Transcript for:
Exploring PowerShell for Hacking Techniques

We're changing things up this time. This is PowerShell for Hackers, a three-part series showing you how to use one of Windows's most powerful tools like an attacker. We're talking about popping shells, sneaking out data, and living off the land. PowerShell's got it all, and it is already sitting right there on most of your computers. These are real techniques that we have pulled from real red team operations, real breaches, and real cases out there in the world. This series is brought to you in partnership with ThreatLocker. They know PowerShell is a critical part of legitimate workflows, and blocking it outright isn't always the answer. ThreatLocker's ring fencing gives you control, like stopping PowerShell from accessing the internet while still allowing for local automation. That is the kind of defense that keeps attackers boxed in without breaking your devices. To help break these down, I've teamed up with Jacobe, one of the most talented hackers that I've had the pleasure to meet and work with, to show you exactly how it all works in practice. Let's get into it. Before we jump into the content: if you like this kind of content, drop me a comment saying "shell" so I know you want to see more.

Okay, so let's just assume I know nothing about PowerShell, and I really don't. What do I need to know? Like, where do I start, what do I do? What are some of the things that you think any hacker should know when it comes down to PowerShell?

PowerShell is one of the programming languages that comes standard with Windows. It typically comes with 5, unless you're on Windows 11, which will come with PowerShell 7. There's not much of a distinguishing difference between them, like the .NET Core functionality; that's not something you've got to jump into right away. A lot of people think that PowerShell is just a language that admins will use for little things, you know, copying files from one location to another, or moving through different settings, or just little things like that.
Once you start to get a little more creative with it, there's a lot more that you can do, especially from a hacker's perspective. It's just that a lot of these admin guys don't typically look at it that way. Little things like netsh wlan show profile: you can name your Wi-Fi profile and hit key=clear at the end. This is a quick way to get the Wi-Fi password of whatever system you're on. So this is like one of the recon things you might be able to do for some sort of lateral movement, or, you know, something along those lines.

So what all can you do with PowerShell? Like, I know you mentioned you can get someone's Wi-Fi password if you're on the system, or if you're on the Wi-Fi or whatever, right? Like, what is the cutesy thing you can do? I think that the Wi-Fi password is one of them, but what's, you know, the craziest thing that you have accomplished, maybe, with PowerShell?

At a high level, probably one of the coolest, biggest projects that I took on, that I've been working on over the last two years to make sure it's as efficient as possible and undetectable, is I set up an API endpoint that generates a reverse shell for me. That way I can pull it down and execute it with a single line of code, as opposed to a lot of the different resources you see online where it's, you know, a bigger paragraph, and then you have to get that all onto their system and slightly modify it so we can get past Defender. So down here at the bottom, this is my Linode computer that I've hosted in the cloud. It's an Ubuntu server, but I do have PowerShell installed onto it, so I still am using PowerShell. You can just set up a nice little netcat listener easy enough, and then I set up an API endpoint where all you have to do is come up here, pass in the IP address of your listener box, and down here the port that you want to connect to, and you can pull down a reverse shell that is polymorphic. So every single time that you pull it down, like I'll just show you
for an example, every time you pull it down it's going to give you a new version of it that is scrambled and hasn't been run before, so it has no signature really to detect. It's not easy to detect; there are certain things that someone that's advanced enough can look for. But instead of just posting it and pulling it down, what we're going to do is we're going to pipe it into iex, and that will give us an instant shell on this machine. So if I run whoami (I did set up my whoami command to output "I am the ghost in the machine" instead of my real name; on someone else's computer typically you would get the real name), and then from here I have full control over this PC from my cloud instance. Running something like a, yeah, like a calc command just to show that it's working, a popcalc.

Okay, hold that thought, because I feel like this is... I think we're going to get to this eventually. I love this. What do I need to understand from a system perspective or from a PowerShell perspective before I could do any of these things? Like, I'm primarily a Linux guy, you know; everything that I do is like some sort of a Linux operating system. I'm kind of used to, you know, having default processes and default binaries that come with your system, and you can sometimes hijack them and do things that are malicious with it, or sometimes you can hijack a process, go to GTFOBins, and, you know, you can get a reverse shell or you can get, you know, privilege escalation. Is there something similar to that with PowerShell? Are there default things you can rely on that could be used for malicious purposes even though that's not the intention behind it?

