Reflective PE Injection in Windows 10 1909


Last month we taught our DEF CON 27 workshop, Introduction to Sandbox Evasion and AMSI Bypasses, as a webinar. It went really well, but the primary focus of the course was on delivering a primary agent to the target and getting it to run. We discussed how to obfuscate payloads to avoid AMSI and sandboxes (it’s like the name was descriptive or something), but that was where we left off.

What about the next steps though? One of the first things I do when I land on a box is to migrate into a new process. Traditionally this is done in Empire with the PSinject module. It’s well known and works effectively, but if you have tried to use it recently, it may appear to be broken. However, what is actually happening is that Windows Defender is flagging it as malicious and killing the thread.

While it’s not the most operationally representative, I like to use notepad to test things out. It’s a stable process, won’t have any permissions problems when injecting as a non-administrative user, and it’s easy to kill and restart. So that’s what I will be using in this walkthrough. Below are a couple of screenshots showing how Defender whacked my process when I attempted to inject into notepad with PSinject.

This is happening because PSinject uses a default Empire payload without any obfuscation. Initially, the ReflectivePick.dll that PSinject uses couldn’t handle a payload greater than 3,000 characters, and obfuscation would cause it to exceed that rather quickly. That has since been remediated, but it is still possible to break ReflectivePick with certain obfuscation techniques. PSinject, on the other hand, has always been meant to be a point-and-shoot tool for the average user. For this reason, it makes sense to leave PSinject as straightforward as possible.

Luckily we can utilize a couple of other modules within Empire to overcome this issue. The two modules we are going to need are the stager module windows/dll and the code_execution/invoke_reflectivepeinjection module. PSinject is actually based upon the Invoke-ReflectivePEInjection module. It just has the ReflectivePick.dll preloaded into it instead of allowing us to inject an arbitrary .dll or .exe like the Invoke-ReflectivePEInjection module does. The windows/dll stager module builds a ReflectivePick.dll patched with our PowerShell stager code and allows us to implement some obfuscation. Be careful here, because it is still possible to create a one-liner that is too large for ReflectivePick by adding too much obfuscation. Let’s walk through exactly how to do this.

Just a quick note: I am not going to describe the exact stager settings or ObfuscateCommand value I used because, within a few weeks, it will likely no longer get past AV.

First thing we need to do is generate our dll. We can do this with usestager windows/dll.

Set your Listener, set Obfuscate to true, and set ObfuscateCommand to your desired obfuscation pattern. Type generate and the dll will be saved in the designated OutFile location.

Now we interact with the agent on our target machine, run ps to find the PID of our notepad process, and then type usemodule code_execution/invoke_reflectivepeinjection.

Now, all we have to do is set ProcId to our notepad PID and then set DllPath to our dll location and execute! Just like that, we can now inject into other processes without being caught by Windows Defender. 
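For the blue team side of the walkthrough above, here is an added example (not code from the original post or from the Empire project) that triages Sysmon Event ID 8 (CreateRemoteThread) records for the shape this technique leaves: a script host such as powershell.exe starting a thread in another process (here notepad.exe) at an address that no loaded module backs. The field names follow Sysmon's EID 8 schema; the sample records, the script-host list, the scoring weights, and the assumption that a reflectively loaded DLL leaves StartModule empty are this example's own.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for signs of reflective
injection from a script host into another process. Added example; the events
below are constructed, not captured from the post's lab."""
import json
import os

# Constructed JSON-lines sample. Field names follow Sysmon's EID 8 schema
# (SourceImage, TargetImage, StartModule, StartFunction, StartAddress).
# Record 2 models the walkthrough's case: powershell.exe starting a thread in
# notepad.exe at an address no loaded module backs (StartModule empty), which
# is the trace a reflectively mapped image typically leaves (assumption).
SAMPLE_LOG = r"""
{"EventID": 8, "UtcTime": "2020-01-01 10:00:00.000", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart", "StartAddress": "0x00007FFB12340000"}
{"EventID": 8, "UtcTime": "2020-01-01 10:00:05.000", "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartModule": "", "StartFunction": "", "StartAddress": "0x000001F4A2B30000"}
{"EventID": 1, "UtcTime": "2020-01-01 10:00:06.000", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""

# Processes that should rarely, if ever, create threads in other processes.
# This list is an assumption for the example; tune it to the environment.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Lower-case file name of a Windows image path (either slash style)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def score_remote_thread(event):
    """Score one EID 8 event. Returns (score, reasons); other events score 0."""
    if event.get("EventID") != 8:
        return 0, []
    score, reasons = 0, []
    source = image_name(event.get("SourceImage", ""))
    if source in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"source {source} is a script host")
    if not event.get("StartModule"):
        # A thread starting in memory no module backs is the hallmark of a
        # reflectively mapped image. Weights are chosen for this example.
        score += 3
        reasons.append("start address not backed by a loaded module")
    return score, reasons


def find_injections(events, threshold=3):
    """Return (index, score, reasons) for every event scoring >= threshold."""
    hits = []
    for idx, event in enumerate(events):
        score, reasons = score_remote_thread(event)
        if score >= threshold:
            hits.append((idx, score, reasons))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for idx, score, reasons in find_injections(events):
        ev = events[idx]
        print(f"[score {score}] {ev['SourceImage']} -> {ev['TargetImage']}: "
              + "; ".join(reasons))
```

With the default threshold an unbacked start address alone is enough to surface an event, which is deliberate: some legitimate software (security agents, hooking frameworks) does this too, so treat the hit as a triage queue rather than an alert, and raise the threshold if that noise is unacceptable in a given environment.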

ProTip: You can test the obfuscation of your stager by first utilizing the Multi/Launcher module.


The post Reflective PE Injection in Windows 10 1909 appeared first on BC Security.
