Bypassing Defender Detection of Offensive PowerShell Scripts

Introduction:

Hello everybody, I am back with another blog post for you. During a pentest involving Active Directory we tend to use PowerView, the AD Module, PowerUp etc. for enumeration, but the AV detects the scripts and removes them immediately. Even the AD Module, which is signed by Microsoft, gets detected, and all the scripts mentioned use Microsoft API functions, so why do they get detected? That was my curiosity, and I started working on how the AV detects them and how that can be bypassed. (In this tutorial I bypassed PowerUp, but as of right now the concept is basically the same for all of the scripts.)

Divide and Conquer:

I started poking around and playing with the script. Here is what I did: I copied each function from the script into a PowerShell session, assuming that the AV was detecting the script with a signature-based approach, meaning the AV has a signature database, matches the script against it, and blocks the script if there is a match. While copying the functions and pasting them into the session, it detected the Write-HijackDll function. I looked into that function, and what it detected were the DLLs that were base64-encoded inside the function.

So what I did was divide the base64 into two variables and concatenate them in the next step, and the AV did not detect it.

For example:

$var1 = "abc"
$var2 = "def"
$var3 = $var1 + $var2   # $var3 now holds "abcdef"
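As an added example (not code from the original post), here is the defensive counterpart in Python: a scanner that statically folds PowerShell string-literal concatenation before matching, so a blob split across variables as shown above is seen whole. The signature value and the sample script are constructed placeholders, not a real Defender signature or real PowerUp content.

```python
import re
# Constructed placeholder for a pattern a scanner would look for inside an
# embedded base64 blob (not a real Defender signature).
SIGNATURE = "QUJDREVGR0hJSktMTU5PUA=="
# Constructed sample: the blob is split across two literals and reassembled
# with '+', the evasion described above; the last line is not foldable.
SAMPLE_SCRIPT = '''
$part1 = "QUJDREVGR0hJ"
$part2 = 'SktMTU5PUA=='
$blob = $part1 + $part2
$other = "hello" + $unknown
'''

_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$')
# right-hand-side tokens: "..."  '...'  $name  +  anything else (unsupported)
_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|\$(\w+)|(\+)|(\S)')

def _fold(rhs, table):
    """Concatenate rhs if it is built only from string literals and
    already-resolved variables; return None when it cannot be folded."""
    parts, need_operand = [], True
    for m in _TOKEN.finditer(rhs):
        dq, sq, var, plus, other = m.groups()
        if other is not None or (plus is not None) == need_operand:
            return None                      # stray char or misplaced '+'
        if plus is not None:
            need_operand = True
            continue
        text = dq if dq is not None else sq
        if text is None:
            text = table.get(var)
            if text is None:
                return None                  # variable not statically known
        parts.append(text)
        need_operand = False
    return None if need_operand else ''.join(parts)

def resolve_literals(script):
    """Map each variable to its statically known string value."""
    table = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if m and (value := _fold(m.group(2), table)) is not None:
            table[m.group(1)] = value
    return table

def scan(script, signature=SIGNATURE):
    # Naive raw-text match versus a match on the folded variable values.
    hits = sorted(n for n, v in resolve_literals(script).items() if signature in v)
    return {"raw_match": signature in script, "resolved_hits": hits}
```

On the sample, the raw-text match misses the split blob while the folded scan flags `$blob`; the same idea extends to other static string transforms a scanner can undo before matching.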

Moving further, I continued to copy the functions, this time with the divided variables, and the AV did not detect them. Basically, I created chunks of the script, each chunk containing different functions from the PowerUp script, and the AV had no problem with them, thus bypassing it. It took some time, but in the end it was worth it :).

And there you have it: the PowerUp script bypassed while Defender real-time protection was enabled.