MattHiggs

Powershell Gallery

24 posts in this topic

#1 ·  Posted

So a crazy thought occurred to me. I am a very big fan of AutoIt, but, while this is unfortunate, it is true that many antivirus products don't like AutoIt very much, and this has been a constant frustration of mine throughout the course of my career, the numerous places I have worked, and the different antivirus products utilized at these numerous companies. It usually just gets to the point where I myself personally sabotage the antivirus product and prevent it from starting and/or working correctly in order to prevent it from quarantining my scripts and getting me in trouble with management, who don't seem to understand what the concept of a "false positive" is and just how useless antivirus software really is (shout-out to Sysinternals Autoruns for being the easiest way to accomplish this). However, I would rather not have to do these things, and have been thinking of a way to utilize AutoIt without putting the problem files on the computer. Immediately I thought the best way to do this would be to use AutoIt's capability to integrate into other native scripting languages, which are rarely flagged as malicious (at least I have never seen it happen). And since I work as a Windows deployment specialist, I have been thinking about how I would be able to automate the process of obtaining only the files required for the AutoItX PowerShell module as part of the deployment task sequence. I came up with the solution of creating a privately hosted PowerShell gallery (the PowerShell Gallery allows for the automated installation and configuration of PowerShell modules directly from the PowerShell console) and hosting the AutoItX PowerShell module from this private gallery, and it worked beautifully.
However, what I wanted to do was see if I could get permission/authorization (whatever legal term you want to use, just tell me what I need to do) to submit the AutoIt PowerShell module to the public PowerShell Gallery and make the module available to anyone who wants the AutoIt PowerShell module and ONLY the AutoIt PowerShell module. I know that I wouldn't be able to do this without permission and not violate (probably) every copyright law in existence, so could someone let me know if this is even possible in the first place and, if so, point me in the right direction as to what I need to do to obtain permission to do this?

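As an added example (this is not code from the thread or from the AutoIt project), here is what the private gallery setup described in the post above looks like when scripted, with the checks a deployment admin would want around it. The share path, repository name, staged module folder and file names are assumptions, not details from the post:

```powershell
# Added example, not code from the thread or from AutoIt.
# Assumptions (not stated in the thread): a deployment share \\deploy01\PSRepo that
# only deployment admins can write to and every client can read, and a staged copy
# of the AutoItX module folder (AutoItX.psd1 plus its DLLs, taken from an AutoIt
# install) at C:\Stage\AutoItX. Requires PowerShellGet on Windows PowerShell 5.x
# and the NuGet package provider on both ends.

$RepoName   = 'CorpPSRepo'            # assumed repository name
$RepoPath   = '\\deploy01\PSRepo'     # assumed SMB share
$ModulePath = 'C:\Stage\AutoItX'      # assumed staged module folder
$HashFile   = Join-Path $RepoPath 'AutoItX.sha256.json'

function Register-CorpRepo {
    # Idempotent: a file-share repository is registered once per machine.
    # InstallationPolicy Trusted suppresses the "untrusted repository" prompt, so
    # the share ACL (admin write, everyone read) is what actually protects clients.
    if (-not (Get-PSRepository -Name $RepoName -ErrorAction SilentlyContinue)) {
        Register-PSRepository -Name $RepoName -SourceLocation $RepoPath `
            -PublishLocation $RepoPath -InstallationPolicy Trusted
    }
}

function Publish-AutoItX {
    # Publisher side, run once by the deployment admin.
    Register-CorpRepo
    # The manifest must load, or Publish-Module would fail later anyway.
    $manifest = Test-ModuleManifest -Path (Join-Path $ModulePath 'AutoItX.psd1')
    # Record the SHA-256 of every binary next to the repo so clients can verify
    # what they pulled, independent of the transport.
    $hashes = @{}
    Get-ChildItem -Path $ModulePath -Filter *.dll | ForEach-Object {
        $hashes[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $hashes | ConvertTo-Json | Set-Content -Path $HashFile -Encoding ASCII
    # A file-share repository does not check the API key, but the parameter is
    # still accepted, so any placeholder string works here.
    Publish-Module -Path $ModulePath -Repository $RepoName -NuGetApiKey 'file-share-placeholder'
    "Published AutoItX $($manifest.Version) to $RepoName"
}

function Install-AutoItXFromCorpRepo {
    # Client side, e.g. one step of a deployment task sequence (run elevated).
    Register-CorpRepo
    # Pin the repository: Install-Module without -Repository searches every
    # registered repository, the public PSGallery included, for a module by this name.
    Install-Module -Name AutoItX -Repository $RepoName -Scope AllUsers -Force
    $installed = Get-Module -Name AutoItX -ListAvailable | Select-Object -First 1
    $expected  = Get-Content -Path $HashFile -Raw | ConvertFrom-Json
    # Any DLL whose hash differs from the published record (or is not in it) fails.
    $bad = Get-ChildItem -Path $installed.ModuleBase -Filter *.dll | Where-Object {
        (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -ne $expected.($_.Name)
    }
    if ($bad) {
        throw "Hash mismatch for: $($bad.Name -join ', '); not importing AutoItX."
    }
    Import-Module -Name AutoItX
    Get-Command -Module AutoItX | Select-Object -First 5
}
```

Register-PSRepository with -InstallationPolicy Trusted removes the "untrusted repository" prompt on every client, so the share's write ACL becomes the control that keeps a stray workstation from publishing a replacement AutoItX to the whole fleet; keep publish rights with the deployment admins and compare hashes on the client as above rather than trusting the transport. Pinning -Repository on Install-Module matters for the same reason: without it PowerShellGet searches every registered repository, the public gallery included. Publish-Module needs nuget.exe and Install-Module needs the NuGet provider; PowerShellGet offers to download both, so on a client without internet access pre-stage the provider in the image.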



#2 ·  Posted

First and foremost, I believe this would be a question for @Jon

Secondly, as an aside, I am surprised that you have had the trouble you have. In all my years of working in the corporate sector, with all of the AV companies you'd find in the upper Gartner Quadrants, I have only run into false positives once or twice.


√-1 2^3 ∑ π, and it was delicious!


#3 ·  Posted (edited)

On 8/2/2017 at 10:07 PM, JLogan3o13 said:

First and foremost, I believe this would be a question for @Jon

Secondly, as an aside, I am surprised that you have had the trouble you have. In all my years of working in the corporate sector, with all of the AV companies you'd find in the upper Gartner Quadrants, I have only run into false positives once or twice.

4 I can think of right off the bat:

Cylance

Variant of Bitdefender used by SolarWinds "N-able"

Regular Bitdefender too (I think)

Webroot

Those are just off the top of my head (as in I specifically remember having to go into the administration console and having to add the AutoIt program files folder to the exclusion list). But Cylance is, by far, the worst excuse for an endpoint protection product I have ever encountered, ever.

Edited by MattHiggs


#4 ·  Posted (edited)

You said AutoIt and PowerShell an awful lot without showing any code. I have lots of snippets that run in an enterprise environment (though my AV experience has been McAfee/Symantec/Trend, and if you are including EDRs like Cylance they also run under Carbon Black default policy) without tripping flags: https://www.autoitscript.com/forum/topic/166618-ps-cli/#comment-1242799

Are you using any compiler directives like turning off UPX?

Also, as a deployment specialist, that makes me wonder what you are running them on. If these are offline images you may have better options than a repo; if they are online you can probably batch them with the first command whitelisting the working directory in the local AV.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


#5 ·  Posted (edited)

14 minutes ago, iamtheky said:

You said AutoIt and PowerShell an awful lot without showing any code. I have lots of snippets that run in an enterprise environment (though my AV experience has been McAfee/Symantec/Trend, and if you are including EDRs like Cylance they also run under Carbon Black default policy) without tripping flags: https://www.autoitscript.com/forum/topic/166618-ps-cli/#comment-1242799

Are you using any compiler directives like turning off UPX?

Also, as a deployment specialist, that makes me wonder what you are running them on. If these are offline images you may have better options than a repo; if they are online you can probably batch them with the first command whitelisting the working directory in the local AV.

....... @iamtheky I think you misunderstood the purpose of my post. Try reading it again.

Edited by MattHiggs


#6 ·  Posted (edited)

I didn't. Instead of sabotage, do it correctly within the bounds of the AV? Or instead of your own repo, store them somewhere already whitelisted like an SCCM queue?

Is this also a local rights issue? Are you unable to contact/make requests of the AV admin (I also have the advantage of being that person)?

Also, if you haven't tried compiling without UPX, you should try it. My scripts run on tens of thousands of tactical DoD systems, and now run at the energy company. Unless you believe your scripts are performing behaviors that cause the alerts and you are tripping heuristics, then that will still happen.

*I just don't understand the hoops for the PowerShell module to overcome an issue that is not a technical issue, but an administrative one.

Edited by iamtheky


#7 ·  Posted

On 8/2/2017 at 10:07 PM, JLogan3o13 said:

First and foremost, I believe this would be a question for @Jon

Secondly, as an aside, I am surprised that you have had the trouble you have. In all my years of working in the corporate sector, with all of the AV companies you'd find in the upper Gartner Quadrants, I have only run into false positives once or twice.

@JLogan3o13 So I figured that Jon was probably the user I needed to get in contact with. I actually sent him a private message the day I created this post. Not only have I not gotten a response, but I notice that he has not been active in quite a while, which was a concern. Do you know of a more... reliable... way to reach out to him?

Share this post


Link to post
Share on other sites

#8 ·  Posted (edited)

Maybe I misunderstood, but... this? Or does that module package contain cmdlets unavailable here?

https://www.nuget.org/packages/AutoItX

Edited by iamtheky


#9 ·  Posted

4 minutes ago, iamtheky said:

I didn't. Instead of sabotage, do it correctly within the bounds of the AV? Or instead of your own repo, store them somewhere already whitelisted like an SCCM queue?

Is this also a local rights issue? Are you unable to contact/make requests of the AV admin (I also have the advantage of being that person)?

Also, if you haven't tried compiling without UPX, you should try it. My scripts run on tens of thousands of tactical DoD systems, and now run at the energy company. Unless you believe your scripts are performing behaviors that cause the alerts and you are tripping heuristics, then that will still happen.

@iamtheky Yes, you did misunderstand. I am not referring to compiled AutoIt scripts. I am referring to files within the AutoIt "Program Files", the core files of AutoIt itself, being flagged as malware. Furthermore, I am referring to operating system deployment scenarios as well, and making the AutoIt PowerShell cmdlets available to machines which are being deployed without installing AutoIt on each client machine (since end users don't need and shouldn't have access to AutoIt), and automating the process by which the AutoIt PowerShell cmdlets are made available to client devices during the deployment task sequence. The most simple way to do this would be to upload the AutoIt PowerShell module to the public PowerShell Gallery (which would eliminate the need for me to create a private PowerShell gallery which hosts the AutoIt module for each client I work with), as that would allow me to make the AutoIt PowerShell module available on the client device and automatically add it to the PSModulePath environment variable by running a single command from the PowerShell console. The purpose of the post was to find out if I could, and if so, who I needed to contact to get permission to upload the PowerShell module to the public PowerShell Gallery.


#10 ·  Posted

1 minute ago, iamtheky said:

maybe I misunderstood, but....this?  Or does that module package contain cmdlets unavailable here?

https://www.nuget.org/packages/AutoItX

@iamtheky NuGet is only relevant for use from a development standpoint and (with the exception of the command-line utility) can only be used from within Visual Studio. NuGet provides NuGet packages to be used within Visual Studio projects. It doesn't make the PowerShell module available for use on the computer itself.


#11 ·  Posted (edited)

I see (I think, maybe my tea is weak),

So this is strictly a solution to provide admins PowerShell modules on remotely managed systems without having to make an additional repo, in your instance? But the greater good being their public availability.

The NuGet repo is built-in (and trusted, and the default search location for Install-Package) in my default PowerShell (Win10 16257). If Jon could drop those ps files in this same location, would that serve your purposes? That might be an easier ask if it is being maintained.

** Double-checking settings: I will reload a PC with stock Win10 and keep it out of the fast ring and not add LXSS, just in case those options added the NuGet repo.

Edited by iamtheky


#12 ·  Posted

8 minutes ago, iamtheky said:

I see (I think, maybe my tea is weak),

So this is strictly a solution to provide admins PowerShell modules on remotely managed systems without having to make an additional repo, in your instance? But the greater good being their public availability.

The NuGet repo is built-in (and trusted, and the default search location for Install-Package) in my default PowerShell (Win10 16257). If Jon could drop those ps files in this same location, would that serve your purposes? That might be an easier ask if it is being maintained.

@iamtheky Again, I am pretty sure NuGet is a technology which provides packages for development projects. In other words, the only place that NuGet would really be of any use is when you are working with development projects within some kind of development environment. NuGet is not capable of downloading and importing PowerShell modules into a machine's PowerShell session. However, PowerShell 5 comes with the "PackageManagement" module (originally known, and still known to some, as OneGet), which allows PowerShell to import other package management services and then use the imported package management service from within the PackageManagement module. This includes NuGet, Chocolatey, Ruckzuck, and others. This module also provides cmdlets which allow users to automate the download and configuration of PowerShell modules and scripts from the PowerShell console. These modules and scripts are obtained from the PowerShell Gallery, and I would highly recommend you take a look at it, as, based on our conversation, I take it that you are not familiar with this service. My goal is to upload the AutoIt PowerShell module and all dependent files to the public PowerShell Gallery, so that they can be obtained by simply running "Install-Module AutoItX" from the PowerShell console.


#13 ·  Posted (edited)

I spend most of my time in bash and PowerShell. Most of my modules come straight off GitHub (most recently: https://github.com/danielbohannon/Invoke-Obfuscation) where I can certainly stage that file and import it into my session, and have cmdlets to use on the fly. NuGet too, but those look like all Nano Server stuff, and maybe I am misunderstanding what it does, but when I pull something like PowerShell SQL libraries it's DLLs and ps files, and once imported I have new cmdlets I can use in session.

I'm not against PSGallery, and certainly I should explore all options, but I would also contend the same. Why put all other potential solutions on hold because you are busy waiting for an answer?

If your ask is "can I do this one thing" it's only a 50/50 shot, but "can any one of these 8 things happen" seems to improve the odds, no?

Edited by iamtheky


#14 ·  Posted

30 minutes ago, iamtheky said:

I spend most of my time in bash and PowerShell. Most of my modules come straight off GitHub (most recently: https://github.com/danielbohannon/Invoke-Obfuscation) where I can certainly stage that file and import it into my session, and have cmdlets to use on the fly. NuGet too, but those look like all Nano Server stuff, and maybe I am misunderstanding what it does, but when I pull something like PowerShell SQL libraries it's DLLs and ps files, and once imported I have new cmdlets I can use in session.

I'm not against PSGallery, and certainly I should explore all options, but I would also contend the same. Why put all other potential solutions on hold because you are busy waiting for an answer?

If your ask is "can I do this one thing" it's only a 50/50 shot, but "can any one of these 8 things happen" seems to improve the odds, no?

@iamtheky It's not like anything is on hold or anything. Like I mentioned in the first post, for each of my clients for which this was necessary, instead of uploading the AutoIt PowerShell module to the public PowerShell Gallery, I created a private PowerShell gallery for the client on premise (link in first post) and hosted the module from the private PowerShell gallery. I was simply asking about this to potentially make it so I don't have to create the private PowerShell gallery instance for each client whenever the AutoIt module is needed.


#15 ·  Posted

So, just for posterity:

A scenario where you edit that .wim offline with DISM and drop the 4 DLLs and psd1 from the .zip in a location only accessible to admins locally, then add the Install-Package line in SetupComplete.cmd, and then apply that image to the client machine? Where does that lose feasibility?


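The offline-servicing route sketched in the post above, as an added example (not code from the thread or from AutoIt): mount the image, copy the staged module into the mounted Program Files\WindowsPowerShell\Modules tree, verify the copy, and commit. The image path, index, mount directory and staged folder are assumptions. The example puts the module on the AllUsers module path rather than in a separate admin-only folder plus a SetupComplete.cmd step; the reason is explained after the block:

```powershell
# Added example, not code from the thread. Assumptions: an image at
# C:\Images\install.wim (index 1), a mount directory C:\Mount, and a staged
# AutoItX module folder at C:\Stage\AutoItX holding AutoItX.psd1 and its DLLs.
# Run elevated on a machine with the DISM PowerShell module (Windows 8.1/10 or ADK).

$Wim    = 'C:\Images\install.wim'   # assumed
$Index  = 1                         # assumed
$Mount  = 'C:\Mount'                # assumed
$Staged = 'C:\Stage\AutoItX'        # assumed
# Program Files\WindowsPowerShell\Modules is on the AllUsers PSModulePath of the
# deployed OS, so nothing has to run from SetupComplete.cmd to make the module
# importable. Standard users can read it; only administrators can write to it.
$TargetRel = 'Program Files\WindowsPowerShell\Modules\AutoItX'

function Get-StagedHashes {
    # SHA-256 of every staged file, keyed by file name, taken before mounting.
    $h = @{}
    Get-ChildItem -Path $Staged -File | ForEach-Object {
        $h[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $h
}

function Add-AutoItXToImage {
    Import-Module Dism
    # Fail before touching the image if the manifest is not loadable.
    $null = Test-ModuleManifest -Path (Join-Path $Staged 'AutoItX.psd1')
    $before = Get-StagedHashes

    New-Item -ItemType Directory -Path $Mount -Force | Out-Null
    Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null
    try {
        $target = Join-Path $Mount $TargetRel
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path (Join-Path $Staged '*') -Destination $target -Recurse -Force

        # Verify that what landed inside the image is byte-for-byte what was staged.
        foreach ($name in $before.Keys) {
            $inImage = (Get-FileHash -Path (Join-Path $target $name) -Algorithm SHA256).Hash
            if ($inImage -ne $before[$name]) {
                throw "Copy of $name into the image does not match the staged file"
            }
        }
        # Only a verified copy is committed to the .wim.
        Dismount-WindowsImage -Path $Mount -Save | Out-Null
        "AutoItX ($($before.Count) files) committed to $Wim index $Index"
    }
    catch {
        # Any failure discards the mount so a half-copied module never ships.
        Dismount-WindowsImage -Path $Mount -Discard | Out-Null
        throw
    }
}
```

Program Files is writable only by administrators, so standard users can import the module but cannot swap its DLLs, which covers the "only accessible to admins" intent without a second folder or a first-boot copy step. If the files must also be unreadable to standard users, copy them into a folder with a restrictive ACL instead and let SetupComplete.cmd place them on the module path at first boot, as the post describes. The hash comparison is cheap insurance that the files landed intact, and the -Discard in the catch block guarantees a failed copy is never saved into the .wim.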

#16 ·  Posted (edited)

27 minutes ago, iamtheky said:

So, just for posterity:

A scenario where you edit that .wim offline with DISM and drop the 4 DLLs and psd1 from the .zip in a location only accessible to admins locally, then add the Install-Package line in SetupComplete.cmd, and then apply that image to the client machine? Where does that lose feasibility?

@iamtheky When I have multiple client companies that I work with, each of which has different current environments, different wim files (if they want me to build off of it), different deployment tools, and different needs. My goal is to create a pseudo-task sequence that is similar to a Microsoft Deployment Toolkit task sequence, which is just composed of a series of scripts in and of itself, but to tailor these scripts more toward how I accomplish the needs of my clients and not be as restrictive as MDT. Mounting and modifying an offline wim is very time consuming, and is something I would rather avoid doing if at all possible. Plus, I reference the anti-virus issue once more: I would rather avoid the conversation where a network administrator comes to me and asks me why I am downloading malware onto their network (which has happened). The PowerShell Gallery method not only provides a much quicker and less painful method to accomplish the same goal, but it also a) provides access to the PowerShell modules without the need to deal with installing or unzipping the program files, and b) has the potential to give AutoIt some much needed publicity.

Edited by MattHiggs


#17 ·  Posted (edited)

I totally get sub-item (b).

I was just a deployment architect for US Army STAMIS systems 5 years ago, so understanding what is available (and where older solutions now falter) is of interest. Thanks for entertaining the question.

I thought the AV question was avoided in that scenario, since at every stage you only ever need those 5 files. Is it really one of those that's tripping AV?

And while most arguments are solid, that the gallery is quicker or less painful than already having the module available locally is questionable. My number one problem in DoD land was customer networks and egress/ingress rulesets. Your current on-prem repo solution even seems ideal.

Edited by iamtheky
GD trying to make emojis out of my text


#18 ·  Posted

34 minutes ago, iamtheky said:

I totally get sub-item (b).

I was just a deployment architect for US Army STAMIS systems 5 years ago, so understanding what is available (and where older solutions now falter) is of interest. Thanks for entertaining the question.

I thought the AV question was avoided in that scenario, since at every stage you only ever need those 5 files. Is it really one of those that's tripping AV?

And while most arguments are solid, that the gallery is quicker or less painful than already having the module available locally is questionable. My number one problem in DoD land was customer networks and egress/ingress rulesets. Your current on-prem repo solution even seems ideal.

@iamtheky No. Those files are not the files being flagged. But think about it. In order for that to work, I would need some kind of storage media to store the files on alone. If I download the zip from the AutoIt site, it still has all the files, and antivirus products can scan inside archives these days, so same problem. It just seems like keeping the necessary files isolated in their own folder and obtaining them from cloud and external storage is extremely inconvenient. And this is assuming that my client's environment does not block external storage devices and that they leave cloud storage services unblocked, which is not really safe to assume either in a corporate environment nowadays.


#19 ·  Posted

@MattHiggs Jon keeps to his own, very busy, schedule and stops in when he is able. I do not have his home number, no.



#20 ·  Posted (edited)

Sure, but save for making them publicly available, the problem now is ultimately:

You have 5 files, that are not flagged by any AV, that need to get to the client systems.

Quote: "It just seems like keeping the necessary files isolated in their own folder and obtaining them from cloud and external storage is extremely inconvenient."

Good thing PSGallery is absolutely not a file in a folder that you obtain from cloud storage...

I don't think those last couple of assertions are accurate for enterprise these days; there are file shares in the Azure AD and O365 portals intended for All Users, and if you need a location only admins need to get to there are a few hundred of those. Probably more stuff there than not, as it makes compliance easy af when you throw it into a GovCloud.

Edited by iamtheky

