RandomPS-Scripts: PowerShell Scripts focused on Post-Exploitation Capabilities
RandomPS-Scripts is the PowerShell Scripts focused on Post-Exploitation Capabilities.
git clone https://github.com/xorrior/RandomPS-Scripts.git
This project includes
- JScriptShellThis script can be used to remotely (or locally) deploy a wmi event subscription with an ActiveScriptEventConsumer. This is not a new technique except for the fact that @tirannido recently released a really interesting method that would allow for dynamic loading of a csharp assembly entirely from memory within a jscript file.
We can use this technique to remotely deploy csharp assemblies without writing to disk (i.e. SharpPick for powershell, a shellcode loader, .etc). The trigger to deploy this consumer is a Win32_ProcessStartTrace event for the process specified. Once the event has occurred, the JScript payload will be executed. All components of the Wmi subscription will be cleaned up.
- DisableCylance.ps1This function is a powershell wrapper for the Cylance Bypass POC.
- Get-ChromeDump.ps1This function uses the System.Data.SQLite assembly to parse the different sqlite db files used by chrome to save passwords and browsing history. The System.Data.SQLite assembly cannot be loaded from memory. This is a limitation for assemblies that contain any unmanaged code and/or compiled without the /clr:safe option.
- Get-DXWebcamVideo.ps1This function will list all audio input options for DirectX
- Get-FoxDump.ps1This script will utilize the api functions within the nss3.dll to decrypt saved passwords and output them to the pipeline. This will only be successful if the master password has not been set. The results will include the username, password, and form submit url. This script should work with Firefox version 32 and above. Earlier versions utilized a different storage method for passwords.
- Invoke-ExecuteMSBuild.ps1This function executes a powershell command on a local/remote host using MSBuild and an inline task. If credentials are provided, the default administrative share is mounted locally.The xml file is copied to the specified path through the share. If credentials are not provided for a remote host, the xml file is copied using the default administrative share. If the Command parameter is omitted, the embedded powershell command will be used. This command will be executed in the context of the MSBuild.exe process without starting PowerShell.exe.
- Invoke-RemoteMimikatz.ps1This function will install a remote Wmi Event Sub with an ActiveScriptEventConsumer. The JScript consumer contains a csharp pe loader (by @subtee) and will load mimikatz from memory. Mimikatz is written to the targets registry as a base64 encoded blob. The powershell_reflective_mimikatz export is executed and the results are written to a ‘debug’ registry key. The results are retrieved and then cleaned up.
This script conducts user, system, and network enumeration using the current user context or with a specified user and/or keyword.
- Invoke-WmicDriveBy.ps1 This function calls wmic process call create to execute the powershell command for the IEX download cradle. The cradle is used to execute a payload delivered via the powershell web drive-by exploitation module in cobaltstrike. Wmic runs with the permissions of the current user by default.
- WMIBackdoor.ps1 This script contains two functions that will create or remove a backdoor using WMI event subscriptions. Currently, there are only two triggers that can be used. The first triggers an event once an interactive or cached interactive session has been established. A username can be utilized to create a more specific trigger. The second will trigger once a specific time has been met and will also trigger every subsequent hour afterward. When an event is triggered, a powershell download cradle will connect to the URL specified.