Closed zeroSteiner closed 3 years ago
It looks like the gem failed to release for this because there was a unit test failure that I wasn't aware of. I'll look into it and see if I can get it fixed. Thanks for testing and landing this @timwr! May have to hold on for a bit until I can get it resolved.
Figured out why the tests failed and proposed a solution to fix them in #32.
This adds and uses a method that can obfuscate PowerShell string literals. In the case of our current protections bypass stub (which is a combination of an AMSI bypass and a Script Block Logging bypass), it is being detected as a malicious script. These changes alone aren't enough to fix that but put us in a position to add additional entropy to strings that are otherwise contributing to this classification. I also added a generic option to prepend a PowerShell stub that can be used in the future to add custom logic. This currently isn't leveraged but will be necessary for future work on the Metasploit side of things.
Testing
For now, things are still identified as malicious so the target Windows system must have Defender disabled, specifically the Real Time Protections setting.
use exploit/windows/smb/psexec
set Powershell::prepend_protections_bypass true
Example
'ScriptB'+'lockLogging'
New obfuscated string literal which changes (default threshold is 0.15).
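As an added, defender-side example (not code from this PR or from the rex-powershell gem): a small Ruby normalizer that collapses runs of concatenated single-quoted literals such as `'ScriptB'+'lockLogging'` back into one literal before signature matching, so the split described above no longer hides the indicator. The indicator list and the sample script are constructed for the example.

```ruby
# A single-quoted PowerShell literal; '' inside it is an escaped quote.
SQ_LITERAL = /'(?:[^']|'')*'/

# Two or more such literals joined by '+', with optional whitespace
# (including newlines) around each '+'.
CONCAT_RUN = /#{SQ_LITERAL}(?:\s*\+\s*#{SQ_LITERAL})+/

# Rewrites every 'A'+'B'+'C' run into the single literal 'ABC'.
# Escaped quotes ('') inside the pieces are preserved unchanged.
def normalize_concatenated_literals(script)
  script.gsub(CONCAT_RUN) do |run|
    pieces = run.scan(SQ_LITERAL).map { |lit| lit[1..-2] }
    "'#{pieces.join}'"
  end
end

# Returns the indicators (case-insensitive substrings) that appear in the
# script once the concatenation split has been undone.
def flag_script(script, indicators)
  normalized = normalize_concatenated_literals(script).downcase
  indicators.select { |ind| normalized.include?(ind.downcase) }
end

# Constructed sample: the split form from the PR plus a whitespace variant.
SAMPLE_SCRIPT = <<~PS
  $a = 'ScriptB'+'lockLogging'
  $b = 'Amsi' +
       'Utils'
  $c = 'it''s'+' fine'
PS

# Constructed indicator list; a real one would come from your detection content.
INDICATORS = ['ScriptBlockLogging', 'AmsiUtils'].freeze

if __FILE__ == $PROGRAM_NAME
  puts normalize_concatenated_literals(SAMPLE_SCRIPT)
  puts "flagged: #{flag_script(SAMPLE_SCRIPT, INDICATORS).inspect}"
end
```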