Skip to main content

Unmanaged PowerShell Binaries and Endpoint Protection – Part 2

February 08, 2018

In my last blog post, I discussed the process of creating a binary that contained a reverse PowerShell payload, only it did not leverage PowerShell.exe or PowerShell_ISE.exe. The binary talked directly to the .NET Framework. This binary proved very successful in bypassing endpoint vendors in Optiv’s 2017 endpoint research. In this blog I will build on the previous post by introducing obfuscation to the code, which will make detection more difficult. The new binary will contain a PowerShell Empire stager, it will be “signed,” and it will be placed on the OS where an attacker can achieve userland persistence. 

In order to get started, an Empire listener needs to be active, and a stager must be created for that listener. Using the multi/launcher stager and turning the BASE64 option to False, we receive the output below.

Figure 2.1
Figure 1 – PowerShell Empire stager output

The stager code is copied over to Visual Studio. Note, I removed a few of the ScriptBlock logging commands because the commands triggered detections during testing. The stager script is broken up into smaller, more manageable segments.

Figure 2.2
Figure 2 – PowerShell Empire stager in Visual Studio

If the stager code above was used in the binary, there is a high chance that endpoint vendors would detect the file as malicious. The endpoint industry is slowly starting to tackle the PowerShell problem, which is very difficult to solve because of PowerShell’s flexibility. The stager code needs to be changed to avoid detection but still needs to be readable by the .NET Framework. 

Daniel Bohannon, a senior applied security researcher at Mandiant, released an incredibly useful tool to obfuscate PowerShell commands and scripts called Invoke-Obfuscation. Written in PowerShell, Invoke-Obfuscation allows us to change the syntax of a PowerShell command through concatenating, whitespaces, reverse ordering, encoding and a few other methods.

Figure 2.3
Figure 3 – Invoke-Obfuscation

Invoke-Obfuscation is used to obfuscate each of the smaller stager commands. Line by line the commands were copied into Invoke-Obfuscation and encoded in either ASCII, Hex, Octal, Binary, AES or BXOR.

Figure 2.4
Figure 4 - Example of stager command encoded with Invoke-Obfuscation

Obfuscating a stager within Empire is now built in but must be set to “True” in the settings menu prior to creating the stager code. Similarly, commands can be obfuscated within Empire and also must be set to “True” in the stager settings. The Optiv research team discovered that the output of some obfuscated commands contained double quotes and needed to be replaced with single quotes in order for C# to interpret the command properly.

Figure 2.5
Figure 5 - PowerShell Empire multi/launcher stager settings

After each of the smaller segments from Figure 2 are obfuscated, the segments are inserted in the corresponding section in the Program.cs file.

Figure 2.6
Figure 6 – Program.cs file with the original commands in green and obfuscated ones in orange.

In this example, the custom application is named OneDrive. The file is signed with a fake signature designed to look like it is from Microsoft and the binary is compiled. The end result is a file that looks similar to the real Microsoft OneDrive executable.

Figure 2.7
Figure 7 – Compiled malicious OneDrive executable

Figure 2.8
Figure 8 – “Signed” file with sigtheif

But, why OneDrive? As it turns out, Microsoft OneDrive launches automatically each time a user logs in to their computer. Assuming an adversary has access to a machine, they can locate the OneDrive process, kill it and replace the binary with the malicious OneDrive file. On the next reboot, the attacker will have a persistent session under that particular user. 

Figure 2.9
Figure 9 – Locating and killing the OneDrive process on the victim host

Figure 2.10
Figure 10 – Uploading the malicious OneDrive executable to the users’ AppData\Local\Microsoft\OneDrive folder

Figure 2.11
Figure 11 – Client view of AppData\Local\Microsoft\OneDrive\OneDrive.exe

Once the machine is rebooted and the user logs back in, the attacker has a reverse shell that provides all the tools that PowerShell Empire offers. Not to mention it runs under an unmanaged PowerShell binary that looks a lot like OneDrive on the surface. 

Figure 2.12
Figure 12 - PowerShell session under our malicious OneDrive executable

There are several ways to detect this activity in your environment. If possible, prevent unknown binaries from running or perform hash verification. Organizations also should look at the logging options offered in PowerShell v5 and v6. PowerShell’s ScriptBlock logging is a way to capture CLI commands that are used in some unmanaged PowerShell sessions. If ScriptBlock logging is enabled, policies should be set to alert when it is turned off.  Monitoring network connections from OneDrive to IPs other than those used by Microsoft would be an additional way to detect malicious activity.  

    Dan Kiraly

By: Dan Kiraly

Senior Research Analyst

See More

Related Blogs

January 25, 2017

Escape and Evasion Egressing Restricted Networks

A command kill chain consists of payload delivery, code execution on a target system, and establishing a command and control (C2) channel outside of a...

See Details

March 08, 2018

Part 2: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

In part 1 of this series, we provided insights responding to the frequent question regarding control frameworks and their place in the security strate...

See Details

February 28, 2018

Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about contr...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

October 11, 2017

Managed Endpoint Protection Platform

Learn how our managed endpoint protection platform service keeps your technology running.

See Details

July 14, 2017

Endpoint Security Solutions

Learn how we help you identify your endpoint security gaps and find the right solutions.

See Details

November 10, 2017

Unmanaged PowerShell Binaries and Endpoint Protection

Optiv recently completed our 2017 endpoint security solution evaluation. The primary focus of the evaluation was to test the solutions’ efficacy acros...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.