Challenge 15: Alternative PowerShell Host

Medium Execution Evasion Target: Rule 5

Objective

Execute suspicious PowerShell commands without using powershell.exe.

Scanner Behavior

Rule 5 only activates when the process name contains powershell.exe:

proc rulePowerShell(info: ProcessInfo): seq[Detection] =
  # WEAKNESS: only detects powershell.exe, not pwsh.exe
  if "powershell.exe" notin info.exeName.toLowerAscii():
    return  # Skip entirely!
  ...

Any process that isn’t named powershell.exe bypasses Rule 5 completely.

Rules

  • Execute a PowerShell command that would trigger Rule 5 (e.g., Invoke-Expression, -EncodedCommand)
  • Do not use powershell.exe as the process
  • The command must execute successfully

Hints

Hint 1 PowerShell 7+ installs as pwsh.exe, which is not in the detection check.
Hint 2 You can host the PowerShell engine in custom applications. System.Management.Automation.dll can be loaded by any .NET process.
Hint 3 pwsh.exe -Command "Invoke-Expression 'whoami'" - pwsh.exe is not powershell.exe, so Rule 5 is skipped entirely.