Skip to Main Content

powershell

Information contained in the articles on this site may not be representative of actual use cases. The views expressed in the articles are personal views of the author and are not necessarily those of State Farm Mutual Automobile Insurance Company, its subsidiaries and affiliates (collectively “State Farm”). Nothing in the articles should be construed as an endorsement by State Farm of any non-State Farm product or service.
Red Team Research - Runspace Debugging by Michael Garrison
Finding creative opportunities for code execution and lateral movement

red team research

Tldr; Runspace debugging is a cool feature added into the .NET framework that allows developers to attach to a PowerShell Host (PSHost) process to debug a script. Once a process instantiates the PSHost, it never goes away, even if the runspace object is disposed. I submitted it as a bug to Microsoft and hopefully it will be fixed in the future. This can be used as a neat way to execute PowerShell code under someone else’s legitimate process or PowerShell session.

READ MORE