[Quick Notes] Powersploit - AV Evasion
On my pentest engagements, I primarily use PowerShell (PS) and PS-based exploitation tools and frameworks like CME, Empire, PowerSploit, Nishang, Veil, etc., along with Metasploit and other tools.
This short writeup is one of the AV evasion scenarios. Posting here for reference.
The objective is to dump hashes and clear-text passwords from memory (using Mimikatz). Any decent anti-virus blocks attempts to read, modify or execute Invoke-Mimikatz.ps1.
Enter PowerSploit's Out-EncryptedScript.ps1. Use it to encrypt the script (any text or .ps1 file) offline on the attacker's box and upload the encrypted result to the target. The script takes a password and a salt to encrypt the file.
Out-EncryptedScript will encrypt a script (or any text file, for that matter) and output the result as a minimally obfuscated script - evil.ps1 by default.
Out-EncryptedScript .\Invoke-Mimikatz.ps1 password salty
A new, encrypted ps script - evil.ps1 - is generated.
Read the file contents and execute the script from memory.
[String] $cmd = Get-Content .\evil.ps1
Invoke-Expression $cmd
$decrypted = de password salty
iex $decrypted; Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz.ps1 executes successfully.
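From the defender's side, encrypting the file only hides it from on-disk scanning; PowerShell Script Block Logging (Event ID 4104) records every block at execution time, so the read-then-Invoke-Expression stub, the `de password salt` decrypt call and the decrypted Mimikatz content each land in the log as their own block. The following is an added example, not part of the original note or of PowerSploit, that triages constructed 4104 ScriptBlockText samples for that combination of indicators; the event layout and the two-indicator threshold are assumptions for illustration.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) text for the
Out-EncryptedScript run-from-memory pattern described in the note above.

Added example; not code from the original post or from PowerSploit.
The sample events are constructed, not captured from a real host.
"""
import re

# Constructed 4104 ScriptBlockText samples. Script Block Logging records each
# block as it executes, so content handed to Invoke-Expression / iex (the
# decrypted script) appears as a block of its own.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "[String] $cmd = Get-Content .\\evil.ps1\nInvoke-Expression $cmd"},
    {"id": 2, "ScriptBlockText": "$decrypted = de password salty\niex $decrypted; Invoke-Mimikatz -DumpCreds"},
    {"id": 3, "ScriptBlockText": "Get-Content .\\report.txt | Select-String -Pattern 'error'"},
    {"id": 4, "ScriptBlockText": "Get-ChildItem C:\\Users | Out-File users.txt"},
]

# Each indicator maps a name to a regex. Several distinct indicators in one
# block are a stronger signal than any single one.
INDICATORS = {
    # File contents read from disk and later passed to Invoke-Expression / iex.
    "read_then_invoke": re.compile(
        r"Get-Content\b.*?\b(?:Invoke-Expression|iex)\s+\$", re.I | re.S),
    # A variable evaluated as code.
    "invoke_variable": re.compile(r"\b(?:Invoke-Expression|iex)\s+\$\w+", re.I),
    # The Out-EncryptedScript stub's decrypt call, as shown on the page: 'de <password> <salt>'.
    "oes_decrypt_stub": re.compile(r"^\s*\$\w+\s*=\s*de\s+\S+\s+\S+\s*$", re.I | re.M),
    # The credential-dumping tool named in the note.
    "mimikatz": re.compile(r"Invoke-Mimikatz\b", re.I),
}


def score_block(text):
    """Return the names of all indicators matched by one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(events, threshold=2):
    """Return {event_id: [indicators]} for blocks worth an analyst's attention.

    A lone indicator such as iex on a variable is common in benign admin
    scripts, so two distinct indicators are required (assumed threshold);
    any Invoke-Mimikatz hit is reported on its own.
    """
    hits = {}
    for ev in events:
        matched = score_block(ev["ScriptBlockText"])
        if len(matched) >= threshold or "mimikatz" in matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for eid, names in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(names)}")
```

Run against the samples, events 1 and 2 are reported while the two ordinary Get-Content and directory-listing blocks are not; in a real deployment the same rules would be applied to the ScriptBlockText field of forwarded 4104 events, and the decrypted Invoke-Mimikatz block is also what AMSI inspects when the encrypted script is finally evaluated.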