LIVING THE SWEET POWERSHELL #2

In some domain environments, security measures or hardening may block execution of the powershell.exe and powershell_ise.exe processes through GPO or AppLocker. These restrictions are sometimes configured incorrectly. Even when we cannot run PowerShell commands or scripts directly, PowerShell is not limited to powershell.exe, so the limitations can be bypassed. In today’s scenario, from the Red Team perspective, we will establish a connection using Empire in an environment where powershell.


LIVING THE SWEET POWERSHELL #1

In 2018, I conducted an attack scenario in my laboratory environment based on some external sources and my own research. In the scenario, an attacker exploited the MS17-010 vulnerability to gain access to a compromised machine. Using the compromised user account with limited privileges, the attacker established a PowerShell Empire connection and executed DCSync and golden ticket attacks to take control of the domain environment. The attacker used WMI for lateral movement, compromising other machines.
