Alternate PowerShell Hosts

Abusing alternate PowerShell hosts is an easy way to get PowerShell execution where application control (WDAC or AppLocker) blocks or constrains powershell.exe: the hosts are Microsoft-signed binaries, so a policy that trusts the Microsoft publisher or the Windows directory lets them run, and they spin up a full PowerShell runspace inside that trusted process. Bear in mind that the lockdown policy is applied by the engine, not the host, so under WDAC script enforcement the runspace still comes up in Constrained Language Mode.

Because these binaries are rarely associated with malicious activity, they slip past defences keyed on the traditional hosts: command-line auditing and Sysmon process-creation rules that look for powershell.exe or pwsh.exe, EDR signatures on the process name, and parent/child heuristics. What they do not bypass is logging done by the engine itself. Script block logging (Event ID 4104), module logging (4103) and the engine lifecycle event in the Windows PowerShell log (Event ID 400, which records HostApplication) are emitted by System.Management.Automation.dll whichever process loads it, and a Sysmon ImageLoad rule (Event ID 7) for System.Management.Automation.dll or its .ni.dll native image being loaded by anything other than the standard hosts catches every one of them.
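Detection logic for the two engine-level signals above, as an added example that is not part of the original page. It runs over constructed sample events so it works offline; the allow-list of known hosts, the sample event contents, the log names used by the live query and the function names are all assumptions made for the demo.

```powershell
# Added example (not from the original page): spot alternate PowerShell hosts from
#   * Sysmon Event ID 7 (ImageLoad) where System.Management.Automation(.ni).dll is
#     loaded by something other than a standard host, and
#   * Windows PowerShell Event ID 400 (engine start), whose message carries
#     HostApplication= the process that started the engine.
# Allow-list, sample events and function names are assumptions for the demo.

$KnownHosts    = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')
$EnginePattern = '\\System\.Management\.Automation(\.ni)?\.dll$'

function Test-SysmonImageLoad {
    param([xml]$Event)
    $id = $Event.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }   # EventID may carry attributes
    if ("$id" -ne '7') { return $null }

    # Read EventData fields by Name so field order across Sysmon versions does not matter
    $data = @{}
    foreach ($d in $Event.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.ImageLoaded -notmatch $EnginePattern) { return $null }

    $proc = [System.IO.Path]::GetFileName($data.Image).ToLower()
    if ($KnownHosts -contains $proc) { return $null }
    [pscustomobject]@{ Source = 'Sysmon/7'; Host = $data.Image; Detail = $data.ImageLoaded }
}

function Test-EngineStart {
    param([int]$EventId, [string]$Message)
    if ($EventId -ne 400) { return $null }
    if ($Message -notmatch '(?m)^\s*HostApplication=(.+?)\s*$') { return $null }
    $hostApp = $Matches[1]
    # HostApplication is the full command line; match on the executable name anywhere in it
    foreach ($h in $KnownHosts) { if ($hostApp -like "*\$h*") { return $null } }
    [pscustomobject]@{ Source = 'PowerShell/400'; Host = $hostApp; Detail = 'engine started by non-standard host' }
}

function Get-AlternateHostEvents {
    # Live query (needs Sysmon installed and admin rights); log names are the defaults.
    $hits = @()
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -ErrorAction SilentlyContinue |
        ForEach-Object { $r = Test-SysmonImageLoad ([xml]$_.ToXml()); if ($r) { $hits += $r } }
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
        ForEach-Object { $r = Test-EngineStart $_.Id $_.Message; if ($r) { $hits += $r } }
    $hits
}

# ---- constructed sample events (not real captures) ----
$SampleSysmonHit = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\wsmprovhost.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</Data>
  </EventData>
</Event>
'@
$SampleSysmonBenign = $SampleSysmonHit -replace 'wsmprovhost\.exe', 'WindowsPowerShell\v1.0\powershell.exe'

$SampleEngineHit = @'
Engine state is changed from None to Available.

Details:
	NewEngineState=Available
	PreviousEngineState=None
	HostName=ServerRemoteHost
	HostVersion=5.1.19041.1
	HostApplication=C:\Windows\system32\wsmprovhost.exe -Embedding
	EngineVersion=5.1.19041.1
'@
$SampleEngineBenign = $SampleEngineHit -replace 'wsmprovhost\.exe -Embedding', 'WindowsPowerShell\v1.0\powershell.exe -NoProfile'

# Expected: two hits (wsmprovhost.exe via both signals), nothing for the powershell.exe samples
Test-SysmonImageLoad $SampleSysmonHit
Test-SysmonImageLoad $SampleSysmonBenign
Test-EngineStart 400 $SampleEngineHit
Test-EngineStart 400 $SampleEngineBenign
```

Run `Get-AlternateHostEvents` on a live host to apply the same checks to the real Sysmon and Windows PowerShell logs; legitimate hosts such as wsmprovhost.exe during normal remoting will show up, so tune the allow-list to the environment rather than to the process name alone.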

The following is a list of alternate PowerShell hosts signed by Microsoft that we can use:

  1. wsmprovhost.exe - PowerShell remoting host (WinRM provider host)
  2. %windir%\System32\SyncAppvPublishingServer.exe - App-V publishing sync; its argument string is handed to a PowerShell runspace
  3. powershellcustomhost.exe - IIS Web Deploy utility
  4. SQLPS.exe - SQL Server PowerShell host shipped with the SQL Server tools
  5. sdiagnhost.exe - Scripted Diagnostics Native Host, used by Windows Troubleshooting Packs
  6. runscripthelper.exe - MSFT telemetry code execution

These hosts are usually C# / .NET assemblies in the form of .exe or .dll files. Because they start a PowerShell runspace they reference System.Management.Automation.dll, and that reference is recorded in the assembly's metadata (the AssemblyRef table), so finding further hosts can be automated: walk the filesystem, keep the managed binaries whose referenced assemblies include System.Management.Automation, and check each one's Authenticode signature.

This snippet can be used to identify some of these hosts.
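An implementation of that search, as an added example and not the page's own snippet. It assumes Windows PowerShell 5.1 for the metadata confirmation step (ReflectionOnlyLoadFrom exists only on .NET Framework); on PowerShell 7 only the byte-pattern pre-filter runs and hits are reported as unverified. The search roots, size cap and function name are choices made for the demo.

```powershell
# Added example (not the page's own snippet): find managed binaries that reference
# System.Management.Automation and report their Authenticode signer.
# Assumes Windows PowerShell 5.1 for ReflectionOnlyLoadFrom; search roots, the size
# cap and the function name are demo choices.

function Find-PSHostCandidate {
    [CmdletBinding()]
    param(
        [string[]]$Root = @("$env:windir\System32", "$env:windir\SysWOW64",
                            $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [switch]$MicrosoftSignedOnly
    )

    # Referenced assembly names are stored as UTF-8 in the #Strings metadata heap, so the
    # raw bytes of a referencing assembly contain this literal. Latin-1 decoding maps
    # bytes 1:1 to chars, which makes a plain substring test an exact byte search.
    $latin1     = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    $needle     = 'System.Management.Automation'
    $canReflect = $PSVersionTable.PSEdition -ne 'Core'   # .NET Framework only

    foreach ($dir in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            if ($file.Length -gt 100MB) { return }           # demo size cap
            try { $bytes = [System.IO.File]::ReadAllBytes($file.FullName) } catch { return }
            if ($latin1.GetString($bytes).IndexOf($needle, [System.StringComparison]::Ordinal) -lt 0) { return }

            # Confirm against the AssemblyRef table when the runtime allows it
            $confirmed = 'unverified'
            if ($canReflect) {
                try {
                    $asm  = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom($file.FullName)
                    $refs = $asm.GetReferencedAssemblies() | Select-Object -ExpandProperty Name
                    if ($refs -notcontains $needle) { return }   # string hit but no real reference
                    $confirmed = 'yes'
                } catch [System.BadImageFormatException] {
                    return                                       # native PE, byte match was incidental
                } catch {
                    # mixed-mode or otherwise unloadable assembly: keep it as unverified
                }
            }

            $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($MicrosoftSignedOnly -and
                -not ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')) { return }

            [pscustomobject]@{
                Path            = $file.FullName
                ReferenceCheck  = $confirmed
                SignatureStatus = $sig.Status
                Signer          = $signer
            }
        }
    }
}

# Example run: Microsoft-signed candidates under the default roots
Find-PSHostCandidate -MicrosoftSignedOnly | Format-Table -AutoSize
```

The byte scan is only a pre-filter; any file that happens to contain the string would pass it, which is why the reflection step drops native PEs and assemblies whose AssemblyRef table does not actually name System.Management.Automation. Expect hits that are not useful hosts too (libraries that embed PowerShell without exposing a script entry point), so each candidate still needs a manual look at how it takes input.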