Yes, yes, absolutely. So, like we were talking about, PowerShell itself is a LOLBin. There's actually a really awesome resource online that I use pretty frequently; this is a website called the LOLBAS Project, and this entire website itself is filled with all the different LOLBins that you could typically find on a Windows system. And, you know, they've got them
separated down to whether it's reconnaissance, execution, download, upload, alternate data streams, you know, copying files over. There are certain commands that, you know, like in Linux, are probably monitored pretty often. Like, for you guys you have curl; over here we have Invoke-WebRequest and Invoke-RestMethod, which is something that's commonly used to pull down malware from different places so you can execute it. With those being monitored as much as they are, sometimes you might want to look for a different version, something else that you could run to replicate the effects of those commands while still trying to stay under the radar.

So these, when you say LOLBins or "low bins," these are by default on your machine with a fresh install, correct?

Not necessarily all of the ones that you see listed here, but LOLBins themselves typically are. This website also includes some for things that are kind of often downloaded as well to, like, a lot of different systems, whether it be like Pester or like Microsoft Teams, you know, programs.

Yeah, most common programs that are set up on a machine, especially from an enterprise perspective, or like popularity, right?

Correct, correct. So while I would say that most of these do come on the machine by default, often there are some of them that are programs that are more commonly downloaded in corporate environments. You can still go through here and look and try to find a bunch of different resources. Now, to make the process just a little bit easier, I did also make this GitHub repo, which is also a PowerShell module that you can download directly to the console, and it comes with a bunch of these different commands that you'll see right here, whether it's updating the LOLBin data directly from that website right here, or, just for example, probably one of the more important ones that you would be running: if you see right here, we have "test LOLBin paths." So if we run test LOLBin paths, what this particular command will do, this command gives you the
ones that are specifically on the system that you just ran that on. All of these ones that you see here listed currently, these are on the current system, on my system right now. So these are all the different ones that you can take advantage of. In order to be able to run these, though, you'd have to assume that you are able to download this module onto your system, which in itself might be a problem depending on if they're monitoring what modules are able to be downloaded. I actually have kind of a workaround for that as well that I did inside one of my payloads right here. One of my payloads is called "get PowerShell Gallery module code," so if we come into here I have a script right here called get module code. So whenever you go to use a PowerShell module, you actually have to install it, and you have to go through a sequence of events, like make sure the NuGet package is available so it can be downloaded, and make sure that they're not monitoring and, like, whitelisting or blocking different modules that they don't want on the system. So this particular payload right here, get module code: if we copy that and we go back to our PowerShell window, we're going to go ahead and clear the screen, we're going to run that, clear, get module code, and then we can run it on LOLBins, which is the specific module that we were just looking at. And what that did is it just loaded the code from that module into this instance without actually downloading it.

So loading modules, is that something very common you have to do as a part of using PowerShell as an attacker, or as a hacker, I'll put it?

Correct. So if you were wanting to actually get this module onto the system without using that workaround right there, you would have to use Install-Module. But depending on what environment, like what they're running on their system, this is something that might be monitored, it might be blocked, which does sometimes happen. And so if you do run it like I'm doing right
here, it goes through a little process, and since I already have this on the system, see, look, it says it's an untrusted repository and, you know, you have to say yes to continue to download it. Whereas sometimes you won't even make it this far and they'll shut you down before you get that opportunity, or it's something that'll send a flag over to whoever's watching their system and it might alert them. If we're trying to stay LOLBin, you don't necessarily want to download stuff onto their system. So we can use, like I said, we can use this payload here to actually access the website powershellgallery.com, which is where they store all that code. So we're actually just going to the individual pages, finding the code inside of that page, parsing it out, and then pulling it down filelessly, which means you're not downloading it to a file; you're saving it right to the system and you're running it inside this instance. So when I open a new PowerShell window and I close this old one, that code is now gone. It's not anywhere on the system. It'll be in the PowerShell history, so you'll see, like, that's the last command that I ran, but you could always wipe the history, you know, at the end of your jobs as well. That way it was fileless before, there's nothing saved to disk, and then you could wipe the commands that you ran from history so they aren't there as well. You know, that might be monitored as well, but, you know, an attempted cleanup is still something worth looking into.

