Changelog Version 1.4:
+ Includes a bypass method for Amsi (Antimalware Scan Interface) within Windows 10.
p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an “all in one” Post Exploitation tool which we could use to bypass all mitigations solutions (or at least some off), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.
What’s inside the runspace:
The following PowerShell tools/functions are included:
+ PowerSploit Invoke-Shellcode
+ PowerSploit Invoke-ReflectivePEInjection
+ PowerSploit Invoke-Mimikatz
+ PowerSploit Invoke-TokenManipulation
+ Veil’s PowerTools PowerUp
+ Veil’s PowerTools PowerView
+ HarmJ0y’s Invoke-Psexec
+ Besimorhino’s PowerCat
+ Nishang Invoke-PsUACme
+ Nishang Invoke-Encode
+ Nishang Get-PassHashes
+ Nishang Invoke-CredentialsPhish
+ Nishang Port-Scan
+ Nishang Copy-VSS
Powershell functions within the Runspace are loaded in memory from Base64 encode strings.
The following Binaries/tools are included:
+ Benjamin DELPY’s Mimikatz
+ Benjamin DELPY’s MS14-068 kekeo Exploit
+ Didier Stevens modification of ReactOS Command Prompt
+ hfiref0x MS15-051 Local SYSTEM Exploit
Binaries are loaded in memory using ReflectivePEInjection (Byte arrays are compressed using Gzip and saved within p0wnedShell as Base64 encoded strings).
How to build:
download *.zip and unzip it
Open your Visual Studio Community
right click p0wnedShell open with Your Visual Studion version..