There are probably only limited opportunities to exploit this in a corporate environment, but it has the potential to serve as a front end for an exploit kit, bypassing AV and UAC controls.  If successful, it can set up its own “malware ADMIN” account.  Subsequently, other malware could follow and infect further, including corporate ransomware (a growing trend).

There are some compensating controls: the user must be in the local ADMIN group and must do some “clicking” (accepting the UAC prompt) along the way.  However, many developers who constantly install software are set up in the ADMIN group, and often ordinary users are as well.  This is a beneficial finding in terms of security research for strengthening security around a powerful capability.

Bypassing AMSI using PowerShell 5 DLL Hijacking — While doing some research on the inner workings of Microsoft's new Antimalware Scan Interface technology within Windows 10, I found a DLL loading vulnerability within PowerShell 5. The reason I did some research is because some offensive PowerShell scripts I use within my own Red Teaming tool called p0wnedShell are getting blocked by Windows Defender on Windows 10 “despite running from memory”, so I wanted to know if it was possible to bypass this technology.

So with these findings, we can conclude that PowerShell 5 is vulnerable to DLL hijacking, and we can control code execution when it is copied to a location where we have write access.  With this knowledge we could now use PowerShell to run custom code like backdoors, keyloggers, malware, etc. within a Windows 10 system.  Now when a local admin user runs PowerShell.exe from a command prompt and clicks Yes on the UAC prompt, a new admin user is added to the local administrators group on the system.
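From the defender's side, the chain above leaves a recognisable trail in endpoint telemetry: a copy of powershell.exe starting from outside the Windows system directories, a DLL loaded from that same writable directory, and a new member added to the local Administrators group shortly afterwards. The following detection logic is an added example, not code from the original post or from p0wnedShell; the event field names are assumed (modelled loosely on Sysmon process-create/image-load and Security group-membership events) and the sample events are constructed.

```python
"""Detection for the chain described above: powershell.exe relocated to a
user-writable directory, a DLL loaded from beside it, then a new local admin.
Event dicts are modelled loosely on Sysmon/Security log fields (assumed names);
the sample events at the bottom are constructed, not real telemetry."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def in_system_dir(path):
    """True when the path lies under a Windows system directory."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)

def analyze(events, window=timedelta(minutes=10)):
    """Return alert strings for the relocated-PowerShell hijack pattern."""
    findings = []
    relocated = {}  # pid -> (start time, image path) of out-of-place powershell.exe
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        if e["event"] == "process_create":
            img = PureWindowsPath(e["image"])
            if img.name.lower() == "powershell.exe" and not in_system_dir(img):
                relocated[e["pid"]] = (ts, img)
                findings.append(f"powershell.exe started outside system dirs: {img}")
        elif e["event"] == "image_load" and e["pid"] in relocated:
            # a DLL side-loaded from the same writable directory as the host binary
            if PureWindowsPath(e["loaded"]).parent == relocated[e["pid"]][1].parent:
                findings.append(f"DLL loaded beside relocated powershell.exe: {e['loaded']}")
        elif e["event"] == "group_member_added" and e["group"].lower() == "administrators":
            recent = [img for t, img in relocated.values() if ts - t <= window]
            if recent:
                findings.append(f"new local admin {e['member']} shortly after {recent[0]}")
    return findings

SAMPLE_EVENTS = [  # constructed sample events
    {"time": "2016-06-01T10:00:00", "event": "process_create", "pid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2016-06-01T10:01:00", "event": "process_create", "pid": 200,
     "image": r"C:\Users\dev\AppData\Local\Temp\ps\powershell.exe"},
    {"time": "2016-06-01T10:01:01", "event": "image_load", "pid": 200,
     "loaded": r"C:\Users\dev\AppData\Local\Temp\ps\hijacked.dll"},  # placeholder DLL name
    {"time": "2016-06-01T10:03:00", "event": "group_member_added",
     "group": "Administrators", "member": "malwareadmin"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("ALERT:", f)
```

The legitimate launch from System32 produces no alert; only the relocated copy, its side-loaded DLL and the subsequent group change are flagged.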