SAFE Powershell bypass

PowerShell: Malwares use it without powershell.exe

Windows PowerShell (PS) is a task automation and configuration management framework from Microsoft, it’s a command line shell with its own associated scripting language. Powershell was built on DotNet Framework.

PS is often used in cyber attacks to run malicious code stealthy on a target computer, but calling powershell.exe can be detected by security solutions.

To avoid this, malwares can use a Windows feature which allows running a PS script in a C# code without calling powershell.exe. With this feature, it is possible to run malicious scripts without triggering basic security solutions.

In this article, we will see how to load a PS environment without using the associated executable (powershell.exe).

 

Execute PS script without powershell.exe

The Powershell automation DLLs (System.Management.Automation.dll and System.Management.Automation.ni.dll) which is a PS Class for DotNet language, it allows creating a PS environment inside C# code in order to execute scripts.

The project PowerShdll written by « p3nt4 » in C# uses the PS automation DLLs in order to be an alternative to powershell.exe.

This project is divided into two parts, a standalone executable, and a DLL.

Usage of the executable file from the GitHub:

PowerShdll.exe <script>

PowerShdll.exe -f <path> # Run the script passed as argument

PowerShdll.exe -i # Start an interactive console in this console

Usage of the DLL file from the GitHub:

rundll32 PowerShdll,main <script>

rundll32 PowerShdll,main -f <path> Run the script passed as argument

rundll32 PowerShdll,main -w Start an interactive console in a new window

rundll32 PowerShdll,main -i Start an interactive console in this console

If you do not have an interractive console, use -n to avoid crashes on output

As we can see in the image below, powershell.exe has not been executed:

Powershdll execution and process hacker view

Some malwares can use this method to hide from security solutions that could monitor specific executable like powershell.exe. Using Procmon, we note that no access to powershell.exe is done because it directly uses PS automation DLLs.

 

Code injection into SyncAppVPublishingServer

SyncAppVPublishingServer is a part of Microsoft Application Virtualization (App-V) and a built-in tool from Win10, it is available in two versions, as an Executable and as a VBScript, both are available in “C:\Windows\System32” on Windows 10 and both are signed.

SyncAppVPublishingServer sigcheck

 

VBScript

Below is an extract of the VBScript SyncAppPublishinServer.vbs:

SyncAppVPublishingServer.vbs call powershell.exe

As you can see, the script will directly start a PS command with the following form:

[...]; Sync-AppvPublishingServer [ARGs]

It is possible to inject code into it because the arguments are not checked:

C:\Windows\System32\SyncAppvPublishingServer.vbs "Break; Start-Process Calc.exe"

This will result in an executed command like the following:

[...]; Sync-AppvPublishingServer Break; Start-Process Calc.exe

The command will execute the Break, and runs the other command which starts a calculator:

SyncAppVPublishingServer.vbs code injection

 

This script allows to execute injected code and can help to deduce how the associated executable (SyncAppvPublishingServer.exe) works. Some malwares can take advantage of this situation to execute PS script from a Microsoft signed script.

 

Executable

The executable version of SyncAppPublishingServer uses the same arguments, the same command line can be used to start the  calculator:

C:\Windows\System32\SyncAppvPublishingServer.exe "Break; Start-Process Calc.exe"

SyncAppVPublishingServer.exe code injection

Like the VBScript version, this executable allows executing injected script in its arguments. Because it’s signed, this allows bypassing some security solutions.

 

How SAFE Endpoint blocks these actions

SAFE Endpoint Security is a multi-layer security product which will block this type of attacks or malicious file using multiple methods and at each step of the attack:

  • SAFE Endpoint Security limits the access of some administrative tools (cmd.exe, powershell.exe, SyncAppVPublishingServer, …)
  • Thanks to the security policies, applications, and unsigned programs don’t have access to PS automation DLLs.

In the following video, the different methods described before are tested with SAFE Endpoint Security set to protection mode in order to block malicious actions:

 

Conclusion

More and More cyber attacks use PS in order to infect the system.

Windows allows programs to load PS automation DLLs in order to execute PS script without using powershell.exe. This is an alternative to Powershell.exe and especially for malwares which can use this method to bypass basics security solutions.

Sometimes, users’ education isn’t efficient enough to face advanced threats. That’s why companies should complete that with an endpoint solution able to block this type of threats to stay safe.

Thanks to the multi-layered security protection provided by SAFE Endpoint Security, this type of attack is easily detected and blocked by our Agent. The association of our multiple technologies allows providing the best protection against ransomware and other cyber attacks.