Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor/fix/update PowerShell and related features #296

Merged
merged 23 commits into from
May 20, 2024
Merged

Refactor/fix/update PowerShell and related features #296

merged 23 commits into from
May 20, 2024

Conversation

Marshall-Hallenbeck
Copy link
Collaborator

@Marshall-Hallenbeck Marshall-Hallenbeck commented May 10, 2024
edited
Loading

  • fix(powershell): fix running via ps32, both with and without obfuscation
  • pwsh: remove commented code and remove easily detected amsi bypass
  • pwsh: tests: add and update tests related to powershell
  • pwsh: large amount of debugging added to powershell
  • pwsh: powershell helper refactored to fix obfuscation, running in 32 bit mode, encoding, etc
  • pwsh: turn off obfuscation by default for powershell, since defender picks it up easily
  • pwsh: turn off amsi-bypass by default, since it was an incredibly old signatured bypass (users can still pass in their own)
  • pwsh: more error checking for powershell
  • pwsh: better handling of quotes for powershell queries, since we have almost 4 layers of quoting (python, mssql, cmd, powershell)
  • wmi: check if virus detected in wmiexec
  • mssql: update mssql powershell to match smb
  • mssql: more error checking for mssql queries
  • fix(met_inject): simplify metasploit cradle, add logging, and update documentation
  • feat(tests): allow for specifying certain line numbers, allow for printing all failed commands, and properly use single quotes for linux
  • tests: add what was our default amsi bypass for testing
  • tests: add and update tests related to powershell

There's still more work to be done for the iex cradle & injection functions, but this gets us to a good point where we aren't being blown up by defender by default for simple powershell queries, etc.

@Marshall-Hallenbeck
pwsh: remove commented code and remove easily detected amsi bypass (d…
b219e8f 
…efault to none)
@Marshall-Hallenbeck
tests: add what was our default amsi bypass for testing
e342c3e
@Marshall-Hallenbeck
smb: properly obfs or not depending on args
04df1e7
@Marshall-Hallenbeck
refactor: remove unnecessary new lines
2172231
@Marshall-Hallenbeck
powershell: update powershell parameters, clean up code, and add debu…
eb9bf61 
…gging
@Marshall-Hallenbeck
fix(powershell): fix running via ps32, both with and without obfuscation
85bcbf3
@Marshall-Hallenbeck
feat(tests): allow for specifying certain line numbers, allow for pri…
90877dd 
…nting all failed commands, and properly use single quotes for linux
@Marshall-Hallenbeck
feat(powershell): large amount of fixes and improvements
27014a5 
- large amount of debugging added to powershell
- powershell helper refactored to fix obfuscation, running in 32 bit mode, encoding, etc
- turn off obfuscation by default for powershell, since defender picks it up easily
- turn off amsi-bypass by default, since it was an incredibly old signatured bypass (users can still pass in their own)
- check if virus detected in wmiexec
- more error checking for powershell
- update mssql powershell to match smb
- more error checking for mssql queries
- better handling of quotes for powershell queries, since we have almost 4 layers of quoting (python, mssql, cmd, powershell)
@Marshall-Hallenbeck
fix(met_inject): simplify metasploit cradle, add logging, and update …
ca74acd 
…documentation; related to #223
@Marshall-Hallenbeck Marshall-Hallenbeck added enhancement New feature or request bug-fix This Pull Request fixes a bug refactor labels May 10, 2024
@Marshall-Hallenbeck Marshall-Hallenbeck self-assigned this May 10, 2024
Marshall-Hallenbeck and others added 2 commits May 10, 2024 11:37
@Marshall-Hallenbeck
tests: add and update tests related to powershell
27a0b78
@Marshall-Hallenbeck
Merge branch 'main' into marshall-pwsh-update
c56f087 
Signed-off-by: Marshall Hallenbeck <Marshall.Hallenbeck@gmail.com>
@Marshall-Hallenbeck Marshall-Hallenbeck added this to the v1.3.0 milestone May 16, 2024
NeffIsBack
NeffIsBack requested changes May 17, 2024
View reviewed changes
Copy link
Contributor

@NeffIsBack NeffIsBack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, i will test it as soon as the changes are made and i have the time.

