How Hackers Can Hide PowerShell in Environment Variables
HTML-код
- Опубликовано: 4 апр 2024
- jh.live/snykctf101 || Learn cybersecurity with a FREE Capture the Flag 101 workshop from Snyk on April 18th! jh.live/snykctf101
🗨️ Mapping printable characters to positions within Windows environment variables... to slap together silly obfuscated PowerShell code! Masking the original command in a cutesy way that made help evade detection... (or at least be a fun scripting challenge) 💬
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
This is a very NEAT technique, did you stumble upon this technique in the wild being used by some bad actors?, how did you come up with it, Its really nice. I LOVED IT
This video is eye-opening! It's crazy to see how hackers can use something as innocuous as environment variables to hide malicious PowerShell commands. The level of sophistication in cyber attacks is just mind-boggling. Understanding these tactics is crucial for staying safe online. Thanks for the insightful breakdown! Time to up my cybersecurity game.
thanks, chatgpt, very cool!
yeah, why have chatgpt write this comment?? lmao
Great video, seems like a good way to obfuscate commands!
Im really happy to see you grow, I have recommended you to a "thousand" others and now I see u got 1.3 m subs which is AMAZING. Keep on what ur doing! Greetings!
If you have variables that only have the user name as a variable path, you could for example use string splitting on \ to get more options.
love the content!! keep killing it! what keyboard are you using in the newish setup?
Please bring a video on the new xz malware discovered
i agree
As i understand reverse engineering, which is very little admitedly. This is how hackers optimize building ROP gadgets. If you get a fixed number of bytes to add to the execution stack, you make sure that what is added is entirely built from other sections of the static mapped memory, because specific strings of assembly will be in fixed locations to reference. So instead of creating code that takes several bytes you just point to a chunk of that already in memory, thereby keeping the exploit within that limited stack space required to maintain the overflow or use after free or whatever tactic the codespace was permitted to hit the stack without the kernel overflowing. Stringing multiple gadgets together creates a ROP chain which is the set of functions you need the exploit to do.
Its Because PSModulePath include another Environment Variable (%ProgramFiles%)
It's because for some reason his Python generated powershell in sublime PSModulePath starts with the fixed system paths, C:\Program Files\W (17).
Later he starts running the code at a powershell terminal and the output includes his user profile path and things work now, but previously he generated code in sublime then copied to powershell and the indexed were different.
Besides it should be excluded since it has a user profile path depending on the context it is executed in. In both user and admin terminal i got the user profile, only at system context i did not, so maybe sublime runs python in a funky psuedo-user context. For an exploit that might run as system or admin, best to strike PSModulePath as a candidate .
Did this idea come from a sample or just random thought ? Also nice to have more of the red team POV stuff. I've been trying to improve on red side since I've been made part of purple team and stuff like this is helping me make the mental shift.
Great stuff. I would like to know how this looks in the event logs. Does it just show the env variables or does it show the cmdlet being run?
Cool video keep it up
You disappeared off my algorithm then I tried to remember ur name when I saw the xz hack and then I see u have 1.3 milli subs, you had 350k last time I watched a vid, killin it!!!
Watching right now❤
TNX bro
This video is interesting and enthusiastic 😁😂
where do you get windows iso to run in vmware or virtualbox, the official site offers 22GB zip which is unreasonable
In case my previous comment got deleted for whatever reason, I'll say again: The default ISO from Microsoft's website is about 5-6 GBs. You just download that & install it on virtual box normally. Don't waste time with the "optimized for VM" ISOs.
Media Creation Tools from Microsoft let's you make an iso of windows
I’ve never once heard of any OS being that large; even something as bloated as windows.
THANKS YOU
So helpful
this is a great idea... now i just need to translate python to PS to make it work on any Windows environment. Usually I don't have python available on Windows systems during tests.
You have built a nice very pythonic conditional christmas tree 😊😊
I am new to coding so all of this has been informative but very confusing to me. I need to start from the beginning of your videos I guess lol
John please make a video on the xz utils vulnerability and on Jia Tan😭
One form of obfuscation could even be caps, powershell should be case insensitive
It's worrying the lack of Jurassic Park references.
Love you, dude. I am continuously hacked. Dangerous stalker. I have managed to thwart him a few times thanks to vids like this, many are yours! 🌹
what!?
You need medication
YES!😃
Thanks for the great video John, I would like to see what kind of setup you are using (home lab, personal rig, laptop etc.). Can you do a home lab, everyday carry video? I think it will be very interesting and inspiring for the community
fun!
You are naughty boy John
It would be fun to run this on PowerShell Core in Linux or Mac 😂
is this really useful if my environment is hardened?
Not to be harsh, but if you don't know, I wonder how hardened your stuff is. This was just an exercise in obfuscation, an attacker would already need a way to execute powershell code on your hardened system.
@@dyerseve3001 haha yep! Thanks for your reply. That's why I asked. I don't have any environment. I am just studying. some measures:
Allsigned in the execution policy, no downgrade, ConstrainedLanguage, JEA, no powershell removing,WDAC Policy. Moreover, I could enable the various types of powershell logging in order to catch the execution of this obfuscated command.
leaking my sauce man :( - +10/10 video
Going to watch the video. Will ask if I want to know something
Use a debugger bro :D
The icons are so big😅
Activate Windows got me
i tried brute-forcing dvwa with hydra but wont work. I had to build a custom script can someone send me the command
Why is there so many ai written comments on this….
make a video on how to detect hacking script which is in encoded javascript , i saw a pastebin post which can hack peoples crypto from g2a account scamming people via encode js code malicious
please 1 video how to hacked gmail password please please new video
🙏🙏🙏🙏🙏🙏
LMFAO
420😄
I'm not trust snyk.
I guess first
video content is good, but python code quality terrible
I guess I am first😀
Python... wtf
He's using Python, the programming language...
It's not a snake so don't worry it's not going to bite you!
LOL where have you been
What's wrong with python ?
@@Hepad_
He's probably thinking: "Why would you spend 30 minutes writing this python script when you can spend 2 days writing a C++ code that will do the same exact thing?" lol
😂 powershell_command = 'Write-Output 420'
On a mission to bypass windows defnder. I found myself taking a powershell script Editing it a bit and to mt luck. I was able to get a shell and bypass defender. But that was me havifn to copy paste the powershell code ibto powershell. I wanted a clickable or executable.. Ya. Good luck 😅 I had to then create another file to excute the ps1 powershell payload i created. You cant just double click on it and run it. So i created a .bat file and slapped aome code in it.. to execute the ps1 powershell payload from my ppwershell script. It worked. Bypassed defender as well. I then added more code to execute the ps1 payload first then add an esclusion to windows defender to a future .exe windows meterpreter file and location that doesnt even exist yet. Then i created the meterpreter payload and uploaded it and ran it from mt basic shell. Boom! Full shell! Thats the most gangster thing i ever done as a begginer hacker. I think thats pretty advanced. Im on a fully updated windows 10.