
Warn user if they are using PowerShell with impersonation #20180


Open: wants to merge 1 commit into base: master

Conversation

smashery
Contributor

@smashery smashery commented May 13, 2025

As per the discussion in rapid7/metasploit-payloads#737, the PowerShell extension doesn't easily deal with impersonation. So at least we can warn the user when this situation occurs.

This PR relies on rapid7/metasploit-payloads#747

Verification

  • Obtain a meterpreter session on Windows
  • load powershell
  • getsystem
  • Use the three powershell execution methods (powershell_execute, powershell_shell, powershell_import)
  • Verify: a warning should be shown
  • rev2self
  • Run the powershell commands again
  • Verify: the warning should not be shown.
  • Also test with impersonate_token

@smashery
Contributor Author

smashery commented May 14, 2025

Thinking of the error message to show - here's some text I think we could put somewhere, and link to it in the error message. What would be the best way of hosting this? Add the below to the metasploit-framework.wiki directory?


When using the PowerShell extension, if another user is being impersonated (e.g. getsystem or impersonate_token), the impersonation will not apply. This is because, on Windows, each thread needs to be explicitly impersonated. In normal Meterpreter code, we have control over that. The PowerShell extension, however, uses a Microsoft DLL that we do not fully control, and Microsoft's code launches threads to perform actions.

To run PowerShell with the impersonated token, either:

  • Launch a new Meterpreter process, so that the new process runs under the desired user context, rather than using Impersonation; OR
  • Launch the built-in system PowerShell; i.e. execute -c -f powershell.exe -t

Note that the latter will be at the mercy of any security mitigations on the system, such as AMSI, Constrained Language Mode, and logging.

Discussion at rapid7/metasploit-payloads#737


@smashery smashery marked this pull request as ready for review May 14, 2025 01:46
@@ -53,10 +53,10 @@ def import_file(opts={})
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length)
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
client.send_request(request)
return true
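Review bot: In the visible lines the response from `client.send_request(request)` is discarded and the method still ends with a bare `return true`, so if the impersonation warning is meant to be driven by what the updated payload (rapid7/metasploit-payloads#747) sends back, the response needs to be captured and inspected here before returning; and if the result type of `import_file` is changing as part of that, its callers in the powershell extension should be updated in the same PR rather than left to discover a new return value.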
Contributor


As this is an API change, have all the callers of this API been updated to support this result type?
