
box-ps's Issues

Hello from CCCS!

Hi there @kirk-sayre-work and @ConnorShride ,

It looks like we are working on similar things and there is a potential for collaboration.

The Canadian Centre for Cyber Security has a malware analysis tool called Assemblyline that uses a plugin that I developed called Overpower.

Overpower integrates modified versions of a couple of dead projects, such as PSDecode and PowerShellProfiler, on which I have done some heavy development to bring them back to life. It looks like the goal of those projects, as well as this one, is to extract similar features like written files, network callouts, etc.

For the sake of avoiding duplication of effort, I think it would be worth our time to discuss how to merge these projects or how to move forward.

If you're interested or have any questions, feel free to reach out; the Assemblyline team has a Discord server for faster communications: https://discord.gg/GUAy9wErNu

Kevin 🇨🇦

Unable to deobfuscate Invoke-Obfuscation

Nice project 👍

Testing box-ps out naturally with Invoke-Obfuscation, I found some problems with the test harness:

Using Invoke-Obfuscation inside docker:

pwsh -c "Import-Module ./Invoke-Obfuscation.psd1 ; Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World'} -PassThru"

Generated payload using the ConvertTo-SecureString method:

 . ( $PshomE[4]+$PsHoMe[34]+'x')( ( [rUnTIME.iNTEropSeRviCeS.MARsHaL]::PTrtOsTRINgAuto( [RuntIMe.INTEroPserViCES.MaRsHal]::SeCurEsTRINGtOBsTr( $('76492d1116743f0423413b16050a5345MgB8AFUAbQBvAGgAWAAwAGwAbgBQAHYAaABnADIASABtAFUAYwByAGYAVwBrAEEAPQA9AHwANQAyAGMAMQA0ADQAMwBlADkAYQA1ADMAYwA4AGIANwBlADQAOABiADIAYQA5AGIANABlADkAOQBlADkAMAA0ADAAMgBiADEAOABjAGYAMAA3ADkANQA1ADUAZQAzADMAMgAxAGYAMwAwADMANwBlAGYAMwBiADcAZAA2ADcAZgAwAGIAYgAyAGIANAAyADEANQBmADAAMwBkAGYAMwAwADAAMQAzAGIANwBiADgANQBkAGUAMwBlAGYANAA1ADgA'|CoNveRtTo-seCuREsTring -keY  (207..192)) )) )) 

Trying to deobfuscate, we get the following output; it should have 'Hello World' in stdin but it is empty:

report.json

{
  "Actions": [
    {
      "Behaviors": [
        "script_exec"
      ],
      "SubBehaviors": [],
      "Actor": "Microsoft.PowerShell.Utility\\Invoke-Expression",
      "Line": ". ( $bshome[4]+$bshome[34]+'x')( ( [rUnTIME.iNTEropSeRviCeS.MARsHaL]::PTrtOsTRINgAuto( [RuntIMe.INTEroPserViCES.MaRsHal]::SeCurEsTRINGtOBsTr( $('76492d1116743f0423413b16050a5345MgB8AFUAbQBvAGgAWAAwAGwAbgBQAHYAaABnADIASABtAFUAYwByAGYAVwBrAEEAPQA9AHwANQAyAGMAMQA0ADQAMwBlADkAYQA1ADMAYwA4AGIANwBlADQAOABiADIAYQA5AGIANABlADkAOQBlADkAMAA0ADAAMgBiADEAOABjAGYAMAA3ADkANQA1ADUAZQAzADMAMgAxAGYAMwAwADMANwBlAGYAMwBiADcAZAA2ADcAZgAwAGIAYgAyAGIANAAyADEANQBmADAAMwBkAGYAMwAwADAAMQAzAGIANwBiADgANQBkAGUAMwBlAGYANAA1ADgA'|CoNveRtTo-seCuREsTring -keY  (207..192)) )) ))",
      "BehaviorProps": {
        "script": "W"
      },
      "Parameters": {
        "Command": "W"
      },
      "ExtraInfo": "",
      "Id": 1,
      "BehaviorId": "F4B3668EA3A7BB00F3D6A8B9FF39F8B1644F66B9E58EB197EFF86B05E9D5F9B4"
    }
  ],
  "PotentialIndicators": {
    "network": [],
    "file_system": []
  },
  "EnvironmentProbes": {},
  "Artifacts": {},
  "WorkingDir": "./working_1"
}

stderr

Get-Variable: /home/appuser/tool/working_1/harnessed_script.ps1:1500
Line |
1500 |  …      $parentVars = Microsoft.PowerShell.Utility\Get-Variable -Scope 1
     |                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The scope number '1' exceeds the number of active scopes.
     | (Parameter 'Scope') Actual value was 1.

This one (generated randomly) works:

( [RUnTIMe.IntErOPSeRVicES.MarshaL]::pTRtOstRiNGbsTR([ruNTime.INtERopSErViCeS.maRsHAl]::SecurestrInGtOBStr($('76492d1116743f0423413b16050a5345MgB8AFIAVQBSAGMAbQBkAHkAMgBSAEkAYwBVAGUAVQA1ADAAbwBkAEsAOABTAEEAPQA9AHwAZgAzADgAMwAzADkAMwAwAGEAZAAzAGEAMgAxADEAMwA1AGUAMABkADEAZABkADEANQA3AGIANAAyAGYAZABlADIAZAA1AGYAZAA2ADAAOQAxADQAMQAzAGQAMQA4AGMANwAzAGMAMgBiADUAZAA3ADMAMQAzAGYANgAzAGYAYQA4ADQAOABjADMAMgBlAGMANwA4ADgANQA1AGEAOQAxADkAYQA1ADEAYgA1AGIAMQAwADQAMwAyADUANAAxAGYA'|cOnverttO-sEcUrEstRING  -k 40,180,4,152,182,235,159,244,39,233,143,172,56,217,76,157,21,198,53,87,155,240,14,249,16,251,55,183,13,114,191,74)))) |INvOKe-ExpRESSION

Some other methods from Invoke-Obfuscation don't work because of some native implementations used, probably because of limitations of the .NET Core implementation of pwsh on POSIX, I believe. AFAIK this looks like a bug in the test harness?
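To recover the script from the first payload statically, without running it, here is an added example (not box-ps code and not from the issue): a ConvertFrom-SecureString -Key export is the fixed header followed by base64 of the UTF-16LE string 2|<IV base64>|<ciphertext hex>, the ciphertext is AES-CBC with PKCS7 padding under the -Key bytes, and the plaintext is the script in UTF-16LE. The layout is taken from the payloads above; the key (207..192) and the payload are the issue's, and the header constant is the prefix visible in both payloads.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed header that ConvertFrom-SecureString -Key prepends, followed by the first payload from the issue above (verbatim).
const secureStringHeader = "76492d1116743f0423413b16050a5345"
const IssuePayload = "76492d1116743f0423413b16050a5345MgB8AFUAbQBvAGgAWAAwAGwAbgBQAHYAaABnADIASABtAFUAYwByAGYAVwBrAEEAPQA9AHwANQAyAGMAMQA0ADQAMwBlADkAYQA1ADMAYwA4AGIANwBlADQAOABiADIAYQA5AGIANABlADkAOQBlADkAMAA0ADAAMgBiADEAOABjAGYAMAA3ADkANQA1ADUAZQAzADMAMgAxAGYAMwAwADMANwBlAGYAMwBiADcAZAA2ADcAZgAwAGIAYgAyAGIANAAyADEANQBmADAAMwBkAGYAMwAwADAAMQAzAGIANwBiADgANQBkAGUAMwBlAGYANAA1ADgA"

// IssueKey is the payload's -Key (207..192) as PowerShell passes it: 16 bytes, 207 down to 192, selecting AES-128.
var IssueKey = []byte{207, 206, 205, 204, 203, 202, 201, 200, 199, 198, 197, 196, 195, 194, 193, 192}
// utf16leToString decodes UTF-16LE bytes, the encoding PowerShell keeps inside a SecureString/BSTR.
func utf16leToString(b []byte) (string, error) {
	if len(b)%2 != 0 { return "", errors.New("odd UTF-16LE length") }
	u := make([]uint16, len(b)/2)
	for i := range u { u[i] = uint16(b[2*i]) | uint16(b[2*i+1])<<8 }
	return string(utf16.Decode(u)), nil
}
// ImportSecureString reverses the export layout header + base64(UTF-16LE("2|<IV base64>|<ciphertext hex>"))
// and decrypts with AES-CBC/PKCS7 under key; the plaintext is the script text as UTF-16LE.
func ImportSecureString(export string, key []byte) (string, error) {
	if !strings.HasPrefix(export, secureStringHeader) { return "", errors.New("missing SecureString export header") }
	raw, err := base64.StdEncoding.DecodeString(export[len(secureStringHeader):])
	meta, errMeta := utf16leToString(raw) // on a base64 error raw is nil, so the layout check below fails
	parts := strings.Split(meta, "|")
	if err != nil || errMeta != nil || len(parts) != 3 || parts[0] != "2" { return "", errors.New("unexpected version or field layout") }
	iv, errIV := base64.StdEncoding.DecodeString(parts[1])
	ct, errCT := hex.DecodeString(parts[2])
	block, errKey := aes.NewCipher(key) // a 16-, 24- or 32-byte -Key selects AES-128/192/256
	if errIV != nil || errCT != nil || errKey != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed IV, ciphertext or key")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // PKCS7: the last byte is the pad length and every pad byte carries that value
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) { return "", errors.New("bad PKCS7 padding (wrong key?)") }
	return utf16leToString(pt[:len(pt)-pad])
}

func main() { fmt.Println(ImportSecureString(IssuePayload, IssueKey)) }
```

The "W" in the report is exactly what a NUL-terminated single-byte read of the UTF-16LE BSTR yields (0x57 0x00 ...), which points at the PtrToStringAuto step rather than at the decryption; the second, working payload reads the BSTR with PtrToStringBSTR instead.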

Releases

Hello!

While packaging box-ps for the CinCan project / GitLab tools repo, we would want to produce a tool image with a specific tool version. Ideally we would like to track GitHub releases. Version numbers are, for example, easier to compare than commit hashes (is 49e5d94be827af825afb953e5bfd365bdbd297a7 newer than 22b789ab2059722be3612bfca8b25b84258b27e7? How many features have changed between them? I.e. a 0.1.0 to 1.0.0 jump conveys more meaning).

We have the cincan-registry for checking new upstream releases (for example from GitHub), so when you feel like there should be even a 0.1 release, make one, and we can use that instead of a hash, thanks!
