Security controls and detection capabilities against PowerShell attacks have improved over the last few years. However, are PowerShell attacks still evolving?
Recently, we have read quite a few articles regarding offensive PowerShell:
- Invoke-PSImage. Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web (when the -Web flag is passed).
- The Invoke-Obfuscation Usage Guide :: Part 1. Daniel Bohannon provides insights on the lesser-known features of Invoke-Obfuscation.
- The Invoke-Obfuscation Usage Guide :: Part 2. Daniel Bohannon elaborates on what to focus on when using Invoke-Obfuscation for both commands and scripts.
- InsecurePowerShell. PowerShell without System.Management.Automation.dll. Ryan Cobb explains how to use PowerShell without the native Windows powershell.exe binary, as well as with a modified version of System.Management.Automation.dll! Really interesting stuff.

PS> Enjoy!