PowerShell is a scripting language included with all modern Windows operating systems which, among other features, provides access to the Win32 API and the capability to run scripts on remote servers without writing to disk. PowerShell scripts bypass application whitelisting and application-signing requirements, and generally bypass anti-virus as well.
While all of these characteristics are very desirable to a penetration tester, rewriting penetration test tools in PowerShell would be time consuming. Instead, I will show how to combine PowerShell and assembly to reflectively load existing EXEs and DLLs without writing to disk, triggering anti-virus, or triggering application whitelisting. I'll finish with several demonstrations of the Invoke-ReflectivePEInjection script in action.
Joe Bialek (@JosephBialek) is currently a Security Engineer on the Office 365 Red Team at Microsoft, where he does security research, red teaming, penetration testing, tool development, and code review. Joe was a contributor to Microsoft's Pass the Hash guidance paper and has contributed to other large security efforts within the company. Prior to his role at Microsoft, Joe graduated from Western Washington University with a Bachelor's degree in Computer Science.