powerstager: A payload stager using PowerShell
This script creates an executable stager that downloads a selected powershell payload, loads it into memory and executes it using obfuscated EC methods. The script will also encrypt the stager for dynamic signatures and some additional obfuscation.
This enables the actual payload to be executed indirectly, without the victim downloading it, only by executing the stager. The attacker can then, for example, implement evasion techniques on the web server hosting the payload instead of in the stager itself.
Additional methods allow the payload to be embedded into the ‘stager’ and temporarily stored encrypted on disk for memory injection.
Not only is PowerShell powerful when managing Windows, it is also powerful when exploiting Windows. This script exploits multiple Windows features such as its inherent trust of PowerShell, interpretation of shorthand syntaxes, code evaluation and more.
How to use
Generate a reverse shell payload to upload:
Generate an embedded reverse shell payload, with obfuscation and fake-error:
Generate a meterpreter payload to upload:
Generate an embedded meterpreter payload, with obfuscation and fake-error:
Generate an embedded custom payload:
Open a reverse shell listener:
Reverse shell listener commands:
- Local-Invoke: Invokes powershell script files from host
- Local-Import-Module: Imports powershell modules from host
- Local-Set-Width: Changes the buffer width on remote client
- Local-Upload: Uploads files from host
- Local-Download: Downloads files from client
- Local-Download-Commands: Downloads available powershell commands from client
- Local-Enumerate-System: Runs enumeration scripts on client
- Local-Check-Status: Collects user and privilege status from client
- Local-Spawn-Meterpreter: Spawns meterpreter shells on client
- Local-Spawn-Reverse-Shell: Spawns reverse shells on client
- Local-Credential-Create: Creates credentials on client
- Local-Credential-List: Lists created credentials on client