Right now, offensive use of Powershell is one the hottest topics in infosec. Powershell scripts are most often pitched as being appropriate for the "post-exploitation" phase of a penetration. This question follows somewhat along those lines, except it involves taking a step toward using Powershell a bit earlier than usual: when the only foothold you've gotten so far has been from getting an application to run shellcode of your choosing. (Call it " very early post-exploitation" if you like.) So:
Let's say you are in a situation where you have gained the ability to execute assembly shellcode (with no size limit or character restrictions) inside a certain process on a Windows machine. You want to leverage that ability not to directly run lots of low level code, but to do something quite different: to create a execution environment inside that process where you can run Powershell code.
The reasoning behind that choice is pretty simple: setting up a Powershell execution environment allows you to take advantage of all of the ever-increasing Tools, Tactics, and Procedures that use Powershell that the security community now has produced/is producing. And setting up that environment within a process that's already running allows you to avoid starting a new process to run the Powershell code (and especially avoid starting powershell.exe, cmd.exe, or wscript.exe) like most lower-skill pen testers and bad guys will often do, something that can be very, very suspicious to a defender that is monitoring event logs or is using well-configured HIDS/HIPS software. The overall goal is to replicate some of the capabilities and stealth of some higher-end attackers without having to much custom programming work in low level programming languages, instead taking advantage of the universe of Powershell scripts/tools that already exist.
I know that the general concept of what I'm interested in doing here works, because I've been able to prove it out, using (for example) Metasploit--specifically with adllinject payload that starts from shellcode generated by msfvenom-- along with a reflective dll (from Empire, for eg.) to successfully get a Powershell agent up and running without creating a new process in a number of test situations. But, to be frank, I'm a little skittish about the idea of using anything that relies on Metasploit payloads or communications for something that might eventually (hopefully) be used during an actual engagement against a defender with HIDS, HIPS, NIDS, etc.
Are there alternative tools/methods that might be quieter while accomplishing the same result--getting Powershell code running on a target where you already have some code execution and without creating a new process that might be easily detected? I'm open to considering pretty much anything that doesn't require writing a lot of custom code in assembly. (Though, of course, more straightforward to implement is always preferable.)
