post-exploitation: using PS 5.0 security settings to hide code execution

Posted on by

I’ve started playing with all the new security features introduced in PowerShell 5.0 – ScriptBlock Logging, Protected EventLog and Transcripts mentioned in the PowerShell ♥ the Blue Team post.

All the following assumes that the target machine has already been breached, that you already have admin credentials on the box. It does not take advantage of any vulnerability.

Here’s the context of the scenario, let’s assume that:

  • the target computer owned is a Windows 10 computer
  • you’ve admin credentials on that box
  • a group policy was set and at least configures both the scriptblock logging and protected eventlog (just in case there are credentials in the code): see for example my previous post

or let’s say

  • I’m a local admin of a Windows 10 computer
  • My domain admin set a GPO that configured all the new WMF 5.0 settings: transcript, scriptblock logging and protected eventlog
  • I don’t want him or anybody to look over my shoulder

The goal is to hide the execution of a command in plain sight without touching the disk even if there’s already a Group Policy that enables scriptblock logging, protected eventlog and transcription.

How? By

  • using another another public key created on the fly that replaces the GPO settings
  • turning off transcripts if they are on
  • restoring gracefully the initial GPO parameters that configure protected eventlogs and transcripts

The first part of code when running isn’t hidden, it makes a lot of noise and can be detected by usual means.

The code is available in the following gist/link

Let’s see it in action as a picture is worth a thousand words:

attack-demo-01

attack-demo-02

As you can see, I’ve added two switches to let transcription on and to export the public and private keys of the new certificate used on the fly. Without the two switches, it doesn’t touch the disk (well, forensically speaking it still does because the registry, certificate stores, eventlogs,… are modified).

Read-protectedEventLog-02
If I don’t have the private key, I cannot decrypt the message in the protected eventlogs 😦
But, if I import the private key left and use the code from my previous post, I can see:
attack-demo-04

As I left transcription on, I can also see:
attack-demo-03

It’s a nice convenient way to stop everybody watching what you do, isn’t it 😉

1 thought on “post-exploitation: using PS 5.0 security settings to hide code execution

  1. Pingback: Dew Drop - August 8, 2016 (#2304) - Morning Dew

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.