Questions tagged [powershell]

Task automation and configuration management CLI for Windows; the first release was in Windows XP SP2 in 2006.

PowerShell is a CLI on Windows like CMD, but it has enhanced functionality, since it was built to create management scripts and automate system tasks.

89 questions
4 votes, 2 answers

Powershell says Microsoft's own ps1 script is insecure, should I proceed with running the script?

I am trying to update Powershell to version 5.1 which I have downloaded directly from Microsoft's website. The downloads are signed by Microsoft (although the signatures are expired by a few months), but when I try to run the script I am given…
MXBuster
  • 65
  • 7
4 votes, 1 answer

Powershell Empire - Token Impersonation

I have been struggling trying to get token impersonation to work in Empire 2.0. I use the credentials/mimitokens module to list and elevate to use a specific user's token - I see mimikatz' output saying the token is impersonated, but using info on…
user3046771
  • 165
  • 2
  • 11
4 votes, 1 answer

What are the proper steps for "quarantining" Malware?

I am writing a powershell script that effectively quarantines a computer after malware is detected on the system. So far I have the script disconnecting the ethernet adapters to ensure the device can't communicate with the internet. Next the script…
AckMan
  • 63
  • 5
4 votes, 1 answer

Empire testing powershell commands

I am testing Empire Powershell. I was wondering how you can remotely execute a file after you upload it to the victim's machine? (Empire: ANHGP22NCFLPVAAH) > cd Desktop (Empire: ANHGP22NCFLPVAAH) > Path ---- …
alien187
  • 41
  • 2
4 votes, 1 answer

Where you can run shellcode inside an ordinary process, what is a stealthy way to leverage that to get offensive Powershell code running from it?

Right now, offensive use of Powershell is one of the hottest topics in infosec. Powershell scripts are most often pitched as being appropriate for the "post-exploitation" phase of a penetration. This question follows somewhat along those lines, except…
3 votes, 2 answers

Powershell opened up, switched to administrator mode and ran scripts all without me touching my computer. How worried should I be?

I'm on a laptop running Windows 8.1 connected to the internet running Kaspersky. I am the sole user and administrator of this laptop. While going about my usual work, I paused for a moment (hands off both keyboard and mouse) during which time a…
3 votes, 1 answer

What causes a powershell payload to run the first time but not the second?

I created a windows/meterpreter/reverse_https powershell payload using the python script provided at the end of this article. In the first run, the meterpreter session opened successfully, when I closed it and tried to execute the powershell command…
user41696
3 votes, 1 answer

How do I stabilize a reverse shell when the attack box is using powershell?

So I've managed to get a version of netcat onto my windows machine and I can run the standard: nc -lvnp 1234 and this properly connects to the victim's machine, but it's a very fragile connection. Ctrl + C will just drop the connection, tab doesn't…
user248411
  • 31
  • 1
  • 2
3 votes, 0 answers

Cortana password bypass CVE-2018-8140

Recently a vulnerability in Microsoft's Cortana (CVE-2018-8140) has been patched. McAfee made a blog post about it explaining some background information. There is also a video showing a Proof of Concept, resetting the password of a computer and…
toom
  • 584
  • 3
  • 20
3 votes, 1 answer

How can I list all self-signed certificates in my stores on a Windows client?

I'm on a mission to list the self-signed certificates ('issued by' and 'issued to' match) on my machine via an automated method. PowerShell is available for use. Preferably the results would be exported to a nice human-readable file.
Camelspiders
  • 33
  • 1
  • 1
  • 4
3 votes, 1 answer

Powershell and cached credentials

In my environment we have powershell remoting off- I get around this using 2 hop scripts, packages(exe -no creds are stored in code- local privs only), and iwmi. I never pass creds to the endpoint, only use it to auth to the endpoint. I use…
Charles
  • 258
  • 2
  • 9
2 votes, 0 answers

What is the security of Powershell "TrustedHosts"? (is it just a name match)?

Powershell has a TrustedHost section that is configured like this: winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}' What security is implied for CorpServer56? Is it just an ASCII name match on the host that is "trusted"? I'm concerned…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
2 votes, 1 answer

Is running Powershell always as administrator a good practice?

I work as a software engineer in a company. The IT department has decided to forbid powershell execution from our computers as part of the actions they are implementing to avoid Emotet malware. As a software developer I use Powershell every day. From now…
joanlofe
  • 131
  • 2
2 votes, 1 answer

Would my USB interface be infected if I attached and immediately detached an infected USB device?

Two days ago, someone gave me their pen drive to copy some songs from. As soon as I inserted the drive into my laptop's USB interface, Windows Defender immediately warned me that the drive was infected, so I immediately removed it without opening…
2 votes, 1 answer

How to retrieve Kerberos Service tickets?

I am learning Kerberoasting; see below the steps that I am following. Step 1: Attacker will find the SPNs. Step 2: After identifying, we will request a TGS for that SPN. This is the script for that. Add-Type -AssemblyName…