The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.
In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.
This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.
Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
Meatballs
RageLtMan