Making Powershell Forensics Hard for Fun and Profit

I don’t know about you but when I am doing something related to pen-testing, I like to make it hard for the defenders to figure out what I had done. Everyone just gets a better overall and more realistic experience. You need challenges to grow! So, here is just another little trick to make it harder on forensic analysts when it comes to discovering what commands were run from a powershell process.

First thing here, I’d like to cover a few concepts of how powershell works and how we can exploit these nuances of the powershell scripting language. When you load up a powershell console, a “profile” will be loaded in the background. These files can do all sorts of things, from customizing your prompt to preloading variables and aliases for commands you frequently use. Also, there are something called “proxy functions”, which essentially allow you to overload built in cmdlets and the like. If you stick the two together, there are all sorts of things you can do to make forensics harder — I mean seriously, how many people really know a lot about the profile.ps1 file in the defenders realm? Hopefully this will aid in raising awareness of it.

Read More

Stickykeys Backdoors, Tradecraft, and Obligatory Powershell Goodness

I am currently working on an inter-team exercise as a red teamer against a Network Defender / Forensic Analysis team and we are all trying to get as much out of this as possible. I am getting plenty as I have a huge playground to hone my abilities on, but I wanted to also give them something a different to look at / analyze. This led me to creating a little script or two in powershell to make their job harder / more interesting than the typical stuff. I took a few techniques ( sticky keys backdoor / windows path canonicalization ) to achieve the desired affect with a little powershell seasoning to make things interesting.

My ideas were as follows:

1. Create a dropper which will download an unknown payload which can be dynamically changed and removed from the attacker’s machine to prevent analysis of it by the network defenders.
2. Try to obfuscate any files being transferred over the net to prevent file carving / figuring out what was transferred over the net.
3. Prevent AV from catching the payload.
4. Try to make it hard for them to delete said payload if they DO manage to find it.


Read More