connorshride / box-ps
Powershell sandboxing utility
License: MIT License
example.
powershell.exe -ex Default
Will produce a base64 decode error
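One way a sandbox can avoid this mistake: resolve powershell.exe switch prefixes the way powershell.exe does, so `-ex Default` is read as -ExecutionPolicy and only -EncodedCommand values are base64/UTF-16LE decoded. This is an added example in Python, not box-ps's own code; the prefix table mirrors powershell.exe's shortest-prefix switch matching as I know it and should be treated as an assumption for any build that differs.

```python
import base64

# Switch name -> shortest accepted prefix, modelled on powershell.exe's switch
# matching: "-e" is EncodedCommand, "-ex" is ExecutionPolicy. Assumed table.
SWITCHES = {
    "encodedcommand": "e",
    "executionpolicy": "ex",
    "command": "c",
    "file": "f",
    "noprofile": "nop",
    "noninteractive": "noni",
    "nologo": "nol",
    "noexit": "noe",
    "windowstyle": "w",
}
TAKES_VALUE = {"encodedcommand", "executionpolicy", "command", "file", "windowstyle"}

def resolve_switch(token):
    """Map '-ex', '/Enc', ... to the full switch name, or None if not a switch."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for name, shortest in SWITCHES.items():
        # Any prefix of the name is accepted once it is at least the shortest form.
        if len(key) >= len(shortest) and name.startswith(key):
            return name
    return None

def encode_command(script):
    """Build an -EncodedCommand value (UTF-16LE, then base64), for test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def parse_powershell_args(argv):
    """Return {switch: value}; only -EncodedCommand values are decoded."""
    parsed = {}
    i = 0
    while i < len(argv):
        name = resolve_switch(argv[i])
        if name is None:
            parsed.setdefault("positional", []).append(argv[i])
            i += 1
            continue
        value = True
        if name in TAKES_VALUE and i + 1 < len(argv):
            value = argv[i + 1]
            i += 1
        if name == "encodedcommand":
            try:
                value = base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                parsed["decode_error"] = value  # keep the raw value; do not abort analysis
                value = None
        parsed[name] = value
        i += 1
    return parsed
```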
Hi there @kirk-sayre-work and @ConnorShride,
It looks like we are working on similar things and there is a potential for collaboration.
The Canadian Centre for Cyber Security has a malware analysis tool called Assemblyline that uses a plugin that I developed called Overpower.
Overpower integrates the modified versions of a couple of dead projects such as PSDecode and PowerShellProfiler which I have done some heavy development on to bring back to life. It looks like the goal of those projects as well as this one is to extract similar features like written files, network callouts, etc.
For the sake of avoiding duplication of effort, I think it would be worth our time to discuss how to merge these projects or how to move forward.
If you're interested or have any questions, feel free to reach out; the Assemblyline team has a Discord server for faster communications: https://discord.gg/GUAy9wErNu
Kevin
Nice project
Testing box-ps out naturally with Invoke-Obfuscation
I found out some problems with the test harness:
Using Invoke-Obfuscation inside docker (the script block is quoted with double quotes so the inner single quotes survive the shell):
pwsh -c "Import-Module ./Invoke-Obfuscation.psd1 ; Out-SecureStringCommand -ScriptBlock {Write-Host 'Hello World'} -PassThru"
Generated payload using the ConvertTo-SecureString method:
. ( $PshomE[4]+$PsHoMe[34]+'x')( ( [rUnTIME.iNTEropSeRviCeS.MARsHaL]::PTrtOsTRINgAuto( [RuntIMe.INTEroPserViCES.MaRsHal]::SeCurEsTRINGtOBsTr( $('76492d1116743f0423413b16050a5345MgB8AFUAbQBvAGgAWAAwAGwAbgBQAHYAaABnADIASABtAFUAYwByAGYAVwBrAEEAPQA9AHwANQAyAGMAMQA0ADQAMwBlADkAYQA1ADMAYwA4AGIANwBlADQAOABiADIAYQA5AGIANABlADkAOQBlADkAMAA0ADAAMgBiADEAOABjAGYAMAA3ADkANQA1ADUAZQAzADMAMgAxAGYAMwAwADMANwBlAGYAMwBiADcAZAA2ADcAZgAwAGIAYgAyAGIANAAyADEANQBmADAAMwBkAGYAMwAwADAAMQAzAGIANwBiADgANQBkAGUAMwBlAGYANAA1ADgA'|CoNveRtTo-seCuREsTring -keY (207..192)) )) ))
Trying to deobfuscate, we get the following output; it should have 'Hello World' in stdin, but it is empty:
{
  "Actions": [
    {
      "Behaviors": [
        "script_exec"
      ],
      "SubBehaviors": [],
      "Actor": "Microsoft.PowerShell.Utility\\Invoke-Expression",
      "Line": ". ( $bshome[4]+$bshome[34]+'x')( ( [rUnTIME.iNTEropSeRviCeS.MARsHaL]::PTrtOsTRINgAuto( [RuntIMe.INTEroPserViCES.MaRsHal]::SeCurEsTRINGtOBsTr( $('76492d1116743f0423413b16050a5345MgB8AFUAbQBvAGgAWAAwAGwAbgBQAHYAaABnADIASABtAFUAYwByAGYAVwBrAEEAPQA9AHwANQAyAGMAMQA0ADQAMwBlADkAYQA1ADMAYwA4AGIANwBlADQAOABiADIAYQA5AGIANABlADkAOQBlADkAMAA0ADAAMgBiADEAOABjAGYAMAA3ADkANQA1ADUAZQAzADMAMgAxAGYAMwAwADMANwBlAGYAMwBiADcAZAA2ADcAZgAwAGIAYgAyAGIANAAyADEANQBmADAAMwBkAGYAMwAwADAAMQAzAGIANwBiADgANQBkAGUAMwBlAGYANAA1ADgA'|CoNveRtTo-seCuREsTring -keY (207..192)) )) ))",
      "BehaviorProps": {
        "script": "W"
      },
      "Parameters": {
        "Command": "W"
      },
      "ExtraInfo": "",
      "Id": 1,
      "BehaviorId": "F4B3668EA3A7BB00F3D6A8B9FF39F8B1644F66B9E58EB197EFF86B05E9D5F9B4"
    }
  ],
  "PotentialIndicators": {
    "network": [],
    "file_system": []
  },
  "EnvironmentProbes": {},
  "Artifacts": {},
  "WorkingDir": "./working_1"
}
Get-Variable: /home/appuser/tool/working_1/harnessed_script.ps1:1500
Line |
1500 | … $parentVars = Microsoft.PowerShell.Utility\Get-Variable -Scope 1
     |   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The scope number '1' exceeds the number of active scopes.
     | (Parameter 'Scope') Actual value was 1.
This one (generated randomly) works:
( [RUnTIMe.IntErOPSeRVicES.MarshaL]::pTRtOstRiNGbsTR([ruNTime.INtERopSErViCeS.maRsHAl]::SecurestrInGtOBStr($('76492d1116743f0423413b16050a5345MgB8AFIAVQBSAGMAbQBkAHkAMgBSAEkAYwBVAGUAVQA1ADAAbwBkAEsAOABTAEEAPQA9AHwAZgAzADgAMwAzADkAMwAwAGEAZAAzAGEAMgAxADEAMwA1AGUAMABkADEAZABkADEANQA3AGIANAAyAGYAZABlADIAZAA1AGYAZAA2ADAAOQAxADQAMQAzAGQAMQA4AGMANwAzAGMAMgBiADUAZAA3ADMAMQAzAGYANgAzAGYAYQA4ADQAOABjADMAMgBlAGMANwA4ADgANQA1AGEAOQAxADkAYQA1ADEAYgA1AGIAMQAwADQAMwAyADUANAAxAGYA'|cOnverttO-sEcUrEstRING -k 40,180,4,152,182,235,159,244,39,233,143,172,56,217,76,157,21,198,53,87,155,240,14,249,16,251,55,183,13,114,191,74)))) |INvOKe-ExpRESSION
Some other methods from Invoke-Obfuscation don't work because of some native implementations used, probably because of the limitation of the .NET Core implementation of pwsh on POSIX, I believe. AFAIK this looks like a bug in the test harness?
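A sanity check a test harness could run over a box-ps report and its stderr, so that the single-character result shown above is flagged instead of being read as a clean run. This is an added example in Python, not box-ps's own code; the report and stderr text are constructed to mirror the ones in this post, and the min_len threshold is an assumption.

```python
import json
import re

# Constructed box-ps style report mirroring the one in the issue above, with the
# obfuscated "Line" shortened; the BehaviorId is a placeholder, not a real hash.
SAMPLE_REPORT = json.loads(r"""{
  "Actions": [{
    "Behaviors": ["script_exec"], "SubBehaviors": [],
    "Actor": "Microsoft.PowerShell.Utility\\Invoke-Expression",
    "Line": ". ( $bshome[4]+$bshome[34]+'x')( [Runtime.InteropServices.Marshal]::PtrToStringAuto( (truncated) ) )",
    "BehaviorProps": {"script": "W"}, "Parameters": {"Command": "W"},
    "ExtraInfo": "", "Id": 1, "BehaviorId": "PLACEHOLDER"
  }],
  "PotentialIndicators": {"network": [], "file_system": []},
  "EnvironmentProbes": {}, "Artifacts": {}, "WorkingDir": "./working_1"
}""")

# Constructed stderr text in the shape of the Get-Variable error shown above.
SAMPLE_STDERR = r"""Get-Variable: /home/appuser/tool/working_1/harnessed_script.ps1:1500
1500 | $parentVars = Microsoft.PowerShell.Utility\Get-Variable -Scope 1
     | The scope number '1' exceeds the number of active scopes.
     | (Parameter 'Scope') Actual value was 1."""

SCOPE_ERROR = re.compile(r"scope number '(\d+)' exceeds the number of active scopes")

def suspicious_script_exec(report, min_len=8):
    """Ids of script_exec actions whose recovered script is implausibly short
    next to the line that invoked it ('W' instead of a whole command)."""
    hits = []
    for action in report.get("Actions", []):
        if "script_exec" not in action.get("Behaviors", []):
            continue
        script = action.get("BehaviorProps", {}).get("script") or ""
        if len(script) < min_len and len(action.get("Line", "")) > len(script):
            hits.append(action["Id"])
    return hits

def harness_scope_errors(stderr_text):
    """Scope numbers from 'Get-Variable -Scope N' failures in the harness output;
    any hit means the harness ran the payload outside the scope it expected."""
    return [int(n) for n in SCOPE_ERROR.findall(stderr_text)]

def report_is_trustworthy(report, stderr_text):
    """False when either symptom is present, so an empty result is not taken as benign."""
    return not suspicious_script_exec(report) and not harness_scope_errors(stderr_text)
```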
Hello!
While packaging box-ps for the CinCan project / GitLab tools repo, we would want to produce a tool image with a specific tool version. Ideally we would like to track GitHub releases. Version numbers are, for example, easier to compare than commit hashes (is 49e5d94be827af825afb953e5bfd365bdbd297a7 newer than 22b789ab2059722be3612bfca8b25b84258b27e7? How many features have changed in between? i.e. a 0.1.0 to 1.0.0 jump conveys more meaning).
We have the cincan-registry for checking new upstream releases (for example from GitHub), so when you feel like there should be even a 0.1 release, make one, and we can use that instead of a hash, thanks!