
Research On PowerShell Technologies For APT Penetration Testing

Posted on: 2019-08-04
Degree: Master
Type: Thesis
Country: China
Candidate: X J Chen
Full Text: PDF
GTID: 2428330566498084
Subject: Computer Science and Technology

Abstract/Summary:
In recent years, the purpose of cyberattacks has gradually shifted from simple destruction to long-term, persistent penetration of specific targets, and this trend has grown increasingly severe. This new type of attack, which penetrates a specific target over a long period, is called an Advanced Persistent Threat (APT) attack. It differs from traditional network attacks in its long latency, its difficulty to detect, and its greater damage.

PowerShell is a command-line application developed by Microsoft for the Windows operating system and bundled with the .NET Framework. It is powerful, stealthy, and flexible, and these properties have made it a mainstream APT attack tool. Microsoft has established four security defenses against PowerShell-based scripting attacks: the PowerShell execution policy, application whitelisting with AppLocker, AMSI (the Antimalware Scan Interface), and PowerShell Constrained Language Mode. These four lines of defense effectively block most PowerShell-based scripting attacks.

This thesis researches the key technologies involved in the penetration process of PowerShell-based APT attacks. First, it explains how PowerShell execution policies and application whitelists work, and proposes two ways of bypassing the PowerShell execution policy that also bypass the restrictions that application whitelists place on PowerShell. Second, it explains the working principle and process of AMSI, and proposes a method for bypassing AMSI detection on the Windows 10 operating system as well as an AMSI-based code obfuscation method. Third, it describes the attack principles of three kinds of document virus (those based on Office vulnerabilities, on DDE, and on VBA) and proposes a new macro virus. This macro virus bypasses the virus detection of six anti-virus products: 360 Security Guard, Tencent Computer Housekeeper, Kingsoft Internet Security, Dr.Web, Kaspersky, and Windows Defender, which makes it well suited to APT attacks. Finally, an APT penetration framework was designed and implemented. The framework can obfuscate the code of PowerShell scripts, generate five types of document virus, and work together with document viruses to carry out APT attacks.
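The abstract names four Windows controls that stand between a PowerShell-based intrusion and the host: execution policy, AppLocker whitelisting, AMSI, and Constrained Language Mode. The script below is an added example, not code from the thesis or its framework: a read-only audit that reports the state of each of those controls on the local machine, and additionally of script block logging, the detection-side control that records scripts after the engine has decoded them, so obfuscation of the kind the abstract discusses does not hide them from the event log. It assumes Windows 10 or Server 2016 or later with Windows Defender as the AMSI provider, an elevated prompt, and the AppLocker module (absent on some editions; the script reports that rather than failing). The property names read from the AppLocker policy object (`RuleCollectionType`, `EnforcementMode`) and from `Get-MpComputerStatus` are taken from the Windows modules, not from the page.

```powershell
# Added example for this page (not from the thesis): audit the PowerShell
# hardening controls named in the abstract plus script block logging.
# Assumes Windows 10 / Server 2016+, Defender as AMSI provider, elevated shell.

function Get-PowerShellDefenseStatus {
    [CmdletBinding()]
    param()

    $status = [ordered]@{}

    # 1. Execution policy, per scope. A lax Process or CurrentUser setting can
    #    shadow a stricter MachinePolicy, so report every scope, not just the
    #    single effective value.
    $status['ExecutionPolicy'] = (Get-ExecutionPolicy -List |
        ForEach-Object { '{0}={1}' -f $_.Scope, $_.ExecutionPolicy }) -join '; '

    # 2. Language mode of the current session. ConstrainedLanguage is the
    #    hardened state; FullLanguage gives scripts unrestricted .NET access.
    $status['LanguageMode'] = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 3. AppLocker: look for a Script rule collection in the effective policy
    #    and whether it is enforced or audit-only.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $scriptRules = $policy.RuleCollections |
            Where-Object { $_.RuleCollectionType -eq 'Script' }
        if ($scriptRules) {
            $status['AppLockerScriptRules'] = '{0} rule(s), mode={1}' -f $scriptRules.Count, $scriptRules.EnforcementMode
        } else {
            $status['AppLockerScriptRules'] = 'no Script rule collection'
        }
    } catch {
        $status['AppLockerScriptRules'] = 'unavailable: ' + $_.Exception.Message
    }

    # 4. AMSI. No cmdlet reports AMSI directly; as a proxy, confirm amsi.dll is
    #    present and that the Defender antimalware service (the default AMSI
    #    provider) is running with real-time protection enabled.
    $status['AmsiDllPresent'] = Test-Path (Join-Path $env:SystemRoot 'System32\amsi.dll')
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $status['DefenderAMService'] = $mp.AMServiceEnabled
        $status['DefenderRealTime']  = $mp.RealTimeProtectionEnabled
    } catch {
        $status['DefenderAMService'] = 'unavailable: ' + $_.Exception.Message
    }

    # 5. Script block logging (event ID 4104, Microsoft-Windows-PowerShell/
    #    Operational). The engine logs script blocks after decoding them, which
    #    is what makes obfuscated scripts visible to detection.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $status['ScriptBlockLogging'] = if ($sbl) { [bool]$sbl.EnableScriptBlockLogging } else { $false }

    [pscustomobject]$status
}

# Usage: print the audit, then flag the settings that leave the host exposed.
$audit = Get-PowerShellDefenseStatus
$audit | Format-List

if ($audit.LanguageMode -ne 'ConstrainedLanguage') {
    Write-Warning 'Session is not in Constrained Language Mode.'
}
if (-not $audit.ScriptBlockLogging) {
    Write-Warning 'Script block logging is not enabled by policy.'
}
if ($audit.AppLockerScriptRules -notmatch 'mode=Enabled') {
    Write-Warning 'AppLocker script rules are not enforced.'
}
```

Two of these readings need interpretation. The language mode reported is that of the session running the audit, so run it the way users normally launch PowerShell, since a mode applied only to one shell says nothing about the others. The AMSI check is a presence-and-provider proxy: it confirms the interface and Defender are in place, but the thesis's premise is that an attacker may interfere with AMSI in-process, so correlate this reading with Defender's own event logs rather than treating it as proof that scans occur.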
Keywords/Search Tags:APT, PowerShell, document virus, AMSI, code obfuscation