How To Compile It:

To compile p0wnedShell you need to open this project within Microsoft Visual Studio and build it for the x64/x86 platform. You can change the following AutoMasq options before compiling:

    public static bool AutoMasq = true;
    public static string masqBinary = @"C:\Windows\Notepad.exe";

With AutoMasq set to false, you just run the executable so it runs normally. With AutoMasq enabled, you could rename the p0wnedShell executable as the process you're going to masquerade (masqBinary), so it has the appearance of that process (for example notepad.exe).

Using the optional "-parent" command line argument, you can start p0wnedShell using another Parent Process ID. When combining the PEB Masq option and a different parent process ID (for example svchost), you can give p0wnedShell the appearance of a legitimate service ;)

Running p0wnedShell using another Parent Process ID doesn't work from a Meterpreter session/shell.... yet!

Note:

Changing the Parent Process ID can also be used to spawn a p0wnedShell process with system privileges, for example using lsass as the parent process. For this you need to have UAC elevated administrator permissions.

    C:\p0wnedShell>p0wnedShellx64.exe -parent
    [+] Please enter a valid Parent Process name.
    [+] For Example: C:\p0wnedShell\p0wnedShellx64.exe -parent svchost

    C:\p0wnedShell>p0wnedShellx64.exe -parent lsass

How To Use It:

To run as x86 binary and bypass AppLocker (Credits for this great bypass go to Casey Smith aka subTee):

    cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)
    InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

To run as x64 binary and bypass AppLocker:

    cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)
    InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe

What's inside the runspace:

The following PowerShell tools/functions are included:

PowerSploit: Invoke-Shellcode

PowerSploit: Invoke-ReflectivePEInjection

PowerSploit: Invoke-Mimikatz

PowerSploit: Invoke-TokenManipulation

PowerSploit: PowerUp and PowerView

Rasta Mouse: Sherlock

HarmJ0y's: Invoke-Psexec and Invoke-Kerberoast

Rohan Vazarkar's: Invoke-BloodHound (C# Ingestor)

Chris Campbell's: Get-GPPPassword

Tim Medin's: GetUserSPNS

Besimorhino's: PowerCat

Nishang: Copy-VSS and Invoke-Encode

Nishang: Invoke-PortScan and Get-PassHashes

Kevin Robertson: Invoke-Tater, Invoke-SMBExec and Invoke-WMIExec

Kevin Robertson: Invoke-Inveigh and Invoke-InveighRelay

FuzzySecurity: Invoke-MS16-032 and Invoke-MS16-135

PowerShell functions within the Runspace are loaded in memory from Base64 encoded and compressed strings.
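The three behaviours this README describes (the InstallUtil /U launch, the renamed or PEB-masqueraded binary, and the spoofed parent process) each leave a trace in process-creation telemetry. As an added example that is not part of p0wnedShell, the Python below triages constructed Sysmon-style (Event ID 1) records for those traces; the field names, the expected notepad.exe locations and the choice of lsass.exe as a sensitive parent are assumptions.

```python
# Added example (not p0wnedShell code): triage process-creation records for the
# behaviours the README describes. Field names mirror Sysmon Event ID 1
# (Image, CommandLine, ParentImage); the sample events are constructed.
from pathlib import PureWindowsPath

# Assumption: parents that do not normally spawn children; a child of lsass.exe
# is what a spoofed "-parent lsass" launch looks like in telemetry.
SENSITIVE_PARENTS = {"lsass.exe"}
# Assumption: legitimate on-disk locations of the binary masqBinary points at.
EXPECTED_PATHS = {
    "notepad.exe": {"c:\\windows\\notepad.exe", "c:\\windows\\system32\\notepad.exe"},
}
FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\"


def _name(path):
    return PureWindowsPath(path).name.lower()


def triage_event(ev):
    """Return the list of reasons this process-creation event deserves review."""
    reasons = []
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    argv = ev.get("CommandLine", "").lower().split()
    # 1) InstallUtil /U running an assembly from outside the .NET framework tree:
    #    the uninstall path is what executes the assembly's code.
    if image == "installutil.exe" and "/u" in argv and not argv[-1].startswith(FRAMEWORK_DIR):
        reasons.append(f"InstallUtil /U on non-framework assembly {argv[-1]}")
    # 2) A well-known binary name running from an unexpected path, which is how a
    #    renamed executable (AutoMasq) shows up: the event logs the real image path.
    expected = EXPECTED_PATHS.get(image)
    if expected and ev["Image"].lower() not in expected:
        reasons.append(f"{image} launched from unexpected path {ev['Image']}")
    # 3) A child of a process that should not be spawning children.
    if parent in SENSITIVE_PARENTS:
        reasons.append(f"child process of {parent}")
    return reasons


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\p0wnedShell\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def triage(events):
    """Map event index -> reasons, keeping only events that raised at least one."""
    return {i: r for i, ev in enumerate(events) if (r := triage_event(ev))}
```

Running `triage(SAMPLE_EVENTS)` flags the first two records and leaves the benign notepad.exe launch alone.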