What about winrm powershell? Does that need to be adjusted now as well?

nxc/helpers/powershell.py Outdated Show resolved Hide resolved
nxc/modules/met_inject.py Outdated Show resolved Hide resolved
nxc/protocols/smb.py Outdated Show resolved Hide resolved
nxc/protocols/smb.py Outdated Show resolved Hide resolved
nxc/protocols/mssql.py Show resolved Hide resolved
nxc/protocols/mssql/mssqlexec.py Outdated Show resolved Hide resolved
nxc/protocols/mssql/proto_args.py Outdated Show resolved Hide resolved
@Marshall-Hallenbeck Marshall-Hallenbeck linked an issue May 17, 2024 that may be closed by this pull request
Fix module met_inject #223
Closed
@NeffIsBack NeffIsBack added the reviewed code Label for when a static code review was done label May 18, 2024
@NeffIsBack
Copy link
Contributor

@Marshall-Hallenbeck i think we should also update the winrm powershell logic to match the logic of smb/mssql, thoughts?

@Marshall-Hallenbeck
Copy link
Collaborator Author

@Marshall-Hallenbeck i think we should also update the winrm powershell logic to match the logic of smb/mssql, thoughts?

hmm didn't realize it used a different method of execution... I'll have to look into that.

@Marshall-Hallenbeck
Copy link
Collaborator Author

@NeffIsBack ohh it uses RSRP over WinRM, that's why. I think it should be fine to leave alone since it's a different protocol. I can look into updating the obfuscation/etc later, but that's not a huge priority right now.

@mpgn
Copy link
Collaborator

mpgn commented May 19, 2024

@NeffIsBack ohh it uses RSRP over WinRM, that's why. I think it should be fine to leave alone since it's a different protocol. I can look into updating the obfuscation/etc later, but that's not a huge priority right now.

💯

@NeffIsBack
Copy link
Contributor

Ok sounds good👍🏼will test the next days and than this can be merged

NeffIsBack
NeffIsBack requested changes May 20, 2024
View reviewed changes
Copy link
Contributor

@NeffIsBack NeffIsBack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides the cosmetic issue everything is working as expected! Finally powershell is working again 🚀
Fyi, tests ran perfectly fine

nxc/protocols/mssql.py Show resolved Hide resolved
@NeffIsBack NeffIsBack mentioned this pull request May 20, 2024
Merged
@NeffIsBack
Copy link
Contributor

Tested other exec methods because of crashes in #317, so far it looks like this PR fixes the issue(s). I will add the exec methods to the tests though.

@NeffIsBack NeffIsBack modified the milestones: v1.3.0, v1.2.0 May 20, 2024
@Marshall-Hallenbeck
Copy link
Collaborator Author

@NeffIsBack fixed the output, this should be good to go

@NeffIsBack
Copy link
Contributor

@Marshall-Hallenbeck 😬
image

@Marshall-Hallenbeck
Copy link
Collaborator Author

@NeffIsBack ah okay I misunderstood. I've changed it back and they're both the same now

@NeffIsBack
Copy link
Contributor

Awesome! Works as intended
image

NeffIsBack
NeffIsBack approved these changes May 20, 2024
View reviewed changes
Copy link
Contributor

@NeffIsBack NeffIsBack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Marshall-Hallenbeck Marshall-Hallenbeck merged commit cf231d5 into main May 20, 2024
6 checks passed
@Marshall-Hallenbeck Marshall-Hallenbeck deleted the marshall-pwsh-update branch May 20, 2024 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NeffIsBack NeffIsBack NeffIsBack approved these changes

@zblurx zblurx Awaiting requested review from zblurx zblurx is a code owner

@mpgn mpgn Awaiting requested review from mpgn mpgn is a code owner

Assignees

@Marshall-Hallenbeck Marshall-Hallenbeck

Labels
bug-fix This Pull Request fixes a bug enhancement New feature or request refactor reviewed code Label for when a static code review was done
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging this pull request may close these issues.

Fix module met_inject
3 participants
@Marshall-Hallenbeck @NeffIsBack @mpgn