0x00 p0wnedShell

p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier.

Github : https://github.com/Cn33liz/p0wnedShell

0x01 p0wnedShell 功能

0x02 编译

public static bool AutoMasq = true;

public static string masqBinary = @"C:\Windows\Notepad.exe";

如果AutoMasq为false,则不会进行进程注入,若为true,则会进行进程注入,伪装成C:\Windows\Notepad.exe.

需要Microsoft Visual Studio编译。

0x03 Let’s Try!

try

随便选择一个:13

try

会自动生成一个msf设置实例,根据提示设置一个监听器就好,最后按回车,就能获得会话。

try

0x04 总结

这个工具的优点就是加载powershell的行为不容易被AV查杀,但是编码只编码了一次,可能会被静态扫描到。

可以加一些反沙箱的功能,防止被传入云端。

还有一点就是不支持bypass uac,需要手动实现。