5.8. PowerShell

5.8.1. Execution strategy

PowerShell provides six types of execution policies: Restricted, AllSigned, RemoteSigned, Unrestricted, Bypass, and Undefined.

The Restricted policy allows individual commands to run but does not allow scripts to run. It is the default policy on Windows 8 and Windows Server 2012.

The AllSigned policy allows only digitally signed scripts to run.

The RemoteSigned policy requires a digital signature on scripts downloaded from the network; an unsigned downloaded script will not run. Scripts created locally run without needing a signature.

The Unrestricted policy is more permissive and allows unsigned scripts to run. For scripts downloaded from the network, a security prompt is shown before they run.

The Bypass policy places no restrictions on script execution: any script runs, and no security prompts are shown.

Undefined means that no execution policy is set in the current scope; the policy is inherited from another scope or the default policy is used.

5.8.2. Obfuscation

powershell.exe accepts the short alias -ec as well as any unambiguous prefix of a parameter name, so each of the following forms selects the same -EncodedCommand parameter. Detection logic that matches only the full spelling "-EncodedCommand" misses the shortened forms.

  • -EC

  • -EncodedCommand

  • -EncodedComman

  • -EncodedComma

  • -EncodedComm

5.8.3. Common functions

5.8.3.1. Scheduled tasks

# What the task runs (calc.exe here as a harmless placeholder)
$Action = New-ScheduledTaskAction -Execute "calc.exe"
# When it runs: at every user logon
$Trigger = New-ScheduledTaskTrigger -AtLogon
# Who it runs as: the local Administrators group, with highest privileges
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
# Assemble the task definition, then register it under the name AtomicTask
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
# Remove the task again without a confirmation prompt
Unregister-ScheduledTask -TaskName "AtomicTask" -Confirm:$false

5.8.3.3. Encoding

# #{powershell_command} is a placeholder for the command to encode
$OriginalCommand = '#{powershell_command}'
# -EncodedCommand expects Base64 of the UTF-16LE (Unicode) bytes, not UTF-8
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand = [Convert]::ToBase64String($Bytes)
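As an added example that is not part of the original page, the following function reverses the Encoding step above from the defender's side: given a logged command line, it recognises -ec and every abbreviated form of -EncodedCommand listed in the Obfuscation section, then Base64-decodes the UTF-16LE payload. The function name and the sample command line are constructed; the sample carries the encoding of Get-Process.

```powershell
# Added example (not from the original page): recover the plaintext of an
# -EncodedCommand payload from a logged command line, accepting the -ec alias
# and every abbreviated prefix of the parameter name that powershell.exe accepts.

function Expand-EncodedCommandLine {
    param(
        [Parameter(Mandatory)]
        [string]$CommandLine
    )

    # Split the command line into whitespace-separated tokens.
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ -ne '' })

    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $tok = $tokens[$i]
        if (-not $tok.StartsWith('-')) { continue }

        $name = $tok.Substring(1).ToLowerInvariant()
        # -ec is a documented alias; otherwise any prefix of "encodedcommand"
        # (e, en, enc, ..., encodedcomman) selects the parameter.
        $isEncodedFlag = ($name -eq 'ec') -or
                         ($name.Length -ge 1 -and 'encodedcommand'.StartsWith($name))
        if (-not $isEncodedFlag) { continue }

        # The next token is the Base64 payload; strip any surrounding quotes.
        $b64 = $tokens[$i + 1].Trim('"', "'")
        try {
            # Mirror the Encoding snippet: bytes are UTF-16LE, so decode as Unicode.
            $bytes = [Convert]::FromBase64String($b64)
            return [System.Text.Encoding]::Unicode.GetString($bytes)
        } catch [FormatException] {
            Write-Warning "Token after $tok is not valid Base64: $b64"
            return $null
        }
    }
    return $null   # no encoded-command flag present
}

# Constructed sample log line: an abbreviated flag with the encoding of
# 'Get-Process' produced exactly as in the Encoding snippet above.
$sample = 'powershell.exe -NoProfile -w hidden -EncodedComm RwBlAHQALQBQAHIAbwBjAGUAcwBzAA=='
Expand-EncodedCommandLine -CommandLine $sample
```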

5.8.3.4. Others

  • alias
    • alias

  • download file
    • Invoke-WebRequest "https://example.com/test.zip" -OutFile "$env:TEMP\test.zip"

  • unzip
    • Expand-Archive $env:TEMP\test.zip $env:TEMP\test -Force

  • process
    • start process Start-Process calc

    • stop process Stop-Process -ID $pid

  • file
    • create a new file New-Item #{file_path} -Force | Out-Null

    • set file content Set-Content -Path #{file_path} -Value "#{Content}"

    • append file content Add-Content -Path #{file_path} -Value "#{Content}"

    • copy file Copy-Item src dst

    • delete file Remove-Item #{outputfile} -Force -ErrorAction Ignore

    • subdirectory Get-ChildItem #{file_path}

  • service
    • Get service Get-Service -Name "#{service_name}"

    • start the service Start-Service -Name "#{service_name}"

    • stop the service Stop-Service -Name "#{service_name}"

    • delete the service Remove-Service -Name "#{service_name}"

  • Get WMI support Get-WmiObject -list