shmu26

Level 82
Verified
Trusted
Content Creator
I have a bunch of powershells in the WinSxS folder.
I find multiple instances of other script interpreters in the same folder.
what are they doing there, and is it likely that malware can abuse them?


509322

I have a bunch of powershells in the WinSxS folder.
I find multiple instances of other script interpreters in the same folder.
what are they doing there, and is it likely that malware can abuse them?
Those in WinSxS are OK. WinSxS is for installations, backups and updates of files.

The C_powershell.exe_* shortcut -- I have no idea what it is -- and it's in User Space too.
 

shmu26

the ones in WinSxS don't have full capabilities? Or are they okay because malware doesn't use them?
 

509322

TechNet:

"All of the components in the operating system are found in the WinSxS folder – in fact we call this location the component store. Each component has a unique name that includes the version, language, and processor architecture that it was built for. The WinSxS folder is the only location that the component is found on the system, all other instances of the files that you see on the system are “projected” by hard linking from the component store. Let me repeat that last point – there is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder. So looked at from that perspective, the WinSxS folder is really the entirety of the whole OS, referred to as a "flat" in down-level operating systems. This also accounts for why you will no longer be prompted for media when running operations such as System File Checker (SFC), or when installing additional features and roles."

This is why you see the multiple entries for WinSxS directories.

WinSxS Folder in Windows 10/8/7 explained -- only a partial explanation.
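
An added example, not from this thread, that checks the TechNet claim directly: every powershell.exe under the Windows directory is hashed and its NTFS hard links listed with fsutil, so you can see that the System32 copy and the WinSxS copy are one file projected into two paths, and spot any copy that is not linked into the component store. It assumes Windows PowerShell 5.1 or later run from an elevated prompt, since fsutil hardlink list requires it.

```powershell
# Added example, not from the thread: find every powershell.exe under the
# Windows directory, hash it and list its NTFS hard links with fsutil.
# Per the TechNet quote, the System32 copy should be a hard link to the
# WinSxS component; a copy with no WinSxS link is a separate file on disk.
# Assumptions: Windows PowerShell 5.1 or later, elevated prompt (fsutil
# hardlink list requires it); widen $Root to scan other locations.
$Root = 'C:\Windows'

$files = Get-ChildItem -Path $Root -Filter 'powershell.exe' -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    # fsutil prints one link per line as a volume-relative path (no drive letter),
    # so the drive is prepended to get a full path back.
    $drive = $f.PSDrive.Root.TrimEnd('\')
    $links = @(& fsutil.exe hardlink list $f.FullName 2>$null |
        Where-Object { $_ } |
        ForEach-Object { $drive + $_ })
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        LinkCount = $links.Count
        InWinSxS  = [bool]($links -match '\\WinSxS\\')   # linked into the component store?
        Links     = ($links -join '; ')
    }
}

# Same hash plus shared links means one file projected into several paths.
$report | Sort-Object SHA256, Path | Format-Table Path, LinkCount, InWinSxS, SHA256 -AutoSize

# A copy that is not linked into the component store (for example one dropped
# into a user profile) is a stand-alone binary and deserves a closer look.
$report | Where-Object { -not $_.InWinSxS } | Format-List Path, SHA256, Links
```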

shmu26

okay, but I can open the powershell in WinSxS, and run a script.
why can't malware do the same?
 

509322

The article mentions malware placing a spoofed malicious DLL into the WinSxS directory; it relates to the folder in question. Is it possible for malware to abuse PowerShell?
Based on @shmu26's question about a script abusing an interpreter in WinSxS, if I recall correctly, I think the OS will redirect to %WinDir%.

I asked this same question probably - oh, at least 5 years ago - and I just can't remember the precise answer. Plus, there might have been pertinent changes over the intervening OS versions.

I will get more technical info.

Mischief has always been possible in WinSxS.

509322

Short answer: yes :)

Powershell was initially seen in office macros but most attackers will/can abuse methods such as psexec, task scheduler, wmi etc. There are quite a few samples in the wild abusing powershell
The thread is about powershell.exe in WinSxS.

He asked a specific question about powershell abuse in WinSxS directories. @Spawn knows powershell.exe gets abused.

Wingman

Level 4
I might have misinterpreted the question so apologies for that. How do you define 'abuse'? For example
you can create a powershell script that uses the IFileOperation COM to create a folder with a malicious dll and then bypass UAC using winSxS pointing to that dll. Does that count :)?

509322

Of course, there is no absolute requirement to use WinSxS for a *.dll.

shmu26

let's assume for the moment that it is theoretically possible to abuse powershell in WinSxS.

The more relevant question (to me at least) is how current malware goes looking for powershell. Is it rigidly coded to find powershell in the standard locations, and will not find it hidden deep within WinSxS? Or maybe it is smart enough to search for it wherever it might be?

509322

File extensions for stand-alone scripts, calls to the interpreter in code\command lines, system manipulation... as a single example (countless techniques out there):

From: “Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking

With this information, I decided to create the registry structure needed for “eventvwr.exe” to successfully query the HKCU location instead of the HKCR location. Since the (Default) value located in HKCR\mscfile\shell\open\command contained an executable, I decided to simply replace the executable with powershell.exe:

When starting “eventvwr.exe”, I noticed that it successfully queried/opened HKCU\Software\Classes\mscfile\shell\open\command:

This action effectively replaced the expected “mmc.exe” value with our new value: “powershell.exe”. As the process continued, I observed that it ended up starting “powershell.exe” instead of “mmc.exe”:
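
An added example, not from the thread or the quoted write-up, that audits a user's hive for the condition the eventvwr.exe technique relies on: a shell\open\command under HKCU\Software\Classes that shadows the machine-wide one. It assumes Windows PowerShell 5.1 with its default HKCU: and HKLM: drives; Get-UserShellCommandOverride is a name chosen here.

```powershell
# Added example, not from the thread or the quoted article: audit the current
# user's registry hive for shell\open\command keys that shadow the machine
# ones, which is the condition the eventvwr.exe write-up depends on. Keys under
# HKCU\Software\Classes are merged into HKCR ahead of HKLM\Software\Classes,
# so a per-user "mscfile" command is what a process resolving HKCR reads first.
# Assumption: Windows PowerShell 5.1 with its default HKCU: and HKLM: drives.
function Get-UserShellCommandOverride {
    param([string[]]$ProgId = @('mscfile'))   # default is the key from the write-up
    foreach ($id in $ProgId) {
        $userKey    = "HKCU:\Software\Classes\$id\shell\open\command"
        $machineKey = "HKLM:\Software\Classes\$id\shell\open\command"
        if (-not (Test-Path $userKey)) { continue }      # normal state: no per-user key
        $userCmd    = (Get-ItemProperty -Path $userKey).'(default)'
        $machineCmd = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey).'(default)' }
        [pscustomobject]@{
            ProgId         = $id
            UserCommand    = $userCmd
            MachineCommand = $machineCmd
            # Differs from (or has no) machine-wide counterpart: the hijack shape.
            Overrides      = ($userCmd -ne $machineCmd)
            RunsPowerShell = [bool]($userCmd -match 'powershell')
        }
    }
}

# Check the key from the write-up first (no output means no per-user key exists).
Get-UserShellCommandOverride | Format-List

# Then every ProgId in the user hive that carries its own open command.
$perUser = Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path "HKCU:\Software\Classes\$($_.PSChildName)\shell\open\command" } |
    ForEach-Object { $_.PSChildName }
if ($perUser) {
    Get-UserShellCommandOverride -ProgId $perUser | Where-Object Overrides | Format-Table -AutoSize
}
```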

Wingman

*This is not related to winSxS just to confirm :D*

There are a few ways they can do this. Going back to my previous post, this can be seen more commonly on office macros. The macro would invoke the WMI service to spawn a hidden instance of powershell with specific arguments to bypass execution policy, be hidden, etc.
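
An added example, not from the thread, showing how a defender would detect the launch pattern Wingman describes from process-creation records: a hidden powershell.exe with an execution-policy bypass, started either by an Office process or via WMI, where the parent appears as WmiPrvSE.exe instead of the Office application. It matches on the interpreter's file name rather than its path, so the copy under WinSxS that the thread asks about is caught as well. The records are constructed here in a Sysmon-like Image/ParentImage/CommandLine layout, and the WinSxS directory name is a placeholder; the function names are chosen for this example.

```powershell
# Added example, not from the thread: detection pass over constructed
# process-creation records (Sysmon-like Image/ParentImage/CommandLine fields).
# Adapt ConvertFrom-ProcRecord to your real log source.
$events = @(
    'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=powershell.exe -NoP -W Hidden -Exec Bypass -c "..."',
    'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\x.ps1',
    'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe',
    'Image=C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_PLACEHOLDER\powershell.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=powershell.exe -w hidden -ep bypass -enc AAAA'
)

function ConvertFrom-ProcRecord {
    param([string]$Line)
    $h = @{}
    foreach ($pair in $Line -split '\|') {
        $k, $v = $pair -split '=', 2
        $h[$k] = $v
    }
    [pscustomobject]$h
}

function Test-SuspiciousPowerShellLaunch {
    param($Record)
    # Key on the file name, not the path: a WinSxS copy is still powershell.exe.
    $image  = [IO.Path]::GetFileName($Record.Image)
    $parent = [IO.Path]::GetFileName($Record.ParentImage)
    if ($image -notin @('powershell.exe', 'pwsh.exe')) { return $null }
    $reasons = @()
    if ($parent -match '^(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$') { $reasons += "spawned by Office ($parent)" }
    if ($parent -ieq 'WmiPrvSE.exe') { $reasons += 'spawned via WMI (parent is WmiPrvSE.exe, not the macro host)' }
    if ($Record.CommandLine -match '-(w|windowstyle)\s+hidden') { $reasons += 'hidden window' }
    if ($Record.CommandLine -match '-(ep|exec|executionpolicy)\s+bypass') { $reasons += 'execution policy bypass' }
    if ($Record.CommandLine -match '-(e|enc|encodedcommand)\s') { $reasons += 'encoded command' }
    if ($Record.Image -match '\\WinSxS\\') { $reasons += 'interpreter run from the component store, not System32' }
    # Two or more indicators together are worth an alert; a bare interactive
    # launch from explorer.exe (record 3) produces none and is dropped.
    if ($reasons.Count -ge 2) {
        [pscustomobject]@{ Image = $Record.Image; Parent = $parent; Reasons = ($reasons -join '; ') }
    }
}

$events | ForEach-Object { Test-SuspiciousPowerShellLaunch (ConvertFrom-ProcRecord $_) } | Format-List
```

Records 1, 2 and 4 are reported; record 3 is not.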

shmu26

so in that scenario, you can delete every instance of powershell on your computer, and it won't help, because the malware will spawn a brand-new powershell file?