You mentioned curl earlier, and, you know, as with web especially, and, you know, when you get a reverse shell and things like that, curl is one of the biggest commands that I rely on, and it's usually, most of the time, by default available to me as a user. What are some equivalent commands that you think I should know as someone that's just getting started with PowerShell?

Going into PowerShell, there really are two different versions of curl. You technically have curl in PowerShell, but curl is just an alias for Invoke-WebRequest. So this is the closest equivalent, Invoke-WebRequest. I'm usually using that when I'm trying to do things like getting headers from a website, or, you know, some basic information. So you see we use Invoke-WebRequest on powershellforhackers.com; you get, like, the status code, the content of the HTML, the raw content, the headers. That's helpful for, you know, you bug bounty hunters. You know, I was doing a lot of your labs, for example, and I was trying to do as much of them as I could using just PowerShell alone; you know, that's kind of like my challenge thing. So for me, whenever I was going through to do a lot of your challenges, or even when I was going through to do the PortSwigger training, I was using Invoke-WebRequest a lot to grab the headers, or sometimes you can see the different settings for the CORS, see if there's any kind of CORS misconfigurations. So yeah, so we have Invoke-WebRequest that I typically would use for that. Now there's a second version; it's called Invoke-RestMethod. Now, to make it easy to understand, Invoke-WebRequest will grab everything that you see here. Now if I wanted to grab, for example, if I wanted to grab the status code, what I would do is I would put this into braces like this, or if I wanted to grab the headers, since it's already there, you would do it inside of the parentheses and then do .Headers. That'll get you all the headers, etc. And if you see in here, I do have a couple interesting ones, like I have a "command" header. I can also do invoke headers, so then I would put that in parentheses, .command, and then pipe that into iex to open the calculator.

So you can modularize what you get from the responses, pretty much. You can say, I want to get the header, and specifically this header name, and I want to pipe that result into a command.

Correct. So iex, Invoke-Expression, is what you use to run commands inside of PowerShell. So anywhere that you can grab a string from, you can take that string and throw it into Invoke-Expression and it'll run
it. You can put little PowerShell commands in a bunch of different places: in the headers of websites, inside of DNS TXT records, or, like right here, you see I put it in a header, so I can grab that individual header command and then pipe it into iex.

Is iex by default set up on the machines, usually?

Yeah, that is probably the most watched command, though. So when you talk about LOLBins and looking for alternate ways to execute things without using Invoke-Expression, that is where that site, for example, comes in handy, because Invoke-Expression is watched so tightly.

So if I have some, like, EDR or some whatever on my Defender on my machine, try and pipe something to iex, not going to work, right?

I wouldn't say it's not going to work per se, because it is needed so often, but it is going to be heavily monitored and it will be flagged. Yeah, most systems where they're really serious about their security, they will flag, log, and check every Invoke-Expression command that does come through, because it is the number one used command for loading in malware.

Okay, so I'm going to assume iex is something that you probably should know, even though it's probably not, like, super useful anymore. How would that work? Let's say if you wanted to use it, how would I use it? Do I always have to pipe things into it, or can I use it standalone? Can you show me an example of it?

Yeah, yeah, absolutely. So what I'll do is I need to pull open my notebook real quick and I could show you a quick example. For those of you guys that are watching, if any of you are familiar with a lot of my payloads that I used to make for, like, the Flipper or the Hak5 devices, this was like the number one way that I made those one-liners for you guys to use. So what you would have is you would have, like, a GitHub, right, the raw text, the raw file inside of a GitHub. It would just contain a big PowerShell script. And just again, just to give you guys the quick difference between Invoke-WebRequest and Invoke-RestMethod, which is what I'm about to show you: if you use Invoke-WebRequest, it gives you everything that you see here. If you use Invoke-RestMethod, which is what we're about to use, it specifically grabs you the content. So instead of putting Invoke-WebRequest in parentheses and then doing .Content, you can just use Invoke-RestMethod instead. That's what I use most often when I'm trying to download the content of a file directly.

So it gives you no headers?

