PowerShell with Core Impact

January 29, 2018


The next set of features shown in this quick video demonstrates the PowerShell integration that's available on Windows agents.

The first step is to run the "Get installed PowerShell version" module to verify that the target system has the proper PowerShell environment ready to be used by our agent.

After that module finishes, launching a PowerShell shell is as easy as right-clicking the agent and selecting the proper option. We'll then have a fully functional shell that can execute native PowerShell commands and scripts.

One of the main points to mention is that Impact's implementation of PowerShell doesn't use powershell.exe and instead uses the .NET interfaces exposed by the operating system. This results in a very stealthy and efficient integration that doesn't trigger alarms.
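From the defender's side, the relevant observable of an in-process PowerShell host is that the engine assembly (System.Management.Automation.dll, or its native image System.Management.Automation.ni.dll) is loaded into a process that is not one of the usual host executables. The following script is an added example written for this post; it is not Core Impact's code and does not detect Impact specifically. It enumerates processes on the local machine and reports any that have the engine assembly loaded but whose image name is not in an assumed allowlist (`$knownHosts`), which you would tune for your environment.

```powershell
# Added example (not Core Impact's code): list processes that host the PowerShell
# engine without being a standard PowerShell host executable.
# Run elevated so that modules of other users' processes can be read; processes
# that cannot be opened are skipped rather than treated as findings.

# Assumed allowlist of legitimate engine hosts; extend with your own management tooling.
$knownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

function Get-UnexpectedPowerShellHost {
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # Both the IL assembly and the NGEN'd native image match this pattern.
            $engine = $proc.Modules |
                Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' }
        } catch {
            # Access denied (protected process, other session, 32/64-bit mismatch): skip.
            return
        }
        if ($engine -and ($knownHosts -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                EngineImage = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

# Usage: print findings as a table; an empty result means no unexpected host was seen.
Get-UnexpectedPowerShellHost | Format-Table -AutoSize
```

This is a point-in-time check, so a host that loads the engine only briefly can be missed; for continuous coverage the same condition is expressed as a Sysmon image-load rule (Event ID 7 on an image name of System.Management.Automation*.dll) filtered by the same allowlist. Note also that PowerShell's script block logging (Event ID 4104) is implemented in the engine rather than in powershell.exe, so on hosts with it enabled, commands run through any engine host are still recorded.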

We also introduced some additional commands to allow network-restricted targets to execute scripts and PowerShell files even when the target has no Internet access.

In this case, we'll use our own "import-url" command to download a script from an external repository. Note that this works even if the target host has no direct connection to the Internet; in this case, all communication is handled over the DNS channel we established earlier.
