Exploiting the PowerShell Gallery
Over the years, threat actors have found impressively inconspicuous places to hide malicious code. Today I am going to show you one of these places I found, and it really shouldn't be possible.
There are several factors that a threat actor may consider when deciding where to host their malware. Some of the most common factors include the level of anonymity offered by the hosting location, the accessibility of the host from the target network, and the ability of the host to remain undetected by security measures. In some cases, threat actors may also choose to host their malware on compromised systems or networks, such as those belonging to other organizations, in order to avoid detection and make it more difficult for law enforcement or security professionals to track them down.
So what would happen if these malicious individuals all had a centralized repository they could access from almost any network in the world without compromising a single computer? Shockingly, this already exists, and the threat is very real.
The PowerShell Gallery is an online repository for PowerShell modules and scripts. It provides a central location for users to find and download useful PowerShell tools, as well as to share their own scripts and modules with the community. The PowerShell Gallery can be accessed directly from the PowerShell command line, making it easy for users to find and download the tools they need. Additionally, the PowerShell Gallery is integrated with the PowerShellGet module, which allows users to easily install, update, and manage the tools and scripts they download from the gallery. This also acts as a security buffer, as modules are scanned for malicious code and can only be executed once they have been downloaded. With all of this in mind, malicious code doesn't need to be a big worry, right?
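Because PowerShellGet lets you download a module without importing it, a defender can stage a gallery module and review it before anything in it runs. The script below is an added example written for this post, not the author's own code or anything published by the PowerShell Gallery team. It assumes the PowerShellGet cmdlets are available, and the module name 'ExampleModule' is a placeholder you would replace with the module under review; the keyword list at the end is my own choice of constructs worth a second look, not a detection rule from the gallery's scanner.

```powershell
# Added example: stage a PowerShell Gallery module for review without importing it.
# 'ExampleModule' is a placeholder; $Staging is a scratch directory outside any module path.
$ModuleName = 'ExampleModule'
$Staging    = Join-Path $env:TEMP 'psgallery-review'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# Step 1: read the gallery metadata first (author, version, project link) and pin the version.
$info = Find-Module -Name $ModuleName -Repository PSGallery
$info | Select-Object Name, Version, Author, PublishedDate, ProjectUri | Format-List

# Step 2: Save-Module downloads the files but does not import the module, so nothing executes yet.
Save-Module -Name $ModuleName -RequiredVersion $info.Version -Path $Staging -Repository PSGallery
$moduleRoot = Join-Path $Staging $ModuleName

# Step 3: validate the manifest and list what Import-Module would actually load.
# RootModule, NestedModules and Scripts are the entry points that run on import.
$manifestPath = Get-ChildItem -Path $moduleRoot -Recurse -Filter '*.psd1' |
    Select-Object -First 1 -ExpandProperty FullName
$manifest = Test-ModuleManifest -Path $manifestPath
$manifest | Select-Object Name, Version, RootModule, NestedModules, Scripts, RequiredModules | Format-List

# Step 4: check Authenticode status of every script file. 'NotSigned' or 'HashMismatch'
# is a finding to follow up on, not proof of malice; many legitimate gallery modules are unsigned.
Get-ChildItem -Path $moduleRoot -Recurse -Include '*.ps1', '*.psm1', '*.psd1' |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# Step 5: surface constructs that commonly hide behaviour (dynamic invocation, encoded payloads,
# outbound downloads) so a reviewer reads those lines before deciding to import the module.
$review = 'Invoke-Expression', 'IEX', 'EncodedCommand', 'FromBase64String',
          'DownloadString', 'Net.WebClient', 'Invoke-WebRequest', 'Start-Process'
Get-ChildItem -Path $moduleRoot -Recurse -Include '*.ps1', '*.psm1' |
    Select-String -Pattern $review -SimpleMatch |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize -Wrap
```

The point of the ordering is that every step runs against files on disk, and none of them imports the module: the manifest's RootModule, NestedModules and Scripts entries tell you which files will execute at import time, so those are the ones to read first. Only after the signature and keyword review is clean would you run Install-Module for real.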
Watch this video and see how I walk right past all those security features!