🔧Powershell Tricks
Powershell
PowerShell is a console replacement for the Windows cmd.exe that takes advantage of the .NET Framework and COM objects and has many bash-like features built in.
PowerShell has several interfaces: the shell interface, the script development GUI (ISE) and, most importantly, System.Management.Automation.dll, which is the main DLL for loading PowerShell sessions.
PowerShell version 2.0 is common on Windows 7 and Server 2008, and downgrading from PowerShell 3 or 5 (the latest version) to it is a great way of defense evasion.
AMSI Bypass
Check this section.
Powershell without powershell.exe
Powershell.exe is just a process hosting System.Management.Automation.dll, which is essentially the actual PowerShell as we know it.
If you run into a situation where powershell.exe is blocked and no strict application whitelisting is in place, there are still ways to execute PowerShell.
SyncAppvPublishingServer
Windows 10 ships with SyncAppvPublishingServer.exe and SyncAppvPublishingServer.vbs, which can be abused with code injection to execute PowerShell commands from a Microsoft-signed script:
example:
Getting a reverse shell with SyncAppvPublishingServer and PowerShell:
generate a PowerShell payload and serve it on the network, then use this command to call PowerShell from the VBS script and load the payload in memory.
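From the defender's side, the thing to watch for is the App-V publishing script being launched with an argument that is not the short sync token it expects. The following is an added example, not from the original page and not Microsoft's code: a triage function that takes process-creation command lines (the sample lines are constructed, with the injected argument replaced by a placeholder) and flags invocations of SyncAppvPublishingServer.vbs or .exe whose argument string contains anything beyond a short alphanumeric token. Treating every argument with shell metacharacters as suspicious, and treating any invocation as suspicious where App-V is not deployed, are assumptions of mine; tune them against a baseline from your own hosts.

```powershell
# Added example, not from the original page: triage process-creation command lines
# (Sysmon event 1 or Security 4688 CommandLine fields) for SyncAppvPublishingServer
# launched with an argument that looks like injected PowerShell rather than a sync token.

function Find-SyncAppvAbuse {
    param(
        # One command line per element, as recorded by the process-creation log
        [Parameter(Mandatory)] [string[]] $CommandLine,
        # Set this where App-V is actually deployed; otherwise every call is anomalous
        [switch] $UsesAppV
    )
    foreach ($line in $CommandLine) {
        if ($line -notmatch '(?i)SyncAppvPublishingServer\.(vbs|exe)') { continue }

        # Capture which file was run and everything that followed it (the argument string)
        $null    = $line -match '(?i)SyncAppvPublishingServer\.(vbs|exe)"?\s*(.*)$'
        $kind    = $Matches[1].ToLower()
        $argText = $Matches[2].Trim()

        # Assumption: a legitimate sync passes at most one short alphanumeric token;
        # quotes, semicolons, '$', parentheses or spaces in the argument deserve a look,
        # and PowerShell download/exec keywords in it even more so.
        $reasons = @()
        if ($argText -and $argText -notmatch '^[A-Za-z0-9]{1,16}$') {
            $reasons += 'argument is not a simple sync token'
        }
        if ($argText -match '(?i)(Invoke-Expression|\biex\b|DownloadString|FromBase64String|-enc|WebClient)') {
            $reasons += 'PowerShell download/exec keyword in argument'
        }
        if (-not $UsesAppV) {
            $reasons += 'App-V not deployed here, so there is no legitimate caller'
        }

        [pscustomobject]@{
            Binary      = "SyncAppvPublishingServer.$kind"
            Arguments   = $argText
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
            CommandLine = $line
        }
    }
}

# Constructed sample command lines (not real log data); the injected argument is a placeholder
$SampleCommandLines = @(
    'C:\Windows\System32\SyncAppvPublishingServer.exe sync'
    'wscript.exe "C:\Windows\System32\SyncAppvPublishingServer.vbs" "<INJECTED-ARGUMENT-PLACEHOLDER>"'
    'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'
)

# With -UsesAppV only the argument heuristics apply: the first line passes, the second is flagged,
# the third is ignored because it never names the App-V binary
Find-SyncAppvAbuse -CommandLine $SampleCommandLines -UsesAppV |
    Where-Object Suspicious |
    Format-List
```

In production you would feed the function the CommandLine field of your process-creation events instead of the constructed array, and pair it with a parent-process check: the App-V client's own scheduled task is the expected parent, an Office or browser process is not.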
BYOPS
Bring your own PowerShell: any application that can use the .NET DLL to execute PowerShell commands.
Powershell Command Order
When a PowerShell command is executed, Windows looks for the command in this order:
1. Doskey alias (pre-Windows 10 PSConsoleHostReadline)
2. Alias
3. Function
4. Cmdlet (an overloaded cmdlet checks the object type)
5. Executable (tries each extension in $PATHEXT for each directory in $PATH)
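Because aliases and functions win over cmdlets and executables, a single `Set-Alias` or function definition planted in a profile silently replaces the real command for every later call in that session. The following is an added example, not from the original page: a function that walks the current session's aliases and functions, reports which lower-precedence cmdlet or executable each one hides, and where the winning definition came from, so that a profile-planted override stands out from the aliases Windows PowerShell ships with (`sc`, `sort`, `where` and `curl`, for instance, shadow the executables of the same name by default).

```powershell
# Added example, not from the original page: report aliases and functions that take
# precedence over a cmdlet or executable of the same name in the current session.

function Find-ShadowedCommands {
    foreach ($cmd in Get-Command -CommandType Alias, Function) {
        # Escape the name so aliases like '?' are matched literally, not as wildcards
        $literal = [System.Management.Automation.WildcardPattern]::Escape($cmd.Name)
        $hidden  = @(Get-Command -Name $literal -CommandType Cmdlet, Application -ErrorAction SilentlyContinue)
        if ($hidden.Count -eq 0) { continue }

        # Where the winning command comes from: an alias expands to its definition,
        # a function carries the file that declared it (empty when typed at the prompt)
        $definedIn = if ($cmd.CommandType -eq 'Alias') {
            "alias for $($cmd.Definition)"
        } elseif ($cmd.ScriptBlock.File) {
            $cmd.ScriptBlock.File
        } else {
            '<defined in this session>'
        }

        [pscustomobject]@{
            Name      = $cmd.Name
            Type      = $cmd.CommandType
            DefinedIn = $definedIn
            # The cmdlets and executables this name hides, with module or full path
            Hides     = (($hidden | ForEach-Object { "$($_.CommandType) $($_.Source)" }) -join ', ')
        }
    }
}

# Entries whose DefinedIn is a profile path, or a function defined in-session that hides
# an executable, deserve the closest look; the rest should match a known-good baseline
Find-ShadowedCommands |
    Sort-Object Type, Name |
    Format-Table -AutoSize
```

Run it in a fresh session on a clean machine once to capture the baseline of built-in shadowing, then diff later runs against it; `Get-Command <name> -All` shows the same precedence chain for a single name when you need to investigate one entry.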
Attacking Resources
Pilfer embedded credentials in scripts:
Powershell Autoruns
The PowerShell console and ISE have different defaults for a profile. The profile is loaded every time PowerShell starts. This can be specific to the host, user, console, ISE, or a combination thereof. The filename of the current profile is always stored in $PROFILE. Any statements in this file, including legacy commands or cmdlets, are executed when PowerShell starts. You may want to adjust your profile to load certain modules or preset some environment variables.
Because these files are loaded automatically when PowerShell starts, they are great locations to drop trojan payloads!
Profile running locations and context:
| Description | Tool | Path |
|---|---|---|
| Current User + Host | Console | $Home\Documents\WindowsPowerShell\Profile.ps1 |
| Current User | Console | $Home\Documents\Profile.ps1 |
| Current Host | Console | $PsHome\Microsoft.PowerShell_profile.ps1 |
| All Users, All Hosts | Console | $PsHome\Profile.ps1 |
| Current User + Host | ISE | $Home\Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1 |
| Current Host | ISE | $PsHome\Microsoft.PowerShellISE_profile.ps1 |
Trojan powershell v3 PSConsoleHostReadline
In PowerShell 3.0, the system PATH is used to enumerate executables, specifically looking for a nonexistent file: PSConsoleHostReadline. Because the file doesn't exist, PowerShell attempts to load PSConsoleHostReadline with a long list of possible executable extensions: .ps1, .psm1, .psd1, .com, .exe, .bat, .cmd, .vbs, and so on. As an attacker, all you need is to drop one PowerShell script with that name somewhere in the PATH of a PowerShell v3 system and wait for any interactive PowerShell session.
This particular missing-file "feature" was removed in PowerShell v4, but because PowerShell v3 shipped with Windows 8 and Server 2012, the technique is still valid.
The attacker needs to write to the correct filename and then wait for the victim to run PowerShell interactively, which runs the dropped payload. Just note that whatever payload you drop will run for every line entered in an interactive session on the victim.
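An audit covering both autorun locations described in this section, the profile files and a planted PSConsoleHostReadline, is an added example and not part of the original page. It resolves the profile paths the way PowerShell itself does (through the four properties PowerShell attaches to `$PROFILE`, which point at the console or ISE files depending on which host runs the script), hashes each file that exists, and greps it for the download-and-execute primitives an unexpected autorun would typically contain; that pattern list is an assumption of mine, a starting point rather than a signature set. It needs PowerShell 4.0 or later for `Get-FileHash`, `Get-Content -Raw` and `Get-ChildItem -File`.

```powershell
# Added example, not from the original page: audit PowerShell autorun locations.
# Requires PowerShell 4.0+ (Get-FileHash, Get-Content -Raw, Get-ChildItem -File).

# Assumption: a starting set of primitives that rarely belong in a profile
$SuspiciousPatterns = @(
    'Invoke-Expression', '\biex\b', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-WebRequest', 'FromBase64String', '-EncodedCommand', '-enc\b', 'VirtualAlloc',
    'Add-Type', 'Reflection\.Assembly'
)

function Get-AutorunFinding {
    param([string] $Path, [string] $Kind)
    # -Raw reads the whole file as one string so multi-line patterns are not split
    $content = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    $hits = @(foreach ($pattern in $SuspiciousPatterns) {
        if ($content -match "(?i)$pattern") { $pattern }
    })
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Kind       = $Kind
        Path       = $Path
        LastWrite  = $item.LastWriteTime
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Suspicious = ($hits -join ', ')
    }
}

function Find-PowerShellAutoruns {
    # Profiles, in the four scopes PowerShell resolves for the current host
    $profilePaths = [ordered]@{
        AllUsersAllHosts       = $PROFILE.AllUsersAllHosts
        AllUsersCurrentHost    = $PROFILE.AllUsersCurrentHost
        CurrentUserAllHosts    = $PROFILE.CurrentUserAllHosts
        CurrentUserCurrentHost = $PROFILE.CurrentUserCurrentHost
    }
    foreach ($entry in $profilePaths.GetEnumerator()) {
        if (Test-Path -LiteralPath $entry.Value -PathType Leaf) {
            Get-AutorunFinding -Path $entry.Value -Kind "Profile ($($entry.Key))"
        }
    }

    # PSConsoleHostReadline: only PowerShell 3.0 probes PATH for this name, but a file
    # by that name in any PATH directory is an indicator on every version
    $pathDirs = $env:PATH -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    foreach ($dir in $pathDirs) {
        $planted = Get-ChildItem -LiteralPath $dir -Filter 'PSConsoleHostReadline.*' -File -ErrorAction SilentlyContinue
        foreach ($file in $planted) {
            Get-AutorunFinding -Path $file.FullName -Kind 'PSConsoleHostReadline in PATH'
        }
    }
}

if ($PSVersionTable.PSVersion.Major -eq 3) {
    Write-Warning 'PowerShell 3.0: this host resolves PSConsoleHostReadline from PATH on every interactive line'
}
Find-PowerShellAutoruns | Format-Table -AutoSize
```

Run it from both the console and the ISE, since `$PROFILE.AllUsersCurrentHost` and `$PROFILE.CurrentUserCurrentHost` resolve to different files in each host; an empty Suspicious column does not clear a file, only the hash and timestamp compared against a known-good copy do.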