Invoke-NoShell

For defenders, PowerShell is a major challenge, while for attackers it is an opportunity (if it is enabled). This talk will open with quick explanations and examples of PowerShell abuse by malware in the wild and why it is so common. Then the main dish will be served: Invoke-NoShell, a new framework for generating infected documents containing embedded PowerShell that executes even if powershell.exe is disabled, without admin privileges, bypassing application whitelisting and AV solutions. The tool is fully automatic and capable of generating multiple variants of bypassing output to optimize the testing of solutions that claim to block PowerShell. It will be shown that the Invoke-NoShell framework enables easy automation of the payload generation process from scratch. This makes it possible to create multiple similar payloads automatically, allowing an individual to poke advanced ML unicorn next-NG AV engines efficiently, generating dozens of payloads with a single command.

Presented by