Warn user if they are using PowerShell with impersonation #20180


Merged: 1 commit, May 27, 2025

Conversation

@smashery (Contributor) commented May 13, 2025

As per the discussion in rapid7/metasploit-payloads#737, the PowerShell extension doesn't easily deal with impersonation. So at least we can warn the user when this situation occurs.

This PR relies on rapid7/metasploit-payloads#747

Verification

  • Obtain a meterpreter session on Windows
  • load powershell
  • getsystem
  • Use the three powershell execution methods (powershell_execute, powershell_shell, powershell_import)
  • Verify that a warning is shown
  • rev2self
  • Run the powershell commands again
  • Verify that the warning is not shown
  • Also test with impersonate_token

@smashery (Contributor Author) commented May 14, 2025

Thinking of the error message to show - here's some text I think we could put somewhere, and link to it in the error message. What would be the best way of hosting this? Add the below to the metasploit-framework.wiki directory?


When using the PowerShell extension, if another user is being impersonated (e.g. getsystem or impersonate_token), the impersonation will not apply. This is because, on Windows, each thread needs to be explicitly impersonated. In normal Meterpreter code, we have control over that. The PowerShell extension, however, uses a Microsoft DLL that we do not fully control, and Microsoft's code launches threads to perform actions.

To run PowerShell with the impersonated token, either:

  • Launch a new Meterpreter process, so that the new process runs under the desired user context, rather than using Impersonation; OR
  • Launch the built-in system PowerShell; i.e. execute -c -f powershell.exe -t

Note that the latter will be at the mercy of any security mitigations on the system, such as AMSI, Constrained Language Mode, and logging.

Discussion at rapid7/metasploit-payloads#737


@smashery smashery marked this pull request as ready for review May 14, 2025 01:46
@@ -53,10 +53,10 @@ def import_file(opts={})
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length)
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary)
client.send_request(request)
return true
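Review bot: `return true` as the last statement of `import_file` is what this hunk changes, and the comment below confirms the return type is changing; the method's documentation should state what is returned now, and every caller that tests the return value as a boolean needs to be re-checked (a caller written as `if import_file(...)` still works for any non-nil object, but one comparing `== true` would not). Since `client.send_request(request)` currently discards its response, if the new return value is derived from that response, capture it explicitly (`response = client.send_request(request)`) rather than re-requesting.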
Contributor:

As this is an API change, have all the callers of this API been updated to support this result type?

@smashery (Contributor Author):

Yes, as far as I could find, the only calls were:

  • lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb (Updated)
  • modules/exploits/windows/local/tokenmagic.rb (Didn't use the return value in the first place)
  • modules/exploits/windows/local/cve_2020_1337_printerdemon.rb (Likewise, didn't use the return value in the first place)
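The API-change question above, as an added example in Ruby (this is illustrative code, not metasploit-framework's own): a method that used to return `true` now returns a result object carrying an impersonation flag, and the example shows which caller styles survive that change and which one silently breaks. The response hash keys, the `ImportResult` struct and its `impersonating` field are assumptions standing in for the real TLVs; only the warning text comes from the page.

```ruby
# Added example, not metasploit-framework code. Models an extension call whose
# return value changed from the bare boolean +true+ to a result object, as the
# review comment on import_file discusses.

# Hypothetical result type; the field names are assumptions for this example.
ImportResult = Struct.new(:loaded, :impersonating, keyword_init: true)

# Stand-in for decoding the extension's response. The :success and
# :impersonating keys are assumed; the real code reads TLVs.
def parse_import_response(response)
  ImportResult.new(
    loaded: response.fetch(:success),
    impersonating: response.fetch(:impersonating, false)
  )
end

# Warning text as shown in the console transcript on the page.
IMPERSONATION_WARNING = 'Impersonation will not apply to PowerShell.'.freeze

# Returns the warning to print when the response reports that an impersonation
# token is active, or nil when there is nothing to warn about.
def impersonation_warning(result)
  result.impersonating ? IMPERSONATION_WARNING : nil
end

# Caller style 1: treats the return value as a truthiness check. In Ruby every
# object other than nil and false is truthy, so this keeps working after the
# return type changes from +true+ to a Struct.
def legacy_caller_truthiness(result)
  result ? :imported : :failed
end

# Caller style 2: compares against the literal +true+. A Struct is never
# == true, so this caller would start reporting failure after the API change.
def legacy_caller_strict(result)
  result == true ? :imported : :failed
end

# Caller style 3: written against the new API, it uses the richer result.
def new_style_caller(result)
  return :failed unless result.loaded

  warning = impersonation_warning(result)
  warning ? :imported_with_warning : :imported
end
```

Running `legacy_caller_strict` against the new result type is the kind of silent regression the reviewer's question is meant to catch; a grep for callers that only read the return value for truthiness (or ignore it, as the two exploit modules listed above do) is sufficient, but any `== true` comparison needs updating.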

@smcintyre-r7 smcintyre-r7 self-assigned this May 22, 2025
@smcintyre-r7 (Contributor) left a comment

Changes look good to me and from my testing are behaving in the way that we'd expect. Thanks for your work on this smashery! I'm going to start by landing the payloads side of things.

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
WARNING: Local file /home/smcintyre/Repositories/metasploit-framework.pr/data/meterpreter/elevator.x64.dll is being used
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > load powershell
Loading extension powershell...WARNING: Local file /home/smcintyre/Repositories/metasploit-framework.pr/data/meterpreter/ext_server_powershell.x64.dll is being used
Success.
meterpreter > powershell_execute -h
Usage: powershell_execute <powershell code> [-s session-id]

Runs the given Powershell string on the target.

OPTIONS:

    -h   Help banner
    -s   Specify the id/name of the Powershell session to run the command in.

meterpreter > powershell_execute "Write-Output 'Hello, World'"
[!] Impersonation will not apply to PowerShell.
[+] Command execution completed:
Hello, World

meterpreter > powershell_shell
[!] Impersonation will not apply to PowerShell.
PS > 

@smcintyre-r7 smcintyre-r7 force-pushed the powershell-impersonate-warning branch from f2a56c3 to 904f4b6 on May 27, 2025 14:15
@smcintyre-r7 smcintyre-r7 merged commit 2ec4577 into rapid7:master May 27, 2025
18 checks passed
@smcintyre-r7 (Contributor)

Release Notes

This adds a warning to PowerShell use when an impersonation token is active.

@smcintyre-r7 smcintyre-r7 added the rn-enhancement release notes enhancement label May 27, 2025