
PowerShell-RAT - BlackHat USA 2019


PowerShell-RAT is a stealthy tool which exfiltrates sensitive information from a fully patched Windows environment via screenshots, keystrokes, clipboard hijacking and a reverse shell over the Gmail domain. This tool is highly useful when the standard RAT tools get picked up by the client's anti-virus software and one needs to provide a proof of concept to the client showing that malicious users or an attacker can exfiltrate information from the network even though they are running fully patched and up-to-date anti-virus solutions.

The exfiltrated information is sent to a malicious user over the HTTPS protocol in the form of email attachments. The RAT can be invoked with a single key press using the 'Hail Mary' option. Gmail is used to receive files from the backdoored machine because it is considered one of the most highly trusted domains; this allows an attacker to avoid network detection by next-generation firewalls.

During a Red Team engagement or an Internal Penetration Test, this tool can be executed on any Windows machine. It backdoors the compromised user's machine using a number of scheduled tasks, which in turn run the PowerShell modules (scripts). Once backdoored, the malicious user receives screenshots, clipboard history and keystrokes of the user's activity via email every few minutes. After the email is received, the screenshots and log files are deleted from the machine to clean up disk space, hence avoiding detection.

On successful authentication on a Windows machine by a compromised user, the backdoor triggers the keystroke module on the user's machine. It saves every key press on the keyboard in the "log.txt" file on the user's machine and sends it to the malicious user every hour as an email attachment. Similarly to keystrokes, the user's clipboard is monitored every 2 seconds and saved in the "clip.txt" file, and the clipboard information is sent via email every 5 hours.

To set up this RAT, a dedicated throwaway Gmail account is required, the credential variables in the PowerShell scripts must be modified, and the malicious user needs to enable "Allow less secure apps" under the security settings of the Gmail account to receive screenshots, clipboard contents and key logs from the backdoored machine. Running these modules does not require administrator rights, and the exfiltration options can be customised to the user's needs.

The Reverse Shell module allows the user to execute Windows commands on the compromised host by sending commands to the throwaway Gmail account. Commands are read in the background by constantly monitoring the inbox for new email. Commands in the body of an email are read every 5 seconds and executed instantly. Once the commands are executed on the backdoored host, it automatically sends the command output as an email to the attacker's Gmail address, allowing two-way communication between the attacker and the compromised host.

The target system can be identified using the email subject line, which is the compromised host's computer name followed by a timestamp. The Remote Access Trojan (RAT) Python file can be converted into an executable using PyInstaller. During the demo at BlackHat, I walked everyone through a number of defence mechanisms to detect the PowerShell-RAT backdoor using publicly available tools such as Sysinternals from Microsoft. However, all of these defensive mechanisms can be bypassed by an attacker.

Further details can be obtained from GitHub: https://github.com/Viralmaniar/Powershell-RAT



August 07, 2019



  2. Disclaimer
     • Performing any hack attempts or tests without written permission from the owner of the systems is illegal.
     • This project must not be used for illegal purposes or for hacking into systems where you do not have permission; it is strictly for educational purposes and for people to experiment with.
  3. # whoami
     • Over 6.5 years of experience in the field of Information Security
     • Passionate about offensive and defensive security
     • Working as a Principal Security Consultant at Threat Intelligence
     • In my free time I develop security tools
     • Outside Infosec land – I like photography
     • https://github.com/Viralmaniar
     • https://twitter.com/maniarviral
     • https://www.linkedin.com/in/viralmaniar
     • https://viralmaniar.github.io/

  5. Browser Warnings

  6. Anti-Virus Warnings

  7. PowerShell-RAT
     • Open source tool written in Python and PowerShell
     • Assists Red Teamers and Penetration Testers to exfiltrate sensitive information during internal penetration tests, red team engagements or via phishing campaigns
     • This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software (for now)
     • Currently supports the following exfiltration modules over Gmail:
       • Reverse shell
       • Screenshots
       • Keyboard strokes
       • Clipboard Hijack
  8. PowerShell-RAT Overview (diagram: infected machine runs the RAT modules frequently and sends to an attacker-controlled Gmail account)
  9. Setup
     • Throwaway Gmail account
     • Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
     • Modify the $username & $password variables for your account in the Mail.ps1, MailLogs.ps1, MailClip.ps1 PowerShell files
     • Modify $msg.From & $msg.To.Add with the throwaway Gmail address
  10. Screenshots Module
     • Takes screenshots of the user screen every 1 minute using the Graphics.CopyFromScreen method
     • Sends an email to the attacker with the screenshot as an attachment
     • Deletes the screenshots to avoid suspicion
  11. Clipboard Module
     • Keeps track of the user clipboard along with timestamps every minute
     • Users can modify this as per their need to sniff every few seconds
     • Sends an email to the attacker with clipboard data as a clip.txt file attachment
  12. Keystroke Module
     • Starts keystroke logging after user authentication
     • Uses SetWindowsHookEx with WH_KEYBOARD_LL
     • Sends an email to the attacker with keystroke data as an elog.txt file attachment
  13. Reverse Shell Module
     • Uses Gmail APIs to read emails every 15 seconds and parses the commands from the attacker
     • Shell output gets sent to the attacker email
     • Examples of commands for reverse shell:
       • BHUSADEM019:whoami
       • BHUSADEM019:tasklist
       • BHUSADEM019:ipconfig
       • BHUSADEM019:KILL
  14. Enough talking!

  15. Detection Mechanism
     • SSL stripping on your network. Some companies have policies to not perform SSL stripping on well-known sites to maintain users' privacy. Furthermore, the attacker can encrypt traffic for exfiltration.
     • PowerShell logging. However, the attacker can clear these locations to avoid logging of the scripts.
     • Look for regularly timed DNS traffic through frequency analysis. However, this can be defeated using randomisation in connection timing.
     • Sysinternals tools such as Autoruns, Sysmon, Process Explorer and Process Monitor to review system configurations. Requires time and resources.
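The frequency analysis from the third bullet, worked through as an added example (not code from the deck or the PowerShell-RAT project): lookups are grouped by client and query name, the coefficient of variation (CV) of the gaps between them is computed, and series with near-constant gaps are flagged. The resolver log lines are constructed; the 10.0.0.7 series shows how randomised timing pushes the CV above the threshold and defeats the check, as the slide notes.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real traffic): "<ISO time> <client> <qname>".
# 10.0.0.5 resolves the mail server every 60 s; 10.0.0.7 uses randomised timing.
SAMPLE_DNS_LOG = """\
2019-08-07T09:00:00 10.0.0.5 smtp.gmail.com
2019-08-07T09:00:17 10.0.0.5 www.example.org
2019-08-07T09:01:00 10.0.0.5 smtp.gmail.com
2019-08-07T09:02:00 10.0.0.5 smtp.gmail.com
2019-08-07T09:03:00 10.0.0.5 smtp.gmail.com
2019-08-07T09:04:00 10.0.0.5 smtp.gmail.com
2019-08-07T09:00:05 10.0.0.7 smtp.gmail.com
2019-08-07T09:03:41 10.0.0.7 smtp.gmail.com
2019-08-07T09:04:02 10.0.0.7 smtp.gmail.com
2019-08-07T09:09:30 10.0.0.7 smtp.gmail.com
2019-08-07T09:10:55 10.0.0.7 smtp.gmail.com
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Group query timestamps by (client, lower-cased query name)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            series[(m[2], m[3].lower())].append(datetime.fromisoformat(m[1]))
    return series

def regularity(timestamps):
    """Mean gap in seconds and coefficient of variation, or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean > 0 else 0.0)

def find_beacons(text, max_cv=0.1, min_queries=4):
    """Return (client, qname, mean_gap_s, cv) for series with near-constant gaps."""
    hits = []
    for (client, qname), stamps in parse_log(text).items():
        if len(stamps) < min_queries:
            continue
        stats = regularity(stamps)
        if stats and stats[1] <= max_cv:  # low CV = regular beacon; jitter raises CV
            hits.append((client, qname, round(stats[0]), round(stats[1], 3)))
    return hits
```

Raising `max_cv` trades missed jittered beacons for more false positives from legitimately periodic clients (update checks, mail polling), so tune it against a baseline of your own resolver logs.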
  16. References
     • https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
     • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard?view=powershell-5.1
     • https://developers.google.com/docs/api/quickstart/python
     • https://github.com/googleapis/google-api-python-client
     • https://www.pdq.com/blog/powershell-send-mailmessage-gmail/
     • https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa
     • https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks
     • Sandeep Ghai from Threat Intelligence for his help on the Reverse Shell Module