PowerShell For InfoSec Slides

Uploaded by abouhdyd

PowerShell for InfoSec: What You Need to Know!
Why PowerShell
Connect with me on Twitter and Discord!
https://wonderstructs.com/
Easy to Use
Powerful
Extensible
Recent PowerShell Versions
Course Outline
Schedule
PowerShell
Providers
Automatic Variables
Interact with the Registry
Aliases
View Aliases
Set-Alias
Cmdlet vs Function

  Cmdlet: Compiled .NET
  Function: PowerShell

https://www.leeholmes.com/cmdlets-vs-functions/
Naming conventions
Naming Convention
View Environment Variables
Session History
Get-Help
Line Continuation
PowerShell Profile
Profile Example
Other Profiles
Ways to run Scripts
No Profile / Hidden Window
Encoded Command
Download Cradles
Deal with Proxy
Execution Policy
Get Execution Policy
Policies and Defaults
Execution Policy Scope
Scopes (in order of precedence)
  Set via Group Policy
  Requires Admin
Set Execution Policy
15 Ways to Bypass the PowerShell Execution Policy
Blog Post Link
Bypass Execution Policy
Pick a bypass, any bypass...
Unblock-File
  Alternate Data Stream (ADS), also known as "Mark of the Web" (MotW)
Session History and History File
Session History
History File
PSReadLine Module Versions

Sensitive Command Line Scrubbing
• password
• asplaintext
• token
• apikey
• secret
Defense Evasion Made Easy
Pick Your Poison
Other History File Shenanigans
Lab Time
Modules
PowerShell Gallery
Install a Script from the PowerShell Gallery
Module Manifest (psd1)
Script Modules (psm1)
MyScriptModule
Import-Module and Dot Sourcing
Name conflicts
Search Order Hijacking
Colibri Loader Malware
Get-Variable Hijack
Set-Variable Hijack
Obfuscation
Integrated Development Environment (IDE)
PowerShell ISE
  Scripting Window
  Command Lookup
  Interactive Command Window
Visual Studio Code
  Scripting Window
  Interactive Command Window
Lab Time
Logging & Logging Bypasses
PowerShell Versions
PowerShell Downgrade Attacks
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
Detecting Downgrade Attacks
Default PowerShell Logging
Suspicious Script Block Logging
Example
Suspicious Script Block Logging
Example
What is “Suspicious”?
Script Block Logging
Basic Script Block Logging Example
Script Block Start/Stop Logging
Module Logging
Basic Module Logging Example
Transcription Logging
Basic Transcription Logging Example
Protected Event Logging

Microsoft Docs
Suspicious Script Block Logging Bypass
ScriptBlock & Module Logging Bypass
Microsoft Logging Recommendations
Lab Time
Popular PS Attack Tools
BloodHound
Language Modes
PowerShell Language Modes
The Wrong Way to Set CLM

“As part of the implementation of Constrained Language, PowerShell included an environment variable for debugging and unit testing called __PSLockdownPolicy. While we have never documented this, some have discovered it and described this as an enforcement mechanism. This is unwise because an attacker can easily change the environment variable to remove this enforcement. In addition, there are also file naming conventions that enable FullLanguage mode on a script, effectively bypassing Constrained Language.”

https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
ConstrainedLanguage Mode (CLM) Bypass
The Right Way to Set CLM
Popular PS Attack Tools and CLM
• Mimikatz
• NinjaCopy
• Inveigh
• Get-Keystrokes
• Get-GPPPassword
Credentials & Remoting
Credentials
Cmdlets that Support Credentials
Credentials
GetNetworkCredential (Less Secure)
Create SecureString
Store SecureString on Disk
Retrieve SecureString from Disk
PowerShell Remoting
Enter-PSSession
Update Trusted Hosts
Remote Management w/o PS Remoting
Invoke-Command
Rich Results with PSComputerName
Lab Time
Just Enough Admin (JEA)
Role Capabilities File (psrc)
Session Configuration File (pssc)
Session Endpoint
Connect to JEA Endpoint
Modify Resource File (psrc)
Modify Session Configuration File (pssc)
ConsoleSessionConfiguration
Session Endpoint Logging
  Local:
  • Get-Credential
  • Enter-PSSession
  • Get-Command
  • Get-Service
  Remote:
  • Session Configuration File
  • Role Capabilities File
Session Endpoint Transcription
Desired State Configuration (DSC)
Managed Object Format (MOF)
DSC Versions
Lab Time
PowerShell without PowerShell.exe
PowerShell.exe is a Front End
Block PowerShell.exe?
AMSI Bypass
AMSI (AntiMalware Scan Interface)
AMSI Bypass amsiInitFailed
Defense? Basic String Search
AMSI Bypass ... Bypass
PowerView from PowerSploit? No Problem!
  No Bypass vs. Bypass
So .. Many .. Bypasses
https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
AMSI Bypass vs PS Attack Tools
Lab Time
PowerShell Core
Recent PowerShell Versions
PowerShell Core (PWSH)
https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell
Windows Terminal
PWSH Logging
PWSH Logging: Non-Windows
Switching Versions in VS Code
Remoting Between Operating Systems
Lab Time
Wrap-Up
PowerShell Review
  History File Evasion
  ScriptBlock & Module Logging Bypass
  AMSI Bypass
  ConstrainedLanguage Mode (CLM) Bypass
  Block PowerShell.exe?
Additional Resources
Stay Connected with me on Twitter and Discord!
