PowerShell Reflection

The psreflect command injects a reflective DLL into a remote process and executes it; that DLL loads the CLR DLLs so PowerShell scripts and Cmdlets can run without ever calling powershell.exe. The command also accepts command-line arguments that are passed through to the PowerShell command. The psimport command loads a PowerShell script into memory. Unlike other C2s, which load PowerShell scripts into memory by hosting them locally and then using IEX to pull them in, badgers load the whole PowerShell script by reading it from local process memory.

In the example below, the PowerView script is imported using the psimport command. This command loads the whole script as a buffer and stores it in the badger’s memory. After importing the script, we can use the psreflect command to run the PowerView Cmdlet Get-DomainController.

Once the work of an imported PowerShell script is complete, you can remove the script from the badger's memory using the psclean command. The psreflect command comes pre-built with ETW and AMSI patching.
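Because the technique above runs the PowerShell engine without powershell.exe, the usual process-name and command-line detections miss it; the durable signal is the engine assembly being mapped into a process that is not a PowerShell host. The following is an added detection example, not part of Brute Ratel or this page: it parses constructed Sysmon Event ID 7 (ImageLoad) records and flags System.Management.Automation.dll loading into any process outside a host allowlist, keeping the preceding CLR loads as supporting context. Process names, PIDs and paths in the sample are made up, and the allowlist is an assumption you would extend for your environment.

```python
"""Flag 'unmanaged PowerShell': the PowerShell engine assembly loaded into a
process that is not a known PowerShell host. Input is constructed Sysmon
Event ID 7 (ImageLoad) records, not real telemetry."""
from collections import defaultdict

# Assumption: hosts that legitimately load the engine. Extend with any
# management agents in your estate that embed PowerShell.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLL = "system.management.automation.dll"
CLR_DLLS = {"mscoree.dll", "clr.dll", "coreclr.dll"}

# Constructed sample: one ImageLoad event per line, "Key: Value" pairs joined by '|'.
SAMPLE_EVENTS = """\
Image: C:\\Windows\\System32\\notepad.exe|ProcessId: 4120|ImageLoaded: C:\\Windows\\System32\\mscoree.dll
Image: C:\\Windows\\System32\\notepad.exe|ProcessId: 4120|ImageLoaded: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll
Image: C:\\Windows\\System32\\notepad.exe|ProcessId: 4120|ImageLoaded: C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll
Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ProcessId: 5008|ImageLoaded: C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll
Image: C:\\Windows\\explorer.exe|ProcessId: 1200|ImageLoaded: C:\\Windows\\System32\\kernel32.dll
"""


def parse_event(line):
    """Split one 'Key: Value|Key: Value' record into the three fields we need."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return {"image": fields["Image"], "pid": int(fields["ProcessId"]),
            "loaded": fields["ImageLoaded"]}


def detect_unmanaged_powershell(lines):
    """Return one finding per engine load into a non-PowerShell host.
    CLR runtime loads seen earlier for the same PID are attached as context,
    since the runtime has to be brought into the target before the engine."""
    clr_seen = defaultdict(set)  # pid -> CLR modules observed so far
    findings = []
    for line in lines.strip().splitlines():
        ev = parse_event(line)
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        dll = ev["loaded"].rsplit("\\", 1)[-1].lower()
        if dll in CLR_DLLS:
            clr_seen[ev["pid"]].add(dll)
        if dll == ENGINE_DLL and proc not in POWERSHELL_HOSTS:
            findings.append({"pid": ev["pid"], "process": proc,
                             "clr_modules": sorted(clr_seen[ev["pid"]])})
    return findings


if __name__ == "__main__":
    for hit in detect_unmanaged_powershell(SAMPLE_EVENTS):
        print(f"PID {hit['pid']} ({hit['process']}) loaded the PowerShell engine; "
              f"CLR modules: {', '.join(hit['clr_modules'])}")
```

Image-load events come from the kernel-side driver rather than from user-mode ETW providers inside the target, which matters here because the page states the badger patches ETW in-process. The check only sees assemblies mapped from disk, so pair it with in-memory scanning if you need to cover engine copies that never touch the file system.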