A tool for building PS>Attack, an offensive PowerShell console that makes it easy for pentesters to use PowerShell.
Clone or download
Latest commit 2e15f52 Apr 15, 2018

README.md

PS>Attack Build Tool Build status

A tool that makes it easy to compile a custom version of PS>Attack, a portable powershell attack environment.

What does the PS>Attack Build Tool do?

The build tool downloads the latest version of PS>Attack and the latest versions of tools that is uses (PowerSploit, Powercat, Inveigh, etc), obfuscates them with @danielbohannon's Invoke-Obfuscation and then encrypts them with a custom key.

It then replaces certain identifable strings within the PS>Attack source code with random strings and then compiles everything, producing a custom version of PS>Attack that's up to date and consists of unique file signatures, making it very difficult for Antivirus and Incident Response teams to find.

PS>Attack

PS>Attack is a self contained custom PowerShell console that comes with a lot of the latest and greatest offensive PowerShell tools. It's designed to make it very easy for Pentesters to incorporate PowerShell into their workflow. It's suitable to be used on live engagements as it's capable of evading Antivirus and Incident Response teams with the following tricks.

  1. It doesn't rely on powershell.exe. Instead it calls powershell directly through the .NET framework.
  2. The modules that are bundled with the exe are encrypted. When PS>Attack starts, they are decrypted into memory. The unencrypted payloads never touch disk, making it difficult for most antivirus engines to find them.
  3. When generated by the PS>Attack Build Tool, the payloads are encrypted with a unique key. This means that the generated executable's signature changes each time it's created.

You can find more information about PS>Attack at its github page

Using the Build Tool

You can download precompiled binaries of the build tool from the releases tab or if you'd like, clone the repo and compile it from source. To compile it, you can use the Community Edition of Visual Studio.

You also need full versions of .NET 4.6.1 and .NET 3.5. 4.6.1 is used to run the PS>Attack Build Tool, 3.5 is used to build PS>Attack. By using 3.5 for PS>Attack we end up with an executable that work on anything from a fresh Windows 7 install on up. You can find .NET versions here

Contact

If you have any questions or suggestions for PS>Attack or its Build Tool, feel free to submit an issue or reachout on twitter or via email: jh [at] psattack.com

Greetz

PS>Attack was inspired by and benefits from a lot of incredible people in the PowerShell community. Particularly mattifiestation of PowerSploit and sixdub, engima0x3 and harmj0y of Empire. Besides writing the modules and commands that give PS>Attack it's punch, their various projects have inspired alot of my approach to this project as well as my decision to try and contirbute something back to the community.

A huge thank you to Ben0xA, who's PoshSecFramework was used to figure out a lot of things about how to build a powershell console.

Thanks to danielbohannon for writing the masterpiece that is Invoke-Obfuscation. I'm glad someone is crazy enough to do the research in obfuscating PowerShell.