Correct, it gives you no headers; it gives you just the content directly. Yes, exactly, exactly. You can type out Invoke-WebRequest, or you can type IWR, which is its shorter alias, and instead of Invoke-RestMethod you can just type IRM. Right, so that's what I'll be doing here. Now right here I have a URL. This is a short link that I made with Brandley that pointed to a GitHub raw file; those are really long URLs, so I don't like to use it, you know, it's just lengthy. But what we're going to do is we're going to pull it down using Invoke-RestMethod. This is one of my reverse shells that I have hosted somewhere. So what you would do is you would pull it down; that is the reverse shell. And then I can just show you a little example of it working, just real quick. You would typically have a netcat listener running somewhere, like I do on my Linode box right here. You would do the same command, right, and then, we were just talking about Invoke-Expression, instead of typing that out you can just type iex. So irm the URL and then pipe it into Invoke-Expression, and we'll go ahead and make it easier, so we'll set it here. If you'll pay attention right here, as soon as I run this, that tiny little one-liner, I now have full control over this computer again, just like before. And then popcalc, just, you know, a little demo. Invoke-RestMethod, Invoke-WebRequest, and Invoke-Expression: as far as wanting to get malware on the system and running it quickly, those are the commands that you would definitely go through.

Is it common to have IRM
be heavily monitored too, or is that not a thing?

It's hit or miss. I've got to be honest, I don't really have it get caught very often, because once again it's something that so many other modules for sysadmins use to grab their resources as well. So whenever they're updating their scripts, or whenever they're pulling down updates, or they're pulling down files, or whatever else, they also use it so much. It just happens to be one of the ones that are monitored. I know that later on we'll be diving into some of these LOLBins, the actual individual LOLBin examples, more, and I can show you guys a couple workarounds for these commands. Like, there are other, you know, commands that you can use to pull down code without using Invoke-RestMethod, without using Invoke-WebRequest. I can actually, since we've got a little time, I'm going to cut this off real quick. Now we've lost connection, you see that; it came back here. We're going to clear this out. I'll show you one of them real quick. This is a little bit more advanced; you don't have to, like, try to fully understand it right now. But certreq is another one of the commands that's inside the LOLBin library that I just showed you from earlier, so this will be a substitute for Invoke-WebRequest or Invoke-RestMethod. certreq is used to pull down certs, and we won't super dive into it, but if you notice it's a POST, it's not even like what would be a pull, which we don't have, and it's looking for a config. We're going to pipe it in that same URL right here that I just used with Invoke-RestMethod and pass it into Windows\win.ini. Now we have to split up and recombine things, do a little skip and trim, but long story short, it is another way to pull down that same file without using Invoke-RestMethod. So it's one of the less common, more obscure ways to get access to that information without having to use something that gets alerted on as much.

I think with PowerShell there's more ways to invoke a web request and things like that than there is with
bash. What are the, you know, people that are watching this, they go, okay, I'm personally intrigued by this, dude, I just want to learn PowerShell at this point. What do I do? Like, what are some, you know, resources I can use, and then also, like, what are some things I should be aware of, or, you know, learn on my own to get good at this?

The cool thing about PowerShell is that in order to get good with it and to be able to use it in a hacking sense, you do have to get really creative. There are a lot of really good resources out there. The website that I pulled up earlier, to be honest, even if you don't know PowerShell that well, you don't understand the full syntax of the language, I think it would be really good to go through that website and just look through the individual LOLBins that they have on there and see if you can just conceptualize how they work. You don't even necessarily have to get them working per se. Learning from other people how they look at different areas, you know, it's kind of hard to conceptualize without peeking through it. They've got pretty good descriptions on there to go through their different methodologies and everything. And don't be afraid to use ChatGPT either. If you want to take one of those LOLBins, pop it in and say, "Hey, can you explain this to me a little bit more in depth?"
You might not be able to get it to run right away, but, you know, a lot of people talk about the hacker mindset, you know, just learning to look at things from different angles. And once you kind of start to understand how some of those work, you'll kind of get the idea in your head, the building blocks, so you can just start going through random PowerShell commands, you know. Just use Get-Command, go through different modules, go through different sections of code, and start trying to pick out how you can maybe tweak something to use in a way that's not, you know, anticipated.

We'll say that's a wrap for episode 1. Like I said, this is something new that I'm trying, so if you enjoy content like this, please hit that subscribe button and drop me a comment if you'd like to see more series like this. The next PowerShell video drops a week from today, so stay tuned, and I'll see you all in next week's video. Peace.