PS>Attack Build Tool v1.9 released, an offensive PowerShell console
What does the PS>Attack Build Tool do?
The build tool downloads the latest version of PS>Attack and the latest versions of the tools that it uses (PowerSploit, Powercat, Inveigh, etc.), obfuscates them with @danielbohannon’s Invoke-Obfuscation and then encrypts them with a custom key.
It then replaces certain identifiable strings within the PS>Attack source code with random strings and compiles everything, producing a custom version of PS>Attack that is up to date and has unique file signatures, making it very difficult for Antivirus and Incident Response teams to find.
PS>Attack is a self-contained custom PowerShell console that comes with a lot of the latest and greatest offensive PowerShell tools. It’s designed to make it very easy for pentesters to incorporate PowerShell into their workflow. It’s suitable for use on live engagements because it evades Antivirus and Incident Response teams with the following tricks:
- It doesn’t rely on powershell.exe. Instead, it hosts PowerShell directly through the .NET Framework.
- The modules that are bundled with the exe are encrypted. When PS>Attack starts, they are decrypted into memory. The unencrypted payloads never touch the disk, making it difficult for most antivirus engines to find them.
- When generated by the PS>Attack Build Tool, the payloads are encrypted with a unique key. This means that the generated executable’s signature changes each time it’s created.
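An added detection example, not part of the original post or the project's own code: because the console hosts PowerShell through .NET rather than powershell.exe, it appears in telemetry as an unexpected process loading the engine assembly System.Management.Automation. The check below runs that logic over constructed Sysmon Event ID 7 (ImageLoad) records; the host allowlist and the sample paths are assumptions to tune per environment.

```python
"""Flag processes that load the PowerShell engine (System.Management.Automation)
without being a standard PowerShell host, using Sysmon Event ID 7 (ImageLoad) records.
Records are constructed dicts here; in production they come from the event log."""
from pathlib import PureWindowsPath

# Hosts expected to load the engine (assumption: extend with your own approved hosts).
STANDARD_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The engine assembly; the .ni.dll form is the NGEN native image of the same assembly.
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}


def unusual_powershell_hosts(events):
    """Return (ProcessId, Image) pairs for non-standard processes that loaded the engine."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:  # only ImageLoad records carry ImageLoaded
            continue
        host = PureWindowsPath(ev["Image"]).name.lower()
        loaded = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if loaded in ENGINE_DLLS and host not in STANDARD_HOSTS:
            hits.append((ev["ProcessId"], ev["Image"]))
    return hits


GAC = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35"

# Constructed sample records (not real telemetry); field names follow Sysmon's ImageLoad event.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": GAC + r"\System.Management.Automation.dll"},          # normal host
    {"EventID": 7, "ProcessId": 5308,
     "Image": r"C:\Users\Public\updater.exe",                            # constructed non-standard host
     "ImageLoaded": GAC + r"\SYSTEM.MANAGEMENT.AUTOMATION.DLL"},         # case varies in the wild
    {"EventID": 7, "ProcessId": 5308,
     "Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},                # ordinary DLL, ignored
    {"EventID": 1, "ProcessId": 5308,
     "Image": r"C:\Users\Public\updater.exe"},                           # ProcessCreate, skipped
    {"EventID": 7, "ProcessId": 6644,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ImageLoaded": r"C:\Program Files\PowerShell\7\System.Management.Automation.dll"},
]

if __name__ == "__main__":
    for pid, image in unusual_powershell_hosts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} unusual PowerShell host: {image}")
```

Script block logging (Event ID 4104) is emitted by the engine rather than by powershell.exe, so enabling it records the decrypted module content regardless of which process hosts PowerShell.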
You can find more information about PS>Attack at its GitHub page.
- Incorporated @danielbohannon’s Invoke-Obfuscation to obfuscate PowerShell modules and commands.
- More strings within the PS>Attack source are replaced with randomness.
- Added a config file to control where the PS>Attack source is downloaded from, which architecture you’re building for and whether PowerShell is obfuscated.
Right now the PS>Attack Build Tool downloads the various PS1 files for its modules to disk. This can trip AV. If AV blocks downloading these PS1 files, the build of PS>Attack will ultimately fail.
It downloads files to %appdata%\PSAttackBuildTools, so you may want to whitelist that folder in your AV.
Copyright (c) 2015 Jared Haight