
Add powershell plugin from v0.2 dev

[Open] ascemama opened this issue 2 years ago • 8 comments

Hi Checkymander,

As you requested, I retargeted the powershell plugins so that you can merge to v0.2-dev.

Note that, in addition to not supporting single-file build, it is important to choose win10-x64 (or win7-x86) for the build. The more general win-x86/64 option does not work. As far as I understand, this is another restriction related to the .NET PowerShell SDK: https://github.com/PowerShell/PowerShell/issues/12522. Anyway, I don't think this is a big issue because win10-x64 is the correct RID for win10, win11 and win servers: https://docs.microsoft.com/en-us/dotnet/core/rid-catalog

Let me know if you have any issues with the code.

BTW, I did not investigate, but the "ls" plugin seems broken in this branch: LS_plugin_Issue

ascemama, Jul 07 '22 07:07

Regarding the ls plugin, that output goes to the file browser in mythic now, you'll see the output there. And thanks a lot, I'll play around with it and take a look!

checkymander, Jul 07 '22 13:07

Can you try publishing this as a single-file application (either through Mythic or by using a command similar to the one used in build.py)? Even when compiling it as a single-file application, it seems to be spitting out a bunch of extra stuff:

[image]

Also, is there a smaller library you can use? This plugin seems to be adding anywhere between 15 and 35 MB of stuff to the agent.

Athena is already fairly large as far as payloads are concerned, and I'd like to at least try to limit how big it gets.

Thanks!

checkymander, Jul 07 '22 18:07

Hi, I had a look at why the PowerShell SDK NuGet package produces that many artifacts and why it makes the binary so big, without success. I will check if we can change to another NuGet package in the next few days. Antoine

ascemama, Jul 08 '22 11:07

  • Regarding the single-file build issue, this can be fixed by adding /p:IncludeNativeLibrariesForSelfExtract=true to the build command. I already added it in this branch.

  • Unfortunately, regarding the size of the EXE, I don't see any way around this.

I tried to use a supposedly lighter NuGet package than the PowerShell SDK, namely system.management.automation. However, it needs many other projects to be loaded too, which end up being as big. It is also not stable and does not work with some scripts.

I don't know much about .NET, but I have the impression that getting a PowerShell runspace to work correctly is really tricky. As far as I can see, except for those two NuGet packages, there is no other way to get PowerShell running in a process.

So I don't see a way to reduce the size of the exe. But we could add a build configuration so that the operator decides whether to build with or without PowerShell capacity.

ascemama, Jul 09 '22 10:07

I have a way that we can maybe solve this: take a look at the load-module and ds commands, remove the reference from the base Athena agent and see if you can figure out which DLLs are required for your plugin to work properly. Then use load-module to automagically load the required assemblies for the plugin.

checkymander, Jul 10 '22 02:07

OK, understood. I will give it a try next weekend; I won't have time during the week.

ascemama, Jul 10 '22 11:07

Hi @checkymander, I was away for a while. Still, I spent a few afternoons trying to load the PowerShell DLL from the modules instead of the Athena binary, as you requested.

If you remember, the powershell plugin was loading and working by referencing the PowerShell SDK directly from the Athena project, but it made the Athena binary really big. You asked me to remove the reference from the Athena project and put it only in the powershell plugin. Unfortunately, I am not able to make it work this way.

  • By using "load-module" as you suggested, I stumbled on an error within the PowerShell SDK library related to ExperimentalFeature. I tried to fix this directly in the PowerShell SDK, without success.
  • By loading the DLL directly from the Athena powershell plugin source code (Assembly.LoadFile), I again hit an issue within some DLL of the PowerShell SDK.
  • I was also not able to find out where to put all the DLLs for them to be statically loaded during the loading of the powershell module.

I am not sure if my failing is due to my poor understanding of .NET Core (assembly loading) or due to the PowerShell .NET Core library being not so stable.

Not sure what else I could try. If you have any ideas or would like to work together to make it work, I would be happy to.

Otherwise, I will move on. For my usage I don't really care that the Athena binary gets big. This branch can still be used by people wanting to get PowerShell into their implant.

ascemama, Sep 04 '22 08:09

No problem at all, hope you enjoyed your break. I'll think about it for a little bit and get back to you, maybe take a look myself. I'd like to keep the binary as small as I can for now, so maybe I can find a way to get the DLLs to load.

checkymander, Sep 05 '22 01:09