Y̸͎͊ȍ̴̟̺ȗ̸̬r̵̺̔̑ ̶̰͠n̵̺̅͋ȩ̵̢̈́͝ẘ̵̨ ̶̙͓̅̆f̵̮́̚ą̶̼̈́v̴̟̈́̏o̷̢̗̾̆r̴͕̅i̵̩̭͌t̵̞̫͛e̴̙͛́ ̸͍̭͛À̷̧̰̈́M̸̱͙̒̈́S̵͓̓I̵̗̥̿ ̷̝͗ḅ̵͔͋y̵̖̗̋p̴̧̫͆ä̵͓̫́̒s̵̬͊̀s̶̪̉̌.̸̮͂̆͜.̸̬̎͑͜.̷͖̯̕
Okay, this is a strange one. For those of you who are unaware, there are certain Unicode characters that exist that when combined with another similar class of character, they will combine to form two characters occupying the same space. There are certain characters which allow for “diacritics” to be formulated together which is needed from some languages to be displayed properly. These can be abused to produce some rather wacky character combinations.
This is demonstrated perfectly when generating “cursed text” strings using one of many online generators.
I suppose it should come as to surprise that “cursed text” could be used maliciously, but here we are. Playing around with this inside a PowerShell terminal led to an interesting discovery: If enough characters are “stacked” and placed before and after a PowerShell command, AMSI will seemingly ignore the command in between the combined blob of Unicode characters.
The characters need to be within the same script block as the code you intend to execute and use them in a manner in which the PowerShell code will actually execute without producing errors. I found the simplest way is to just surround them in single quotes so that they are just printed. Here’s the most reliable structure I was able to determine:
'stacked chars' Malicious PowerShell 'stacked chars'
Let’s run though this using a super common AMSI bypass which uses reflection:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
The above will be flagged by any modern antivirus, especially AMSI as it doesn’t like anyone messing with its functionality.
Let’s run this command, however let’s through ~150 stacked strings before and after the command, and then check on the state of AMSI by running the tried and true ‘Invoke-Mimikatz’ command.
As you can see, AMSI stopped us from executing the initial “Invoke-Mimikatz” command, however after pasting the new bypass with the AMSI bypass in between two blocks of overlapping Unicode characters, it is now disabled, thus allowing us to run whatever commands we want to run in our terminal session at this point.
Gist containing a few I generated:
https://gist.github.com/bobby-tablez/22158f0e57dae3c4f12ffae9d31701a1
If you want to make your own, simply follow the outline structure above and generate “cursed text” from a single character and bring it up to about ~150 characters.
~ Enjoy! For educational purposes only, obviously.
Leave a Reply