmanaged PowerShell isn’t the newest concept, it still proved to be an effective method of obtaining a shell and performing post execution actions on endpoints protected by enterprise-class security products. 

My goal was to create an unassuming binary that applied the unmanaged PowerShell concept and returned a reverse shell. I used Ben’s AwesomerShell project on GitHub as a reference. AwesomerShell’s proof of concept code creates an executable file that uses the System.Management.Automation dll. This program provides an interactive command window that accepts PowerShell commands without ever running powershell.exe. The code was modified in an attempt to make the binary look as benign as possible. The payload was a command to download Nikhil SamratAshok Mittal’s Invoke-PowerShellTcp in memory and pass the arguments to connect to our C2 server. 

Endpoint Protection 1
Figure 1 – Creating the reverse shell connection 

Endpoint Protection 2
Figure 2 – Final code 

OUTLOOK was used as the assembly name and default name space.  

Endpoint Protection 3
Figure 3 – Changing the assembly name and default namespace  

The Outlook icon and Outlook 2013’s assembly information were also copied. Here, the intention was to fool or at least confuse a user if Task Manger was opened and the process details were viewed.  

Endpoint Protection 4
Figure 4 – Changing the assembly information to match Microsoft Outlook  

The file was compiled and signed with a fake certificate. There are newer techniques that can be used to copy legitimate certificates. The real Outlook application would have a trusted sha1 and sha256 signature and would not be timestamped by Symantec. Some endpoint security products only look to see if a file contains a digital signature, instead of performing signature validation.  

Endpoint Protection 5
Figure 5 – Details of the applied fake digital signature

During testing, the binary OUTLOOK.exe was delivered in an assumed phishing scenario and when executed on an endpoint it connects back to our C2 server. 

Endpoint Protection 6
Figure 6 – Image of the malicious OUTLOOK file a user’s desktop

The attacker now has a reverse shell running under OUTLOOK.exe with the ability to download additional scripts into memory and run any commands that PowerShell.exe can execute. The lack of detection for the initial execution isn’t that impressive because the malware is only making a TCP connection. However, Optiv discovered that some endpoint security products only detect and log commands run from PowerShell.exe, not the malicious OUTLOOK executable. Unmanaged PowerShell sessions can be a way to execute PowerShell commands while bypassing these detections and preventions.

Endpoint Protection 7
Figure 7 – Connection back from the victim with example PowerShell command

Endpoint Protection 8
Figure 8 – Note, PowerShell.exe is not running on the victim

There are several ways to detect this activity in your environment. If possible, prevent unknown binaries from running. Organizations should also look at the logging options offered in PowerShell v5. PowerShell’s ScriptBlock logging is a way to capture cli commands that are used in some unmanaged PowerShell sessions.    

There are many different ways to execute this concept. If you are interested, I suggest you take a look at the research being done by Casey Smith @SubteE on Twitter. Stay tuned for Unmanaged PowerShell Binaries Part 2, which explains how to create a similar binary with an Empire launcher as the payload and Invoke-Obfuscation for detection bypass.   

    Dan Kiraly

By: Dan Kiraly

Senior Research Analyst

See More

Related Blogs

January 25, 2017

Escape and Evasion Egressing Restricted Networks

A command kill chain consists of payload delivery, code execution on a target system, and establishing a command and control (C2) channel outside of a...

See Details

March 08, 2018

Part 2: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

In part 1 of this series, we provided insights responding to the frequent question regarding control frameworks and their place in the security strate...

See Details

February 28, 2018

Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about contr...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

February 08, 2018

Unmanaged PowerShell Binaries and Endpoint Protection – Part 2

In my last blog post, I discussed the process of creating a binary that contained a reverse PowerShell payload, only it did not leverage PowerShell.ex...

See Details

August 24, 2016

Endpoint Security Workshop

We help you navigate the endpoint technology landscape and define requirements to create an actionable plan.

See Details

November 10, 2017

Unmanaged PowerShell Binaries and Endpoint Protection

Optiv recently completed our 2017 endpoint security solution evaluation. The primary focus of the evaluation was to test the solutions’ efficacy acros...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.