NXC's PowerShell -X Option: A Stealthy Pentesting Technique
2 min read · Nov 21, 2024
When the PowerShell -X option is used, nxc performs several behind-the-scenes actions to ensure both functionality and stealth. Let's dig deeper and learn why and how to use it.
The -X option is not as good as a custom AMSI bypass, but it certainly has some advantages. When this option is used, nxc does the following:
- AMSI Bypass: By bypassing AMSI (Antimalware Scan Interface), this technique avoids detection by modern antivirus solutions and endpoint detection and response (EDR) systems, which actively scan and block suspicious PowerShell scripts.
- Payload Obfuscation: CrackMapExec obfuscates the payload to make it harder for detection mechanisms to identify malicious patterns or behavior, further reducing the chance of detection.
- Payload Execution: Finally, the payload is executed efficiently, taking advantage of stealthy methods like WMI execution to avoid triggering alarms associated with traditional execution techniques.
For instance, the command below demonstrates how nxc uses the -X option to retrieve the PowerShell version table without raising too much suspicion:

```
nxc smb [ip] -u john.doe -p 'SecurePass123!' --exec-method wmiexec -X '$PSVersionTable'
```
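Seen from the blue team, the same two traits that make this run quiet (a PowerShell process started through the WMI provider host, and a base64-encoded command line whose decoded script may touch AMSI) are exactly what a detection rule can key on. The block below is an added example, not code from the post or from NetExec: it scores Sysmon-style process-creation records against those traits; the field names, the sample events and the AMSI indicator list are assumptions.

```python
import base64
import re

# Strings that typically show up in decoded PowerShell that tampers with AMSI
# (assumed signature list for illustration, not taken from any tool's source).
AMSI_PATTERNS = re.compile(r"AmsiUtils|amsiInitFailed|amsi\.dll|AmsiScanBuffer", re.I)
# Matches the -e / -ec / -enc / -EncodedCommand flag and captures its base64 argument.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict) -> list:
    """Return the detection reasons for one Sysmon-style process-creation record."""
    reasons = []
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # wmiexec-style execution: Win32_Process.Create runs under WmiPrvSE.exe
    if parent.endswith("wmiprvse.exe") and image.endswith(("powershell.exe", "pwsh.exe")):
        reasons.append("powershell spawned by WMI provider host")
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if AMSI_PATTERNS.search(decoded):
            reasons.append("decoded payload references AMSI internals")
    return reasons


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample records (not real telemetry). The first mimics the post's
# '$PSVersionTable' run via WMI, the second is a benign launch from Explorer,
# the third carries a harmless script that merely contains an AMSI keyword.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -noni -nop -w 1 -enc " + _enc("$PSVersionTable")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -enc " + _enc("Write-Host AmsiUtils; $PSVersionTable")},
]
```

Running `score_event` over each record flags the first two WMI-spawned events and leaves the Explorer-launched script untouched; in a real pipeline the same logic would sit on top of Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled.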