Get the shell content
Fetch the Attacker's Command-Line Shells History

According to almost every cyber security vendor, the major trend of the last few years is non-malware (fileless) attacks. Scripting languages are more prominent than before: a few lines of PowerShell can serve as a full hacking toolkit, and open-source offensive frameworks built on PowerShell and Python are freely available.
 
 
There are a few reasons why scripting-language-based malware has become more common:
1. The interpreter is already there: PowerShell ships by default with every modern Windows operating system, so nothing new has to be dropped on the host.
2. Detection is difficult because the attacker leverages legitimate, signed tools to perform the malicious activity.
3. Shell-based attacks can run entirely in memory and never write a file to disk, so file-based antivirus and disk forensics have little to find.
 
Introducing
Get-ShellContent
Get-ShellContent is a PowerShell script that loads a modified Strings2 tool into memory and uses it to extract the strings of any running or dumped process. Because the console host (conhost.exe) keeps the screen buffer of the shell attached to it, those strings give full visibility of what the attacker saw: the commands typed into the shell and the output they produced. Incident response forensics at its finest!

Usage
Use -ComputerName [TARGET] to analyze the shells on a remote endpoint (over WinRM).
Use -ProcDump [DumpPath] to analyze a process dump file (conhost or shell).
Use -Deep to also scan the shell process itself for any remaining data; expect false positives.
Use -ProcessID [PID] to analyze one specific conhost or shell process; omit the flag to scan all candidate processes automatically.
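To show what the tool's in-memory string extraction actually involves, here is an added example (our own code, not Get-ShellContent or the modified Strings2 it uses) that carves ASCII and UTF-16LE strings from a live conhost.exe or shell process, or from a dump file, and keeps the lines that look like a shell prompt. The function names, the default prompt regex and the 64 MB region cap are assumptions of this example. One caveat a practitioner needs: conhost stores screen buffer text in different layouts across Windows versions, and text kept as interleaved character/attribute cells will not appear as contiguous strings to a carver like this, so an empty result means "nothing carved", not "nothing typed".

```powershell
# Added example, not the Get-ShellContent code: carve console text out of a
# conhost.exe/shell process (live) or out of a raw process dump (offline).
# Assumptions: Windows, rights to read the target process (same user or admin),
# and a dump that can be treated as a flat byte stream. Function names are ours.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class ProcMem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {                       // MEMORY_BASIC_INFORMATION
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, IntPtr len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@

function Get-CarvedStrings {
    # Latin-1 maps every byte to exactly one char, so one .NET regex pass carves
    # both ASCII and UTF-16LE runs at any byte alignment (the strings2 idea).
    param([byte[]]$Bytes, [int]$MinLength = 6)
    $raw = [Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    foreach ($m in [regex]::Matches($raw, "(?:[\x20-\x7E]\x00){$MinLength,}")) { $m.Value -replace "`0", '' }
    foreach ($m in [regex]::Matches($raw, "[\x20-\x7E]{$MinLength,}")) { $m.Value }
}

function Get-ProcessStrings {
    # Walk the committed, readable regions of a live process and carve each one.
    param([int]$ProcessId, [int]$MinLength = 6, [int64]$MaxRegionBytes = 64MB)
    $h = [ProcMem]::OpenProcess(0x0410, $false, $ProcessId)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $addr = [IntPtr]::Zero
        $mbi  = New-Object 'ProcMem+MBI'
        $mbiSize = [IntPtr][Runtime.InteropServices.Marshal]::SizeOf($mbi)
        while ([ProcMem]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiSize) -ne [IntPtr]::Zero) {
            $size = $mbi.RegionSize.ToInt64()
            # MEM_COMMIT, not PAGE_NOACCESS, not PAGE_GUARD; skip huge regions to bound memory use
            $readable = ($mbi.State -eq 0x1000) -and ($mbi.Protect -ne 0x01) -and (($mbi.Protect -band 0x100) -eq 0)
            if ($readable -and $size -le $MaxRegionBytes) {
                $buf  = New-Object byte[] ([int]$size)
                $read = [IntPtr]::Zero
                if ([ProcMem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, $mbi.RegionSize, [ref]$read)) {
                    Get-CarvedStrings -Bytes $buf -MinLength $MinLength
                }   # a failed read (page went away between query and read) is simply skipped
            }
            $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $size)
        }
    } finally { [void][ProcMem]::CloseHandle($h) }
}

function Get-ConsoleStrings {
    # Live mode: every conhost.exe by default, or the PIDs given. Dump mode: a file.
    # The default pattern keeps lines that start with a drive-letter prompt or path;
    # pass -Pattern '.' to see everything that was carved.
    [CmdletBinding(DefaultParameterSetName = 'Live')]
    param(
        [Parameter(ParameterSetName = 'Live')][int[]]$ProcessId,
        [Parameter(ParameterSetName = 'Dump', Mandatory = $true)][string]$DumpPath,
        [string]$Pattern = '(?i)^(PS )?[a-z]:\\',
        [int]$MinLength = 6
    )
    $strings = if ($PSCmdlet.ParameterSetName -eq 'Dump') {
        Get-CarvedStrings -Bytes ([IO.File]::ReadAllBytes($DumpPath)) -MinLength $MinLength
    } else {
        if (-not $ProcessId) { $ProcessId = @(Get-Process -Name conhost -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id) }
        foreach ($id in $ProcessId) { Get-ProcessStrings -ProcessId $id -MinLength $MinLength }
    }
    $strings | Where-Object { $_ -match $Pattern } | Select-Object -Unique
}

# Get-ConsoleStrings                                          # all console hosts on this box
# Get-ConsoleStrings -ProcessId 4242 -Pattern 'whoami|net |Invoke-'
# Get-ConsoleStrings -DumpPath C:\dumps\conhost.dmp -Pattern '.'
```

Run it elevated to read console hosts owned by other users; without that, OpenProcess on another user's process fails with Win32 error 5 (access denied) and the function throws rather than silently returning nothing. Carving the dump of a dead shell works the same way as the -ProcDump mode above, which is why capturing conhost.exe memory early in an incident matters: once the shell window closes, that buffer is gone.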

Technical Features
Supports PowerShell v2.0 and above
Remote WinRM capabilities
In-memory script
 

Fetch the tool from our GitHub.