p0wnedShell - PowerShell Runspace Post Exploitation Toolkit

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an “all in one” Post Exploitation tool which we could use to bypass all mitigations solutions (or at least some off), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

How to Compile it:

To compile p0wnedShell you need to open this project within Microsoft Visual Studio and build it for the x64/x86 platform. You can change the following AutoMasq options before compiling:

public static bool AutoMasq = true;

public static string masqBinary = @"C:\Windows\Notepad.exe";

How to use it:

With AutoMasq set to false, you just run the executable so it runs normally. With AutoMasq enabled, you could rename the p0wnedShell executable as the process you're going to masquerade (masqBinary), so it has the appearance of that process (for example notepad.exe).

Using the optional "-parent" commandline argument, you can start p0wnedShell using another Parent Process ID. When combining the PEB Masq option and different parent process ID (for example svchost), you can give p0wnedShell the appearance of a legitimate service ;)

Note: Running p0wnedShell using another Parent Process ID doesn't work from a Meterpreter session/shell.... yet!

Changing the Parent Process ID can also be used to spawn a p0wnedShell process with system privileges, 
for example using lsass as the the parent process.
For this you need to have UAC elevated administrator permissions.

C:\p0wnedShell>p0wnedShellx64.exe -parent
 
 [+] Please enter a valid Parent Process name.
 [+] For Example: C:\p0wnedShell\p0wnedShellx64.exe -parent svchost
 
C:\p0wnedShell>p0wnedShellx64.exe -parent lsass

To run as x86 binary and bypass Applocker (Credits for this great bypass go to Casey Smith aka subTee):

cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

To run as x64 binary and bypass Applocker:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe

Github Project

Disclaimer

This website uses cookies, and also collects some information using Google Analytics. Any actions and or activities related to the material contained within this Website is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors and www.hack4.net will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.

HACK4NET 🤖 Pentest Tools and News

p0wnedShell - PowerShell Runspace Post Exploitation Toolkit

How to Compile it:

How to use it:

Post a Comment

No comments

Search This Blog

Recommend You

Build Your Own PwnPhone

Follow Us

Random Posts

Popular Posts

Disclaimer

Popular Posts

HACK4NET 🤖 Pentest Tools and News

p0wnedShell - PowerShell Runspace Post Exploitation Toolkit

How to Compile it:

How to use it:

Related Posts

Post a Comment

No comments

Search This Blog

Recommend You

Build Your Own PwnPhone

Follow Us

Random Posts

Popular Posts

Disclaimer

Popular Posts