September 10, 2016 Karn Ganeshen

PowerSploit – AV Evasion

[Quick Notes] PowerSploit – AV Evasion

On my pentest engagements, I primarily use PowerShell (PS) & PS-based exploitation tools & frameworks like CME, Empire, PowerSploit, Nishang, Veil, etc., along with Metasploit & other tools.

This short writeup covers one AV evasion scenario. Posting it here for reference.

The objective is to dump hashes & clear-text passwords from memory (using Mimikatz). Any decent anti-virus blocks attempts to read / update / execute Invoke-Mimikatz.ps1.

Enter – PowerSploit’s Out-EncryptedScript.ps1. Use the script to encrypt any malicious file (text/ps1) offline (on the attacker’s box) and upload it to the target. The script takes a password and a salt to encrypt the file.

A new, encrypted PS script – evil.ps1 – is generated.

Read the file contents and execute the script from memory.

Invoke-Mimikatz.ps1 executes successfully.
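From the detection side, encrypting the file only hides it on disk: with PowerShell script block logging enabled (Event ID 4104), the engine logs code as it is compiled, so the decrypted text handed to Invoke-Expression still shows up. The triage sketch below is an added example, not part of the original post or of PowerSploit; the record fields (`host`, `seq`, `text`), the sample events and the pattern list are constructed assumptions.

```python
import re

# Illustrative patterns (assumptions, tune for your environment):
# symmetric-decryption .NET types, dynamic execution, and the tool name from the post.
CRYPTO = re.compile(r"RijndaelManaged|AesManaged|AesCryptoServiceProvider|CreateDecryptor", re.I)
DYNAMIC = re.compile(r"Invoke-Expression|\biex\b", re.I)
TOOL = re.compile(r"Invoke-Mimikatz", re.I)

# Constructed sample: simplified script block logging records (Event ID 4104).
SAMPLE_EVENTS = [
    {"host": "WS01", "seq": 1, "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"host": "WS02", "seq": 1, "text": "$r = New-Object System.Security.Cryptography.RijndaelManaged; "
                                       "$d = $r.CreateDecryptor($k, $iv)"},
    {"host": "WS02", "seq": 2, "text": "Invoke-Expression $plain"},
    {"host": "WS02", "seq": 3, "text": "function Invoke-Mimikatz { <# body omitted #> }"},
    {"host": "WS03", "seq": 1, "text": "Invoke-Expression (Get-Content .\\profile-helpers.ps1 -Raw)"},
]


def triage(events):
    """Return sorted (host, finding) pairs for a list of script block records.

    known-tool-name:      the logged (already decrypted) block names the tool.
    decrypt-then-execute: a host ran decryption code and then, in the same or a
                          later block, dynamic execution. Invoke-Expression on
                          its own is too common to flag.
    """
    findings = set()
    decrypt_seen = set()  # hosts where a decryption block has been logged
    for ev in sorted(events, key=lambda e: (e["host"], e["seq"])):
        host, text = ev["host"], ev["text"]
        if TOOL.search(text):
            findings.add((host, "known-tool-name"))
        if CRYPTO.search(text):
            decrypt_seen.add(host)
        if DYNAMIC.search(text) and host in decrypt_seen:
            findings.add((host, "decrypt-then-execute"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```
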
