
PowerShell

Kryptoxin supports PowerShell as an output language for script templates.

Overview

The PowerShell execution environment is a well-known attack vector on Windows hosts, because many system utilities and libraries rely on it. These libraries can be leveraged to gather information about a Windows-based system, and the execution environment also exposes native API functions through .NET reflection.

The print template generates a basic printing script. It can be used to "transmit" a secret string to a target, serve as a starting script, or simply help with debugging.

The example below shows a PowerShell script that includes a base64 decoding function and a routine performing AES decryption, both using system libraries only. The script can be copied and pasted as-is onto a Windows host. Upon execution, it prints the decrypted message to the console.

python -m kryptoxin encrypt -k s3cret --random-iv --random-salt \
--lang powershell --action print
$base64EncData = "IJwkiZX5xSgNSKWhViyAvljc8A8omkslt9zlG+wUzXM=" # (1)!

function ConvertFrom-Base64ToByteArray {
    [...]
}

$data = ConvertFrom-Base64ToByteArray -base64EncData $base64EncData # (2)!


Add-Type -AssemblyName System.Security # (3)!

function Decrypt-AES256PBKDF2HMAC { # (4)!
    [...]
}

[System.Text.Encoding]::UTF8.GetString($data) # (5)!
  1. The $base64EncData variable holds the base64-encoded ciphertext generated by Kryptoxin.
  2. The encoded ciphertext is decoded by the ConvertFrom-Base64ToByteArray function and returned as a byte[] array.
  3. The System.Security .NET assembly is "imported" using the Add-Type cmdlet.
  4. The AES decryption routine is generated and can be called to decrypt the data.
  5. The decrypted data, here a UTF-8 encoded string, is read and printed to the console.

Load Assembly (load-asm)

This template generates a PowerShell script that loads a COFF-based object, such as a compiled .dll, into memory. It then loads the class type and method given by the --type= and --method= command-line arguments respectively.

This script runs entirely in memory

This script and all its content run entirely from memory, which makes it a good candidate for loading payloads that would otherwise trigger on-disk AV and EDR inspection. Note, however, that AMSI may still flag this script.

python -m kryptoxin encrypt -k 123456 --random-iv --random-salt \
--lang powershell --action load_asm --in TestLibrary.dll \
--type=TestLibraryClass.Class1 # (1)! \
--method=run # (2)!
  1. Specify the namespace and the object class of your library or portable executable.
  2. Specify the class' method to invoke from PowerShell where code execution begins.
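Both the print and load-asm templates share the same decrypt-then-act shape, and that shape is what a defender keys on in PowerShell script-block logging (Event ID 4104). The Python below is an added example, not part of Kryptoxin or this page: it scores constructed script-block samples, modelled on the two skeletons above, for that shape. The .NET class names it looks for (Rfc2898DeriveBytes, AesManaged, FromBase64String, Assembly.Load) are assumptions about what the elided template bodies contain, not confirmed tool output.

```python
import re

# Indicators of the decrypt-then-act pattern from this page, as seen in PowerShell
# script-block logs (Event ID 4104). The template bodies are elided above, so the
# .NET class names are assumed, not confirmed Kryptoxin output; the function
# names come from the page itself.
INDICATORS = {
    "add_type_security": re.compile(r"Add-Type\s+-AssemblyName\s+System\.Security\b", re.I),
    "base64_decode": re.compile(r"FromBase64String|ConvertFrom-Base64ToByteArray", re.I),
    "pbkdf2": re.compile(r"Rfc2898DeriveBytes|PBKDF2", re.I),
    "aes": re.compile(r"\bAes(?:Managed|CryptoServiceProvider)?\b|AES256", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\b|\.GetType\(|\.Invoke\(", re.I),
    "long_base64_literal": re.compile(r'"[A-Za-z0-9+/]{32,}={0,2}"'),  # the $base64EncData blob
}

def find_indicators(script_block):
    """Return the sorted names of every indicator present in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_block))

def classify(script_block):
    """Verdict for one script block: benign, decrypt-stage, or decrypt-and-load."""
    hits = find_indicators(script_block)
    present = set(hits)
    if {"base64_decode", "aes", "long_base64_literal"} <= present:
        verdict = "decrypt-and-load" if "reflective_load" in present else "decrypt-stage"
    else:
        verdict = "benign"
    return verdict, hits

# Constructed samples (not real tool output) modelled on the print and load-asm skeletons.
PRINT_SAMPLE = r'''
$base64EncData = "IJwkiZX5xSgNSKWhViyAvljc8A8omkslt9zlG+wUzXM="
function ConvertFrom-Base64ToByteArray { param($base64EncData) [System.Convert]::FromBase64String($base64EncData) }
$data = ConvertFrom-Base64ToByteArray -base64EncData $base64EncData
Add-Type -AssemblyName System.Security
function Decrypt-AES256PBKDF2HMAC { param([byte[]]$data, $key, $salt) $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($key, $salt, 10000) }
[System.Text.Encoding]::UTF8.GetString($data)
'''
LOAD_SAMPLE = r'''
$base64EncData = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
Add-Type -AssemblyName System.Security
$data = Decrypt-AES256PBKDF2HMAC -data ([System.Convert]::FromBase64String($base64EncData))
$asm = [System.Reflection.Assembly]::Load($data)
$asm.GetType("TestLibraryClass.Class1").GetMethod("run").Invoke($null, $null)
'''
ADMIN_SAMPLE = r'''
Add-Type -AssemblyName System.Windows.Forms
Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending
'''
```

The admin sample shows why the assembly name matters: Add-Type alone is routine, while Add-Type of System.Security next to a long base64 literal and AES/PBKDF2 calls is the page's stager shape.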

Custom Script (custom)

The custom template is provided as a reference and starting point for a custom script of your liking. Simply edit the custom.jinja file located in the /kryptoxin/templates/powershell/action directory under your default installation location. By default, the $data variable holds the decoded and decrypted data at every step. Finally, call the template using the --action custom command-line parameter.