powershell -nop
will easily bypass this defence - best if logging is enabled via GPOs.
Start-Transcript
without specifying the path will do just fine.
which had spawned the powershell process (mentioned in point 1) that ran the mimikatz script;
powershell > nc > cmd > powershell
instead of cmd > nc > cmd > powershell
- to no avail. (cmd > nc > cmd > powershell)
process ancestry, same as the first time, where the transcript.txt came back empty. This time, however, the results are different: the output is logged.
-version 2
switch of the powershell.exe binary like so:
System.Management.Automation.dll
- you can find its location by using powershell:
PS C:\Users\mantvydas> [psobject].assembly.location
bypass.exe
although the file got successfully created!