PS>Attack Build Tool v1.6 – builds PS>Attack, an offensive PowerShell console that makes it easy for pentesters to use PowerShell.
Changelog PS>Attack Build Tool v1.6:
++ New “UI”
++ Implemented generated strings to be passed into PS>Attack when compiled.
What does it do?
The PS>Attack Build Tool downloads the latest release of PS>Attack, downloads a bunch of offensive PowerShell tools, encrypts them with a unique key, bundles all of that together and compiles it into a standalone exe.
The end result is a self-contained PowerShell attack kit that's custom made for you.
What do you need to make it work?
+ You need full versions of .NET 4.6.1 and .NET 3.5. 4.6.1 is used to run the PS>Attack Build Tool; 3.5 is used to build PS>Attack. By using 3.5 for PS>Attack we end up with an executable that works on anything from a fresh Windows 7 install on up. You can find the .NET versions here.
+ Right now the PS>Attack Build Tool downloads the various PS1 files for its modules to disk. This can trip AV. If AV blocks downloading these PS1 files, the build of PS>Attack will ultimately fail.
It downloads files to %appdata%\PSAttackBuildTools, so you may want to whitelist that folder in your AV.
What does the PS>Attack Build Tool do?
The build tool downloads the latest version of PS>Attack and the latest versions of the tools it uses (PowerSploit, Powercat, Inveigh, etc.) and encrypts them with a custom key. It then compiles everything, producing a custom version of PS>Attack that's up to date and has a unique file signature, making it very difficult for Antivirus and Incident Response teams to find.
PS>Attack is a self-contained custom PowerShell console that comes with a lot of the latest and greatest offensive PowerShell tools. It's designed to make it very easy for pentesters to incorporate PowerShell into their workflow. It's suitable for use on live engagements, as it's capable of evading Antivirus and Incident Response teams with the following tricks:
+ It doesn't rely on powershell.exe. Instead it calls the PowerShell engine directly through the .NET Framework.
+ The modules that are bundled with the exe are encrypted. When PS>Attack starts, they are decrypted into memory. The unencrypted payloads never touch disk, making it difficult for most antivirus engines to find them.
+ When generated by the PS>Attack Build Tool, the payloads are encrypted with a unique key. This means that the generated executable’s signature changes each time it’s created.
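As an added example that is not part of PS>Attack or its build tool, here is the defender-side check that the first trick above invites: the Windows PowerShell event log records, in event ID 400, the HostApplication that loaded the engine, so an engine hosted by anything other than powershell.exe stands out regardless of how the payloads were packed. The event bodies, the host allowlist and the file names below are constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Hosts that normally load the PowerShell engine; anything else deserves a look.
# (This allowlist is an assumption for the example; tune it to your estate.)
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

def event400(host_name, host_application):
    """Constructed message body of a Windows PowerShell event ID 400
    (engine state None -> Available), trimmed to the fields we parse."""
    return ("Engine state is changed from None to Available.\n"
            "Details:\n"
            f"\tHostName={host_name}\n"
            f"\tHostApplication={host_application}\n"
            "\tEngineVersion=5.1.19041.1\n")

# Constructed sample events: a normal console, a custom .NET program that
# embedded the engine (the PS>Attack pattern), and a quoted vendor path.
SAMPLE_EVENTS = [
    event400("ConsoleHost",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile"),
    event400("Default Host", r"C:\Users\alice\Downloads\psattack.exe"),
    event400("ConsoleHost", r'"C:\Program Files\Vendor Tool\agent.exe" -run'),
]

def host_executable(message):
    """Return the lower-cased file name of the process named in
    HostApplication=, or None when the field is absent."""
    m = re.search(r"^\s*HostApplication=(.*)$", message, re.MULTILINE)
    if not m:
        return None
    cmdline = m.group(1).strip()
    # HostApplication carries the full command line; keep the executable only.
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()

def unusual_hosts(messages):
    """Executables that loaded the engine but are not in KNOWN_HOSTS.
    Events with no HostApplication field are reported as None."""
    findings = []
    for msg in messages:
        exe = host_executable(msg)
        if exe not in KNOWN_HOSTS:
            findings.append(exe)
    return findings
```

On a live host the same message bodies come from Get-WinEvent on the "Windows PowerShell" log; event 4103 in Microsoft-Windows-PowerShell/Operational carries the same Host Application field when module logging is on.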