PowerShell RAT

Performing a hacking attempt without written permission from the owner of the system is illegal; this is for educational purposes only.

Uploaded by

Atul Tarhale
Copyright
© All Rights Reserved

Disclaimer

• Performing any hack attempts or tests without written permission from the owner of the systems is illegal.

• This project must not be used for illegal purposes or for hacking into systems where you do not have permission; it is strictly for educational purposes and for people to experiment with.
# whoami
• Over 6.5 years of experience in the field of Information Security
• Passionate about offensive and defensive security
• Working as a Principal Security Consultant at Threat Intelligence
• In my free time I develop security tools
• Outside of Infosec land, I like photography

Links: https://github.com/Viralmaniar, https://twitter.com/maniarviral, https://www.linkedin.com/in/viralmaniar, https://viralmaniar.github.io/

Why RAT?
[Slide: existing PowerShell frameworks EMPIRE, NISHANG and POWERSPLOIT, shown alongside Browser Warnings and Anti-Virus Warnings]

PowerShell-RAT
• Open source tool written in Python and PowerShell
• Assists Red Teamers and Penetration Testers to exfiltrate sensitive information during internal penetration tests, red team engagements or via phishing campaigns
• This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software (for now)
• Currently supports the following exfiltration modules over Gmail:
  • Reverse shell
  • Screenshots
  • Keyboard strokes
  • Clipboard Hijack

PowerShell-RAT Overview
[Diagram: an Infected Machine, which runs the RAT modules frequently, communicating with an Attacker Controlled Gmail Account]

Setup
• Throwaway Gmail account
• Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
• Modify the $username & $password variables for your account in the Mail.ps1, MailLogs.ps1, MailClip.ps1 PowerShell files
• Modify $msg.From & $msg.To.Add with the throwaway Gmail address

Screenshots Module
• Takes screenshots of the user screen every 1 minute using the Graphics.CopyFromScreen method
• Sends an email to the attacker with the screenshot as an attachment
• Deletes the screenshots to avoid suspicion

Clipboard Module
• Keeps track of the user clipboard along with timestamps every minute
• Users can modify this interval as per their need to sniff every few seconds
• Sends an email to the attacker with the clipboard data as a clip.txt file attachment

Keystroke Module
• Starts keystroke logging after user authentication
• Uses SetWindowsHookEx with WH_KEYBOARD_LL
• Sends an email to the attacker with the keystroke data as an elog.txt file attachment

Reverse Shell Module
• Uses the Gmail API to read emails every 15 seconds and parses the commands from the attacker
• Shell output gets sent to the attacker's email
• Examples of commands for the reverse shell:
  • BHUSADEM019:whoami
  • BHUSADEM019:tasklist
  • BHUSADEM019:ipconfig
  • BHUSADEM019:KILL

Enough talking!
Detection Mechanism
• SSL stripping (i.e. TLS inspection) on your network. Some companies have policies not to perform SSL stripping on well-known sites to maintain users' privacy. Furthermore, the attacker can encrypt traffic for exfiltration.
• PowerShell logging. However, the attacker can clear these locations to avoid logging of the scripts.
• Look for regularly timed DNS traffic through frequency analysis. However, this can be defeated using randomisation in connection timing.
• Sysinternals tools such as Autoruns, Sysmon, Process Explorer and Process Monitor to review system configurations. Requires time and resources.
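As an added example (not code from the PowerShell-RAT project), the frequency-analysis idea from the DNS bullet above applied to constructed DNS query logs: a host resolving Gmail on the deck's fixed one-minute module schedule is flagged by its near-zero interval jitter, while the randomised-timing host the bullet warns about is not. The log format, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log format (constructed for this example): 'YYYY-MM-DD HH:MM:SS client <ip> query <name>'
LOG_RE = re.compile(r"^(\S+ \S+) client (\S+) query (\S+)$")

def parse_log(lines):
    """Group query timestamps by (client, queried name); lines not matching the format are skipped."""
    series = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            series[(m.group(2), m.group(3))].append(ts)
    return series

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps), or None if too few events."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else 0.0)

def find_beacons(lines, min_events=5, max_cv=0.1):
    """Flag (client, name) pairs with at least min_events queries whose gap jitter is at most max_cv."""
    hits = {}
    for key, ts in parse_log(lines).items():
        score = beacon_score(ts) if len(ts) >= min_events else None
        if score and score[1] <= max_cv:
            hits[key] = score
    return hits

def sample_lines():
    """Constructed DNS log: 10.0.0.5 polls Gmail every 60 s (the deck's module interval), 10.0.0.7 randomises timing."""
    base = datetime(2020, 1, 1, 9, 0, 0)
    regular = [base + timedelta(seconds=60 * i) for i in range(6)]
    jittered = [base + timedelta(seconds=s) for s in (0, 41, 136, 158, 229, 320)]
    lines = [f"{t:%Y-%m-%d %H:%M:%S} client 10.0.0.5 query smtp.gmail.com" for t in regular]
    lines += [f"{t:%Y-%m-%d %H:%M:%S} client 10.0.0.7 query smtp.gmail.com" for t in jittered]
    lines.append("2020-01-01 09:00:30 client 10.0.0.9 query mail.google.com")  # one-off benign lookup
    return lines

if __name__ == "__main__":
    for (client, name), (mu, cv) in find_beacons(sample_lines()).items():
        print(f"{client} -> {name}: every {mu:.0f}s, jitter cv={cv:.2f}")
```

Lowering max_cv tightens the rule, but a client that adds enough randomisation to its polling interval will push its coefficient of variation above any threshold, which is the limitation the bullet describes.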
References
• https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard?view=powershell-5.1
• https://developers.google.com/docs/api/quickstart/python
• https://github.com/googleapis/google-api-python-client
• https://www.pdq.com/blog/powershell-send-mailmessage-gmail/
• https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowshookexa
• https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks
• Sandeep Ghai from Threat Intelligence for his help on the Reverse Shell Module
