ETW Architecture We're happy to announce our ETW keylogger POC code from our talk at Ruxcon 2016 (slides here: https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf) has been turned into a PowerShell Empire module: https://github.com/CyberPoint/ETWKeyLogger_PSE

Due to PowerShell's close relationship with .NET/CLR PowerShell Empire (http://www.powershellempire.com/), it was an easy choice when picking a framework for giving an end-to-end demo of our code in a more "real world" attack scenario. The main challenge we had to solve was that, at the time of this writing, there doesn't seem to be a good, native PowerShell solution for ETW. To solve this issue we had to cheat a bit to bring the ETW functionality we needed, namely consuming events from the USB providers Microsoft-Windows-USB-UCX and Microsoft-Windows-USB-USBPORT. This was accomplished by turning our original POC from Ruxcon (https://github.com/CyberPoint/Ruxcon2016ETW/tree/master/KeyloggerPOC) into a DLL which allowed us to leverage PowerShell's API for loading COFF-based assemblies, [System.Reflection.Assembly]::Load(). This enabled us to use our same C# demo code inside of PowerShell with almost no changes. Also, because this function loads assemblies from raw bytes it allows us, with some help from @mattifestation's code (http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html), to include our DLL in a compressed, base64 encoded string inside our module. We can then load and run it entirely from memory which greatly enhances the overall OpSec of our keylogger (with the obvious tradeoff of a much larger module file size).

The end result is a roughly 800k PowerShell USB key logger that runs entirely from memory without the need to ever write to disk! As with our original POC code the same requirements apply:

  • Only runs on Windows 7 and up (Windows 7 only supports USB 2)
  • Requires Admin privileges
  • .NET 4.5 (.NET version of the embedded DLL)

As always, please contact us with questions, comments, or feedback. This is our first PowerShell Empire module so there are likely some improvements to be made!

@CyberPoint_SRT

SRT [at] cyberpointllc.com

-SRT Team