.ps1 scripts. The first tactic is not to use these file extensions at all for the content of the script you wish to execute. Using .txt, or other non-script related file extensions, is sufficient. Second, we will use redirection to pipe the contents to the script execution environment.
"There is a fundamental difference between the approach taken by a development team and that taken by someone attacking an application. A development team typically approaches an application based on what it is intended to do. In other words, they are designing an application to perform specific tasks based on documented functional requirements and use cases. An attacker, on the other hand, is more interested in what an application can be made to do and operates on the principle that "any action not specifically denied, is allowed"." - OWASP Secure Coding Practices Guide v2
"Released Windows operating system versions do support notification of image loading operations (which does meet some ISV requirements), but do not provide the ability to block the loading operation. For that reason, Microsoft investigated whether a new API would be needed to support this requirement, but ultimately concluded that existing supported functionality could be used to achieve the desired module load blocking behavior. In particular, a file system mini-filter can be utilized to block the loading of modules in both user mode (e.g., DLLs) and kernel mode (e.g., device drivers). Intercepting STATUS_ACCESS_DENIED when sections are loaded for PAGE_EXECUTE permission is an appropriate approach." - Kernel Data Filtering and Support
"The root issue here is that at the point at which execute operations are detected (NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation. Later, execute access is requested in the file mapping (MapViewOfFile->NtMapViewOfSection), which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access." - Chris Lord, Bit9
Invoke-ReflectivePEInjection. This tool is an amazing example of how PowerShell and the .NET framework can be leveraged to execute arbitrary PE files. Since many environments trust the powershell.exe binary, it is a natural evolution for adversaries to leverage this framework. By creating an exploit for CVE-2014-4113 and embedding it into the Invoke-ReflectivePEInjection script, we were able to achieve privilege escalation, even in an environment with strict whitelisting enabled.